Encryption
Encryption scrambles data so that only someone with the right key can read it. Without the key, the data looks like noise.

Why it matters
Most information transmitted over the internet passes through many different systems on its way from sender to recipient. Without encryption, anyone along that path (internet providers, network operators, service companies, or someone who has compromised one of those systems) could read it.
Encryption makes that interception useless. Even if someone intercepts the data, they can't read it without the key.
Three types worth understanding
These terms come up frequently and are often confused.
End-to-end encryption (E2EE)
End-to-end encryption means the data is encrypted on your device and only decrypted on the recipient's device. No one in between, including the company running the service, can read it.
This is what Signal and other private messaging apps use for messages. It means the messaging company cannot read your conversations, even if they wanted to or were required to hand them over.
End-to-end encryption is the strongest form for communications privacy, because it removes the service provider from the trust equation for content.
Encryption in transit (TLS/HTTPS)
Encryption in transit, the kind used by HTTPS, protects data while it's moving between your device and a server. The padlock icon in your browser indicates this is active.
This protects against eavesdropping on the connection. But the server at the destination can still read your data. The company running the server has access to what you sent; it is only protected from people watching the network in between.
This is how most websites, email providers, and cloud services work by default. It's much better than nothing, but it's not end-to-end encryption.
Encryption at rest
Encryption at rest means data is stored in encrypted form on a device or server. If someone physically steals the storage, they can't read the data without the key.
Full-disk encryption on your phone or laptop is an example. It protects your data if your device is lost or seized, but not from the operating system or apps while the device is unlocked and in use.
What encryption helps with
- Protecting messages and files from being read by people who intercept them in transit
- Making data unreadable if a device is physically stolen (encryption at rest)
- Keeping communication content private from service providers (end-to-end encryption only)
- Providing a meaningful baseline of protection against opportunistic interception
What encryption does not do
This is where many people have inaccurate expectations.
Encryption does not hide metadata. Who you communicated with, when, and from where are often not encrypted. A messaging app can encrypt every message while still recording exactly who talked to whom and when. See the Metadata page for more on this.
Encryption does not protect you if someone has access to your unlocked device. Once a device is unlocked, encrypted data is decrypted and accessible. Encryption protects against someone who gets hold of the physical device, not someone sitting next to you.
In-transit encryption doesn't keep data private from the server. HTTPS protects your data from your device to the server. After that, the server operator can see it. If you're using a service that doesn't offer end-to-end encryption, the company can read what you're storing or sending through them.
Encryption does not verify who you're talking to on its own. Encrypted communication can still be intercepted by someone who positions themselves between you and your intended recipient (a "man in the middle" attack). Certificate systems and key verification exist to address this, but they require some understanding to use correctly.
Encryption is not permanent protection. Data encrypted today could theoretically be decrypted in the future if encryption standards are broken or computing power advances sufficiently. This is a concern primarily for highly sensitive long-term secrets, not everyday communications.
Tradeoffs to be aware of
Stronger encryption sometimes involves more complexity. End-to-end encrypted tools may require both parties to use the same app. Verifying encryption keys adds steps most people skip. Some features, like message search or backup, become harder or impossible when data is end-to-end encrypted, because the service can't access the data to index or store it.
"Military-grade encryption" is a marketing phrase, not a meaningful technical claim. The underlying encryption algorithms used by mainstream apps are generally well-studied and considered strong. The weak points are usually elsewhere: key management, device security, metadata, and how well the service actually implements what it claims.
Practical starting points
- Check whether the apps you use for sensitive communication offer end-to-end encryption, and verify it's enabled by default, not an opt-in feature
- Enable full-disk encryption on your phone and laptop if it isn't already (most modern devices have this option in settings)
- Understand that HTTPS protects your connection but not your data from the service you're using
- If you need to share sensitive files, use a tool that encrypts the file itself, not just the connection
Going deeper
How encryption actually works (simplified). Modern encryption relies on mathematical problems that are easy to compute in one direction and practically impossible to reverse. Public-key encryption (used in HTTPS and end-to-end encrypted messaging) uses a pair of keys: a public key anyone can use to encrypt data, and a private key only you hold to decrypt it. Because only the public keys ever need to be sent, this allows two parties to establish a shared secret even over an unsecured connection.
Key verification. End-to-end encryption systems generate key pairs on your device. When you communicate with someone, your app uses their public key to encrypt messages so only their private key can decrypt them. The risk is that someone could substitute a different public key, impersonating the recipient. Verifying safety numbers (in Signal) or fingerprints in other apps is how you confirm you actually have the real person's key.
Forward secrecy. Some systems generate new encryption keys for every session or even every message. This means that even if a private key is compromised later, past messages can't be decrypted. Signal uses this approach. It's a meaningful improvement in long-term security.
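The three points above (establishing a shared secret over an untrusted connection, verifying that you hold the real person's key, and forward secrecy from per-session keys) as one added Python example. This is illustration code written for this page, not code from the page's author or from Signal. It assumes a toy Diffie-Hellman group (the prime 2**521 - 1 with generator 5, chosen so the numbers look realistic, not a standardized parameter set), hypothetical parties named Alice, Bob and an untrusted relay, and SHA-256 standing in for a real key derivation function; it uses only the standard library and is meant for reading, not for protecting real data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy parameters (assumption for this example): P is the Mersenne prime
# 2**521 - 1, a genuine prime but not a standardized Diffie-Hellman group,
# and G is an unvetted generator. Real systems use vetted groups or curves.
P = 2**521 - 1
G = 5
KEY_BYTES = (P.bit_length() + 7) // 8


@dataclass(frozen=True)
class KeyPair:
    private: int   # never leaves the device
    public: int    # may be sent over any channel, even an untrusted one


def generate_keypair() -> KeyPair:
    private = secrets.randbelow(P - 2) + 1          # random exponent in [1, P-2]
    return KeyPair(private, pow(G, private, P))     # public = G^private mod P (the easy direction)


def shared_secret(my_private: int, their_public: int) -> bytes:
    """Both sides compute the same value: (G^b)^a == (G^a)^b mod P.
    Recovering a private exponent from a public value is the hard direction.
    SHA-256 here is a stand-in for a proper key derivation function."""
    raw = pow(their_public, my_private, P)
    return hashlib.sha256(raw.to_bytes(KEY_BYTES, "big")).digest()


def fingerprint(public: int) -> str:
    """Short, human-comparable digest of a public key (the idea behind safety numbers)."""
    digest = hashlib.sha256(public.to_bytes(KEY_BYTES, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 20, 4))


def fingerprints_match(shown_in_app: str, read_out_by_contact: str) -> bool:
    return hmac.compare_digest(shown_in_app, read_out_by_contact)


def agreement_over_untrusted_channel() -> bool:
    """Only public keys cross the network; the shared key is never sent."""
    alice, bob = generate_keypair(), generate_keypair()
    return shared_secret(alice.private, bob.public) == shared_secret(bob.private, alice.public)


def substituted_key_detected() -> dict:
    """An untrusted relay hands Alice its own public key in place of Bob's.
    Alice and Bob then hold different keys, and comparing fingerprints out of
    band (reading safety numbers aloud, for instance) reveals the substitution."""
    alice, bob, relay = generate_keypair(), generate_keypair(), generate_keypair()
    key_alice_thinks_is_bobs = relay.public          # what Alice actually received
    alice_key = shared_secret(alice.private, key_alice_thinks_is_bobs)
    bob_key = shared_secret(bob.private, alice.public)
    return {
        "alice_and_bob_agree": alice_key == bob_key,
        "fingerprints_match": fingerprints_match(
            fingerprint(key_alice_thinks_is_bobs),   # shown in Alice's app
            fingerprint(bob.public),                 # what Bob reads out
        ),
    }


def session_key(my_identity: KeyPair, my_ephemeral: KeyPair,
                their_identity_public: int, their_ephemeral_public: int) -> bytes:
    """Mix a long-term (identity) DH with a one-session (ephemeral) DH.
    Simplified: real protocols such as Signal's combine more terms than this."""
    ephemeral_part = shared_secret(my_ephemeral.private, their_ephemeral_public)
    identity_part = shared_secret(my_identity.private, their_identity_public)
    return hashlib.sha256(ephemeral_part + identity_part).digest()


def forward_secrecy_demo() -> dict:
    """Ephemeral keys are erased after the session, so a later exposure of the
    long-term private keys does not hand over the old session key."""
    alice_id, bob_id = generate_keypair(), generate_keypair()
    alice_eph, bob_eph = generate_keypair(), generate_keypair()
    k_alice = session_key(alice_id, alice_eph, bob_id.public, bob_eph.public)
    k_bob = session_key(bob_id, bob_eph, alice_id.public, alice_eph.public)
    del alice_eph, bob_eph     # session over: ephemeral private keys are discarded
    # A second session with fresh ephemerals produces an unrelated key.
    alice_eph2, bob_eph2 = generate_keypair(), generate_keypair()
    k_next = session_key(alice_id, alice_eph2, bob_id.public, bob_eph2.public)
    # Whoever later obtains both identity private keys can recompute the
    # identity half, but the ephemeral half would require a discrete logarithm.
    identity_only = shared_secret(alice_id.private, bob_id.public)
    return {
        "both_sides_agree": k_alice == k_bob,
        "next_session_key_differs": k_alice != k_next,
        "identity_dh_alone_is_not_session_key": identity_only != k_alice,
    }


if __name__ == "__main__":
    print("agreement over untrusted channel:", agreement_over_untrusted_channel())
    print("substituted key:", substituted_key_detected())
    print("forward secrecy:", forward_secrecy_demo())
```

Running the script shows agreement succeeding when the keys arrive untouched, both checks failing when a relay swaps in its own key (which is exactly what comparing safety numbers catches), and a session key that neither a later session nor the long-term keys alone can reproduce.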
The limits of current quantum computing. There's ongoing work on quantum-resistant encryption algorithms in anticipation of future computing capabilities. For everyday use today, this isn't a practical concern, but it's an active area of research and will eventually affect what encryption standards are recommended.
Foldy tip
Encryption is worth understanding, even if you do not need every technical detail.
Related pages
- Metadata: what encryption doesn't protect
- What is privacy: the broader context
- Threat modeling: helps you decide what level of encryption matters for your situation
- Signal: an example of strong end-to-end encryption in practice
- Proton Mail: end-to-end encrypted email