Data is encrypted on the sender's device and only decrypted on the receiver's
End-to-end encryption (E2EE) means data is encrypted on the device that created it and only decrypted on the device that is allowed to read it — with no intermediate server, relay, or service ever holding readable plaintext.
In a backup context, the “ends” are your Mac and, later, any Mac you restore to. Between those two points — while data is being chunked, deduplicated, uploaded, stored, replicated, and retrieved — it stays ciphertext. A provider that stops at “encrypted at rest” and “encrypted in transit” is encrypting on their servers and between hops, but their servers still see plaintext at some point; they hold the keys. E2EE moves the encryption boundary all the way out to the device, so the keys never leave the endpoints that need them.
The distinction matters for threats you don’t control: a breach of the provider, a rogue employee, a lawful-access demand that asks the provider to produce readable data. None of those reach your files when the provider literally cannot decrypt them.
In macup, every byte of a backup set — whether it lands in macup Cloud, an external SSD, or a BYOS bucket — is encrypted on your Mac before upload. Restore reverses it on the target Mac once you enter your passphrase or recovery code.