What is End-to-End (E2EE) Encryption and how to use it (On-Premise)?


Currently, E2EE is available on On-Premise deployments only.

The primary objective of End-to-End Encryption (E2EE) is to enhance the data flow security, by combining envelope encryption with end-to-end encryption for all communications between the Agent and Server(s). If you want the most privacy for your data, you can consider E2EE.

When E2EE is enabled, the data will be encrypted at all points from its origin to its consumption or presentation. The data will only be viewable by those with decryption keys and passphrases. In other words, E2EE prevents unintended users, including privileged users, from reading or modifying data.

Key Benefits of Teramind E2EE

By integrating envelope encryption and end-to-end encryption alongside secure connectivity, Teramind E2EE provides multi-layered protection for your data:

  • Transport Layer Security (TLS 1.2 or higher): ensures a secure communication channel for data integrity, privacy, and authenticity.
  • Envelope Encryption: protects the encryption keys - by encrypting a key with another key, e.g., by encrypting the AES key with an RSA key.
  • End-to-End Encryption: safeguards the data itself with secure communications, key management, and encryption for offline data/encryption at rest.

This combined approach enhances the confidentiality, integrity, and control of sensitive information between the client and server components of your Teramind deployment.

How It Works

Here's a simplified diagram of the E2EE data flow:

e2ee overview diagram.png

How to Enable E2EE

You will need Agent Version 19.0 or above for E2EE to work.

We recommend you enable E2EE first on the server side. Because if you enable E2EE on the endpoint, the computer will go offline until keys are included in the server.

Once the keys are included, you can freely enable or disable E2EE from the endpoint (see Step 7 below). It will cause no disruption on the server.

Here are the steps:

  1. Generate a 2048-bit RSA Private Key file (.pem) by using a tool like openssl. For example:
    openssl genrsa -aes256 -out keypair.pem 2048
    Remember/store the passphrase in a secure place. You will need it to decrypt the data on the Teramind Dashboard.
  2. The private key ownership and permissions created with the above openssl command will give the Private Key file root:root UGO permissions 600. You will need to run the following commands to change it:
    # chown root:prod keypair.pem
    # chmod 440 keypair.pem
  3. Extract the Public Key file (.crt) from the Private Key file. For example:
    openssl rsa -in keypair.pem -pubout -out publickey.crt
  4. On your Teramind server, copy the Private Key file (e.g., keypair.pem) to /usr/local/teramind/conf/keypair.pem
  5. Copy the Public Key file (e.g., publickey.crt) to /usr/local/teramind/conf/publickey.crt
  6. Add the record to the encryption_kek table:
    insert into encryption_kek (active, priv_encrypted, pub_datafile, priv_datafile)
    values (true, true, '/usr/local/teramind/conf/publickey.crt', '/usr/local/teramind/conf/keypair.pem');
  7. Restart the server using the following command:
    sudo systemctl restart teramind
  8. You will now need to enable the encryption feature on the Agent/endpoint.
    If it's a new installation, you can use the TMENCRYPTION parameter with the installed. For example:
    msiexec /i teramind_agent_v0.1.260.3940_x64.msi TMENCRYPTION=1  
    If the Agent is already installed, you can enable the encryption feature from the Agent configuration file (config.cfg). And the following line to the file:
    Usually, the config.cfg file is located in one of the following locations:
    • Hidden Agent: C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}\<agent version>\{9168137C-D324-440D-85B4-1A554EAE6304}
    • Revealed Agent: C:\ProgramData\Teramind Agent\<agent version>\{551DD8F9-2009-4565-B57B-1390B7DA6AF0}
    Here, <agent version> is the Agent version, for example, 20.0.1084. Check out this article to learn how to find your Agent version. If the file doesn't exist, create one in a text editor.
  9. Create a new folder named certs in C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}\ and copy the publickey.crt you created in Step 3 to this folder and rename it to kek.pem. After you finish, it should look like this:
  10. Restart the Agent.
    To do so with a Revealed Agent, just quit the Agent and run it again.
    To restart a Silent/Hidden Agent, you can do the following.
    1. Run the this command on the Command Prompt as an administrator:
      sc stop tsvchst
    2. Check if the Agent stopped with this command:
      sc query tsvchost command
    3. If the Agent is stopped, use this command to restart it:
      sc start tsvchst
    You can also just restart the computer or use the Teramind Diagnostics tool (tmdiag) with the following command:
    tmdiag agent restart
  11. On your Teramind Dashboard, check to ensure that the Live View Mode on the Session Player shows "Encrypted".
  12. On the server, check to ensure that the encryption_dek table has some encrypted DEK data by using a command like this:
    SELECT * FROM public.encryption_dek order by creation_time desc
    You should see a result similar to the screenshot below:
Note that you will need to create unique keypairs for each Agent that requires E2EE. Follow Step 1-6 per Agent, as well as step 8 and 9, using unique filenames to avoid replacing an existing keypair.

Changes to the Dashboard

When E2EE is enabled, the Session Player, Monitoring > Screen Snapshots, BI Reports > Keystrokes, Monitoring > Keystrokes reports, and any widgets where screen recordings and keystrokes data are used (e.g., the Live Montage widget, Keystrokes Log widget, etc.) will show an "Encrypted", or "No preview is available" message, or simply hide the data.

On the reports, you will see a Decrypt button which will allow you to view the data.

Below are some examples of how it works.

E2EE works on an endpoint-basis. Only data from an encrypted computer will be masked on the Dashboard. Data from other, nonencrypted computers will show up as usual. If you have multiple users on a computer where E2EE is enabled, data from all users on that computer will be encrypted on the Dashboard. The same applies to a Terminal Server/VDI. Data of all users from the server will be encrypted.

Session Player

Here's how the Session Player will look with E2EE enabled:

Clicking the Decrypt button will ask you for the passphrase (see Step 1 in the How to Enable E2EE section):

After entering the correct passphrase, you will see the unencrypted video:

You might also need to enter the passphrase when exporting a video:

BI Reports > Keystrokes

Here's how the BI Reports > Keystrokes report will look with E2EE enabled:

Clicking the Decrypt button will ask you for the passphrase (see Step 1 in the How to Enable E2EE section):

After entering the correct passphrase, you will see the unencrypted keystrokes:

Dashboard > Live Montage Widget and Monitoring > Screen Snapshots Report

Here's how the Dashboard > Live Montage widget will look with E2EE enabled:

If you click on a video preview/thumbnail, it will launch the Session Player where you will be able to decrypt the video.

The Monitoring > Screen Snapshots will work similarly:

Features & Limitations

The current implementation of Teramind E2EE has the following features and limitations:


Ephemeral Cipher Key Customer can provide their own key pair generated for each execution, unique to each session.
Strong Encryption Strong envelop encryption using AES-256 + RSA-2048 (Public Key, Hybrid Encryption).
Certificate Pinning The Agent will force validation of server certificates for additional security, e.g., to prevent MITM attacks.
Secure Storage AES key material is generated on the client at service start-up and never written unencrypted to disk.
Low Resource Consumption Does not materially impact the performance of the endpoint or server.
No Dependency Teramind E2EE is not dependent on any external resources such as CDN libraries - making it suitable for air-gapped networks.
Just-in-Time Use The server holds the encryption passphrase & plaintext RSA keys in memory only when used to access encrypted content. Making it resilient against sniffing or other types of attacks.
Data Export Support Export options remain functional allowing unencrypted data to be exported from the server in the event this is required.


Envelop Encryption Currently, only Keystrokes and Screen Recordings are encrypted with envelop encryption. Other data stored at rest on the endpoint is encrypted using a server public key. We will bring other data types under envelope encryption in the future.
OCR OCR will not work if E2EE is enabled.
Key Management There is no automated or third-party key management feature available at the moment, but this can be added in the future.
Was this article helpful?
0 out of 0 found this helpful