End-to-End Encryption

End-to-end encryption prevents third parties from reading data while it is in transit from one end system to another. In this scenario, even the operators of the network nodes that relay the communication cannot see the payload in plaintext.

Here's how it works, using a secure enclave and a hybrid scheme: a fresh AES key protects the message, and an RSA key pair held by the enclave protects that AES key.

Encryption:

  • Your device generates a fresh, single-use AES key for symmetric encryption, so that even a large message can be encrypted and decrypted quickly.

  • The message is encrypted with this AES key, turning the plaintext into ciphertext. Use an authenticated mode such as AES-GCM with a unique nonce per message, so that any modification of the ciphertext in transit is detected at decryption time.

  • The AES key is encrypted with a public RSA key that belongs to the secure enclave. Only the enclave, which holds the matching private RSA key, can recover the AES key. Your device must verify that this public key really does belong to the recipient's enclave (for example, through the enclave's attestation) before using it; otherwise an intermediary could substitute its own key and read every message.

Transmission:

  • The ciphertext and the encrypted AES key are sent across the internet.

  • The encrypted AES key travels in the x-encrypted-key header, alongside the ciphertext.

  • Anyone who intercepts the traffic, including node operators, cannot read it: without the private RSA key they cannot recover the AES key, and without the AES key they cannot decrypt the message.

Decryption:

  • On arrival, the receiver's device hands the request to its secure enclave, an isolated, protected region of the processor, which uses its private RSA key to decrypt the encrypted AES key. The private key never leaves the enclave.

  • The secure enclave then uses the recovered AES key to decrypt the ciphertext, restoring the original, readable message. With an authenticated mode, this step also rejects any ciphertext that was altered in transit.

The secure enclave isolates the decryption process from the rest of the system, adding an extra layer of protection. Even if the network is compromised or the node operators are malicious, they cannot obtain the private RSA key or the plaintext. Only the intended recipient, whose private RSA key is stored inside its enclave, can decrypt and read the message. Note what this does and does not cover: the scheme hides the contents of a message from intermediaries, but not the fact that a message was sent or its size, and its guarantee rests on the sender having verified that the public RSA key belongs to the recipient's enclave.
