IntroductionIn this tutorial, we will help you add end-to-end encryption to your product to secure your message and user data.How does E2EE work with Firebase?Firebase uses Google Cloud’s strong security features, including encryption in transit with HTTPS and encryption at rest. This means that if any unauthorized person were to listen in on the network calls to Cloud Firestore or break into one of Google’s data centers and make off with a hard drive, they’d only find useless strings of scrambled letters and numbers.But when it passes through frontend and backend servers, the data is vulnerable and unencrypted and also available in plaintext to admins and developers in the live database. This means that any internal developers or admins with view access to your Cloud Firestore database can see the user data. And if there’s an error in your Firebase Security Rules that allows rogue clients to illegitimately access your stored documents, they’ll be able to see the data contained in those documents.End-to-end encryption fills the gaps and creates a secure, unbreakable chain between two users using a private and public key for each user:The public key is published to Virgil Cards Service, part of the Virgil Cloud PKI. When your users want to send a message, the Virgil SDK uses the recipient's public key to encrypt the message data in a way that only the recipient's corresponding private key can decrypt it.The private key is kept on the end-user's device, enabling the user and only the user to decrypt any messages or data that other users sent to them. It's similar to the relationship between a public mailing address and a private mailbox. You look up someone's address to send them a letter, but only they can unlock their mailbox to open and read the letter.The address book (Virgil's Cards Service), mailing address (public key) and mailbox key (private key) are related to each other, but can't be traced to each other in any way that would compromise the security of the system. End-to-end encryption also locks the letter (message data), and only the recipient has the key to unlock it.This setup enables users to encrypt a message on their phone or computer, send it over the Internet to a recipient without any chance of another party reading it in transit or on the server, and have it be decrypted only by the recipient on their phone or computer. This all works seamlessly for the end-users and it only takes a few lines of code to implement using E3Kit.Key Features of Virgil Security's E3KitStrong One-to-one and group encryptionFiles and stream encryption. Encrypted data is not readable on the server side to anyone, including Google, hackers, third-party developers and internal team membersThe E3Kit signs and verifies data as part of the encrypt and decrypt functions. This confirms that data is actually coming from the user who encrypted it and that it hasn't been tampered with in transit or storageRecovery features for secret keysStrong secret keys storage, integration with KeychainIntegration with any CPaaS providers like Nexmo, Firebase, Twilio, PubNub, etc.Public keys cache featuresAccess encrypted data from multiple user devicesEasy setup and integration into new or existing projectsDoes your project need to be GDPR or HIPAA compliant?For GDPR compliance, just follow these guides as-is. Learn more about GDPR compliance here.For HIPAA compliance, you might need to build in message redaction functionality. Consult specific platform resources on our blog here.