> For the complete documentation index, see [llms.txt](https://docs.ethsign.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.ethsign.xyz/a-deeper-dive/technical-details/data-encryption.md).

# Data Encryption

At EthSign, we take data privacy extremely seriously. If document encryption is enabled, none of the encrypted data leaves the browser unencrypted. In other words, **if our users choose to encrypt their data, nobody aside from the intended recipients can decrypt it, not even us.**

## Encryption Methods

EthSign offers three different tiers of encryption:

1. **Unencrypted**
2. **AES-256-GCM:** Symmetric password; Advanced Encryption Standard with Galois Counter Mode
3. **AES-256-GCM + ECIES:** Asymmetric passwordless; Advanced Encryption Standard with Galois Counter Mode + Elliptic Curve Integrated Encryption Scheme

The encryption method used throughout a signing session is dictated by the initiator.

*Note: "Signing Session" refers to the process during which users send and sign a specific document.*

### Unencrypted

All data is viewable by anyone else. It is extremely important to keep in mind that unencrypted data can be seen by everyone and once submitted to Arweave, it will become permanently visible to the entire world. There are cases where transparency is needed, but to avoid users disabling encryption by accident, we display a stern warning if the user attempts to submit data unencrypted.

### AES-256-GCM - Password Encryption

AES-256-GCM is a symmetric encryption algorithm. It's been widely used and battle-tested over many years. When making use of this encryption method, all recipients must possess a copy of the passphrase that generates the AES key. This key must be kept secret and EthSign does not natively facilitate the key exchange.

### AES-256-GCM + ECIES - Wallet-based Encryption

**E**lliptic **C**urve **I**ntegrated **E**ncryption **S**cheme is an asymmetric encryption algorithm, meaning the information needed to perform encryption is different from the information needed to perform decryption. In this case, a public key is used to encrypt data while the corresponding private key is needed to decrypt data. In the context of EthSign, using ECIES means nobody needs to memorize any passwords of any kind since the data is locked to every recipient's public encryption key.

This is somewhat similar to [EthSign 4's 1-Tap Encryption](https://twitter.com/ethsign/status/1517023426073939969?s=20) which made use of MetaMask's [`eth_decrypt`](https://docs.metamask.io/wallet/reference/eth_decrypt/) API. However, this API is now deprecated, and although a [new encryption EIP](https://eips.ethereum.org/EIPS/eip-5630) has been submitted, it is still in the draft stage. In addition, we had to make encryption universal across different blockchains (secp256k1 + curve25519), so we decided to establish our own encryption system, branded as EthSign Password Manager.

To learn how EthSign Password Manager works in detail, refer to [How EthSign Handles Your Secrets](https://medium.com/ethsign/how-ethsign-handles-your-secrets-205f3f0a439b).

## Encryption Workflow

This is a sequence diagram showcasing the encryption workflow. The word ***gibberish*** simply means the data is encrypted and thus opaque to us and everyone aside from the intended recipients.

<figure><img src="/files/YVd9HIvlwHI02aZ9TjRj" alt=""><figcaption><p>Encryption Workflow</p></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.ethsign.xyz/a-deeper-dive/technical-details/data-encryption.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.