End-to-end encryption: How does it work?
With threats looming constantly in the digital world, using end-to-end encryption and digital signatures has become a necessity to protect your data online. Read this article to learn how these two work together in Mailfence.
What is end-to-end encryption?
Let’s first explain what end-to-end encryption is.
End-to-End Encryption (E2EE)
End-to-end encryption or E2EE is a method of securing data in transit (while moving from the source to its destination).
In simple terms, data in plaintext goes through an encryption algorithm, which produces a ciphertext. There are two types of encryption algorithms – symmetric and asymmetric encryption.
Symmetric encryption includes:
- AES
- DES
- RC4
- RC5
- RC6
- Blowfish
- Twofish
- Etc
Asymmetric encryption includes:
- RSA
- Elliptic Curve
- Diffie-Hellman
Here we explain how E2EE works in more detail.
With End-to-End Encryption, the sender encrypts the data on their system and only the intended recipient can decrypt it. If the recipient can’t decrypt the message then it remains stored on Mailfence’s server (still encrypted, we don’t have the key to decrypt your messages, only you do), at least until the sender deletes it on their end.
With the email thus protected nobody in between (an internet/application service provider, surveillance programs, or a hacker, …) can read or tamper with it – thus providing a great deal of confidentiality and protection to all communications.
How does Mailfence do it?
Mailfence’s secure and private email suite uses OpenPGP.
We leverage OpenPGP.js – a JavaScript implementation of the OpenPGP standard, which is open-source and well-audited. It allows us to perform the cryptographic operations of encryption and decryption on the client side.
Every crypto process encapsulates a series of different steps working back and forth between the client and the server over TLS/SSL – in order to successfully carry out a particular operation. Below you will find a step-by-step linear diagram that illustrates how Mailfence End-to-end encryption and digital signatures function along with other relevant details.
Visit our knowledge base article for a summary of the benefits Mailfence offers.
[Diagram: Mailfence to Mailfence]

[Diagram: Mailfence to other providers]

Key generation
- The client browser requests the specific key-generation code from the server after receiving a request from the user – and the server sends that specific code to the client’s browser.
- Next, the key is generated on the user’s device (in the browser) and encrypted with the passphrase via AES-256. The public key at this point also gets published on public key servers (the user needs to opt in for this).
- The encrypted key is then pushed onto the server from the user’s browser – so that a user can access it at any time from any device.
Generate your keypair in 5 easy steps in our Knowledge base.
Passphrase Changing
- The client browser requests the specific passphrase-changing code along with the related encrypted key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- The user decrypts the key by providing the respective passphrase and encrypts it with the new one.
- The key is then pushed back to the server from the user’s browser.
Read how to change your passphrase here.
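The key generation and passphrase change steps above, as an added example that is not Mailfence's code. Node's built-in `crypto` module stands in for OpenPGP.js, and the key is an Ed25519 pair stored as passphrase-encrypted PKCS#8 (AES-256-CBC) rather than an OpenPGP key; all function names are hypothetical.

```javascript
// Added example: Node's built-in crypto stands in for OpenPGP.js (assumption).
const { generateKeyPairSync, createPrivateKey, createPublicKey } = require('node:crypto');

// The private key is stored as passphrase-encrypted PKCS#8 using AES-256.
const wrapOptions = (passphrase) => ({
  type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase,
});

// Key generation: runs on the user's device. Only the wrapped private key
// and the public key are ever handed to the server.
function generateWrappedKey(passphrase) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: wrapOptions(passphrase),
  });
  return { publicKey, wrappedPrivateKey: privateKey };
}

// Unlock the blob fetched from the server; throws on a wrong passphrase.
function unlock(wrappedPrivateKey, passphrase) {
  return createPrivateKey({ key: wrappedPrivateKey, format: 'pem', passphrase });
}

function canUnlock(wrappedPrivateKey, passphrase) {
  try { unlock(wrappedPrivateKey, passphrase); return true; } catch { return false; }
}

// Passphrase change: decrypt with the old passphrase, re-encrypt the same key
// with the new one, and return the blob that is pushed back to the server.
function changePassphrase(wrappedPrivateKey, oldPassphrase, newPassphrase) {
  return unlock(wrappedPrivateKey, oldPassphrase).export(wrapOptions(newPassphrase));
}

// Public key derived from the unlocked private key; re-wrapping must not change it.
function publicKeyOf(wrappedPrivateKey, passphrase) {
  return createPublicKey(unlock(wrappedPrivateKey, passphrase))
    .export({ type: 'spki', format: 'pem' });
}
```

The server in this model only ever holds `wrappedPrivateKey`, so a passphrase change replaces the stored blob without changing the key pair or the published public key.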
Key Revocation
- The client browser requests the specific key revocation code along with the related encrypted key from the server after receiving a request from the user. The server sends that specific code with the related encrypted key to the client’s browser.
- The user decrypts the key by providing the respective passphrase.
- The key then gets revoked and its revocation status also gets published on public key servers. The key then gets encrypted back with the user passphrase.
- The client browser then pushes the encrypted key back to the server.
Learn about key revocation in our dedicated support.
Key Exportation
- The client browser requests the specific key exporting code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- The user then exports (downloads) that encrypted key onto their device.
Here is how to export your keys.
Key Deletion
- The client browser requests the specific key deletion code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- Finally, the user can delete the key from their device.
Check out how to delete your keys easily in our Knowledge base.
Key Expiration Date Modification
- The client browser requests the specific expiration date modification code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- The user decrypts the key by providing the respective passphrase and modifies the expiration date. The user then encrypts the key with their passphrase.
- The client browser then pushes the encrypted key back to the server.
Learn how to modify the key’s expiration date in our Knowledge base.
How to Send a Digitally Signed Email with Mailfence?
Sending a digitally signed email is easy with Mailfence.
- The client browser requests the specific digital signing code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- The user decrypts the key by providing the respective passphrase.
- The email message gets digitally signed (PGP/MIME) and is then sent to the recipient.
- Finally, the user can encrypt the key with their passphrase and push it back to the server.
Check our dedicated knowledge base article to send digitally signed emails.
Sending an encrypted and digitally signed email
- The client browser requests the specific encryption and digital signing code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- The user decrypts the key by providing the respective passphrase.
- The email message gets digitally signed (PGP/MIME), encrypted with the public key of the recipient (OpenPGP), and then gets sent.
- Last, the user needs to encrypt the key with the passphrase and push it back to the server.
For a detailed “How to” user manual regarding end-to-end encryption and digital signatures, please check our knowledge base.
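The sign-then-encrypt step described above, as an added example that is not Mailfence's code and does not produce OpenPGP or PGP/MIME messages. It assumes Node's built-in `crypto` module with an Ed25519 signature and a one-time AES-256-GCM session key wrapped under the recipient's RSA public key (the same hybrid idea OpenPGP uses); function names and the sample message are constructed.

```javascript
// Added example: Node's built-in crypto stands in for OpenPGP.js and the OpenPGP format.
const { generateKeyPairSync, sign, verify, publicEncrypt, privateDecrypt,
  randomBytes, createCipheriv, createDecipheriv, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const SIG_LEN = 64; // Ed25519 signatures are always 64 bytes

// Sender: sign the plaintext, then encrypt signature + plaintext for the recipient.
function signThenEncrypt(message, senderPrivateKey, recipientPublicKey) {
  const body = Buffer.from(message, 'utf8');
  const signature = sign(null, body, senderPrivateKey);
  const sessionKey = randomBytes(32); // one-time AES-256 key
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(signature), cipher.update(body), cipher.final()]);
  // Only the holder of the recipient's private key can recover the session key.
  const wrappedKey = publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: unwrap the session key, decrypt, then verify the sender's signature.
function decryptThenVerify(env, recipientPrivateKey, senderPublicKey) {
  const sessionKey = privateDecrypt({ key: recipientPrivateKey, ...OAEP }, env.wrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', sessionKey, env.iv);
  decipher.setAuthTag(env.tag);
  const plain = Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
  const signature = plain.subarray(0, SIG_LEN);
  const body = plain.subarray(SIG_LEN);
  if (!verify(null, body, senderPublicKey, signature)) throw new Error('signature check failed');
  return body.toString('utf8');
}

// Constructed key pairs and message, for illustration only.
function demo() {
  const sender = generateKeyPairSync('ed25519');
  const recipient = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const env = signThenEncrypt('Quarterly report attached (constructed)',
    sender.privateKey, recipient.publicKey);
  return decryptThenVerify(env, recipient.privateKey, sender.publicKey);
}
```

Because the signature travels inside the ciphertext, anyone relaying the message learns neither the content nor who signed it, while the recipient rejects a message whose signature does not match the expected sender key.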
Vlad has been writing online privacy and security-related content for companies in email privacy, VPN, cloud computing, DNS/WHOIS and other fields since 2014. He started working in email privacy in 2018 before joining Mailfence in 2021. You can follow him on LinkedIn @vladimircovic and on Twitter @covic_vladimir