What is end-to-end encryption and how does it work?

End-to-end encryption is the most secure way to communicate privately and securely online. By encrypting messages at both ends of a conversation, end-to-end encryption prevents anyone in the middle from reading private communications.

Until recently, end-to-end encryption (E2EE) was the sole domain of the tech savvy because of the complicated operations required to use it. However, recent technological advances have made end-to-end encryption much easier to use and more accessible. In this article, we will explain what is end-to-end encryption and what advantages it offers over regular encryption.

What is end-to-end encryption (E2EE)?

When you use E2EE to send an email or a message to someone, no one monitoring the network can see the content of your message — not hackers, not the government, and not even the company (e.g., ProtonMail) that facilitates your communication.

This differs from the encryption that most companies already use, which only protects the data in transit between your device and the company’s servers. For example, when you send and receive an email using a service that does not provide E2EE, such as Gmail or Hotmail, the company can access the content of your messages because they also hold the encryption keys. E2EE eliminates this possibility because the service provider does not actually possess the decryption key. Because of this, E2EE is much stronger than standard encryption.

How does end-to-end encryption work?

To understand how E2EE works, it helps to look at a diagram. In the example below, Bob wants to say hello to Alice in private. Alice has a public key and a private key, which are two mathematically related encryption keys. The public key can be shared with anyone, but only Alice has the private key.

First, Bob uses Alice’s public key to encrypt the message, turning “Hello Alice” into something called ciphertext — scrambled, seemingly random characters.

Bob sends this encrypted message over the public internet. Along the way, it may pass through multiple servers, including those belonging to the email service they’re using and to their internet service providers. Although those companies may try to read the message (or even share them with third parties), it is impossible for them to convert the ciphertext back into readable plaintext. Only Alice can do that with her private key when it lands in her inbox, as Alice is the only person that has access to her private key. When Alice wants to reply, she simply repeats the process, encrypting her message to Bob using Bob’s public key.

Advantages of end-to-end encryption services

There are several advantages of E2EE over the standard encryption that most services utilize:

  • It keeps your data safe from hacks. E2EE means fewer parties have access to your unencrypted data. Even if hackers compromise the servers where your data is stored (e.g., the Yahoo mail hack), they cannot decrypt your data because they do not possess the decryption keys.
  • It keeps your data private. If you use Gmail, Google can know every intimate detail you put in your emails, and it can save your emails even if you delete them. E2EE gives you control over who reads your messages.
  • It’s good for democracy. Everyone has the right to privacy. E2EE protects free speech and shields persecuted activists, dissidents, and journalists from intimidation.

These are the reasons we built ProtonMail. As the first and largest secure email provider, we protect millions of users every day. End-to-end encryption is the technological backbone of our vision for a more private and secure internet.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!

About the Author

Proton Team

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.


Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

44 comments on “What is end-to-end encryption and how does it work?

  • In PGP messages subject lines are not encrypted (as far as I understand), how is this in Protonmail?

  • I just received my Protonmail account. Thank you! When I went through the account setup process I observed that my key pair was created. I have used Enigmail (gpg) in which I distribute my public key either manually or by use of a key server. I am responsible for maintaining and securing my private key locally.

    Am I correct in understanding that Protonmail serves the function of a public key server AND stores an encrypted copy of my private key (encrypted with my mailbox key)?


  • I have just registered with you after seeing the TED show. I want privacy. I will pay for or contribute for it. I succeeded in registering with you, but I am not sure. Could you confirm that i can now send an encrypted message-I think I sent one to my sister in USA- I am in the UK. My most important question to you is what do I have to do so that my recipient is able to reply safely as I did to him using my encrypted Proton mail ??? Please explain how I get the people I want on my encrypted contact list -do they have to register also like I did ? R Marbois

    • You can send an encrypted message to a non-ProtonMail user, but the easiest way is to also get your contacts to sign up for ProtonMail. Then all of the encryption is automatic and seamless.

  • Looking at the picture above, I am wondering if you, the ProtonMail staff, can read the Meta data such as the subject header, recipient as well as the sender data ?

  • Sincere Gratitude and Thanks for pushing the envelope of privacy and becoming the true innovators. Your/Our shared vision of securing privacy and promoting what should naturally be civil liberties is great respected and sincerely appreciated. During these tumultuous If times it refreshing to be on the right side of history. When it’s all done and said. The only true question will be how did we as individual make a positive impact in our lives. Did our lives make things better or worst for humanity? Did we help ease the suffering and push humanity to become better or not? Because at the end of the day, at the end of our time here in earth. We will be asked, did we help? And evolve as a species or did we fail as a species? May Peace Prevail On Earth.

  • Hello,

    Thank you again for the Development of Protonmail!
    I just have a quick question: is an email sent through protonmail to another email provider using the same end-to-end encryption technology still secured (i.e. without using a shared passphrase in a link)?

  • Hi
    I am using protonmail since a couple of months and think it’s great! Thx for the great work.

    What I couldn’t find explained on your website so far (maybe I missed it?) was an explanation about the encryption “mechanics” when a protonmail user sends an email to an arbitrary other email address (say gmail to be specific). I understand that on your server the email is encrypted and that for two protonmail users the end-to-end encryption works perfectly fine. However, when the content of the email is actually transferred to a third party email provider (say gmail), I reckon this would need to happen in plain-text (smtp / non-encrypted), and could in principle be eavesdropped by anyone. This is also confusing since it would imply that also you would need to have access to the un-encrypted email content, at least at the moment when you send the content to the third party email provider, contrary to what you claim.

    Thx Matthias

  • If I send a pdf document with PHI by just pressing SEND in protonmail to an email address that is supported by that person’s healthcare organization with whom they are employed, is it still secure?

    • Only if you remember the forgotten password. Unfortunately, we cannot help in this case, which is why it is very important to not forget the password you set for your ProtonMail account.

  • You have explained how the encryption works when both Bob and Alice use PKI but what happens if a Proton user wants to send email to an email system that does not use PKI (which must be the majority of email users today?)

    When I test the email arrives unencrypted.

  • Are my attachments also encrypted? I’m working with an attorney and need to send unredacted medical documents to the attorney. My Adobe Pro is not working well. Takes too long to upload and download. Even to load a document from the local file.

    • Hi Paul! Those messages are secured by TLS encryption in transit. At rest, the messages are secured on our servers with zero-access encryption, meaning we never have access to the message. However, Gmail or Hotmail would still be able to read your emails on the recipient’s end.

  • How are “regular” (i.e. non-ete-encrypted) stored? Can you access those? And what about the metadata? Can you see e.g. what banks, doctors etc. I am communicating with?