Tech / Nov 05 2025

How Koofr Vault Ensures Zero-Knowledge Encryption

Discover how Koofr Vault gives you complete control over your privacy with true client-side encryption. Learn how your data is encrypted and decrypted only on your device — never on Koofr’s servers — and explore how this design ensures zero-knowledge security, transparency, and compatibility with tools like rclone.

Written by human for humans

In today’s cloud-first world, our lives are constantly connected — from work documents stored online to personal memories backed up across devices. But with convenience comes a nagging concern: who really has access to your data?

At Koofr, we understand that trust must be earned, not assumed. That’s why we created Koofr Vault, an app and a feature built to give you complete peace of mind. By introducing end-to-end encryption (E2EE), we’ve taken data security one step further — ensuring your files are encrypted before they ever leave your device.

Koofr Vault. An extra layer of security.

Here’s the beauty of it: only you hold the key. Koofr Vault is designed so that not even we can access your encrypted files. The setup completely removes Koofr's ability to ever view your encrypted data. Your data stays yours — private, protected, and completely under your control.

1. The Core Principle: Everything Happens on Your Computer


At the heart of Koofr Vault lies a simple but powerful idea: your data’s protection starts and stays with you.

Unlike most cloud-based encryption systems that rely on remote processing, Koofr Vault runs entirely within your web browser — whether you’re on a laptop, desktop, or even your phone. All the program code operates locally on your device, ensuring that your private files never leave your hands unprotected.

This design means that the encryption and decryption process happens 100% on your computer. Our servers play no part in these steps. From our perspective, your stored files are just random, meaningless chunks of encrypted information. We simply provide the secure, high-speed infrastructure to hold those encrypted pieces for you.

Think of it this way: Koofr is the warehouse — Vault is your lock. You encrypt (lock) your safe box on your device before storing it in our secure warehouse. We keep it safe, organised, and always available — but we can never open it. You stay in complete control of your data and your keys.


2. The Private Key: Your Absolute Control


The moment you enter your Safe Key into the Koofr Vault browser app is the most crucial step in your security journey. This is where the real magic — and protection — begins.

Your Safe Key is the non-negotiable anchor of Koofr Vault’s security model. It is never transmitted to, stored by, or even seen by Koofr’s servers — not for a millisecond. There are no hidden network requests or background syncs. Everything related to encryption and decryption happens locally in your browser, right on your device.

For those who love transparency, Koofr Vault is open-source, meaning anyone can inspect the code and verify how it works. You can view the source on Koofr’s GitHub repository.

Why Irrecoverability Matters — The Security Guarantee

Because Koofr never receives or stores your Safe Key, there’s no way for us to recover it or reset your password. It’s the clearest possible evidence that your encrypted data belongs only to you.

With that power comes responsibility: you are the sole guardian of your Safe Key. If you lose it, even we cannot help you unlock your files. The key that grants you absolute control also makes you fully accountable for keeping it safe.

You hold the only key — literally.


3. What We Store: The Encrypted Configuration File


When it comes to encryption, protecting your data isn’t just about scrambling files — it’s also about carefully handling the small but critical pieces of information that make decryption possible later.

Modern encryption systems rely on certain configuration data, such as a salt and an iteration count, to ensure key derivation is strong and unique.

A salt is a random value added to your password (or Safe Key) before encryption, making each derived key different — even if two users happen to use the same password. This prevents attackers from using precomputed rainbow tables, where they try to match hashes of common passwords.

A salt isn’t secret; it’s simply random. It must be available later so your browser can regenerate your encryption key when you log in again. If we didn’t persist the salt, you’d need to type two separate secrets — for example, rclone calls them "password1" (your Safe Key) and "password2" (the salt). Storing the salt is a secure and standard practice.

In Koofr Vault, there’s one more piece of information that gets stored — a small helper called the "password_validator". This is a random string that serves one crucial purpose: allowing the app to verify whether your entered Safe Key is correct without ever revealing it.

Here’s how it works:

  1. When you first create your Vault, your browser generates a random "password_validator".
  2. This value is encrypted locally using your Safe Key — directly in your browser.
  3. Both the plaintext and the encrypted version of this validator are then stored on Koofr’s servers.

When you later unlock your Vault, your browser encrypts the stored plaintext validator again using the Safe Key you entered. If the newly encrypted value matches the stored one, the system knows your password is correct — without ever sending your Safe Key to Koofr.

This check prevents a dangerous scenario where a mistyped password could still decrypt something, but show you only garbage. Thanks to the validator, we can confirm that your Safe Key is valid before showing your encrypted data — all without seeing or storing your actual key.
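
The salt and validator steps described above, as an added sketch that is not Koofr Vault's own code. The function names, the scrypt cost values and the HMAC-derived IV (a stand-in that makes re-encryption deterministic, as the comparison requires) are all assumptions of this example.

```javascript
// Added example: a client-side validator check. Not Koofr's implementation.
const crypto = require('node:crypto');

// Derive 64 bytes from the Safe Key and the stored salt: 32 for encryption,
// 32 for the synthetic IV. Cost parameters are example values (assumption).
function deriveKeys(safeKey, salt) {
  const okm = crypto.scryptSync(safeKey, salt, 64, { N: 16384, r: 8, p: 1 });
  return { encKey: okm.subarray(0, 32), ivKey: okm.subarray(32) };
}

// Deterministic encryption: the IV is an HMAC of the plaintext, so the same
// keys and validator always produce the same bytes (stand-in construction).
function encryptValidator(keys, validator) {
  const iv = crypto.createHmac('sha256', keys.ivKey)
    .update(validator).digest().subarray(0, 16);
  const cipher = crypto.createCipheriv('aes-256-ctr', keys.encKey, iv);
  return Buffer.concat([iv, cipher.update(validator, 'utf8'), cipher.final()]);
}

// Vault creation: everything returned here is what the server would store.
// The Safe Key and the derived keys are not part of it.
function createVaultConfig(safeKey) {
  const salt = crypto.randomBytes(16);
  const validator = crypto.randomBytes(16).toString('hex');
  const encrypted = encryptValidator(deriveKeys(safeKey, salt), validator);
  return {
    salt: salt.toString('hex'),
    validator,
    encryptedValidator: encrypted.toString('hex'),
  };
}

// Unlock: re-encrypt the stored plaintext validator with the entered Safe Key
// and compare in constant time. Returns the keys on success, null otherwise.
function unlockVault(config, enteredSafeKey) {
  const keys = deriveKeys(enteredSafeKey, Buffer.from(config.salt, 'hex'));
  const candidate = encryptValidator(keys, config.validator);
  const stored = Buffer.from(config.encryptedValidator, 'hex');
  const ok = candidate.length === stored.length &&
    crypto.timingSafeEqual(candidate, stored);
  return ok ? keys : null;
}

// Constructed sample run with a made-up Safe Key.
const sample = createVaultConfig('correct horse battery staple');
console.log(unlockVault(sample, 'correct horse battery staple') !== null); // true
console.log(unlockVault(sample, 'correct horse battery stapel') !== null); // false
```

The stored pair lets whoever holds it check a Safe Key guess offline, so the cost of the key-derivation function and the strength of the Safe Key are what make it safe to store.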

The only things Koofr keeps on its servers are:

  • The salt and other non-secret metadata needed for key derivation, and
  • The plaintext + encrypted "password_validator" pair (which is useless without your Safe Key).

Even if someone accessed this data, it would be meaningless — they still couldn’t derive or guess your Safe Key, nor decrypt any of your files.

We only store the minimal data needed to make your Vault work securely, and every sensitive part of the process happens on your device.

4. The Process Explained: Downloading a File


To understand just how seamless — and secure — client-side encryption really is, let’s look at what happens when you download a file from Koofr Vault.

The downloading process step-by-step

  1. Server Storage: Your file lives on Koofr’s servers as a completely encrypted blob — a jumble of unreadable data with no connection to the original content.
  2. Download Request: When you open Koofr Vault and choose to download a file, your browser initiates the transfer. The encrypted blob is sent directly from Koofr’s servers to your local device.
  3. Client-Side Decryption: Once the encrypted file reaches your browser, the Koofr Vault app (running locally) takes over. It uses the Safe Key you provided to decrypt the data — all within your device. At no point does Koofr’s infrastructure participate in this decryption process.
  4. The result: The file is instantly transformed back into readable form only on your computer. The plaintext version never leaves your device, and it never exists anywhere on Koofr’s servers.

5. Openness and Compatibility: The rclone Parallel


Koofr Vault’s strict commitment to keeping encryption keys entirely client-side is the foundation of its compatibility with rclone, a trusted open-source file synchronisation tool.

Users have long trusted rclone because it stores its configuration — including any encryption keys — locally on their own devices. The tool never transmits these keys to remote servers; it simply uses them to encrypt and decrypt files before or after uploading.

Koofr Vault works the exact same way. Your Safe Key remains fully under your control and never leaves your computer or browser session. When Koofr Vault integrates with rclone, it honours the same privacy-first model: encryption happens client-side, and Koofr’s servers only see the encrypted results.

Learning the basics of Koofr with rclone

This design isn’t a coincidence — it’s a conscious decision to align Koofr Vault with the principles of open, verifiable security. By adopting methods similar to well-established tools like rclone, Koofr demonstrates a clear commitment to transparency and user trust.

You’re not just using another cloud service — you’re participating in an open, privacy-respecting ecosystem where your keys, your data, and control remain entirely yours.

Koofr Vault provides strong, end-to-end encryption with a convenient web interface. But for those who want absolute minimalism and zero metadata stored on our side, there’s an even more bare-metal option: you can use rclone directly with the "koofr+crypt" backends.

This approach achieves the same zero-knowledge encryption model as Koofr Vault, but skips even the small bits of configuration data that Vault securely stores (like salts and password validators). It’s a bit less convenient, but it gives you maximum privacy and total control, with literally nothing left on Koofr’s servers except encrypted blobs. If you’re curious, there’s a community discussion about it on Reddit.

How to set up client-side encryption of your Koofr files with rclone

6. Conclusion: True Privacy in the Cloud


With Koofr Vault, every encryption and decryption step happens locally, ensuring that Koofr’s servers never see your readable files or your keys. This design completely changes the cloud security dynamic — transforming Koofr from a service you trust into one you can verify.

Unlock enhanced security with Koofr Vault.

Koofr delivers world-class cloud storage and reliable infrastructure, while Koofr Vault adds an extra layer of security for your files. Start encrypting your most sensitive data with Koofr Vault and experience the peace of mind that comes from knowing that your files are yours — and yours alone.

