End-to-End Encryption (E2EE)
Encryption where only the endpoints hold the decryption keys, so the service provider stores ciphertext and cannot read your data even if compelled to hand it over. For a password manager, both endpoints are your own devices. This is the core security guarantee of every credible password manager.
Plain-English definition
End-to-end encryption (E2EE) means your data is encrypted on your device before it leaves, and decrypted only on the device at the other end, with the keys held by those endpoints alone. Nothing in between can read it: not the service provider, not its employees, not an attacker who compromises its servers, and not a government with a court order, because the provider has no key to hand over. The protection is technical, not contractual: it holds only if the provider genuinely never receives key material.
For a password manager, the two ends are your own devices: the one that encrypted the vault and the one that decrypts it, which may be the same device after a sync or another device you have enrolled. The provider's servers sit in the middle of that path and only relay and store ciphertext.
How it differs from encryption in transit
You may have heard of TLS (Transport Layer Security), the protocol underneath HTTPS that encrypts your connection to websites. TLS protects data in transit between your browser and the server. Once data arrives, TLS's job is done: whatever terminates the connection, whether the application server, the provider's load balancer or a CDN edge, decrypts it and can read it.
Password managers with end-to-end encryption take an additional step: they encrypt your vault data before sending it to the server, using keys the server never sees. So the server receives ciphertext — garbled, unreadable data — and stores it. When you fetch your vault, you receive the same ciphertext and decrypt it locally on your device.
The practical difference:
- TLS (encryption in transit): Your data is secure while travelling from your device to the server. The company can read it once it arrives.
- E2EE: Your data is encrypted before it leaves your device and decrypted after it returns. The company never has access to the plaintext.
E2EE in password managers: the implementation
For password managers, E2EE is implemented as what vendors call a zero-knowledge architecture (a marketing term unrelated to zero-knowledge proofs; it means only that the provider holds no key material):
- Your master password is stretched into an encryption key with a password-based KDF (PBKDF2-HMAC-SHA256 or the memory-hard Argon2id), using a per-account salt
- Your vault data is encrypted with that key on your device (in practice the password-derived key usually wraps a random vault key, so changing the master password re-wraps one key instead of re-encrypting everything; the guarantee is the same)
- The encrypted vault (ciphertext) is sent to the provider's servers over TLS
- The provider stores ciphertext only: never the key, never the plaintext
- When you unlock your vault, the ciphertext is fetched and decrypted locally, after the client has checked that it was not tampered with
The key never leaves your device. This is the core guarantee. If the provider is served a warrant for your vault, it can hand over the ciphertext, and the recipient still cannot read it without your master password (and, where the service uses one, your device-held Secret Key).
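The flow above, as an added example written for this page rather than any vendor's code. It derives keys with PBKDF2-HMAC-SHA256 from the standard library, encrypts a constructed sample vault on the "client", and shows that the record the "server" stores carries no key and no plaintext, and that a wrong master password or a record whose iteration count was lowered is rejected before any plaintext is returned. Two assumptions are mine: the HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC tag is a stand-in for the AES-GCM or XChaCha20-Poly1305 a real vault would use (the Python standard library ships no block cipher), and the record layout is illustrative, not any product's format.

```python
import hashlib
import hmac
import json
import os

# PBKDF2-HMAC-SHA256 iteration count; the page cites 650K+ as the current baseline.
KDF_ITERATIONS = 650_000


def derive_keys(master_password, salt, iterations):
    """Stretch the master password into 64 bytes on the client and split it into an
    encryption key and a MAC key. Nothing returned here is ever sent to the server."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return master_key[:32], master_key[32:]


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256. Stand-in for a real AEAD cipher,
    used only because the standard library has none; do not ship this construction."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_vault(master_password, vault, iterations=KDF_ITERATIONS):
    """Client side. Returns the record the provider stores: salt, KDF parameters,
    nonce, ciphertext and tag. It contains neither a key nor any plaintext."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC. The tag also covers the KDF parameters, so whoever controls
    # the storage cannot quietly lower the iteration count to make guessing cheaper.
    header = salt + iterations.to_bytes(4, "big") + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password, record):
    """Client side, after fetching the record back. Verifies the tag before
    decrypting; raises ValueError on a wrong master password or a tampered record."""
    salt = bytes.fromhex(record["salt"])
    nonce = bytes.fromhex(record["nonce"])
    iterations = int(record["iterations"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    header = salt + iterations.to_bytes(4, "big") + nonce
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("tag mismatch: wrong master password or tampered record")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def provider_view(record):
    """Everything the provider, or an attacker on its servers, learns from the
    stored record: sizes and KDF parameters, never a secret."""
    return {"iterations": record["iterations"],
            "ciphertext_bytes": len(record["ciphertext"]) // 2}


if __name__ == "__main__":
    # Constructed sample vault; not real credentials.
    vault = {"github.com": {"username": "alice",
                            "password": "correct horse battery staple"}}
    record = encrypt_vault("a long master passphrase", vault)
    print("provider stores:", provider_view(record))
    print("client decrypts:", decrypt_vault("a long master passphrase", record))
```

Binding the iteration count into the authenticated header is the detail worth copying: a storage-side attacker who could rewrite KDF parameters would otherwise be able to make every later unlock, and every offline guess, cheaper without the client noticing.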
Where E2EE does and doesn’t protect you
E2EE protects you from:
- An attacker who compromises the provider's servers and copies vault data: what they get is ciphertext
- Government compulsion: the provider can be forced to hand over what it stores, and what it stores is ciphertext
- Insider threat: a rogue employee with database access cannot read your vault
- Interception of the vault on its way to or from the server, for example at a TLS-terminating proxy or CDN edge, since what travels is already ciphertext
E2EE does not protect you from:
- A weak master password: an attacker holding the stolen ciphertext can guess passwords offline, at a rate limited only by the KDF cost and their hardware
- Malware on your device that captures the master password as you type it or reads vault data after decryption
- An attacker, or a compelled provider, who alters the client-side code (the browser extension, the app, or especially the web vault, which is fetched from the provider on every visit) so that it leaks keys or plaintext. This is why external audits of the client code, and builds you can match to audited source, matter
- Legal compulsion aimed at you rather than the provider: a court can order you to unlock a device or disclose your master password, and E2EE does nothing about that
Practical implications for password manager selection
When a password manager claims E2EE or zero-knowledge, verify it with:
- An independent audit that confirms the client-side encryption implementation. The audit should state that vault plaintext and key material are never transmitted to the server, and name the client versions it covered.
- Open-source code (optional but stronger). Bitwarden's open-source codebase lets anyone inspect the encryption implementation, provided the build you install matches that source. For closed-source managers (1Password, Dashlane, NordPass), the audit reports are the verification mechanism.
- A strong KDF. E2EE behind a weak master-password KDF (like LastPass's pre-2018 PBKDF2 at 5,000 iterations) is practically brute-forceable given the ciphertext and enough GPU time. Argon2id (offered by Bitwarden) or PBKDF2 at 650K+ iterations makes every guess more than a hundred times as expensive, and 1Password additionally mixes in a random Secret Key that never leaves your devices, so the stolen ciphertext alone is not enough to test a guess at all. None of this rescues a master password that is itself guessable in a few thousand tries.
Common misconceptions
“E2EE means I’m unhackable.” False. E2EE protects your vault in transit and at rest on the provider’s servers. It doesn’t protect you from a phishing attack that steals your master password, from malware on your device, or from a weak master password that can be guessed offline from the stolen ciphertext.
“If the provider says E2EE, it must be true.” Claims are not verification. Look for an audit report from a credible firm (Cure53, NCC Group, Trail of Bits) that explicitly confirms the zero-knowledge property, and check that it covers the client you actually use.
“E2EE makes all password managers equally secure.” The key derivation function (KDF), its parameters, and whether a device-held secret is mixed in are the differentiators. LastPass and Bitwarden both implemented E2EE, but LastPass’s pre-2018 PBKDF2 iteration count made the ciphertext taken in the 2022 breach tractable for GPU-based guessing. Bitwarden’s Argon2id option makes the equivalent attack far more expensive per guess, which is the whole point of the KDF.
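The offline attack that the "strong KDF" item and this misconception both describe, as an added example (not any vendor's code or any real breach data). An attacker who has copied a vault record from the provider runs a wordlist against it; each guess costs one full PBKDF2 run, so the page's 5,000-iteration and 650K-iteration figures can be timed side by side. The record here is a simplified stand-in: it holds a salt, the KDF parameters and a checkable value derived from the key (in a real vault the checkable value is the ciphertext's authentication tag). The optional `secret_key` models a 1Password-style Secret Key in the simplest possible way, as extra salt material the server never stores; the vendor's actual construction is different, but the consequence for the attacker is the same. The wordlist is constructed, with the target password as its sixth entry.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for a cracking dictionary. The target password
# "sunshine1" is the sixth entry, so a successful crack costs exactly six guesses.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon",
                   "sunshine1", "iloveyou", "admin"]
# Hypothetical label; a real vault's checkable value is the tag on the ciphertext.
KEY_CHECK_LABEL = b"vault-key-check"


def derive_key(password, salt, iterations, secret_key=b""):
    """Stretch a master password with PBKDF2-HMAC-SHA256. secret_key stands in for a
    device-held Secret Key (1Password-style), modelled here simply as extra salt
    material the provider never sees; without it, a stolen record cannot verify a
    guess. This is an illustration, not the vendor's construction."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               secret_key + salt, iterations, dklen=32)


def key_check(key):
    """A value that lets anyone holding it test a candidate key."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def stolen_record(password, iterations, secret_key=b""):
    """What leaks in a server breach: salt, KDF parameters and the checkable value.
    Neither the master password nor the Secret Key is in it."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations, secret_key)
    return {"salt": salt, "iterations": iterations, "check": key_check(key)}


def crack(record, wordlist, secret_key=b""):
    """Offline dictionary attack. Returns (password or None, guesses, seconds).
    Every guess pays the full KDF cost, which is exactly what the iteration count buys."""
    start = time.perf_counter()
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_key(candidate, record["salt"], record["iterations"], secret_key)
        if hmac.compare_digest(key_check(key), record["check"]):
            return candidate, guesses, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def compare_kdf_cost(password, wordlist, weak_iterations=5_000,
                     strong_iterations=650_000):
    """Same password, same wordlist, two iteration counts (the page's pre-2018 LastPass
    figure versus the current 650K baseline). Returns (weak_result, strong_result)."""
    weak = crack(stolen_record(password, weak_iterations), wordlist)
    strong = crack(stolen_record(password, strong_iterations), wordlist)
    return weak, strong


def projected_seconds(result, keyspace):
    """Extrapolate a measured crack to a keyspace of `keyspace` guesses on this one
    core. A GPU rig divides this by its parallelism; the KDF multiplies it back."""
    _, guesses, seconds = result
    return seconds / guesses * keyspace


if __name__ == "__main__":
    weak, strong = compare_kdf_cost("sunshine1", SAMPLE_WORDLIST)
    for label, result in (("5,000 iterations", weak), ("650,000 iterations", strong)):
        print(f"{label}: found {result[0]!r} after {result[1]} guesses in "
              f"{result[2]:.2f}s; ~{projected_seconds(result, 10**8):.0f}s "
              f"for 1e8 guesses on one core")
    # With a Secret Key the attacker does not have, the same wordlist finds nothing.
    secret = os.urandom(16)
    record = stolen_record("sunshine1", 5_000, secret_key=secret)
    print("Secret Key vault, attacker without it:", crack(record, SAMPLE_WORDLIST)[0])
    print("Secret Key vault, enrolled device:", crack(record, SAMPLE_WORDLIST, secret)[0])
```

Run it and the two numbers that matter are the per-guess time ratio between the iteration counts and the `None` returned when the Secret Key is missing: the first is what a higher iteration count buys against a merely weak password, the second is why a device-held secret removes the offline attack rather than slowing it. Neither helps if the master password is in the first few entries of every wordlist.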
Go deeper
- Stage 1 — Learn: What is a password manager? The foundational guide; start here if you're new to the space.
- Stage 3 — Commercial: The 8 Best Password Managers, 2026. From foundation to pick: which manager has this feature verified?
- Stage 5 — Tool: Decision Wizard. 5 questions, 60 seconds, your top-3 recommendation.