---
title: "Note on E2EE"
---

Each project in Infisical can have **End-to-End Encryption (E2EE)** enabled or disabled.

By default, all projects have **E2EE** enabled, which means the server is not able to decrypt any values because all secret encryption/decryption operations occur on the client side; this can be (optionally) disabled. However, keeping E2EE enabled has limitations around functionality and ease of use:

- You cannot make HTTP calls to Infisical to read/write secrets in plaintext.
- You cannot leverage non-E2EE features like native integrations and in-platform automations like dynamic secrets and secret rotation.

Example read/write secrets without client-side encryption/decryption

Example read/write secrets with client-side encryption/decryption

## FAQ

We recommend starting with having **E2EE** enabled and disabling it if:

- You're self-hosting Infisical, so having your instance of Infisical be able to read your secrets isn't an issue.
- You want an easier way to read/write secrets with Infisical.
- You need more power out of non-E2EE features such as secret rotation, dynamic secrets, etc.

You can enable/disable E2EE for your project in Infisical in the Project Settings.

It is secure and in fact how most vendors in our industry are able to offer features like secret rotation. In this mode, secrets are encrypted at rest by a series of keys, secured ultimately by a top-level `ROOT_ENCRYPTION_KEY` located on the server.

If you're concerned about Infisical Cloud's ability to read your secrets, then you may wish to use it with **E2EE** enabled or self-host Infisical on your own infrastructure and disable E2EE there. As an organization, we do not read any customer secrets without explicit permission; access to the `ROOT_ENCRYPTION_KEY` is restricted to one individual in the organization.
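
To make the trust boundary concrete, the following added example (not Infisical's code) models who can decrypt a stored secret in each mode: with E2EE the server holds only ciphertext, while in non-E2EE mode whoever holds the root key can unwrap the key chain described in the FAQ. The AES-256-GCM choice, the two-level key hierarchy, the record layout and all function names are assumptions made for illustration.

```javascript
// Added illustration, not Infisical's implementation: cipher, layout and names are assumptions.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM helpers; blob layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// E2EE enabled: the project key exists only on the client; the server stores `secret`.
function e2eeWrite(clientProjectKey, value) {
  return { secret: seal(clientProjectKey, Buffer.from(value)) };
}

// E2EE disabled: the server generates a data key and wraps it under the root key.
function serverWrite(rootKey, value) {
  const dataKey = randomBytes(32);
  return { wrappedKey: seal(rootKey, dataKey), secret: seal(dataKey, Buffer.from(value)) };
}

// What a server holding `rootKey` can recover from a stored record.
function serverRead(rootKey, record) {
  try {
    if (!record.wrappedKey) return null; // E2EE record: no key material server-side
    const dataKey = open(rootKey, record.wrappedKey);
    return open(dataKey, record.secret).toString();
  } catch {
    return null; // wrong root key or tampered record: GCM tag check fails
  }
}

function demo() {
  const rootKey = randomBytes(32);   // stands in for ROOT_ENCRYPTION_KEY
  const clientKey = randomBytes(32); // never leaves the client
  const e2ee = e2eeWrite(clientKey, 'db-password');       // constructed sample value
  const nonE2ee = serverWrite(rootKey, 'db-password');
  return {
    serverSeesE2EE: serverRead(rootKey, e2ee),
    serverSeesNonE2EE: serverRead(rootKey, nonE2ee),
    clientSeesE2EE: open(clientKey, e2ee.secret).toString(),
    wrongRoot: serverRead(randomBytes(32), nonE2ee),
  };
}
console.log(demo());
```

The `wrongRoot` case shows why protecting and restricting access to the root key is the control that matters in non-E2EE mode: without it, the stored records are as opaque as the E2EE ones.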