End-to-End Encryption

Overview

End-to-End Encryption (E2EE) in UnoLock protects data while it moves between intended endpoints so that intermediaries, including UnoLock infrastructure, do not get plaintext access.

This is related to, but not identical to, client-side encryption:

  • Client-side encryption means the data is encrypted on your device before it is transmitted anywhere.
  • End-to-end encryption means the encrypted data stays protected all the way to the intended recipient or endpoint, with no intermediary able to decrypt it in transit.

UnoLock does both:

  • Safe data is encrypted client-side before upload.
  • Messaging payloads are end-to-end encrypted between the sending and receiving endpoints.
  • API payloads are end-to-end encrypted at the application layer, in addition to transport security (TLS).

How It Works

  • Encryption starts on the client: Safe data is encrypted on the client before upload, so plaintext is not handed to the server as part of normal storage flows.
  • Endpoint-only decryption: for messaging and protected API exchanges, only the intended endpoints perform decryption of the protected payloads.
  • Transport protection still applies: TLS 1.3 protects network transport, but it is not the whole security story. UnoLock also protects payloads above the transport layer.
  • Client-held key material: cryptographic key material used for data protection stays under client control rather than being exposed to UnoLock as reusable plaintext secrets.
  • Access via WebAuthn, not passwords: normal Safe access relies on WebAuthn-based access keys rather than passwords.

Security Implications

  • Protection from intermediaries: end-to-end encryption reduces trust in the transport path and in service intermediaries because ciphertext remains protected between endpoints.
  • Server compromise resistance: encrypted payloads and client-held key material limit what a server-side breach can expose.
  • Separation of concerns: WebAuthn authenticates access, encryption protects data, and the PIN adds brute-force resistance and deniability controls. These are different layers, not one blended secret.

Use Cases

  • Safe storage: personal or business records are encrypted client-side before being stored in UnoLock.
  • Vault Messaging: messages and files exchanged through UnoLock are protected end-to-end between sender and recipient endpoints.
  • API use on hostile networks: application-layer protection plus TLS helps preserve confidentiality even when the network path is untrusted.

Why It Matters

People often use "end-to-end encrypted" and "client-side encrypted" as if they mean the same thing. They do not. UnoLock uses both, and that matters because it gives stronger protection for stored data, messaging flows, and API communications without relying on passwords as the root of trust.

FAQs

Is UnoLock only client-side encrypted, or also end-to-end encrypted?

Both. Safe data is encrypted on the client before upload, and UnoLock also uses end-to-end encrypted protection for messaging and protected API payloads.

Does TLS by itself make something end-to-end encrypted?

No. TLS protects transport between network peers. End-to-end encryption means the payload remains protected all the way between the intended application endpoints.

Does UnoLock use passwords for normal Safe encryption?

No. Normal Safe access is based on WebAuthn access keys, not passwords. The main password-style exception is optional Space backup files, which are intended for controlled migration and are not the recommended default operating model.

Compliance & Privacy Regulations

  • GDPR & HIPAA: client-side encryption and end-to-end encrypted payload protection help reduce unnecessary plaintext exposure of personal and sensitive data.

Integration with Other Features

  • Local File Encryption: extends the client-side encryption model to portable encrypted files.
  • Vault Messaging: applies end-to-end encrypted delivery to messages and files between endpoints.
  • Access Keys & Safe Access: uses WebAuthn-based access keys for authentication rather than password-based Safe access.