How true end-to-end encryption differs from common alternatives
A practical comparison of email, shared drives, chat apps, and true E2EE workspaces
In day-to-day work we usually share sensitive material in three ways: email, shared drive links, and chat apps. All three can be “secure enough” for normal use. But they are not the same thing as true end-to-end encryption (E2EE).
True E2EE means: the content is encrypted on our device and only decrypted on the recipient’s device. The service in the middle cannot read it.
A simple mental model
There are three levels we see in practice:
- Transport encryption: Data is encrypted while it moves between servers (often TLS). The sender and receiver services can still read it. [1][2]
- Provider-managed encryption at rest: Data is encrypted on the provider’s storage. The provider still controls the key chain needed to operate features like preview, indexing, scanning, recovery, and compliance tooling. [4][11]
- True end-to-end encryption: Data is encrypted on our device and decrypted only by intended recipients. The service in the middle cannot read it. [8][9]
1) Email
What we usually get
Most modern email is protected mainly by TLS in transit between servers. That helps against passive interception while the message travels. [1][2]
But TLS is not true E2EE. Email is processed by mail systems on the sending and receiving sides, and messages may be stored in mailboxes, archives, backups, and forwarding chains.
What true E2EE email looks like (rare in practice)
End-to-end encrypted email exists (for example OpenPGP or S/MIME), but it requires setup, key management, and compatible tooling on both sides. That’s why many organizations don’t use it consistently with external counterparties. [3][12]
Practical takeaway: email is strong for coordination. It is not ideal for long-lived confidential document workflows unless we deliberately add end-to-end controls.
2) Shared drive links (Google Drive, OneDrive)
What we usually get
Mainstream business drives encrypt data in transit and at rest. That is good hygiene and reduces a lot of everyday risk. [4][11]
However, in default configurations this is not true E2EE. The provider can generally decrypt content as part of operating the service, because the provider controls the keys and must support server-side features (preview, indexing, scanning, recovery, etc.). [4][11]
The important nuance
Some providers offer client-side encryption modes where the customer controls keys and the provider cannot decrypt. This moves closer to true E2EE, but it typically introduces feature limitations compared to standard sharing. [5][6][7]
Practical takeaway: shared drives are convenient and familiar. They are not automatically a sealed boundary unless we enable a client-controlled encryption mode and accept the trade-offs.
3) Chat apps (WhatsApp, Signal)
What we usually get
Signal conversations are end-to-end encrypted. [8]
WhatsApp protects messages with end-to-end encryption using the Signal protocol. [9][10]
Why chat apps still struggle for document workflows
Chat streams are built for conversation, not structured production:
- versions and approvals get buried in long threads
- decisions are hard to anchor to a single file
- access control is usually “member of the chat”
- auditability and lifecycle controls are limited compared to a workspace model
Practical takeaway: chat apps are excellent for quick, confidential coordination. They are awkward for structured workflows where we need clear versions, decisions, and controlled access.
What “true E2EE” means in a workspace
A true E2EE workspace tries to combine:
- the privacy model of secure messaging (provider cannot read content), and
- the workflow model of professional work (documents, comments, decisions, permissions)
The trade-off is consistent: when the server cannot read content, it cannot perform server-side features that require cleartext.
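The mental model and the trade-off above, as an added Python example that is not from the original article: a hypothetical `Provider` encrypts at rest with its own key, so its server-side search can read a normally uploaded file but sees only ciphertext for one sealed on the client. The `seal`/`unseal` helpers are a stdlib-only stand-in for a vetted AEAD such as AES-GCM, and all names and the sample document are constructed.

```python
import hashlib, hmac, secrets

# Stdlib-only stand-in for a vetted AEAD such as AES-GCM (illustration only):
# HMAC-SHA256 keystream in counter mode, then encrypt-then-MAC.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    ks = b"".join(_sub(key, nonce + i.to_bytes(8, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

class Provider:
    """Hypothetical storage service that encrypts at rest with its own key."""
    def __init__(self):
        self.at_rest_key = secrets.token_bytes(32)
        self.store = {}

    def upload(self, name, body):
        self.store[name] = seal(self.at_rest_key, body)

    def read_as_provider(self, name):
        return unseal(self.at_rest_key, self.store[name])

    def search(self, term):
        # Server-side feature: only works on what the provider can decrypt.
        return sorted(n for n in self.store if term in self.read_as_provider(n))

def demo():
    doc = b"Term sheet: acquisition price 42M"        # constructed sample
    provider = Provider()
    provider.upload("standard.txt", doc)               # provider receives cleartext
    user_key = secrets.token_bytes(32)                 # held by sender and recipient only
    provider.upload("e2ee.bin", seal(user_key, doc))   # provider receives ciphertext
    hits = provider.search(b"acquisition")
    provider_view = provider.read_as_provider("e2ee.bin")
    return hits, provider_view, unseal(user_key, provider_view)
```

Both files are encrypted at rest, yet only the client-sealed one stays unreadable to the provider, and it is also the one that drops out of server-side search.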
Quick comparison
| Mechanism | Encrypts in transit | Encrypts at rest | True E2EE by default | Best for |
|---|---|---|---|---|
| Email (typical) | Yes (often TLS) [1][2] | Provider-dependent | No | Coordination, external comms |
| Shared drives (typical) | Yes [4][11] | Yes [4][11] | No (unless client-side encryption mode) [5][6][7] | Collaboration, storage, sharing |
| Signal / WhatsApp | Yes | Yes (encrypted payloads) | Yes [8][9][10] | Confidential chat coordination |
| True E2EE workspace | Yes | Yes | Yes | Structured confidential work |
References
[1] Google Workspace Admin Help — Send email over a secure TLS connection
https://support.google.com/a/answer/2520500
[2] Canadian Centre for Cyber Security — Email security best practices (ITSM.60.002), PDF
https://www.cyber.gc.ca/sites/default/files/ITSM.60.002-email-security-best-practices-en.pdf
[3] UK National Cyber Security Centre — Protect email in transit (notes OpenPGP / S/MIME and deployment considerations)
https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/protect-email-in-transit
[4] Microsoft Learn (Purview) — Data encryption in OneDrive and SharePoint (BitLocker + per-file encryption)
https://learn.microsoft.com/en-us/purview/data-encryption-in-odb-and-spo
[5] Google Drive Help — Get started with encrypted files in Drive, Docs, Sheets & Slides (Google Workspace client-side encryption)
https://support.google.com/drive/answer/10519333
[6] Google Workspace Admin Help — Client-side encryption FAQ
https://support.google.com/a/answer/14328489
[7] Google Developers — Google Workspace Client-side Encryption overview (explains that CSE prevents Google servers from decrypting)
https://developers.google.com/workspace/cse/guides/overview
[8] Signal Support — Is it private? Can I trust it?
https://support.signal.org/hc/en-us/articles/360007320391-Is-it-private-Can-I-trust-it
[9] WhatsApp — Answering your questions about privacy on WhatsApp
https://www.whatsapp.com/privacyquestions
[10] WhatsApp — Security Advisories
https://www.whatsapp.com/security/advisories
[11] Microsoft Support — How OneDrive safeguards your data in the cloud
https://support.microsoft.com/en-us/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1
[12] UK Information Commissioner’s Office — Encryption scenarios
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/encryption/encryption-scenarios/