30 terms

Encrypted cloud & privacy glossary

30 self-contained definitions to understand cloud encryption, data protection and jurisdiction without marketing or jargon. Each term links to detailed explanations in our editorial base.

#01 Zero-knowledge encryption: Encryption model where the cloud provider never holds decryption keys. Files are encrypted client-side before upload; the server stores only ciphertext. Even under a court order, the provider technically cannot access data in cleartext.
#02 End-to-end encryption (E2EE): Protocol where data is encrypted on the sender's device and decrypted only on the recipient's device. No intermediary (ISP, host) can read the content. E2EE is necessary but not sufficient for zero-knowledge: a service can be E2EE while managing keys server-side.
#03 AES-256: Symmetric encryption algorithm (Advanced Encryption Standard) with a 256-bit key, standardised by NIST in 2001. The industry standard for at-rest encryption in cloud services. 256-bit is the recommended level for sensitive data; AES-128 is acceptable for general use.
#04 Client-side encryption: Operation where data is encrypted locally on the user's device before transmission to the server. The encryption key never leaves the device. Practical synonym for zero-knowledge when key management is also local. Opposite of server-side encryption.
#05 At-rest encryption: Protection of data stored on disk or in a database. All serious cloud services apply it (AES-256), but it is not enough: the provider can still read files by accessing the keys it manages. At-rest encryption alone does not guarantee confidentiality from the provider.
#06 In-transit encryption: Protection of data during network transfer, typically via TLS 1.2 or 1.3. Guards against network interception (man-in-the-middle) but not against the provider itself, which receives data in cleartext server-side if no client encryption is applied.
#07 Metadata: Data about data: filename, size, modification timestamp, access frequency, source IP. Even zero-knowledge services often expose unencrypted metadata. Proton Drive encrypts filenames separately; most others leave this information accessible to the provider.
#08 CLOUD Act (USA, 2018): US law (Clarifying Lawful Overseas Use of Data Act) enabling federal authorities to compel US companies to hand over data stored anywhere in the world, without notifying the data owner. Applies to Microsoft, Google and Amazon even for their European datacentres.
#09 GDPR: General Data Protection Regulation, in force in the EU since May 2018. Governs the collection, processing and transfer of personal data. In principle prohibits data transfers to countries without adequate protection — in direct tension with the US CLOUD Act for transatlantic providers.
#10 Five / Nine / Fourteen Eyes: Intelligence-sharing alliances between countries. Five Eyes: USA, UK, Canada, Australia, New Zealand. Nine Eyes adds: Denmark, France, Netherlands, Norway. Fourteen Eyes adds 5 more (Germany, Belgium, Spain, Italy, Sweden). Providers domiciled in these countries may be subject to pooled state surveillance requests.
#11 Jurisdiction: Country of legal domicile for the cloud provider. Determines which law governs data access requests (CLOUD Act for US entities, LPD for Switzerland, GDPR for the EU). Switzerland is outside the EU, outside the 14 Eyes and not subject to the CLOUD Act — making it a preferred jurisdiction for private storage services.
#12 TOFU (Trust On First Use): Trust model where the first public key received from a contact is accepted without external verification. Used in protocols such as Signal or some SFTP implementations. Exposes to a man-in-the-middle attack during the first connection, before the key fingerprint is confirmed out-of-band.
#13 Convergent encryption: Technique where the same plaintext always produces the same ciphertext, because the key is derived from a hash of the content. Enables server-side deduplication without exposing content. Used by services such as MEGA. Drawback: an adversary who knows the likely content can verify its presence by hash comparison.
#14 Deduplication: Storage technique eliminating redundant copies of the same content. Reduces infrastructure costs for the provider. Incompatible with strict zero-knowledge encryption (each user would have a different ciphertext for the same file), except via convergent encryption — with its associated limitations.
#15 Sharding: Fragmentation of a file into multiple shards distributed across different servers or nodes. Improves resilience and performance. In a privacy context, sharding combined with end-to-end encryption prevents any individual node from reconstructing the complete file. Used notably by Internxt.
#16 WebDAV: HTTP extension enabling remote file management (read, write, rename, delete). Supported by Nextcloud, pCloud and others for compatibility with third-party clients. Facilitates integration into automated workflows but adds no native encryption layer.
#17 Sync vs backup: Sync maintains a real-time mirror copy: any local deletion is replicated to the cloud. Backup retains historical versions independently of local changes. For protection against ransomware or accidental deletion, a true backup with versioning is essential.
#18 Versioning: Retention of previous versions of a file. Enables restoration of a file's state before a modification, corruption or ransomware attack. Retention periods vary by plan: Proton Drive keeps 200 versions, Tresorit 180 days, pCloud 15 to 365 days depending on plan.
#19 Lifetime plan: Commercial offer granting access to a service for an indefinite period in exchange for a one-time payment. pCloud and Internxt offer lifetime deals significantly cheaper than a 5-10 year subscription. Main risk: the provider's financial viability is not guaranteed long-term.
#20 SOC 2: American audit framework (Service Organization Control 2) developed by the AICPA. Evaluates five criteria: security, availability, processing integrity, confidentiality and privacy. A SOC 2 Type II report (covering a 6-to-12 month period) is a measure of operational maturity, distinct from an encryption certification.
#21 ISO/IEC 27001: International information security management standard. ISO 27001 certification attests that an organisation applies an Information Security Management System (ISMS) compliant with the standard's requirements, audited by an accredited body. More widespread in Europe than SOC 2.
#22 Independent audit: Security evaluation of a system by a specialised third party (e.g. Cure53, SEC Consult, NCC Group, Trail of Bits). An audit of the client source code confirms the actual implementation of zero-knowledge encryption. Proton Drive, Tresorit and Filen have published audit reports. The absence of an audit does not prove insecurity, but limits verifiability.
#23 Open source vs proprietary: An open-source client (published, verifiable source code) allows third parties to confirm that the announced encryption is actually implemented. A proprietary client requires trusting the provider's claims or a third-party audit. Proton Drive, Internxt and Filen publish their client code; pCloud and Tresorit remain proprietary.
#24 Post-quantum cryptography: Algorithms designed to resist attacks from a quantum computer. Current algorithms (RSA, ECDSA, DH) will be vulnerable once quantum computers are sufficiently powerful. NIST standardised the first post-quantum algorithms in 2024 (ML-KEM, ML-DSA). Proton has been transitioning to post-quantum primitives since 2024.
#25 Key derivation function (KDF): Cryptographic function transforming a password (low entropy) into a robust encryption key. Modern KDFs (Argon2id, bcrypt, PBKDF2) deliberately slow brute-force attempts. The strength of zero-knowledge encryption partly depends on the quality of the KDF and the complexity of the chosen password.
#26 Perfect forward secrecy (PFS): Property of a cryptographic protocol ensuring that compromise of a long-term key does not allow decryption of past communications. Each session uses distinct ephemeral keys. Implemented in TLS 1.3 (used for all modern cloud transfers), but less relevant for at-rest storage.
#27 Key management: Set of procedures for generating, storing, rotating and revoking cryptographic keys. In a zero-knowledge model, keys must never leave the user's device in cleartext. Poor key management (unencrypted backup, transmission to server) nullifies the guarantees of encryption.
#28 Data residency: Physical location of servers storing data. Distinct from the legal jurisdiction of the provider: a US provider with servers in Germany remains subject to the CLOUD Act. Data residency matters for GDPR (obligation to keep data within the EEA), but does not replace a jurisdiction analysis.
#29 Zero-knowledge proof (ZKP): Cryptographic protocol allowing one party to prove knowledge of information without revealing the information itself. Different from "zero-knowledge storage": ZKP protocols (zk-SNARK, zk-STARK) are used in advanced cryptography and blockchain. In cloud storage context, "zero-knowledge" refers to the absence of keys at the provider, not a formal ZKP protocol.
#30 Ransomware protection: Measures preventing or limiting ransomware damage via the cloud. Automatic versioning is the primary protection: it allows files to be restored to a state prior to infection. Some services (Tresorit, Proton Drive) detect suspicious mass modifications. Instant sync without versioning can conversely propagate malicious encryption.
#31 Swiss Federal Act on Data Protection (LPD/nFADP): Swiss federal data protection law, revised in 2020 and in force since 1 September 2023. Aligns with GDPR on several points (individual rights, accountability) while maintaining Swiss specificities. Switzerland is not an EU member, but the European Commission has recognised an adequate level of protection for data transfers since 2000 (decision renewed).

Go further

E2E vs zero-knowledge: what marketing hides Cloud storage comparison quiz — 60 s Cloud storage cost calculator