Client-Side Encryption vs Server-Side Encryption: Key Differences

When a cloud service says "your files are encrypted", the crucial follow-up question is: where are they encrypted? The location of the encryption operation determines who can access your plaintext data.

Server-Side Encryption (SSE)

With server-side encryption, your file is transmitted to the server (usually over TLS) and then encrypted at rest by the server using a key that the server manages. Your file is never readable on the network, but it is readable at the server level before encryption is applied.

Who controls the key? The platform. This means the platform can decrypt your files. Legal orders, breaches, or insider access can expose your data.

Most cloud storage (AWS S3, Google Cloud Storage, Cloudflare R2) uses server-side encryption by default. It's secure against many threats but not against the platform itself.

Client-Side Encryption (CSE)

With client-side encryption, your file is encrypted on your device before it leaves — typically in the browser using the Web Crypto API or in a native app. The server receives and stores only ciphertext. The platform has no key and cannot decrypt your data.

Who controls the key? You. The platform is effectively blind to your content.

Examples: Cryptomator, ProtonDrive, Keybase, Tresorit. These tools offer genuine "zero-knowledge" storage.

The Trade-offs

Feature	Server-Side	Client-Side
Key custody	Platform	You
Search/Preview	Full support	Limited
Recovery if key lost	Yes	No
Privacy from platform	No	Yes

Choosing the Right Approach

For most everyday file sharing — including TiniDrop — server-side encryption with strong access controls and password-protected links provides excellent practical security. Client-side encryption is appropriate when the platform itself must not be able to read your data.