End-to-End Encryption
Every message, call, and file you send through Varta is encrypted on your device before it ever leaves. Not even Varta can read your conversations — only you and your intended recipients hold the keys.
Everything is encrypted by default
There is no "enable encryption" toggle. Every form of communication on Varta is end-to-end encrypted automatically.
Under the Hood
Built on the Signal Protocol
Varta uses the Signal Protocol — the same open, peer-reviewed cryptographic protocol trusted by security researchers worldwide. Here is how each layer works.
X3DH Key Agreement
When you start a conversation, Varta uses the Extended Triple Diffie-Hellman (X3DH) protocol to establish a shared secret between you and the recipient. This happens even if the other person is offline, using pre-uploaded one-time prekeys.
Double Ratchet Algorithm
Each message is encrypted with a unique key derived from the Double Ratchet Algorithm. This combines a Diffie-Hellman ratchet with a symmetric-key ratchet, ensuring every single message has its own encryption key.
AES-256-GCM Encryption
Message payloads are encrypted using AES-256 in Galois/Counter Mode, providing both confidentiality and integrity. This is the same cipher standard used by governments to protect classified information.
Curve25519 Key Exchange
All key exchanges use Curve25519 elliptic-curve Diffie-Hellman, providing 128-bit security with excellent performance. Key pairs are generated on your device and the private key never leaves it.
Perfect Forward Secrecy
Even if an attacker somehow obtains your long-term identity key, they cannot decrypt past messages. Every message exchange ratchets the encryption keys forward, and old keys are immediately deleted.
This means a compromise today does not expose yesterday's conversations. Each session generates ephemeral keys that are used once and discarded, making retroactive decryption mathematically impossible.
Ephemeral session keys
A new key pair is generated for every message exchange, then securely deleted.
Break-in recovery
Even if a session key is compromised, subsequent messages use new keys and remain secure.
No key reuse
Encryption keys are never reused across messages, eliminating replay and known-plaintext attacks.
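The symmetric-key half of the Double Ratchet described above, as an added example that is not Varta's code. It assumes HMAC-SHA256 as the chain KDF with the single-byte inputs suggested in the Double Ratchet specification; the class and function names and the starting secret are constructed for illustration.

```python
import hashlib
import hmac

# Single-byte inputs suggested by the Double Ratchet specification for KDF_CK.
MESSAGE_KEY_INPUT = b"\x01"
CHAIN_KEY_INPUT = b"\x02"


def kdf_ck(chain_key: bytes) -> tuple:
    """One symmetric ratchet step: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, MESSAGE_KEY_INPUT, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_INPUT, hashlib.sha256).digest()
    return next_chain_key, message_key


class SymmetricRatchet:
    """A sending or receiving chain that keeps only the current chain key."""

    def __init__(self, initial_chain_key: bytes) -> None:
        if len(initial_chain_key) != 32:
            raise ValueError("chain key must be 32 bytes")
        self.chain_key = initial_chain_key

    def next_message_key(self) -> bytes:
        # The previous chain key is replaced here; HMAC is one-way, so the new
        # state cannot be run backwards. A real client also wipes the old bytes.
        self.chain_key, message_key = kdf_ck(self.chain_key)
        return message_key


def demo() -> dict:
    # Constructed stand-in for the secret that X3DH / the DH ratchet outputs.
    start = hashlib.sha256(b"constructed shared secret, illustration only").digest()
    alice, bob = SymmetricRatchet(start), SymmetricRatchet(start)
    sent = [alice.next_message_key() for _ in range(5)]
    received = [bob.next_message_key() for _ in range(5)]
    # Attacker copies Alice's state after message 5 and ratchets it forward.
    attacker = SymmetricRatchet(alice.chain_key)
    reachable = [attacker.next_message_key() for _ in range(3)]
    later = [alice.next_message_key() for _ in range(3)]
    return {
        "both_sides_agree": sent == received,
        "keys_unique": len(set(sent + later)) == 8,
        "past_keys_exposed": any(k in reachable for k in sent),
        "same_chain_future_exposed": reachable == later,
    }

if __name__ == "__main__":
    print(demo())
```

The last result is true: a copied chain key still yields later keys in the same chain, which is why break-in recovery depends on the Diffie-Hellman ratchet replacing the chain with fresh key material.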
Comparison
Not all encryption is equal
Many apps claim to be "encrypted" but only protect data in transit to their servers. True end-to-end encryption means the server never has access to plaintext.
Transport Encryption (TLS)
Encrypts data between your device and the server. The server can read your messages.
Server-Side Encryption
Messages are encrypted on the server at rest. The provider holds the keys and can decrypt.
End-to-End Encryption (Varta)
Messages are encrypted on your device before sending. Only the recipient can decrypt. The server sees only ciphertext.
Verify your encryption keys
Varta lets you verify the identity of the person you are messaging by comparing device fingerprints. Each device has a unique fingerprint derived from its public identity key — you can compare these in person or over a trusted channel to confirm there is no man-in-the-middle.
Your conversations deserve real encryption
Start messaging with military-grade, end-to-end encryption that is always on and requires zero configuration.