Most "encrypted" cloud storage still holds the keys that unlock your data. That is convenient — until the provider is breached, subpoenaed, or simply curious. Zero-knowledge backup flips the model: encryption happens on your device, and the keys never leave it.
How Secureefy Backup does it
Every file is encrypted before it leaves your machine using AES-256-GCM, an authenticated cipher that both encrypts and detects tampering. The key is derived from your passphrase using PBKDF2-SHA256 with 100,000 iterations and a 32-byte random salt.
- Algorithm: AES-256-GCM (authenticated encryption)
- Key derivation: PBKDF2-SHA256, 100,000 iterations
- Nonce: 12-byte random per file
- Auth tag: 128-bit — tampering is mathematically detectable
Keys live in the macOS Keychain / Secure Enclave and Windows Hello secure storage. We store only ciphertext we cannot read.
Why authenticated encryption matters
Older tools used AES-256-CBC with no integrity check, so a corrupted or maliciously altered file could decrypt to garbage silently. GCM's authentication tag means a wrong password and a tampered file are indistinguishable — and both fail safely.
Your keys, not ours. That is the whole point.
If you take one thing away: if a backup vendor can reset your encryption for you, they can read your data. Secureefy can't, by design.