End-to-end encryption works by encrypting data on the uploading device before it is sent out over the internet and decrypting it only after it has arrived on the downloading device. The client machines generate, exchange, and manage the encryption keys, and no usable encryption keys ever leave the client computers except for RSA public keys. This means all data is encrypted in both directions, upload and download, and can only be unlocked by the decryption keys on the client machines.
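The flow described above, as an added example (not code from the service this page describes). It assumes a common hybrid design that the page does not spell out: a random per-file AES-256-GCM key encrypts the data, and that key is wrapped with the recipient's RSA public key using OAEP. All function names are hypothetical.

```javascript
// Added illustration, not the service's own code. Assumed scheme:
// AES-256-GCM for the data, RSA-OAEP to wrap the per-file data key.
const crypto = require("node:crypto");

// Runs on a client. Only publicKey is ever shared; privateKey stays local.
function makeClientKeys() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Uploading device: encrypt locally, then wrap the data key for the recipient.
function encryptForUpload(plaintext, recipientPublicKey) {
  const dataKey = crypto.randomBytes(32); // fresh key per file
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce
  const cipher = crypto.createCipheriv("aes-256-gcm", dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, dataKey);
  // Everything returned here may be handed to the server: none of it is a
  // usable key without the recipient's private key.
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKey };
}

// Downloading device: unwrap the data key with the local private key, decrypt,
// and verify the GCM tag. Throws if the key is wrong or the blob was modified.
function decryptAfterDownload(blob, recipientPrivateKey) {
  const dataKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, blob.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", dataKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
}

// Returns the plaintext Buffer, or null when decryption is not possible
// (wrong private key, or ciphertext altered in transit or at rest).
function tryDecrypt(blob, privateKey) {
  try {
    return decryptAfterDownload(blob, privateKey);
  } catch (err) {
    return null;
  }
}
```

A holder of the stored blob and the public key alone gets `null` from `tryDecrypt`, as does anyone presenting a modified ciphertext.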