What exactly is client-side encryption?

Would client-side encryption help hide messages being sent/received, so that [my local network administrator] would not be able to read them?

Client-side encryption is not about transport encryption. The point of client-side encryption is not whether an eavesdropper can capture your communication on the way to a server. Rather it's about encrypting data without involving another party (i.e. the service provider, "the server") in the process.

Client-side encryption just means that the server doesn't encrypt the data which it's storing for a user by itself, but leaves the encryption to the client, giving the client full control over the process. This way the service provider is proving that they can't access the plaintext because they never handled the encryption keys in the first place. In theory, this means you don't need to trust the service provider to handle your data confidentially. (In practice, you'd have to verify that the provided client application actually implements CSE as promised by the provider.)

Whether the client-side-encrypted data is transferred securely (over an encrypted channel between you and the server) is a separate issue.


Client-side encryption means that the client is encrypting the data and NOT sharing the key with the server. When done properly, this would prevent anyone without the key from deciphering the data.

For example: if I encrypt my files before storing them in S3, this is client-side encryption. As long as my key is secure and the encryption algorithm is safe (both of which are complicated enough to get right), no-one outside my computer can see the actual data. This includes my ISP, any network hop between myself and S3, the S3 admin, and anyone who can access the file in S3.

This usually means that the server is storing a random "blob" of data. It does not know how to read it, or what it is.
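
The "encrypt before storing" scenario from the answer above, as an added example that is not part of the original answers. It assumes Node.js; the `server` Map is a constructed stand-in for the storage provider, the function names are hypothetical, and AES-256-GCM with an scrypt-derived key is one reasonable choice rather than something the page prescribes.

```javascript
const nodeCrypto = require('crypto');

// Stand-in for the storage provider (e.g. an S3 bucket): it only ever receives bytes.
const server = new Map();

// Derive a 256-bit key from a passphrase on the client. The salt is not secret
// and is stored next to the ciphertext; the passphrase never leaves the client.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt on the client, then upload salt || nonce || tag || ciphertext.
function clientUpload(name, plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12); // must never repeat under the same key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  cipher.setAAD(Buffer.from(name)); // binds the blob to its object name
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  server.set(name, Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]));
}

// Download the blob and decrypt on the client. Throws if the passphrase is
// wrong or if the stored bytes were modified while on the server.
function clientDownload(name, passphrase) {
  const blob = server.get(name);
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const ct = blob.subarray(44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  decipher.setAAD(Buffer.from(name));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Everything the provider (or anyone who can read the stored object) gets to see.
function serverView(name) {
  return server.get(name);
}

// Constructed sample data.
clientUpload('notes.txt', Buffer.from('meet at 10:00 in room 4'), 'correct horse battery staple');
console.log('server sees :', serverView('notes.txt').toString('hex'));
console.log('client reads:', clientDownload('notes.txt', 'correct horse battery staple').toString());
```

The upload here is an in-memory call, so this shows only the storage side; sending the blob over TLS remains a separate concern, as the first answer notes.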