In which cases do I activate end-to-end encryption?

Content of the article:
• Differences in encryption
• Advantages and disadvantages of end-to-end encryption
• When does end-to-end encryption make sense?
• How do I activate end-to-end encryption?
• Further information

Differences in encryption

By applying an encryption method, a plaintext is converted into a ciphertext (and vice versa). The decisive difference between the individual encryption methods is the point at which the data is encrypted and/or who holds the key for encryption.

Basis: HTTPS/SSL encryption

HTTPS/SSL encryption secures the transmission path between the end device and the server. During transmission over the Internet, the data remains encrypted. The data is transmitted along with the key to the respective service provider for storage. Therefore, before and after the transmission, the data is decrypted, i.e., stored on the server with plain text.

Note: Providers often claim this to be "End-to-end encryption".

Additional: End-to-end encryption

In addition to the HTTPS/SSL encryption, Stackfield allows you to activate end-to-end encryption on top, which is a unique combination of symmetric (AES) and asymmetric (RSA) encryption methods.

During the upload, the data will be encrypted directly in the browser (i.e. a password is generated automatically) and then transmitted using HTTPS/SSL encryption. With client-side encryption, the key that encodes the data never leaves the user's possession. This means that no one can decrypt the information between the two end devices. Only when downloading the data in the browser of the authorized recipient it will be decrypted, i.e. displayed as plain text.

Advantages and disadvantages of end-to-end encryption

If end-to-end encryption is enabled in Stackfield, no unauthorized third party has access to the information - neither the state / a court, nor Stackfield as the platform operator, nor our subcontractors. If an outsider were to obtain the data, it would merely be a chain of numbers and letters from which no information could be obtained. Only authorized people (i.e. members of a room with the appropriate rights) can access the information.

Due to early encryption, there may be some limitations in the daily work with encrypted rooms / direct messages:

Good password management is essential, as no one can gain access to lost rooms / direct messages without the right passwords. To prevent this, every user should know their own password for logging in. If two-factor authentication is enabled, the second factor must also be accessible at all times. The automatically generated passwords of the encrypted rooms / direct messages do not have to be remembered when logged in to access the data. However, the responsible room admin(s) should keep the password somewhere accessible.

No encrypted data is sent anywhere "outside", e.g. to external services as calendar subscription and notifications via email or the lock screen of the phone. Email notifications only reveal general information about the existence of the item / activity along with a note about the extra encryption and a link (i.e. a redirect to the relevant location within Stackfield).

The transfer of data through integrations / WebHooks (blog article: Automate your processes with Stackfield) can only be used in unencrypted rooms as the API does not have the respective key to encrypt/decrypt them. Note: Integrations where only a link is transferred (e.g. to files in Dropbox, OneDrive, Google Drive, and Box) and Giphy are generally supported.

The global search may be a bit slower, as it is not performed in one go but blocks due to the end-to-end encryption. The speed depends on the local device and the amount of data.

When does end-to-end encryption make sense?

Goal: Compliance with the General Data Protection Regulation (GDPR), professional obligations (e.g. § 203 – German penal code) and compliance guidelines.

Therefore, use encrypted rooms / direct messages with the additional end-to-end encryption for highly sensitive data (e.g., personal data and company internals).

How do I activate end-to-end encryption?

Precautions taken by admins of the organization

Admins of the organization can take precautions for encryption within the Organization Settings. Here, the following functions can be defined:

• Do you want to encrypt Direct Messages chats? (Choices: "Always unencrypted" / "Always encrypted")
• Do you want to encrypt all rooms? (Choices: "Always unencrypted" / "Always encrypted" / "Creator can choose"*)
• *Who is allowed to create unencrypted rooms? (Triggered by the previous option "Creator can choose") (Choices: "Admin" / "Admins & Members")

The creator can choose when creating a room

If users themselves can decide whether to use additional end-to-end encryption when creating a room, a lock icon is displayed in the input field of the "Room name". Simply click on it to activate the extra encryption. Note: The encryption of a room cannot be changed later.

Further information

Security standards

For further information on our security standards please visit: https://www.stackfield.com/de/security.

Password management

If your password for logging in to your account is reset, it must be "linked" to the keys of the rooms again to be able to access all encrypted data again. The transfer of the keys can either be performed by other members of the room through so-called "activation" or by manually entering the room passwords. However, it can become critical with rooms in which you are the only member. Therefore, a room admin should at least write the individual passwords down. You can find the password of an encrypted room within the tab General in the Room Settings. There, it is always displayed in encrypted form - protected from unauthorized access - until you click on the "Show" button.

How can I tell that a room is encrypted end-to-end?

Encrypted rooms are marked with a lock icon next to their room name and have an automatically generated password within the tab General in the Room Settings.