What is end-to-end encryption? A plain-English explainer.
End-to-end encryption (E2E) means a message is sealed on your device and only opens on your recipient's device — no one in the middle can read it. Here's how it actually works.
End-to-end encryption (E2E) is the property that a message is sealed on the sender's device, travels through every server as ciphertext, and only opens on the recipient's device.
The cleanest analogy: imagine writing a letter, sealing it in an envelope, and handing it to a courier. The courier delivers it. The courier never opens it. That's end-to-end. With most workspace tools — Slack, Notion, Gmail, Drive — the courier reads every envelope, sometimes makes copies, and stores those copies forever.
Why workspace tools usually don't have it
End-to-end encryption is harder to build than server-side encryption. It changes the trust model: the vendor can't search your data, can't help you recover it if you lose the key, can't show you a preview in their server-rendered email digest.
Most workspace tools market themselves as encrypted — and they are, in transit and at rest. But the keys live on the vendor's servers. Their team has technical access. Their AI features can read your content. Any external request for your data yields cleartext.
What makes E2E real
Real E2E has three properties: keys are generated on your device, never transmitted to the server; encryption happens before the data leaves your device; decryption only happens on the recipient's device. If any of those three break, it's not E2E — even if a vendor calls it that.
Koaich uses nacl.box (X25519 + XSalsa20-Poly1305) for 1:1 messaging, MLS (IETF RFC 9420) for group messaging, and per-document symmetric keys wrapped to each recipient's public key. The server stores ciphertext and operational metadata. It never sees content or unwrapped keys.