How to enable End-2-End Encryption (E2EE)

KidLogger is the world’s first monitoring solution to offer End-to-End Encryption (E2EE). All data captured from a child’s devices is encrypted on the device itself and can only be decrypted by the account owner. Unlike SSL encryption, which protects data in transit, E2EE ensures that the data remains encrypted even after it reaches the KidLogger cloud servers. It stays encrypted in all database instances, execution environments, and processing algorithms within our cloud infrastructure.

When you log in to your KidLogger account, the data is delivered in its original encrypted form and decrypted on-the-fly directly in your web browser using JavaScript and the browser’s built-in cryptographic features. This guide explains how to install or update the KidLogger Agent and enable the E2EE feature.

We’re pleased to announce that End-to-End Encryption is now available in experimental mode for new user accounts. As with other time-tracking tools, KidLogger records how often and how long each application, document, or website is used, calculates the total time, and organizes the results into reports. What’s new is that with E2EE, this data is now fully encrypted—even from KidLogger’s own servers.
To try it, download the latest KidLogger Agent for Windows with E2EE support and follow the steps below.

Step 1: Enable Encryption in Your Profile

Go to your Profile page and click "Enable Encryption." Note that this setting applies only to new devices—it will not affect existing devices or data.

Then click "Backup Keys" to download a secure file containing your Master Encryption Key. This file is essential for offline access to your data and for account recovery if you forget your password.

Step 2: Install the New KidLogger Agent

Download the new KidLogger Agent.

To update: simply reinstall over your current version.
To perform a fresh install: install the new version and launch KidLogger to link it to your account. Learn how to link a device.

Initially, the newly added device will only upload anonymous activity data in unencrypted form. You’ll need to confirm encryption for the device in your account profile, as explained in the next step.

Step 3: Confirm Devices for Encrypted Data

After installing or updating the Agent, revisit your Dashboard. You’ll see a notification prompting you to confirm encryption for the new device. Follow the confirmation link.

On your Profile page, in the Encryption section, check the box for the new device and click "Confirm Encryption."

That’s it. Within an hour, the KidLogger Agent on the device will receive confirmation and begin collecting and encrypting activity data based on your settings.

Step 4: View Encrypted Dashboard and Reports

Even though your data is encrypted, your Dashboard and reports will look largely unchanged. This is made possible by real-time decryption performed in your web browser using the Web Crypto API, supported by most modern browsers like Chrome, Firefox, Opera, and Safari. Our custom JavaScript runs in your browser and automatically decrypts all encrypted content received from KidLogger servers.

How Does E2EE Affect Time Tracking?

Encrypted data maintains the same structure as unencrypted data. For example, KidLogger might originally record “winword.exe” or “gmail.com” to calculate time spent in an app.
With encryption enabled, these values are transformed into encrypted tokens like “w6Wd4SSxgK9EqmHuR4EAWw==” or “UssM8UxGazi4kDxn5JDO4g==”.
Each account uses a unique encryption key, and within an account identical input (e.g., an app or website name) will always generate the same encrypted token. This consistency allows KidLogger to track usage accurately while ensuring data privacy.
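
The token behaviour described above, as an added example that is not KidLogger's jsec.js: the server totals time per opaque token and the browser decrypts only the labels. It assumes AES-256-CBC with a fixed all-zero IV as the deterministic scheme (the page does not name one); the keys, events and function names are constructed for illustration.

```javascript
// Added example, not KidLogger's jsec.js. Assumption: AES-256-CBC with a fixed
// all-zero IV stands in for the deterministic scheme; keys and events are constructed.
async function getSubtle() {
  return (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;
}
const FIXED_IV = new Uint8Array(16); // a constant IV is what makes the output repeatable

async function importAccountKey(rawBytes) {
  return (await getSubtle()).importKey('raw', rawBytes, 'AES-CBC', false, ['encrypt', 'decrypt']);
}

async function tokenize(key, value) {
  const ct = await (await getSubtle()).encrypt({ name: 'AES-CBC', iv: FIXED_IV }, key,
    new TextEncoder().encode(value));
  return btoa(String.fromCharCode(...new Uint8Array(ct)));
}

async function detokenize(key, token) {
  const ct = Uint8Array.from(atob(token), (ch) => ch.charCodeAt(0));
  const pt = await (await getSubtle()).decrypt({ name: 'AES-CBC', iv: FIXED_IV }, key, ct);
  return new TextDecoder().decode(pt);
}

// Server-side view: sum durations per opaque token; no key is needed for this.
function totalsByToken(events) {
  const totals = new Map();
  for (const { token, seconds } of events) totals.set(token, (totals.get(token) ?? 0) + seconds);
  return totals;
}

// Browser-side view: decrypt only the labels of the already aggregated report.
async function decryptReport(key, totals) {
  const report = {};
  for (const [token, seconds] of totals) report[await detokenize(key, token)] = seconds;
  return report;
}

async function demo() {
  const keyA = await importAccountKey(new Uint8Array(32).fill(1)); // account A (constructed)
  const keyB = await importAccountKey(new Uint8Array(32).fill(2)); // account B (constructed)
  const events = [];
  for (const [name, seconds] of [['winword.exe', 600], ['gmail.com', 120], ['winword.exe', 300]]) {
    events.push({ token: await tokenize(keyA, name), seconds });
  }
  const totals = totalsByToken(events);
  return { distinctTokens: totals.size, tokenLength: events[0].token.length,
    report: await decryptReport(keyA, totals),
    sameAcrossAccounts: (await tokenize(keyB, 'winword.exe')) === events[0].token };
}
```

Because equal inputs produce equal tokens, the server can still tell which tokens recur and for how long, even though it cannot read the names behind them.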

Encrypted Email Reports

All email reports sent to your account will contain encrypted data. We’re working on a browser plugin that will enable decryption of KidLogger reports within any web-based email client like Gmail or Outlook.

Encrypted Backups

You can download a complete backup of data for any specific device or group. This includes detailed activity logs and screenshots. If encryption is enabled, the backup will be encrypted as well. To view it, you’ll need to use the SafeJKA browser plugin.

Technical Notes

The E2EE feature is open source and implemented in the jsec.js file, available on kidlogger.net. It uses the Web Crypto API and runs entirely within your browser’s memory. KidLogger servers only handle storage and key exchange—they do not perform any encryption themselves.

Summary of the KidLogger E2EE Implementation

  • Each user account and each installed Agent generates its own RSA key pair (2048-bit).
  • The account owner also generates a random 256-bit AES key called the Master Key.
  • The Master Key is encrypted with the account password using PBKDF and AES-256, then stored on the server as an encrypted blob.
  • The Master Key is also encrypted with RSA-SHA1 and sent to Agent devices via the KidLogger service.
  • Agents use the Master Key to encrypt all sensitive data: app names, window titles, URLs, keystrokes, clipboard content, chat text, document names, screenshots, photos, and audio recordings.
  • Non-sensitive metadata (e.g., timestamps, durations, action types) remains unencrypted to enable reporting.
  • Passwords are never sent to KidLogger servers in plain text.
  • Once E2EE is enabled, it cannot be disabled.
  • KidLogger does not store or access private keys, only public keys and encrypted data.
  • We are working to improve this further by storing encryption keys only in browser memory on trusted devices. A SafeJKA browser plugin is under development to enforce this model of secure authentication and key ownership.
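
The key hierarchy in the list above, sketched with the Web Crypto API as an added example (not KidLogger's jsec.js). It assumes PBKDF2-HMAC-SHA-256 with 600000 iterations for "PBKDF", AES-256-GCM for the password-encrypted blob, and RSA-OAEP with SHA-1 for "RSA-SHA1"; the function names and sample passwords are hypothetical.

```javascript
// Added example, not KidLogger's jsec.js. Assumptions: PBKDF2-HMAC-SHA-256 with
// 600000 iterations, AES-256-GCM for the blob, RSA-OAEP with SHA-1 for "RSA-SHA1".
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}
const MASTER_ALG = { name: 'AES-CBC', length: 256 }; // cipher mode of the Master Key is assumed
const raw = async (c, k) => new Uint8Array(await c.subtle.exportKey('raw', k)).join(',');

async function passwordKey(c, password, salt) {
  const base = await c.subtle.importKey('raw', new TextEncoder().encode(password),
    'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey({ name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    base, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Browser: build the encrypted blob the server stores; the password never leaves the client.
async function wrapWithPassword(masterKey, password) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const kek = await passwordKey(c, password, salt);
  const blob = await c.subtle.wrapKey('raw', masterKey, kek, { name: 'AES-GCM', iv });
  return { salt, iv, blob };
}

async function unwrapWithPassword({ salt, iv, blob }, password) {
  const c = await getCrypto();
  // extractable=true only so the demo can compare keys; prefer false in practice.
  return c.subtle.unwrapKey('raw', blob, await passwordKey(c, password, salt),
    { name: 'AES-GCM', iv }, MASTER_ALG, true, ['encrypt', 'decrypt']);
}

async function demo() {
  const c = await getCrypto();
  const master = await c.subtle.generateKey(MASTER_ALG, true, ['encrypt', 'decrypt']);
  const agent = await c.subtle.generateKey({ name: 'RSA-OAEP', modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-1' }, false, ['wrapKey', 'unwrapKey']);
  const stored = await wrapWithPassword(master, 'correct horse'); // constructed password
  // Master Key wrapped to the Agent's public key, relayed by the service, unwrapped on the device.
  const forAgent = await c.subtle.wrapKey('raw', master, agent.publicKey, { name: 'RSA-OAEP' });
  const onAgent = await c.subtle.unwrapKey('raw', forAgent, agent.privateKey,
    { name: 'RSA-OAEP' }, MASTER_ALG, true, ['encrypt', 'decrypt']);
  const recovered = await unwrapWithPassword(stored, 'correct horse');
  return {
    recovered: (await raw(c, recovered)) === (await raw(c, master)),
    agentMatches: (await raw(c, onAgent)) === (await raw(c, master)),
    wrongPasswordRejected: await unwrapWithPassword(stored, 'wrong').then(() => false, () => true),
    rsaBlobBytes: forAgent.byteLength };
}
```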