What is end-to-end encryption and how does it work?

Share this page

The most private and secure way to communicate online is by using end-to-end encryption. If you send an end-to-end encrypted message, it is encrypted on your device (your iPhone, Android, or laptop), and it is not decrypted until it reaches the device of the person you sent the message to. This prevents anyone besides you and the person you are sending the message to from reading your private communications.

End-to-end encryption (E2EE) has historically been very complicated, which limited who could effectively use it. An early iteration of E2EE for email, known as Pretty Good Privacy (PGP), required you to handle the encryption keys yourself, making it notoriously difficult even for tech-savvy users.

However, recent technological advances (such as Proton Mail) have made end-to-end encryption much easier to use and more accessible. In this article, we will explain what end-to-end encryption is and what advantages it offers over other types of encryption.

What is end-to-end encryption (E2EE)?

Encryption is the process of scrambling human-readable data (for example, a plaintext email) into unreadable ciphertext that only authorized parties can only decode using the right cryptographic key.

End-to-end encryption is the term used for data that is encrypted at every stage of its journey from one device to another. “End-to-end” refers to the beginning of the data’s journey (in the case of email, this is the sender’s device) and where it ends its journey (the recipient’s device).

End-to-end encryption is a method of secure communication that prevents any third parties from accessing the contents of your message while it’s transferred from one device to another or while it is “at rest” on a server. When you use E2EE to send an email or message to someone, no one else can see the contents of your message — not your network administrator, not your internet service provider (ISP),  not hackers, not the government, and not even the company (e.g., Proton Mail) that facilitates your communication. This is because only the recipient has the key to decrypt the encrypted data.

How does end-to-end encryption work?

To understand how end-to-end encryption works for email, it helps to look at a diagram. In the example below, Bob wants to say hello to Alice in private. Alice has a public key and a private key, which are two mathematically related encryption keys. The public key can be shared with anyone, but only Alice has access to her private key.

First, Bob uses Alice’s public key to encrypt the message, turning “Hello Alice” into ciphertext — scrambled, seemingly random characters.

Bob sends this encrypted message over the public internet. Along the way, it may pass through multiple servers, including those belonging to their email service internet service providers. Although those companies may try to read the message (or even share it with third parties), it is mathematically impossible for them to convert the ciphertext back into readable plaintext. Only Alice can decrypt the message with her private key when it lands in her inbox, as Alice is the only person that has access to her private key. When Alice wants to reply, she simply repeats the process, encrypting her message to Bob using Bob’s public key.

What is the difference between E2EE and other types of encryption?

End-to-end encryption is unique in comparison to other types of encryption because only the sender and receiver are able to decrypt and read the data that has been encrypted. This differs from other types of encryption, such as Transport Layer Security (TLS. TLS is the encryption used in HTTPS, and is responsible for encrypting most of the internet, including your  connection to our blog right now. However, TLS  is only implemented between you and a server, rather than between you and your recipient.

This works fine if you are connecting to a website to read its blog, but it is a problem if you’re sending an email. When you use a standard email provider, such as Gmail or Hotmail, your emails will be protected in transit by (TLS). However, once an email arrives at these companies’ servers, it is decrypted. Most companies will then re-encrypt your message while it is stored on their servers, but using keys they control. This means that the company can decrypt and access the contents of your message at any time.

Services that use end-to-end encryption eliminate this possibility because the service provider does not actually possess the decryption key, making E2EE much more secure than other kinds of encryption. 

Advantages of end-to-end encryption services

End-to-end encryption offers multiple advantages over other types of encryption. Protecting your data with E2EE makes you less vulnerable to leaks or attacks, prevents your government or ISP from snooping on you, and even helps defend democracy.

E2EE keeps your data safe from hacks

When you use end-to-end encryption, fewer parties have access to your unencrypted data. Even if hackers compromised the servers where your encrypted data is stored (as was the case with the Yahoo Mail hack), they would not be able to decrypt your data because they would not possess the decryption keys.

E2EE keeps your data private

End-to-end encryption prevents anyone from accessing your data, including the email service you are using. In contrast, if you use an email service that does not use end-to-end encryption, such as Gmail, it can access every intimate detail stored in your emails at any time, for any reason, without you ever knowing. Using an end-to-end encrypted email service gives you control over who can read your emails.

E2EE is good for democracy

Everyone has a right to privacy. End-to-end encryption protects free speech by preventing governments from accessing its citizens’ data and using the information stored in their emails to persecute or intimidate them. This is particularly important for dissidents, activists, and journalists who are fighting oppressive regimes.

How to use end-to-end encryption

Although you can set up end-to-end encryption for some methods of communication by yourself, the easiest and fastest way to use E2EE is to use a service that implements it automatically for you.

As the first and largest end-to-end encrypted email provider, we protect millions of people every day. End-to-end encryption is the technological backbone of our vision for a more private and secure internet. When you use Proton Mail, your messages are automatically encrypted.

You can use end-to-end encryption for free by signing up for a free Proton Mail account. With Easy Switch, you can also transfer your emails and calendars to Proton from other, less private providers.

End-to-end encryption FAQs

What is ciphertext?

Ciphertext is unreadable encrypted data. An encryption algorithm scrambles plaintext (or human-readable data) into ciphertext, which can only be deciphered by a person or device that holds the unique decryption key. Without the decryption key, anyone who intercepted an encrypted message would only see ciphertext — an unreadable string of letters, numbers, and symbols.

What is encrypted with end-to-end encryption?

When you send an end-to-end encrypted message with Proton Mail, the message body and attachments are fully end-to-end encrypted.
If you send an email to a contact who is not using Proton Mail or PGP, the message is only encrypted if you use our Password-protected Emails feature. Otherwise, your message will be encrypted in transit (in most cases) with TLS and will be readable by the email provider of your recipient.
Proton Mail encryption explained

What are encryption keys?

An encryption key is a random string of bits that is used by an encryption algorithm to scramble plaintext into ciphertext. Some types of encryption use the same encryption key to encrypt and decrypt data, though end-to-end encryption uses one key to encrypt a message (a public key) and a different key to decrypt the ciphertext back into readable plaintext (a private key).

What is PGP?

The most popular email encryption system in the world is called PGP, which stands for Pretty Good Privacy. PGP is the encryption technique that transforms your messages into unintelligible ciphertext on your device before they are transmitted over the internet. Additionally, it authenticates the sender’s identity and verifies that the message was not altered while in transit.
Learn more about PGP

Share this page

Related articles

Since Proton began in 2014, we’ve focused on building a better internet where privacy is the default. While there’s still much work to be done, the inclusion of Proton CEO Andy Yen on TIME Magazine’s 100 NEXT list is a positive (and humbling) sign th
When Proton began in 2014, our only service was Proton Mail. Proton VPN, our second service, came out in 2017, and we recently released Proton Calendar and Proton Drive. As we grew and released new services, we realized we needed to unify the Proton
Since we launched Proton Mail in 2014 as the world’s first encrypted email service, Proton’s mission has been to make online privacy and freedom available for all. Today, we’re excited to take an important next step by launching Proton Drive as a fre