What is Zero-Knowledge Encryption?

A plain-English explanation of how your data stays private — and why even we can't read your messages.

Zero-Knowledge means we can't read your data

Even if someone forced us to hand over our servers, your messages would be unreadable. Here's why.

When you send a message through mboxly.app, something important happens before it ever leaves your browser: it gets encrypted. Not on our servers — in your own browser, using AES-256-GCM, the same algorithm trusted by banks and governments worldwide.

The encryption key is generated locally and embedded in the unique link you share with your recipient. That fragment — the part after the # in the URL — is never sent to our servers. It's a browser feature: fragments are intentionally kept client-side.

What reaches our servers is only the encrypted ciphertext — a block of scrambled bytes that is mathematically useless without the key we never see.

This is the difference between zero-knowledge and ordinary encrypted services. Many products say data is encrypted, but they mean it is encrypted while travelling and then decrypted again on the server for storage or indexing. Zero-knowledge means the provider is outside the trust boundary for message content. The server can store, rate-limit, expire, and deliver ciphertext, but it cannot inspect what the ciphertext contains.

Zero-Knowledge

In a zero-knowledge design, the server stores encrypted content but never receives the key required to read it.

That one sentence is the shortest way to explain why even the service operator cannot access a user's message content.

Why does this matter?

Traditional messaging and file-sharing services encrypt data in transit (TLS), but decrypt it on their servers to store, index, or process it. That means the service provider can read your data — and so can anyone who breaches their infrastructure.

Zero-knowledge means we hold no key. We cannot decrypt your content even if we wanted to. There's no master key, no backdoor, no way to comply with a data request that doesn't exist.

Compliance teams sharing sensitive documents
Developers sending API keys to colleagues
Anyone who values genuine privacy over marketing promises

If you want to see the same model applied to concrete use cases, compare this with secure file drop and Time Vault. Those articles show how zero-knowledge changes both file sharing and delayed delivery.

Common questions

Can mboxly.app read my messages?

No. Encryption happens in your browser before anything is sent. The decryption key lives only in the link — a URL fragment we never receive.

What encryption algorithm is used?

AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). It provides both confidentiality and integrity — tampered ciphertext is rejected on decryption.

What happens after I share the link?

The recipient opens the link, their browser extracts the key from the URL fragment, downloads the ciphertext from our servers, and decrypts it locally. Depending on your settings, the message may then self-destruct.

Is this GDPR compliant?

Yes. Because we process no personal data in the message content, and our infrastructure runs on AWS EU, we meet GDPR data residency and minimisation requirements.

Does zero-knowledge mean metadata disappears too?

No. Zero-knowledge protects message content, not all surrounding metadata. A service may still know when a message was created, when it expires, approximate file size, or that a given link was requested. Privacy improves dramatically, but content secrecy and metadata secrecy are not the same thing.

Keep reading

What is Zero-Knowledge Encryption?

Zero-Knowledge means we can't read your data

Why does this matter?

Common questions

More in Zero-Knowledge

GDPR, Zero-Knowledge Encryption, and the Breach Notification Problem

The # in the URL That Keeps Your Key Secret