
What is end-to-end encryption?

Securing data from sender to recipient

End-to-end encryption (E2EE) is a model for secure data transmission in which confidentiality, integrity and authenticity are preserved across the entire transmission path. To achieve this, sender and recipient use a symmetric key that has been exchanged in advance, typically using methods like RSA or Diffie-Hellman. The sender encrypts the data with this key and the recipient decrypts it. Because only the sender and recipient know the key, intermediary nodes, such as network operators, ISPs or attackers, cannot access the communication. This prevents data-in-motion from being manipulated or extracted.
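The model described above, as an added example that is not from the original page: two endpoints agree on a key with Diffie-Hellman, and a relay node that forwards the message can neither read it nor modify it without detection. Assumptions: the 255-bit group, the HMAC-based stream cipher and all function names are constructed for illustration in place of a vetted key exchange and AEAD cipher, and the public values are assumed to reach the other endpoint unmodified.

```python
import hashlib, hmac, secrets

# Constructed toy parameters: a 255-bit prime group keeps the example short.
P, G = 2**255 - 19, 2

def dh_keypair():
    """Return (private, public) for one endpoint."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_keys(priv, peer_pub):
    """Derive separate encryption and MAC keys from the DH shared secret."""
    shared = pow(peer_pub, priv, P).to_bytes(32, "big")
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption).
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc, mac = keys
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(enc, nonce, plaintext)
    return body + hmac.new(mac, body, hashlib.sha256).digest()

def unseal(keys, blob):
    """Verify the tag before decrypting; reject anything modified in transit."""
    enc, mac = keys
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("message was modified in transit")
    return _xor_stream(enc, body[:16], body[16:])

def relay(blob, tamper=False):
    """Intermediary node: forwards bytes, optionally flipping one ciphertext bit."""
    if tamper:
        blob = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    return blob

if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()          # sender
    b_priv, b_pub = dh_keypair()          # recipient
    wire = seal(session_keys(a_priv, b_pub), b"transfer 100 EUR to account 42")
    print(unseal(session_keys(b_priv, a_pub), relay(wire)))
    try:
        unseal(session_keys(b_priv, a_pub), relay(wire, tamper=True))
    except ValueError as e:
        print("rejected:", e)
```

The relay only ever handles `nonce || ciphertext || tag`; without one of the two private values it cannot derive the session keys, and any change it makes invalidates the tag.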

Where is end-to-end encryption used?

End-to-end encryption is a core component of digital communications, including online banking via secured HTTPS connections and messaging apps that use the Signal protocol.
End-to-end encryption protects user privacy by securing data from the sender to the recipient.

Scaling end-to-end encryption

Since a unique key must be exchanged for each encrypted connection, scalable E2EE depends on asymmetric key exchange.

End-to-end vs transport encryption – key differences in data protection

Unlike end-to-end encryption, transport encryption – also called point-to-point encryption – does not secure data across the full path from sender to recipient. Instead, data may appear in plain text at one or more nodes, such as servers or network elements. This method is used in older chat applications or unencrypted email. While the connection between the user and the service provider is often protected and network operators have no access to the data, the service provider can access and, in theory, modify it.

The limits of end-to-end encryption

Even with end-to-end encryption in place, metadata remains visible to network operators, attackers and other intermediaries.

Layered encryption strategies to reduce metadata exposure

Even with end-to-end encryption, metadata cannot be fully protected because certain information – such as routing or path selection – is necessary for basic network functionality. However, combining encryption across multiple protocol layers can significantly reduce the volume of exposed metadata. A multi-layer approach – from OTNsec at the optical layer to MACsec at the Ethernet level and VPN solutions like IPsec – helps protect both user data and metadata. This strategy minimizes the attack surface by leveraging multiple independent encryption technologies. Adva Network Security provides robust, multi-layer encryption solutions that support end-to-end security across optical and packet networks.