Definition
End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. No eavesdropper—including the service provider—can access the cryptographic keys needed to decrypt the conversation.
In E2EE, encryption and decryption occur only on the endpoints (sender and recipient devices). The data remains encrypted while in transit and at rest on servers.
How It Works
Key Generation
Each user generates a public/private key pair. The public key is shared, while the private key never leaves the device.
Key Exchange
Users exchange public keys, usually by way of the service's servers. Because a server could substitute its own key for the recipient's, users verify the keys out of band by comparing safety numbers or scanning each other's QR codes; a mismatch reveals a man-in-the-middle attack.
Message Encryption
The sender encrypts the message with a symmetric session key that is either derived from the key exchange (as in Signal) or generated per message and wrapped with the recipient's public key (as in OpenPGP).
Decryption
Only the recipient's private key can recover the session key, so only the recipient's device can decrypt the message. The server only ever relays ciphertext it cannot read.
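The four steps above carried through in Go, as an added example rather than code from Signal, WhatsApp or any product named on this page: X25519 key generation, a fingerprint for the out-of-band check, Diffie-Hellman plus a KDF for the session key, and AES-256-GCM for the message. The HKDF info string, the truncated fingerprint format and the sample message are constructed for the example, and a single session key stands in for the per-message ratcheting a real protocol adds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewKeyPair is the key generation step: a fresh X25519 key pair. The private
// key stays on the device; only priv.PublicKey() is ever sent to anyone.
func NewKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// Fingerprint is what both users compare out of band (safety number, QR code).
// Hashing both keys in a fixed order gives both sides the same string.
func Fingerprint(a, b *ecdh.PublicKey) string {
	ab, bb := a.Bytes(), b.Bytes()
	if string(ab) > string(bb) {
		ab, bb = bb, ab
	}
	h := sha256.Sum256(append(ab, bb...))
	return hex.EncodeToString(h[:8]) // truncated for human comparison
}

// hkdfSHA256: single-block HKDF (RFC 5869, empty salt), inline to stay stdlib-only.
func hkdfSHA256(ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, nil)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{0x01})
	return exp.Sum(nil) // 32 bytes: one AES-256 key
}

// SessionKey is the key exchange step: X25519 Diffie-Hellman with the peer's
// public key, then a KDF. The raw shared secret is never used as a key.
func SessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, []byte("e2ee-example session key v1")), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM under the session key and prepends
// the random nonce. GCM's tag makes tampering fail at Decrypt, not silently.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt needs the session key, which only the two endpoints can derive.
// Open fails on a wrong key or on any change to nonce, ciphertext or tag.
func Decrypt(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	server, _ := NewKeyPair() // the provider's own key pair; never the right one
	fmt.Println("safety number:", Fingerprint(alice.PublicKey(), bob.PublicKey()))
	ka, _ := SessionKey(alice, bob.PublicKey())
	kb, _ := SessionKey(bob, alice.PublicKey())
	ct, _ := Encrypt(ka, []byte("meet at 9")) // constructed message
	pt, err := Decrypt(kb, ct)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
	ks, _ := SessionKey(server, alice.PublicKey())
	_, err = Decrypt(ks, ct)
	fmt.Println("server decrypt:", err)
}
```

Needs Go 1.20 or later for crypto/ecdh. The server in main holds a key pair of its own and still cannot open the ciphertext, and a ciphertext altered in transit fails the same way because GCM authenticates as well as encrypts. If the server were to hand Alice a key of its own in place of Bob's, Fingerprint would change, which is exactly what the safety-number comparison in step 2 catches.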
E2EE Protocols
Signal Protocol
The reference design for modern secure messaging, used by Signal, WhatsApp, and others. Features:
- Perfect Forward Secrecy
- Double Ratchet Algorithm
- Deniable Authentication
- Asynchronous Key Exchange (X3DH): a session can be set up while the recipient is offline, using prekeys the recipient uploaded earlier
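The symmetric-key half of the Double Ratchet, as an added example that is not Signal's code or any libsignal implementation: a KDF chain that yields a fresh message key per message and wipes its predecessor (forward secrecy), steps ahead and caches skipped keys so out-of-order delivery over an asynchronous transport still works, and refuses replays. The 0x01/0x02 labels follow the Double Ratchet specification's recommendation; the root key, the message indices and the arrival order are constructed for the example, and the DH ratchet that heals a session after a compromise is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// step is the chain's one-way function. HMAC-SHA256 cannot be run backwards,
// so the chain key for message n reveals nothing about the keys before it.
func step(key []byte, label byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte{label})
	return m.Sum(nil)
}

// Chain is one direction of the symmetric-key ratchet: the sending chain on
// one device and the matching receiving chain on the other start from the
// same key (in the real protocol, output of the DH ratchet).
type Chain struct {
	key     []byte            // current chain key, replaced on every step
	n       uint32            // index of the next message key
	skipped map[uint32][]byte // keys for messages that have not arrived yet
}

func NewChain(root []byte) *Chain {
	return &Chain{key: append([]byte(nil), root...), skipped: map[uint32][]byte{}}
}

// Next derives the message key for index n, advances the chain key and wipes
// the old one. Afterwards nothing on the device can recreate an earlier
// message key: that is the forward secrecy property.
func (c *Chain) Next() (uint32, []byte) {
	mk, next := step(c.key, 0x01), step(c.key, 0x02)
	for i := range c.key {
		c.key[i] = 0 // best-effort wipe; the runtime may still hold copies
	}
	c.key = next
	c.n++
	return c.n - 1, mk
}

// KeyFor is the receiver's side. Delivery is asynchronous and may be out of
// order, so the chain steps forward to idx and caches the keys it skips for
// the messages that are still in flight. An index that is neither ahead nor
// cached was already consumed (a replay, or a wiped key) and is refused.
func (c *Chain) KeyFor(idx uint32) ([]byte, bool) {
	if mk, ok := c.skipped[idx]; ok {
		delete(c.skipped, idx)
		return mk, true
	}
	if idx < c.n {
		return nil, false
	}
	for c.n < idx {
		i, mk := c.Next()
		c.skipped[i] = mk
	}
	_, mk := c.Next()
	return mk, true
}

// Pending reports how many skipped message keys are still cached.
func (c *Chain) Pending() int { return len(c.skipped) }

// Snapshot models an attacker who copied the current chain key off a
// compromised device. Every later message key in this chain follows from it,
// so the symmetric ratchet protects the past but not the future; healing the
// session is the job of the DH ratchet, which this example omits.
func (c *Chain) Snapshot() *Chain {
	return &Chain{key: append([]byte(nil), c.key...), n: c.n, skipped: map[uint32][]byte{}}
}

func main() {
	root := sha256.Sum256([]byte("constructed root key")) // stands in for DH output
	sender, receiver := NewChain(root[:]), NewChain(root[:])
	for i := 0; i < 3; i++ {
		idx, mk := sender.Next()
		fmt.Printf("send #%d key=%x\n", idx, mk[:4])
	}
	for _, idx := range []uint32{2, 0, 1, 1} { // arrival order, ending in a replay
		if mk, ok := receiver.KeyFor(idx); ok {
			fmt.Printf("recv #%d key=%x\n", idx, mk[:4])
		} else {
			fmt.Printf("recv #%d refused\n", idx)
		}
	}
}
```

Two practitioner points the code makes concrete: skipped keys are the one place a receiver must keep old material, so a real client caps how many it stores, and a Snapshot taken after message 2 still derives message 3's key, which is why forward secrecy alone is not post-compromise security.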
Other Protocols
- OMEMO: XMPP extension that applies the Signal Protocol's Double Ratchet to XMPP chat
- Matrix/Olm: Olm for one-to-one sessions and Megolm for rooms, used by Element and other Matrix clients
- OpenPGP: Email and file encryption standard (RFC 4880)
- MLS: Messaging Layer Security, the IETF standard for group messaging (RFC 9420)
Popular Implementations
- Signal (messaging): open source secure messenger; uses the Signal Protocol
- ProtonMail (email): E2EE email service
- Element (messaging): Matrix-based messaging client
Limitations
E2EE Doesn't Protect Everything: E2EE protects message content, not metadata. The service provider can still see who talks to whom, when, and how often. And because decryption happens on the endpoint, a compromised device (malware, a malicious app, or a forensic extraction) reads messages exactly as the user does; encryption offers no protection there.