What is end-to-end encryption?

End-to-end encryption (E2EE) is a secure communication process in which data is encrypted on the sending endpoint and decrypted only on the receiving endpoint, so that no third party in between, including the service that carries the data, can read it.


What end-to-end encryption means

Data encryption is the process of using an algorithm to transform readable data (plaintext) into an unreadable form (ciphertext). The algorithm uses an encryption key to scramble the data so that only someone holding the matching key can read it. End-to-end encryption uses this same process, but takes it a step further by applying it between the two communicating endpoints: data is encrypted on the sender's device and decrypted only on the recipient's device, with no decryption at any point in between.

End-to-end encryption vs. encryption in transit

In many messaging services, a third party (the service provider) stores the data, and the data is encrypted only in transit, that is, on the network path between each device and the provider's servers. This server-side model protects the data from eavesdroppers on the network only. The provider decrypts the data when it arrives and can read it, which is undesirable in cases where the data must stay private at every point.

With end-to-end encryption, the data is encrypted on the sender's device and can be decrypted only by the holder of the recipient's decryption key. No intermediate party, including the service provider, can read it, and when an authenticated cipher is used the recipient also detects any modification made in transit. In other words, E2EE restricts reading and modifying the data to the intended endpoints.

Why end-to-end encryption is important

E2EE is used especially when privacy is paramount. Typical examples are sensitive subjects such as business documents, financial details, legal proceedings, medical conditions and personal conversations. Failing to secure such private data can cause damage to enterprises and their customers.

End-to-end encryption can help secure data against cyber attacks. In 2020, for example, the average cost of a data breach was USD 3.86 million globally and USD 8.64 million in the United States. These costs include discovering and responding to the breach, downtime and lost revenue, and the long-term reputational damage to a business and its brand. Where personally identifiable information (PII) is compromised, a breach can also lead to a loss of customer trust, regulatory fines and legal action.

End-to-end encryption offers more than sending encrypted messages. It can also be used to control which users are authorized to access stored data. A centralized privileged-user policy management system provides granular control over who has access to what information. Coupled with a centralized key management system that supports the Key Management Interoperability Protocol (KMIP), organizations can encrypt and protect data at every level.

How end-to-end encryption is used

Secure communications

Messaging apps such as Signal, and the TETRA digital trunked mobile radio standard, use end-to-end encryption to keep conversations between their users private. Email can be end-to-end encrypted too, but it requires Pretty Good Privacy (PGP) or compatible OpenPGP software to be configured at both ends. Services such as ProtonMail and Tutanota build end-to-end encryption into their mail clients, so users do not have to set it up themselves.

Password management

Password managers such as 1Password, Bitwarden, Dashlane and LastPass use E2EE to protect a user's passwords. In this case, however, the user is at both endpoints and is the only person who holds the key: the vault is encrypted and decrypted on the user's own devices, so the provider that syncs it stores only ciphertext.

Data storage

Storage devices and file systems commonly encrypt data at rest, but in that model the device or operating system holds the key. Cloud storage providers can instead offer client-side end-to-end encryption, where data is encrypted on the user's device before upload and decrypted only after download, keeping it unreadable to anyone in between, including the cloud service provider.

How end-to-end encryption works

End-to-end encryption begins with cryptography, a method for protecting information by transforming it into an unreadable format called ciphertext. Only users who possess a secret key can decipher, or decrypt, the message into plaintext. With E2EE, the sender or creator encrypts the data, and only the intended receiver or reader can decrypt it.

Asymmetric, or public-key, cryptography encrypts and decrypts data using two mathematically related keys. Anyone can encrypt a message with the recipient's public key, but only the holder of the corresponding private key, also known as the decryption key, can decrypt it. This is what lets an E2EE sender encrypt for a recipient with whom it has never shared a secret. The Transport Layer Security (TLS) protocol uses the same public-key techniques to keep third parties from intercepting messages in transit, but it protects only the hop between a client and a server, which is why TLS on its own provides encryption in transit rather than end-to-end encryption.

In password management, the user is both the encryptor and the decryptor. In terrestrial trunked radio (TETRA) end-to-end encryption, the encryption keys are generated and distributed to the radios by a key management centre (KMC) or key management facility (KMF); the radios that hold the key then decrypt the traffic they receive.

Symmetric encryption is a type of encryption in which a single secret key is used both to encrypt the plaintext and to decrypt the ciphertext. It is far faster than public-key cryptography, so practical E2EE systems combine the two: public-key cryptography is used to agree on a shared symmetric key between the endpoints, and that symmetric key encrypts the actual data.
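The following Go program is an added example, not code from the original page or from any product it names. It shows, with the standard library only, the hybrid construction described above (X25519 public-key agreement to derive a shared key, then AES-256-GCM for the data) and contrasts it with the encryption-in-transit model from the earlier section: in RunExchange a relaying server stores the bytes Alice sends to Bob and never sees plaintext, and one flipped ciphertext bit makes Bob's decryption fail; in TransitOnly the same primitives encrypt only the hop to the server, which therefore reads the message. The names Alice, Bob and the server, the sample message, the nonce || ciphertext || tag wire format and the use of SHA-256 over the shared secret in place of a real KDF are all assumptions made for the example; crypto/ecdh requires Go 1.20 or later.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint holding an X25519 key pair. The private key never
// leaves the endpoint; only Pub is published (for example in a key directory).
type Party struct {
	priv *ecdh.PrivateKey
	Pub  *ecdh.PublicKey
}

// NewParty generates a key pair; failure of key generation is unrecoverable here.
func NewParty() *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{priv: priv, Pub: priv.PublicKey()}
}

// aead is the asymmetric step: X25519 Diffie-Hellman with the peer's public key,
// hashed into a 256-bit AES-GCM key. Both endpoints derive the same key; anyone
// holding only the two public keys cannot.
func (p *Party) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)      // assumption: stands in for a real KDF such as HKDF
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always a valid AES-256 key
	return cipher.NewGCM(block)
}

// Seal is the symmetric step: AES-256-GCM with a fresh random nonce.
// Wire format (assumed) is nonce || ciphertext || tag; the tag exposes tampering.
func (p *Party) Seal(peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	g, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails if the key is wrong or any byte was altered.
func (p *Party) Open(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	g, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	if len(msg) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

// RunExchange sends plaintext end-to-end from Alice to Bob through a
// store-and-forward server and reports what the server could see and
// whether a one-bit change in transit is caught.
func RunExchange(plaintext string) (bobRead string, serverSawPlain, tamperDetected bool, err error) {
	alice, bob := NewParty(), NewParty()
	msg, err := alice.Seal(bob.Pub, []byte(plaintext)) // needs only Bob's public key
	if err != nil {
		return "", false, false, err
	}
	serverCopy := append([]byte(nil), msg...) // the relaying server's entire view
	serverSawPlain = bytes.Contains(serverCopy, []byte(plaintext))
	pt, err := bob.Open(alice.Pub, serverCopy)
	if err != nil {
		return "", serverSawPlain, false, err
	}
	tampered := append([]byte(nil), serverCopy...)
	tampered[12] ^= 0x01 // first ciphertext byte, just past the 12-byte GCM nonce
	_, tamperErr := bob.Open(alice.Pub, tampered)
	return string(pt), serverSawPlain, tamperErr != nil, nil
}

// TransitOnly models encryption in transit: the hop is encrypted to the server,
// which must decrypt it to store or forward it, so the provider reads every message.
func TransitOnly(plaintext string) (string, error) {
	alice, server := NewParty(), NewParty()
	hop, err := alice.Seal(server.Pub, []byte(plaintext))
	if err != nil {
		return "", err
	}
	pt, err := server.Open(alice.Pub, hop) // the provider holds this hop's key
	return string(pt), err
}

func main() {
	bob, serverSaw, tamper, _ := RunExchange("meet at noon") // constructed sample message
	server, _ := TransitOnly("meet at noon")
	fmt.Printf("E2EE: bob=%q serverSawPlaintext=%v tamperDetected=%v\n", bob, serverSaw, tamper)
	fmt.Printf("transit-only: server read %q\n", server)
}
```

Because the server in RunExchange holds only ciphertext, nothing it stores or leaks reveals the message; the contrast with TransitOnly is the whole difference between the two models. A production design would replace the SHA-256 step with HKDF bound to the parties' identities, rotate keys per message (as Signal's ratchet does) and authenticate the public keys themselves, since X25519 alone does not stop an active attacker from substituting a key in the directory.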
