How To Enable Encryption For Chat

End-to-end encryption (e2ee) is available for the chat server. However, it only works in the desktop app and in the browser.

There is also excellent rocket.chat documentation available here!

Why Do We Need This?

This part is for those who do not know how e2ee works. You can skip it, but it is good to know the basics 🙂

Before encryption

We want to use this because, well, let us consider the situation without e2ee:

Normal situation, without e2ee

Let's say Alice (pictured as A) wants to send a message to Bob (pictured as B). They type out the message, in this case “Secret mission starts @ 20:00!”. The message is sent from Alice's phone over the internet to the rocket.chat server. So far so good. But when Bob comes online the chat server needs to know what messages to send to them! This is why the chat server maintains a database of all the messages. Then, when Bob comes online, the message is sent to their device, where Bob can read it.

Now let us consider the case of e2ee

Alice and Bob both activate e2ee. Now Alice sends an update:

More secure situation, with e2ee enabled

Alice writes their new message “Actually @ 19:00!”. BEFORE it is sent, this message is encrypted at her end for Bob specifically. The message turns into “fjioa29jkrafds-jq[fgh32”, which is unreadable. Again this is sent over the internet to the chat server. The chat server again stores a copy of this message (next to the old message) in its database. Then, when Bob comes online, it sends the new message to them. Bob receives the message at their end and decrypts it.

In this scenario, if the server is compromised (for example when the cops subpoena our hosting company, or it is hacked), they will have to throw massive resources at the problem of deciphering the message “fjioa29jkrafds-jq[fgh32”. This is good.

Note:

  • Every message is encrypted for each person separately
  • You can’t use the search function anymore
  • All devices you use have to have your key/password in order to use e2ee. Devices without the key/password cannot decrypt “fjioa29jkrafds-jq[fgh32” into the actual message (just as the server can't).

So let's get going

First time set up – e2ee password

When you log in you might have noticed a blue banner:

If you click this banner it will generate a password for you. This password is used to encrypt and decrypt messages. In other words, without this password you cannot use e2ee. So save it in your password manager!

If you forgot to save it the first time or have forgotten it, contact one of the admins through the #tech-public channel.

If you log out and log in, you need to enter your e2ee password again:

It asks for your e2ee password separately because your login password is known by the server (that is how it checks that you actually know your password and that you are who you say you are). The e2ee password should not be known by the server, so it asks for it separately.

If you do not enter your e2ee password (or enter the wrong one), you cannot decrypt messages.

Your messages are not yet encrypted!!

Turn on e2ee for channels/direct messages

You can turn on e2ee for different channels/groups or direct messages. To do so for a channel/direct message, click the three vertical dots at the top right and select e2ee. Below you can see my conversation with Mike:

Now that you clicked it you will see a green key left of the symbols on the top right. Anything you type now is encrypted. Clicking the key will turn off encryption again.

Now let's take a look at Mike's point of view. When they log on they can see the message that was sent unencrypted. But because they did not enter their e2ee password, they cannot see the second message that was sent encrypted.

Messages you send are only encrypted when both the key is shown AND no blue/red banner is shown telling you that you have to enter your e2ee password. In the example above the key is shown, but messages typed by Mike will not be encrypted.

So they enter their e2ee password and then they can read all the messages:

Now that it shows the key and no banner is shown all messages Mike sends now will be encrypted.

Note that the browser and the desktop app show an encrypted message they cannot decrypt as ******. The phone apps do not support e2ee at all; here you can see how encrypted messages look for the server:

Changing or resetting your e2ee password

To change your e2ee password or to reset it (if you've forgotten it), click on your avatar (top left corner), click on “My Account” and then select the Encryption tab.