Building trust in a zero-knowledge app: what to look for
You can’t verify our code from the app alone. Here’s what we do (and what to look for in any zero-knowledge product).
Trust in a zero-knowledge app is hard: you’re told “we can’t see your data,” but how do you know? We don’t have a formal audit (yet), but we try to be transparent about design and behavior so you can reason about risk.
What to look for
- Clear description of what’s encrypted and where (client vs server).
- Use of standard crypto (e.g. AES-GCM, PBKDF2) and no “custom” ciphers.
- No password recovery that would require the provider to decrypt.
- Open design: we document what we store and how encryption works.
What we publish
We describe the flow (password → KDF → key → encrypt in browser, send ciphertext). We name algorithms and parameters. You can inspect network traffic: you’ll see ciphertext and metadata, never plaintext or keys. Inspecting traffic can’t prove that we never log what we receive, but seeing only ciphertext leave the browser is the baseline we’d expect from any serious zero-knowledge product.
FAQ: Building trust in a zero-knowledge app
Q1. How can I trust a zero-knowledge claim if I can’t see the backend?
Look for clear, consistent documentation of architecture, algorithms, and what’s stored. You should be able to verify that encryption happens client-side and that only ciphertext and public parameters hit the server.
Q2. Do I need a third-party audit to trust a product like this?
Audits help, but they’re not the only signal. Transparent design docs, open communication about trade-offs, and a track record of fixing issues quickly all matter too.
Q3. What technical signs suggest a real zero-knowledge design?
Client-side key derivation (for example, PBKDF2 in the browser), AES-256-GCM encryption via Web Crypto, no password or key in network traces, and minimal server-side metadata are all good signs.
Q4. What should make me suspicious?
Claims of zero-knowledge alongside features like content-based search, password recovery, or server-side content analysis often indicate that the provider can see more than they admit.
Q5. How does Inkrypt try to earn trust today?
By documenting our design, naming our algorithms and parameters, and making it easy for you to inspect what’s sent over the network. We’d rather you understand our limitations than believe in magic.
Where to go next
If you want to evaluate our claims more deeply:
- Read “Zero-knowledge encryption: what it actually means when we can’t see your data”.
- Read “Why we encrypt in the browser (and what happens to your password)”.
- Open https://www.inkrypt.online, create a note, and inspect requests to see exactly what leaves your browser.