What is end-to-end encryption?
End-to-end encryption (E2EE) is a secure communication process that prevents third parties from accessing data transferred from one endpoint to another.
What end-to-end encryption means

Data encryption is the process of using an algorithm to transform standard text characters into an unreadable format. The process uses encryption keys to scramble data so that only authorized users can read it. End-to-end encryption uses this same process, but takes it a step further by securing communications from one endpoint to the other.

End-to-end encryption vs. encryption in transit

In many messaging services, third parties store the data, which is encrypted only in transit. This server-side encryption method secures the data from unauthorized viewers only. As a side effect of this method, the sender can view the information too, which can be undesirable in cases where data privacy is needed at every point.

With end-to-end encryption, the encrypted data is viewable only by those who hold the decryption keys. In other words, E2EE prevents unintended users, including third parties, from reading or modifying data that only the intended readers should be able to access.

Why end-to-end encryption is important

E2EE is used especially when privacy is of the utmost concern: for sensitive subjects such as business documents, financial details, legal proceedings, medical conditions or personal conversations. Failure to secure such private data can result in damages to enterprise businesses and their customers.

End-to-end encryption can help secure data against cyber attacks. In 2020, for example, the average cost of a data breach was USD 3.86 million globally and USD 8.64 million in the United States. These costs include discovering and responding to the breach, the cost of downtime and lost revenue, and the long-term reputational damage to a business and its brand. Compromised personally identifiable information (PII) can also lead to a loss of customer trust, regulatory fines and even legal action.

End-to-end encryption offers more than sending encrypted messages. It can also control which users are authorized to access stored data. A centralized privileged user policy management system provides granular control over who has access to what information. Coupled with a centralized key management system that adheres to the Key Management Interoperability Protocol (KMIP), organizations can encrypt and protect data at every level.

How end-to-end encryption is used
Secure communications

Messaging apps like Signal and digital trunked mobile radio standards like TETRA use end-to-end encryption to keep conversations between their users private. Email systems can be configured for E2EE too, but this requires setting up Pretty Good Privacy (PGP) encryption. Users can also choose a service such as ProtonMail or Tutanota, which have PGP built in.

Password management

Password managers like 1Password, BitWarden, Dashlane and LastPass use E2EE to protect a user's passwords. In this case, however, the user is on both endpoints and is the only person with a key.

Data storage

Storage devices often provide E2EE at rest. However, service providers can also offer E2EE in transit in a cloud storage setting, safeguarding users' data from anyone, including the cloud service provider.

How end-to-end encryption works

End-to-end encryption begins with cryptography, a method for protecting information by transforming it into an unreadable format called ciphertext. Only users who possess a secret key can decipher, or decrypt, the message into plaintext. With E2EE, the sender or creator encrypts the data, and only the intended receiver or reader can decrypt it.

Asymmetric, or public-key, cryptography encrypts and decrypts the data using two separate cryptographic keys. The public key is used to encrypt a message that is sent to the public key's owner. The message can then be decrypted only with the corresponding private key, also known as the decryption key. For example, the Transport Layer Security (TLS) encryption protocol keeps third parties from intercepting messages in transit.

In password management and terrestrial trunked radio (TETRA), the user is both the encryptor and decryptor. For example, with TETRA end-to-end encryption, the receivers generate the encryption keys using a key management center (KMC) or a key management facility (KMF). Then, they retrieve the encrypted data for decryption.

Symmetric encryption is a type of encryption where only one secret symmetric key is used to encrypt the plaintext and decrypt the ciphertext.

Challenges with E2EE
Endpoint security

E2EE only encrypts data between the endpoints, which means the endpoints themselves remain vulnerable to attack. Therefore, enterprises implement endpoint security to protect data beyond its time in transit.

Man-in-the-middle (MITM) attacks

Attackers can insert themselves between two endpoints to eavesdrop on and intercept messages. They impersonate the intended recipient, swap in their own keys in place of the real decryption keys, and forward the message to the actual recipient without being detected.

Backdoors

Whether or not companies intentionally build backdoors into their encryption systems, cyber attackers can introduce and use them to undermine key negotiation or bypass encryption.
