# Send Encryption Process

All Sends are **automatically end-to-end encrypted**, which means that WALLIX Enterprise Vault **encrypts** the data in the Send Link and the client-browser uses the encryption key to **decrypt** the data once received.

### Send Link Anatomy

The Send Link is comprised of 3 elements:**

https://&lt;WALLIX Vault URL&gt;/#/send/&lt;send\_id&gt;/&lt;encryption\_key&gt;

1. **Secure HTTP Protocol:** https//:
2. **Vault URL:** &lt;WALLIX Vault URL&gt;
3. **URL Fragment:** /#/send/&lt;send\_id&gt;/&lt;encryption\_key&gt; which contains the &lt;send\_id&gt; and the &lt;encryption\_key&gt;

### Send Encryption

Here is how it works:

- When a Send is created a **128-bit secret key** is **generated** for that Send.
- A **512-bit encryption key** is **derived** from the 128-bit secret key.
- The Send is **AES-256 encrypted** using the derived 512-bit encryption. **Data** (plain text or file) and the **Metadata** (Name, Filenme, Notes, etc.) are **included** in the encryption.
- The Encrypted Send is **uploaded** to **WALLIX Servers**. The **Send ID** (used to identify the Send for decryption) is **included** in upload. The **Encryption Key** is **not included** in the upload.

### Send Decryption

Here is how it works:

- When a Send Link is accessed, the Web Browser requests the **Send Access Page** from WALLIX Servers.
- The Send Access Page is **returned** from WALLIX Servers as a **Web Vault Client**.
- The **URL Fragment** (containing **Send ID** and **Encryption Key**) is **parsed locally** by the Web Vault Client.
- Using the parsed **Send ID**, the **Data** is **requested** from WALLIX Servers by the Web Vault Client.
- The **Encryption Key** is **never** included in **Network Requests**.
- The **Encrypted Send** is **returned** from WALLIX Servers to the Web Vault Client.
- Using the **Encryption Key**, the Encrypted Send is **Decrypted locally** by the Web Vault Client.

### Send Security

In order to **improve Send Security**, **two additional steps** can also be taken when transmitting a Send. These steps are **optional**.

#### 1. Use Password Authentication

- When creating a Send, **set** a **Password**.
- Provide the **Password** to the Recipient via a **separate channel**.
- When the Recipient clicks the Send Link, they are obliged to successfully enter this password before accessing the Send.
- The Encrypted Send is then accessed and decrypted.

<p class="callout info">The Password is not included in Send Encryption or Decryption. It is only used for Authentication before the Encrypted Send can be accessed and decrypted.</p>

#### 2. Provide Encryption Key Separately

- Provide the Send Link **without** the Encryption key.
- Provide the **Encryption Key** via a **separate channel**.
- The URL should be **reassembled** to **include** the **Encryption Key**, as per the [**Send Link Anatomy**](https://vault-doc.wallix.com/link/99#bkmrk-send-anatomy).

<p class="callout warning">The fully **Reassembled Send Link** is **Required** to **Access** the **Send**.</p>