End-to-End Encryption (E2EE)
What is end-to-end encryption? Learn how E2EE works, why it is essential for secure file transfers, and how it protects your data from unauthorized access.
Definition
End-to-End Encryption (E2EE) is a communication method in which data is encrypted on the sender's device and only decrypted on the recipient's device. Throughout the entire transmission, including storage on intermediate servers, the data remains encrypted. No third party, including the service provider itself, can read the contents in plain text.
E2EE relies on asymmetric cryptography, where a public key is used for encryption and a private key for decryption. In practice, a hybrid approach is commonly used: the actual content is encrypted with a symmetric key (e.g., AES-256), and this symmetric key is then encrypted with the recipient's public key for transmission. This combines the speed of symmetric encryption with the key distribution advantages of asymmetric encryption.
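The hybrid approach described above, as an added example (not part of the original page and not SendMeSafe's code), written against Node.js's built-in crypto module. The choice of RSA-OAEP for key wrapping and GCM as the AES mode, the names `seal`, `unseal` and `demo`, and the sample message are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumption: RSA-OAEP with SHA-256 wraps the symmetric key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Sender's device: encrypt the content with a fresh AES-256 key, then wrap
// that key with the recipient's public key. Only the envelope leaves the device.
function seal(plaintext, recipientPublicKey) {
  const contentKey = crypto.randomBytes(32); // one AES-256 key per file
  const iv = crypto.randomBytes(12);         // 96-bit GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, contentKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Recipient's device: unwrap the AES key with the private key, then decrypt.
// Throws if the key does not match or the ciphertext was modified.
function unseal(envelope, recipientPrivateKey) {
  const contentKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", contentKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

function tryUnseal(envelope, privateKey) {
  try { return unseal(envelope, privateKey); } catch { return null; }
}

// What each party can do with the envelope an intermediate server would store.
function demo() {
  const recipient = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const outsider = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const message = Buffer.from("constructed sample: confidential client file");
  const envelope = seal(message, recipient.publicKey);

  // Flip one bit of the stored ciphertext to simulate tampering on the server.
  const tampered = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;

  return {
    recipientReads: tryUnseal(envelope, recipient.privateKey)?.equals(message) === true,
    plaintextVisibleInEnvelope: envelope.ciphertext.includes(message),
    outsiderReads: tryUnseal(envelope, outsider.privateKey) !== null,
    tamperingAccepted: tryUnseal(tampered, recipient.privateKey) !== null,
  };
}
```

Only the holder of the recipient's private key recovers the file; anyone holding just the envelope, including the server that stores it, gets ciphertext, and a modified envelope is rejected by the GCM authentication tag.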
Simply Explained
Imagine you want to send a confidential letter to a business partner. You place the letter in a chest and lock it with a padlock to which only your partner has the key. Even the courier who transports the chest cannot open it. Even if someone intercepts the chest along the way, the contents remain protected.
That is exactly how end-to-end encryption works: your file is placed in a digital chest on your device and locked. Only the intended recipient has the matching digital key to open the chest. All intermediate stations, whether servers, networks, or cloud storage, see only the locked chest but never the contents.
Why Does It Matter?
In an era where cyberattacks and data leaks are everyday occurrences, end-to-end encryption is one of the most effective protective measures for confidential data:
- Protection Against Interception: Even if an attacker intercepts the data transmission (man-in-the-middle attack), they cannot read the encrypted contents.
- Protection Against Server Breaches: If a hacker breaks into the servers of a service provider, they find only encrypted data that is worthless without the users' private keys.
- GDPR Compliance: Article 32 of the GDPR requires appropriate technical measures to protect personal data. Encryption is cited as one of the most important measures.
- Trust Building: Clients and customers trust businesses more when they demonstrably use strong encryption for data exchange.
- Industry Requirements: In regulated industries such as healthcare, legal services, and financial services, encryption is often legally mandated.
The difference from simple transport encryption (SSL/TLS) is crucial: with SSL/TLS, the connection between two points is encrypted, but the server in the middle can read the data in plain text. With E2EE, even the server is blind.
Practical Example
A law firm regularly exchanges confidential client documents with courts, expert witnesses, and other law firms. Until now, the firm used a basic cloud storage system that offered an SSL/TLS connection for uploads but stored files unencrypted on the server.
A former employee of the cloud provider gained access to the servers and was able to view client files in plain text. Although transport encryption was intact, the data on the server was unprotected. The firm suffered a massive loss of trust and had to notify all affected clients in accordance with data breach reporting requirements.
With end-to-end encryption, this scenario would have been prevented: even with access to the server, the attacker would have found only encrypted data that was unreadable without the private keys of the firm and its partners.
How SendMeSafe Implements This
SendMeSafe implements multiple layers of encryption to ensure the highest level of protection for your files:
- Encryption in Transit: All file transfers use TLS 1.3 encrypted connections. The use of pre-signed URLs ensures that files are transferred directly and securely to the storage location.
- Encryption at Rest: All stored files are encrypted with AES-256 on the server.
- Access Control: Upload links can be password-protected so that only authorized individuals can submit files.
- Temporary Access Tokens: Pre-signed URLs have a limited validity period. After expiration, the file can no longer be accessed through that URL.
- No Third-Party Access: Since SendMeSafe is hosted exclusively on German servers, the data is not subject to access by foreign authorities or companies.
- Protected Share Links: When sharing files via share links, you can set password protection, download limits, and expiration dates to precisely control access.
Frequently Asked Questions
What is the difference between end-to-end encryption and transport encryption?
Transport encryption (SSL/TLS) protects data only during transmission between two points, for example between your browser and the server. On the server itself, the data is available in plain text. End-to-end encryption goes further: data is encrypted on your device and only decrypted at the recipient's end. The server in between sees only encrypted data. For maximum protection, both methods should be combined.
Does end-to-end encryption slow down file transfers?
Modern encryption algorithms like AES-256 are extremely efficient and are directly supported by current hardware (hardware acceleration). In practice, the speed difference compared to unencrypted transfer is barely measurable. At SendMeSafe, encryption occurs transparently in the background without any noticeable difference.
Can law enforcement access end-to-end encrypted data?
With true end-to-end encryption, even the service provider cannot decrypt the data because they do not possess the users' private keys. Handing over data in plain text is technically impossible. This is a deliberate design decision that prioritizes user privacy. Authorities can seize the encrypted data, but without the keys, they cannot read the contents.