services:matrix:encryption

Differences

This shows you the differences between two versions of the page.

services:matrix:encryption [2021/08/10 11:54] – Remove the (possibly outdated?) section on upgrading encryption behrmj87services:matrix:encryption [2021/08/10 14:39] – [The somewhat short story] behrmj87
Line 11: Line 11:
 ==== The somewhat short story ==== ==== The somewhat short story ====
  
-When using encryption in a room (or direct chat) all messages in that chat will be encrypted. Everyone of your clients (e.g. the webclient at meet.physik.fu-berlin.de or Element on your phone) will have a session with its own keys. This is mostly transparent to you as a user, but you must always hold either of the following to be true:+Some chats you encounter will be encrypted. Direct conversations are encrypted by default and encryption for rooms for multiple people can be switched on. When using encryption in a room (or direct chat) all messages in that chat will be encrypted. Each of your clients (e.g. the web client at meet.physik.fu-berlin.de or Element on your phone) will have a session with its own keys. This is mostly transparent to you as a user, but you must always hold either of the following to be true to keep access to your old encrypted messages:
  
     * Have one running session (in a browser on your computer, on your phone, wherever), so that new sessions can authenticate against the running session (cross-signing, described below), or     * Have one running session (in a browser on your computer, on your phone, wherever), so that new sessions can authenticate against the running session (cross-signing, described below), or
     * have access to your recovery passphrase (that you should create when you first log in) to recover your encryption keys when you log into a new session and have no other running sessions to authenticate against.     * have access to your recovery passphrase (that you should create when you first log in) to recover your encryption keys when you log into a new session and have no other running sessions to authenticate against.
  
-If either of this is the case, you will keep access to your old encrypted messages, so generate a recovery passphrase and save it in your password safe.+This means, that if you do have encrypted messages, e.g. in a direct chat, and you were only logged into one session, e.g. only in the web client, and you don't have a Security Phrase or Security Key set up, i.e. you log out and decline to set one up, when asked, you will lose access to those messages
 + 
 +This may sound difficultbut it's not. Read on for what you need to do.
  
 ==== Setting up encryption for the first time ==== ==== Setting up encryption for the first time ====
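Review bot: The paragraph that replaces "If either of this is the case ..." drops the only actionable instruction the old text had, "generate a recovery passphrase and save it in your password safe"; the new wording explains how messages get lost but no longer says to create the phrase or where to keep it, so that sentence should be kept after the new one. The new paragraph also says "Security Phrase or Security Key" while the unchanged bullet directly above still says "recovery passphrase"; use one term in both places so readers know these refer to the same secret. Minor: the new sentence ends without a full stop after "those messages", and "difficultbut" as shown here needs a comma and a space.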
Line 33: Line 35:
 ==== Verifying a session ==== ==== Verifying a session ====
  
-To access your encryption history and for other users to verify you it is necessary to verify a new session. To verify a session you can either confirm a new session from an existing session or enter your recovery passphrase.+To access your messages from encrypted chats, e.g. direct conversations, it is necessary to verify a new session. To verify a session you can either confirm a new session from an existing session, which is the easiest way, or enter your recovery passphrase.
  
 When logging in with a new device you will get prompted to verify it. When logging in with a new device you will get prompted to verify it.
  
-{{ :services:matrix:riot_e2e_verify_session_01.png?direct&800 |}}+{{ :services:matrix:verifylogin.png |}} 
 + 
 +The three options: 
 +- **Use another login**, which will authenticate against a running session, e.g. on a phone or another computer. 
 +- **Use Security Key or Phrase**, which works without another session, i.e. without another device, but you will need the Security Phrase or Key that you set up earlier. 
 +- **Skip**, which skips authentication, but you won't be able to read encrypted messages that were sent to you earlier. 
 + 
 +=== Verifying a Sessin using a Security Phrase === 
 + 
 +This is conceptually the easiest so, we'll discuss it first. Click **Use Security Key or Phrase** and in the screen that opens enter either your *Security Phrase* or your *Security Key*. 
 + 
 +{{ :services:matrix:securitypassphrase.png |}} 
 + 
 +If you enter either correctly, you will be greeted by this happy screen 
 + 
 +{{ :services:matrix:sessionverified.png |}} 
 + 
 +=== Verifying a Sessin using a Security Phrase === 
 + 
 +If you are logged into another session, e.g. on your phone, it's easiest to click **Use another login**. There are multiple ways how this is handled, which depends on where the other session is running, e.g. Element on phones will allow you to do this via scanning a QR code. All methods do require, though, that you have the device where the other session is running on *at hand* otherwise the whole process will block waiting for you to do something on the other device, which is hard to do, if it's far away.
  
-If you are logged into another session there will be a popup asking you to verify the new session:+One method that is always available is comparing emoji shown on both devices. First you will be asked on the device with an already authenticated session whether the new session is you and whether you want to authenticate it.
  
 {{ :services:matrix:riot_e2e_verify_session_02.png?direct&800 |}} {{ :services:matrix:riot_e2e_verify_session_02.png?direct&800 |}}
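Review bot: The second added subheading, "=== Verifying a Sessin using a Security Phrase ===" above the "Use another login" paragraph, is a copy of the first one and mislabels that section; it should name the other-session method (for example "Verifying a Session using another login"), and "Sessin" should read "Session" in both headings. The single-asterisk markers around *Security Phrase*, *Security Key* and *at hand* are not DokuWiki emphasis and will render as literal asterisks; use //...// for italics. The rewritten opening sentence also drops the old text's "for other users to verify you", so the page no longer says that verification is what lets other users verify you; consider keeping that clause and noting the consequence under **Skip**.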
Line 47: Line 68:
 {{ :services:matrix:riot_e2e_verify_session_03.png |}} {{ :services:matrix:riot_e2e_verify_session_03.png |}}
  
-Select to continue and you will be asked for a verification method. Currently the only option is to compare a sting of emojis.+Select to continue and you will be asked for a verification method. 
  
 {{ :services:matrix:riot_e2e_verify_session_04.png |}} {{ :services:matrix:riot_e2e_verify_session_04.png |}}
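Review bot: After removing "Currently the only option is to compare a sting of emojis.", the remaining sentence "you will be asked for a verification method" no longer tells the reader which method to pick, while the screenshots that follow only walk through the emoji comparison. Suggest naming the option here, for example "choose the emoji comparison", so the text and the next screenshots stay in step.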
Line 57: Line 78:
 {{ :services:matrix:riot_e2e_verify_session_06.png |}} {{ :services:matrix:riot_e2e_verify_session_06.png |}}
  
-Confirm the emojis match on both devices to complete verifying the session.+Confirm the emojis match on both devices to complete verifying the session and you get the happy result of a verified session.
  
-Alternatively you can select to verify a session by using your recovery passphrase:+{{ :services:matrix:sessionverified.png |}}
  
-{{ :services:matrix:riot_e2e_verify_session_09.png?direct&800 |}} 
  
 ==== Deleting a session ==== ==== Deleting a session ====
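Review bot: The changed line "Confirm the emojis match on both devices ..." covers only the success case; it should tell the reader to compare the emoji on both devices first and not to confirm if they differ, since confirming is the step that marks the new session as trusted. Suggest adding one sentence for the mismatch case before the "happy result" screenshot.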
services/matrix/encryption.txt · Last modified: 2021/11/29 16:24 by behrmj87
