A system where the provider cannot read your data, even if compelled to try
A zero-knowledge system is one where the service provider has no technical ability to read the data you store with them, because the keys never leave your device.
The phrase comes from cryptography — originally describing proofs where one party convinces another of a fact without revealing the fact itself. In consumer storage it’s used more loosely, to mean: your passphrase derives an encryption key on your Mac, that key encrypts every byte before it’s uploaded, and the server only ever sees opaque ciphertext. An employee with full admin access to the storage, a subpoena served on the company, or an attacker who breaches the provider’s infrastructure all see the same thing — encrypted blocks that can’t be turned back into your files without the key they don’t have.
The tradeoff is honest: if you lose every copy of your key material, the provider cannot help you. There is no “reset password” email that recovers the data, because there’s nothing on their end to reset against. This is why zero-knowledge products pair a primary passphrase with recovery codes and, optionally, a secondary escrow path.
In macup, zero-knowledge is the architectural default, not a premium feature. Your 48 GB Final Cut library is encrypted on your M-series Mac before a single chunk hits the network, and the decryption keys live in your keychain and your printed recovery code — never in our database.