Differences in encryption
Using an encryption method, a plaintext is converted into a ciphertext (and vice versa). The decisive difference between the individual encryption methods is the point at which the data is encrypted, or rather who owns the key for encoding.
Basis: HTTPS/SSL encryption
HTTPS/SSL encryption secures the transmission path between the end device and the server. During the transmission through the Internet, the data remains encrypted. The data is transmitted along with the key to the respective service provider for storage. Before and afterward, the data is therefore decrypted, i.e. stored on the server with plain text.
Note: Providers often claim this to be "End-to-end encryption".
HTTP/SSL encryption only
Depending on the type of data, all data protection requirements under the General Data Protection Regulation (GDPR) may be met by Stackfield (with its technical and organizational measures) even with HTTPS/SSL encryption only (i.e., for our unencrypted rooms / Direct Messages).
Additionally: End-to-end encryption
In addition to the HTTPS/SSL encryption, Stackfield allows you to activate end-to-end encryption, which is a unique combination of symmetric (AES) and asymmetric (RSA) encryption methods.
During the upload, the data will be encrypted directly in the browser (i.e. a password is generated automatically) and then transmitted using HTTPS/SSL encryption. With client-side encryption, the key that encodes the data never leaves the user's possession. This means, that no one can decrypt the information between the two end devices. Only when downloading the data in the browser of the authorized recipient it will be decrypted, i.e. displayed as plain text.
HTTP/SSL + end-to-end encryption
This data is end-to-end encrypted
(Dis-) Advantages of end-to-end encryption
If end-to-end encryption is enabled in Stackfield, no unauthorized third party has access to the information - neither the state / a court, nor Stackfield as platform operator or our subcontractors. If an outside party were to obtain the data, it would merely be a string of numbers and letters from which no information could be obtained. Only authorized individuals (i.e. members of a room with appropriate rights) can access the information.
Due to the early encryption, there may be some limitations in everyday work with encrypted rooms / Direct Messages:
Good password management is essential, otherwise access cannot be restored in case of lost rooms / Direct Messages. Each user should therefore know their own login password at all times.
If two-factor authentication is enabled, the second factor also needs to be accessible.
Due to the encryption, no data is sent to the "outside", e.g. to external services such as a calendar subscription or notifications via email / on the lock screen of a cell phone. In email notifications, only general information about the existence of the item, including reference to the extra encryption, and link (i.e. a redirect to the relevant location in Stackfield) is disclosed.
Example: Email notification from an encrypted room
The transfer of data through integrations / WebHooks (blog article: Automating processes) can only be used in unencrypted rooms as the API does not have the respective key for (de-) encryption. Integrations where only a link is transferred (e.g. to files in Dropbox, OneDrive, Google Drive, and Box), as well as Giphy, are generally supported.
The global search may be a bit slower, since it does not run in one go due to the end-to-end encryption but in blocks. The speed depends on the local device and the amount of data.
Tip: Use an unencrypted room for non-sensitive data that is to be shared, for example, through calendar subscriptions / emails / integrations and WebHooks. By using a #-mention
or a link
, a reference to the storage location of the sensitive data in the encrypted rooms can be created.
In which cases is end-to-end encryption useful?
The top priority is to ensure compliance with the General Data Protection Regulation (GDPR), professional obligations (e.g. § 203 – German penal code), and compliance guidelines. We, therefore, recommend storing highly sensitive data (e.g. types of personal data and company internals) in our end-to-end encrypted rooms or private chats. Access here is restricted solely to the members of the room / chat with the appropriate rights.
Note: Further information on personal data and its processing can be found in particular in the Articles 4, 5, and 9 of the GDPR: General Data Protection Regulation
Want to learn more about end-to-end encryption?
How do I enable end-to-end encryption?
For encrypted rooms and chats, a separate password is automatically generated after its creation and "linked" to your personal login password in the background, see: Password Management
Arrangements made by the admin of the organization
Admins of the organization can make arrangements for the encryption in the "Organization Settings". The following functions can be defined here in more detail:
- Do you want to encrypt Direct Messages? (Options: "Always unencrypted" / "Always encrypted")
- Do you want to encrypt all rooms? (Options: "Always unencrypted" / "Always encrypted" / "Creator can choose"*)
- *Who is allowed to create unencrypted rooms? (Triggered by the previous "Creator can choose" option) (Options: "Admins" / "Admins & Members")
After the activation we recommend communicating the advantages and disadvantages and especially the proper password management to all users (see: Password Management).
All settings regarding the encryption are valid from the moment the settings are defined. Thus, the encryption of already existing Direct Messages
or rooms remains as it was before and cannot be changed retroactively.
Creator can choose when creating a room
If the users themselves can decide on the additional end-to-end encryption when creating a room, a lock symbol is shown in the input field of the "Room name". With a click on it, the extra encryption can be activated. Note: The encryption of a room cannot be changed later.
Option: Creator can choose during the creation
What do I need to do as an admin after enabling end-to-end encryption?
After enabling end-to-end encryption in the "Organization Settings", we recommend raising awareness of topics such as security, password management, and end-to-end encryption among all employees. Introduce mandatory (online) training and/or send out usage guidelines with links to relevant Learning Center articles:
In particular, address password management and the difference between login password and room / chat password. Make sure that for encrypted rooms / chats, the room / chat password is secured by at least one admin. To avoid the responsible people (e.g. everyone / admins / a certain person) forgetting the password backup, anchor it additionally as a rule in your organization's internal guidelines. A task can remind you and the affected users of the compliance.
For further information on our security standards please visit:
How can I tell that a room is end-to-end encrypted?
Encrypted rooms are marked with a lock icon next to their room name when open and have an automatically generated password in the General tab of the "Room Settings".
(Note: For an easier understanding, the correlations are greatly simplified here. The technical details can be found in our whitepaper).
Each encrypted room / group chat has its own password. The password is generated automatically and is not identical to your login password. To provide you with easy access to your encrypted rooms / chats, your login password is automatically "linked" to all room / chat passwords in the background. This way, you usually do not need to enter your password manually when opening the room / chat.
Pay attention: When resetting your login password, the "link" to the room / chat passwords gets lost (since the old and new login passwords do not "meet") and must be restored first. To regain access, you have to enter the room / chat password manually or have it activated by an admin (see: Password reset).
If your password is merely changed, the link remains intact, as it is automatically transferred from your old login password to the new one. A manual input of the room or chat passwords is therefore not necessary.
Always make sure to store the password of encrypted rooms / group chats / private chats in an additional (secure) place outside the encrypted environment. Especially for rooms / chats in which you are the only person or even the admin, you should write down the password. Since the passwords do not change, a one-time backup is sufficient.
The password of rooms / group chats can be found in the settings of the room / group chat. In the General tab, it is displayed in encrypted form until you click on the "Show" button - protected from unauthorized access.
You can find the room password in the room settings
To view the password of a 1:1 chat, open the corresponding chat and click on the name of your communication partner in the upper left corner. Now, select the option "Show encryption key" to show the password.
The password of a 1:1 chat is accessed via the name
Encrypting / Decrypting chats retrospectively
End-to-end encryption settings only apply to private chats that are created after the (de-) activation. Old chats remain (un-) encrypted. To adapt a private chat to the new setting, delete it and ask the other person to leave the chat as well. Note that deleting the chat will result in the loss of all chat content. Save important content separately if necessary.
Delete the chat
If the chat has been deleted by both communication partners, you can start the chat again.* Simply open it (e.g. via Global Search, Ctrl + k) and write a message. The new settings for end-to-end encryption have now been applied.
*If the chat is started before both people have exited, the settings will not be applied and the process will have to be restarted.