End-to-End Encryption for Nexmo

In this guide you will learn about adding end-to-end encryption to your product to secure your messages and user data that you deliver using Nexmo In-App Messaging application.

• Full privacy: Only user can read their own messages; Nexmo, Virgil and other third-party services cannot decrypt and access messages and data.
• Complete end-to-end encryption: User's data is always encrypted and protected - at rest and in transit.
• Independent data protection: With E3Kit your data protection doesn't rely on any network and service providers, so any attacks on them won't influence the data integrity and confidentiality.
• Data integrity: The E3Kit signs and verifies data as part of the encrypt and decrypt functions. This confirms that data is actually coming from the user who encrypted it and that it hasn't been tampered with in transit or storage.

End-to-end encryption consists of securing data between two users or endpoints using a private & public key for each user or endpoint:

• Nexmo Client SDK on the Client side allows users to send and receive messages, join groups, and communicate with the Nexmo backend in other ways
• Virgil E3Kit SDK on the Client side allows you to generate a public and a private key for your users, encrypt and decrypt messages, and sign and verify messages
• The public key is published to Virgil Cards Service, part of the Virgil Cloud. When your users want to send a message, the Virgil E3Kit uses the recipient's public key to encrypt the message data in a way that only the recipient's corresponding private key can decrypt it.
• The public key is published to Virgil Cards Service, part of the Virgil Cloud PKI. When your users want to send a message, the Virgil E3Kit uses the recipient's public key to encrypt the message data in a way that only the recipient's corresponding private key can decrypt it.
• The private key is kept on the end-user's device, enabling the user and only the user to decrypt any messages or data that other users sent to them. It's similar to the relationship between a public mailing address and a private mailbox. You look up someone's address to send them a letter, but only they can unlock their mailbox to open and read the letter.

The address book (Virgil's Cards Service), mailing address (public key) and mailbox key (private key) are related to each other, but can't be traced to each other in any way that would compromise the security of the system. End-to-end encryption also locks the letter (message data), and only the recipient has the key to unlock it.

This setup enables users to encrypt a message on their phone or computer, send it over the Internet to a recipient without any chance of another party reading it in transit or on the server, and have it be decrypted only by the recipient on their phone or computer. This all works seamlessly for the end-users and it only takes a few lines of code to implement using E3Kit.

You must have a working Nexmo project with a conversation set up to send and receive messages. If you don't, please follow Nexmo's documentation.

In order to be able to encrypt/decrypt messages and use Nexmo API, your users have to be authenticated using JWT at Virgil and Nexmo services. So, you need a backend code that generates Virgil and Nexmo JWTs with the help of Virgil Core SDK and Nexmo SDK on your Server side.

For this tutorial we've created a sample backend code that demonstrates how to combine Virgil and Nexmo JWT generation. To setup and run the sample backend locally, head over to Nexmo-Sample-Backend-Java GitHub repo and follow the instructions in README. You can easily use it as an example to build own backend for a JWT generation. For details on generating a Nexmo JWT, take a look at this article.

Once you have a working Nexmo conversation and backend ready, you can follow our Get Started to set up E3Kit on client side in order to encrypt messages before you send them to Nexmo and decrypt the messages after you receive them.