ExpressVPN Glossary

End-to-end encryption (E2EE)

What is end-to-end encryption?

End-to-end encryption (E2EE) is a method of ensuring that data can only be read by the intended parties. The content of messages sent over a platform protected by E2EE can’t be read by a user’s internet service provider (ISP), network administrator, or even the platform itself.

How does end-to-end encryption work?

The first step is encryption, the process of scrambling data into an unreadable form. Under E2EE, this process occurs directly on the sender’s device. Once encrypted, the data is transmitted through intermediate servers, such as those run by a messaging app. Because the service never holds the private decryption keys, nobody at the company (and no threat actor intercepting the data in transit) can view the content.

When the message arrives at the recipient’s device, it is decrypted and, in the same step, checked for integrity and authenticity using cryptographic mechanisms. Only if that verification succeeds are the contents made readable.

[Figure: A visual representation of how end-to-end encryption works.]

Why is end-to-end encryption important?

Without E2EE, many platforms can view every file and private message their users send. For communication that needs to stay private, E2EE removes that capability.

Services offering this level of security and privacy build user trust. Further, E2EE may be required for protecting certain kinds of information under data protection regulations.

[Figure: A visual representation of how messages protected by E2EE differ from other forms of communication.]

Where is end-to-end encryption used?

E2EE is applied in many digital communication tools:

  • Messaging apps: Platforms like WhatsApp and Signal protect all chats with E2EE by default, offering users greater privacy.
  • Video conferencing: Some services, like Zoom, offer E2EE as an optional feature.
  • Email: Pretty Good Privacy (PGP)-based email providers like Proton Mail use E2EE between users on the same service; however, messages with outside providers aren’t E2EE by default.
  • File sharing: Certain cloud storage and file-sharing services protect stored data with E2EE.
  • Password managers: Password managers like ExpressVPN Keys employ E2EE to support a zero-knowledge architecture.

Benefits and limitations

E2EE offers strong privacy and protection against interception by cybercriminals, ISPs, and administrators, ensuring that communication stays private and secure. Yet it has limitations. For one, metadata is not covered by E2EE, so platforms and threat actors may still see basic information about messages (such as who is communicating with whom, and when) even though the content remains hidden. Additionally, the encryption process adds overhead, which may have a small performance impact on tools that use the technology.

For users, a perceived limitation can be the inability to turn off E2EE on certain messenger services where it is the default, which can conflict with features like cloud backups. Also, E2EE can pose challenges for law enforcement when accessing communications during investigations.
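The mechanism described under "How does end-to-end encryption work?" and the metadata caveat above, shown together in an added Go example (not code from ExpressVPN or from any messaging app). Each device holds its own X25519 key pair, the relay server only ever handles an Envelope, and the sender/recipient labels are left readable as metadata but bound into the authentication tag. The single SHA-256 used as a key-derivation step is a simplification assumed for brevity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all the relay holds: routing metadata in the clear, content only as AES-GCM ciphertext.
type Envelope struct {
	From, To   string
	Nonce, Box []byte
}

// Session holds the AEAD both endpoints derive; the relay never sees its key.
type Session struct{ aead cipher.AEAD }

// NewIdentity makes a device-resident X25519 key pair; the private half never leaves the device.
func NewIdentity() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// NewSession turns the X25519 agreement with a peer's public key into an AES-256-GCM key.
// Assumption: one SHA-256 stands in for the KDF (e.g. HKDF) a real protocol would use.
func NewSession(me *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Session, error) {
	shared, err := me.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // standard block size: cannot fail
	return &Session{aead}, nil
}

// Seal encrypts on the sender's device. From/To are bound as associated data: the relay
// can read them (the metadata E2EE leaves exposed) but cannot alter them unnoticed.
func (s *Session) Seal(from, to, msg string) (Envelope, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{from, to, nonce, s.aead.Seal(nil, nonce, []byte(msg), []byte(from+"|"+to))}, nil
}

// Open decrypts and verifies on the recipient's device; a tampered Box or From/To fails the GCM tag check.
func (s *Session) Open(e Envelope) (string, error) {
	pt, err := s.aead.Open(nil, e.Nonce, e.Box, []byte(e.From+"|"+e.To))
	return string(pt), err
}
```

A third party holding only the public keys (the relay, for instance) derives a different session key and fails the same tag check, so it learns the From/To metadata but never the content.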

FAQ

What is the difference between end-to-end encryption and regular encryption?

Conventional encryption usually protects data only while it is in transit. For example, traffic sent over HTTPS cannot be read by anyone intercepting it on the network, but it is decrypted as soon as it reaches the website’s server, at which point anyone with access to that server can read the data. In contrast, end-to-end encryption (E2EE) protects data along its entire communication path, meaning only the intended recipient can read the message.

Can service providers access E2EE messages?

No. With true end-to-end encryption (E2EE), the service provider (such as the messaging app company) has no access to the private keys and is therefore unable to read the content of messages.

Which apps use end-to-end encryption?

Many popular apps use end-to-end encryption (E2EE), such as Signal and WhatsApp. Additionally, most password managers use the security feature, as do some email and cloud service providers. Some tools use E2EE by default, while with others it’s an optional feature that may only be available to certain users.

Is end-to-end encryption unbreakable?

While most end-to-end encryption (E2EE) implementations use algorithms that have never been cracked, E2EE doesn’t protect against vulnerabilities at the endpoints (the sender's or recipient's device). If a recipient’s device has been compromised by malware, cybercriminals may have access to messages even in apps that benefit from E2EE.
