Skip to main content

Client-side encryption

In Nebbl you can create buckets with zero-knowledge client-side encryption enabled.

How does it work?

Before you can create a bucket with client-side encryption, you have to set your session password. This password is used to derive an encryption key which will be used to encrypt and decrypt files upon uploads and downloads.

The encryption key is encrypted itself and then sent to the Nebbl database for storage using zero-knowledge mechanism. This way Nebbl and no one else can know or access your encryption key.

Encryption and decryption

When you upload files to your client-side encrypted bucket Nebbl frontend app gets your encrypted encryption key from the database, decrypts it and encrypts your files with it before sending them to the bucket. This happens automatically. All you need is only to verify your session password which will be used to decrypt your encryption key.

The same process happens when you download files from your client-side encrypted bucket. They are decrypted automatically and you only need to verify your session password for it.

What to keep in mind

Encryption and decryption in Nebbl is done using AES-GCM algorithm. This is one of the most secure encryption algorithms by today's standards and is used by major cloud providers like AWS, Google Cloud and Microsoft Azure.

However the drawback is that the file size will be increased slightly and the upload and download speed will be slower.

As for the file size, AES-GCM algorithm has a maximum limit on the amount of data that can be encrypted with a single key and initialization vector (IV) combination. Specifically, the maximum amount of plaintext data that can be encrypted is 2^39 - 256 bits, which is approximately 512 GB. This limit is due to the way the GCM mode works and the need to maintain security against certain types of attacks.

Another thing to keep in mind is that the download process will run a bit differently. Unlike a traditional download where you're prompted to save the file immediately after clicking the download button, the encrypted file download will run in the background and you will see the progress in the file item next to the file info icon. Only when the progress reaches 100% you'll be prompted to save the file.