Encryption

How End-to-End Encryption Works: A Simple Guide

2026-02-28 ยท 7 min read

End-to-end encryption (E2EE) is one of those terms that gets thrown around a lot but is rarely explained clearly. If you've ever wondered how services like Daily Noted can honestly claim "even we can't read your messages," this article will explain exactly how it works โ€” no computer science degree required.

The Core Idea: Locks and Keys

Imagine you have a lockbox. You put a message inside, lock it, and send the box to your friend. Only your friend has the key to open it. The postal service (the server) carries the box but can never see what's inside.

That's end-to-end encryption in a nutshell. The "lock" is an encryption algorithm, and the "key" is a cryptographic key that only the sender and recipient know.

AES-GCM: The Gold Standard

AES (Advanced Encryption Standard) is the encryption algorithm used by governments, banks, and security-conscious applications worldwide. GCM (Galois/Counter Mode) adds authentication โ€” it not only encrypts your data but also ensures it hasn't been tampered with.

When we say "AES-256-GCM," we mean:

  • AES โ€” The encryption algorithm
  • 256 โ€” The key size in bits (2ยฒโตโถ possible keys โ€” more than atoms in the observable universe)
  • GCM โ€” The mode that provides both encryption and integrity verification

The Web Crypto API: Encryption in Your Browser

Modern browsers include a built-in cryptography toolkit called the Web Crypto API. It provides hardware-accelerated, constant-time cryptographic operations right in JavaScript โ€” no external libraries needed.

Here's a simplified view of how Daily Noted uses it: 

// 1. Generate a random encryption key
const key = await crypto.subtle.generateKey(
  { name: 'AES-GCM', length: 256 },
  true, ['encrypt', 'decrypt']
);

// 2. Encrypt the message
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt(
  { name: 'AES-GCM', iv },
  key, new TextEncoder().encode('My secret message')
);

// 3. The key goes in the URL hash, the blob goes to the server

The URL Hash Trick: Why the Server Can't Cheat

This is the clever bit. When you see a URL like: 

https://dailynoted.net/note/abc123#MySecretKeyHere

Everything after the # symbol is called the URL fragment (or hash). Here's the critical thing about URL fragments:

Browsers never send the URL fragment to the server. It's defined in the HTTP specification (RFC 3986). The fragment is processed entirely client-side.

This means when a recipient opens the link, the browser sends a request for /note/abc123 to the server, but #MySecretKeyHere stays in the browser. The server has no way to intercept it โ€” it's never included in the HTTP request.

The Complete Flow

Here's what happens when you create and share a self-destructing note on Daily Noted:

  1. You type your message into the form.
  2. Your browser generates a random AES-256 key and encrypts the message.
  3. The encrypted blob + IV are sent to the server. The key stays in your browser.
  4. The server stores the encrypted blob and gives back an ID.
  5. Your browser creates a link: dailynoted.net/note/[id]#[key]
  6. You share the link with the recipient.
  7. The recipient opens the link. Their browser extracts the key from the hash, fetches the encrypted blob from the server, and decrypts it locally.
  8. The server deletes the encrypted blob after it's been fetched. The note is gone forever.

What About the IV?

The IV (Initialization Vector) is a random value used to ensure that encrypting the same plaintext twice produces different ciphertext. It's stored alongside the encrypted data on the server โ€” but without the key, an IV is useless. It's not a secret; it's a safety mechanism.

Can This Really Be Trusted?

The beauty of this architecture is that you don't have to trust the server operator. The server only ever sees encrypted data. Even if the server were compromised, an attacker would get nothing but random-looking bytes with no way to decrypt them.

The security relies on well-audited, standard browser APIs โ€” not custom code. The Web Crypto API is implemented by browser vendors (Google, Mozilla, Apple) and has been battle-tested across billions of devices.

Try It Yourself

The best way to understand encryption is to use it. Create a note, inspect the URL, and see the architecture in action.

Create an Encrypted Note ๐Ÿ”’