> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/drive-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/drive-support/concepts-in-1-minute/end-to-end-encryption-e2ee.md).

# End-to-End Encryption (E2EE)

**What it is:** All encryption and decryption happen **only on your device**. File contents, file names, folder structure, and vault names are encrypted before any write to disk or network. Each file gets its own key, and plaintext lives only in memory while a file is open — it's purged when you close the file or lock the vault.

**Why it matters:** The cloud (Oten Cloud) is **zero-knowledge** — it stores only ciphertext and a little non-revealing bookkeeping, and it holds no decryption keys. No one in the middle — not the network, not Oten — can read your files.

**Good to know:**

* Encrypted content is stored in an encrypted database on disk; even the file and folder names inside a vault are protected.
* Permanently deleting data securely wipes the keys involved, making that content **unrecoverable** by anyone.
* Oten Drive uses strong, modern, **post-quantum-ready** cryptography (KEM-based key handling). You don't configure any of it — it's on by default for everything you store.
* A published **cryptography white paper** describes the design for public review.

> Zero plaintext ever leaves your device — not in logs, crash reports, caches, or sync traffic. That's a hard product rule, not a setting.
