pCloud Encryption is the simplest and most secure way to encrypt data.
With pCloud’s unique client-side encryption functionality users’ files are safely hidden from any unauthorized access. pCloud Encryption lets users protect their confidential files with high-end security, making it as easy as placing a file in a folder. pCloud's security application encrypts data on user's computer, and uploads only the encrypted version to the servers. Files never leave user's device, so there is no way that anyone receives sensitive information in a plain version. We apply zero-knowledge privacy, meaning that encryption keys are not uploaded or stored on our servers, and we are incapable of viewing user files. The encryption key (Crypto Pass) is only available to the one who creates it, i.e. the user.
We are different than other security-led cloud storage providers.
pCloud is the first cloud storage provider to offer both encrypted and non-encrypted folders in the same account. Although at first thought it is the most natural approach to just encrypt everything, the downside is that when servers do not understand the data, they cannot help you work with your files. You can't expect server support for generating thumbnail previews of images, transcoding of media files so they are playable in the cloud, creating and extracting archives, and similar operations that cloud users need. That is why, with pCloud, you can choose which files to encrypt and lock, and which ones to store in their natural state and apply file operations on.
pCloud makes the best of both worlds.
We did our encryption in the most user-friendly way - encrypted files will be visible and usable in your storage only when you enter your encryption password (Crypto Pass) and unlock them. Otherwise, as soon as you click the Lock button they are no longer accessible locally by anyone else. You are the only one who holds the key. Even we, as a service provider, do not have access to your encrypted files. This is in contrast to embedding encryption in so called "Sync" clients that would still upload encrypted data to servers but would keep data in plain text on user's computer so anybody who has access to the computer would see it (e.g. when you lose your laptop). pCloud Encryption does not have such a vulnerability.
The strictly technical aspects.
We use industry standard 4096-bit RSA for users' private keys and 256-bit AES for per-file and per-folder keys. We do data authentication in a different way compared to most competitors. Authentication is the process of verifying that you decrypted data the right data. Many experts consider it a mandatory part of encryption.
Authentication is done by calculating cryptographic hash of the data during encryption and decryption, and comparing the results. There are two popular approaches to that: one is to calculate the checksum of the whole file, another is to calculate checksums of small blocks in the file. The downside of the first approach is that you need to have the whole file in order to authenticate it, which may not be the case. Partial file modifications are also problematic in this case and might also require access to the full file. The second approach is vulnerable to several types of attacks. Most likely, the service provider may construct a version of the file that never really existed by combining different small blocks in different ways.
In pCloud Encryption we solve this problem by using a tree of hashes (also called Merkle tree, similar to what Bitcoin is using as a central part in its protocol).