What is End-to-End Encryption?

End-to-end encryption differs from transport encryption (like TLS) in a critical way: with transport encryption, the server receives your data in plaintext and re-encrypts it before forwarding. The server operator can read everything. With E2EE, the server only ever handles encrypted data it cannot read.

The concept gained mainstream awareness through messaging apps, but it applies to any system where data passes through an intermediary. Email, file storage, secret sharing, and collaboration tools can all implement E2EE. The key challenge is key exchange — how do the sender and recipient agree on encryption keys without the server being able to intercept them?

Different systems solve the key exchange problem differently. Messaging apps typically use public-key cryptography and key agreement protocols. Simpler systems may embed the key directly in a shared URL or derive it from a shared password. The common thread is that the server never has access to the decryption key at any point in the process.

How Vaulted uses End-to-End Encryption

Vaulted implements end-to-end encryption by performing all cryptographic operations in the browser. The sender's browser generates an AES-256-GCM key, encrypts the secret, and embeds the key in the URL fragment. The recipient's browser extracts the key from the fragment and decrypts the ciphertext retrieved from the server. The Vaulted server is an intermediary that stores and delivers encrypted data but never has the ability to decrypt it.