How End-to-End Encryption Works
What is End-to-End Encryption?
End-to-end encryption (E2E) is a security method where data is encrypted on the sender's device and can only be decrypted by the intended recipient. The server that stores and transmits the data cannot read it. Even if the server is hacked, attackers only get encrypted gibberish. EasySend uses AES-256-GCM encryption via the Web Crypto API built into modern browsers.
Most file sharing services can read your files. End-to-end encryption makes that impossible. Here is how it works in plain English.
The Problem: Who Can See Your Files?
When you upload a file to a typical service like Google Drive or WeTransfer, your file sits on their servers in a readable format. The company, their employees, law enforcement with a subpoena, or hackers who breach their systems can all potentially access your data.
Even services that advertise "encryption at rest" usually hold the decryption keys themselves. It is like locking your diary in a safe but giving the building manager a copy of the key.
Step 1: You Choose a Password
When you toggle encryption on in EasySend, you create a password. This password never leaves your device. We never see it, store it or have access to it.
Step 2: Your Browser Creates an Encryption Key
Your browser uses your password to derive a cryptographic key through a process called PBKDF2 (Password-Based Key Derivation Function 2). This takes your human-readable password and turns it into a 256-bit key suitable for encryption. The derivation process is intentionally slow to resist brute-force attacks.
Step 3: Files Get Encrypted in Your Browser
Using the derived key, your browser encrypts your file with AES-256-GCM. Breaking this down:
- AES (Advanced Encryption Standard) - the same encryption used by banks, governments and military worldwide
- 256 - the key length in bits. There are more possible keys than atoms in the observable universe
- GCM (Galois/Counter Mode) - provides both encryption and tamper detection
This all happens via the Web Crypto API built into your browser. No plugins, no downloads.
Step 4: Only Encrypted Data Gets Uploaded
The encrypted blob (unreadable gibberish) gets uploaded to our servers. We store it but we cannot read it. Our servers never touch the original file or the encryption key.
Step 5: Recipients Decrypt with the Same Password
When someone clicks your share link, they see a password prompt. They enter the same password you chose. Their browser derives the same key and decrypts the file locally. The decrypted file never touches our servers.
What is "Zero Knowledge"?
Zero knowledge means we have zero knowledge of your file contents. Mathematically, we cannot decrypt your files even if we wanted to. This protects you from:
- Employees at the hosting company viewing your files
- Government requests for your data (we literally cannot comply)
- Hackers who breach our servers (they get encrypted gibberish)
- Us changing our privacy policy in the future
Important: Share the Password Separately
Send the file link via one channel (email, for example) and the password via another (text message). This way, even if one channel is compromised, the attacker still cannot access your files.
What Happens If You Forget the Password?
We cannot recover your files. That is the entire point. If we could recover them, that would mean we have access to your data, which defeats the purpose of zero-knowledge encryption.
Frequently Asked Questions
Is EasySend encryption automatic?
No. Encryption is optional. You toggle it on before uploading and set a password. Without toggling it on, files are uploaded normally (still protected by HTTPS in transit).
Can EasySend see my encrypted files?
No. Files are encrypted in your browser before upload. We only store the encrypted data. We never have the password or the decryption key.
What encryption algorithm does EasySend use?
AES-256-GCM via the Web Crypto API. This is the same standard used by banks and government agencies worldwide.
Can I use encryption AND an access password?
Yes. Access passwords and end-to-end encryption are separate features that work together. The access password gates the download page. The encryption protects the file contents.