User Tools

Site Tools


services:matrix:encryption

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
services:matrix:encryption [2020/12/03 12:13]
hamiltoc97
services:matrix:encryption [2021/11/29 17:24] (current)
behrmj87 typo fix Sessin -> Session
Line 1: Line 1:
-This is a section of the manual on how to use the Matrix client Element. This section describes how to use Element's end-to-end-encryption.+This is a section of the manual on how to use Element's end-to-end-encryption. To see the rest of the manual, find the page [[https://wiki.physik.fu-berlin.de/it/services:matrix:start|here]]
  
 ===== End-to-End-encryption for Matrix on Element===== ===== End-to-End-encryption for Matrix on Element=====
- 
-<note important>End-to-End-encryption is currently enabled by default for direct chats. This has technical reasons.</note> 
  
 End-to-end encryption means that only the parties participating in a conversation are able to decrypt and read the messages that were send. Our server is not able to decrypt the messages that were sent, preventing third parties to read the messages. End-to-end encryption means that only the parties participating in a conversation are able to decrypt and read the messages that were send. Our server is not able to decrypt the messages that were sent, preventing third parties to read the messages.
Line 10: Line 8:
  
 <note warning>When logging into a new device (a different browser, a new phone, your fridge), you will only get access to your already encrypted messages //after// verifying the new session. This is explained below (and most easily done if you use Element on your phone).</note> <note warning>When logging into a new device (a different browser, a new phone, your fridge), you will only get access to your already encrypted messages //after// verifying the new session. This is explained below (and most easily done if you use Element on your phone).</note>
-==== Upgrading encryption ==== 
  
-This step is necessary if you have used encryption in the past on your matrix.physik.fu-berlin.de accountIf you have not used encryption previously, you can jump to the section [[services:matrix:start#setting_up_encryption_for_the_first_time | Setting up encryption for the first time ]]+==== The somewhat short story ==== 
 + 
 +Some chats you encounter will be encrypted. Direct conversations are encrypted by default and encryption for rooms for multiple people can be switched on. When using encryption in a room (or direct chat) all messages in that chat will be encrypted. Each of your clients (e.g. the web client at meet.physik.fu-berlin.de or Element on your phone) will have a session with its own keysThis is mostly transparent to you as a userbut you must always hold either of the following to be true to keep access to your old encrypted messages: 
 + 
 +    * Have one running session (in a browser on your computer, on your phone, wherever), so that new sessions can authenticate against the running session (cross-signing, described below), or 
 +    * have access to your recovery passphrase (that you should create when you first log in) to recover your encryption keys when you log into a new session and have no other running sessions to authenticate against.
  
-If you have used encryption before you will notice a small popup on the left side of the screenasking you to upgradeClick on the "upgrade" button to start the upgrade{{ :services:matrix:riot_e2e_upgrade_01.png?direct&800 |}} Next you will have to enter your ZEDAT-password… {{./riot-e2e-doku-pictures/riot_e2e_upgrade_02.png |}} and enter your recovery passphrase you set when you set up key backups for encryptionIf you can not remember your passphrase you can use the recovery key if you have still saved it somewhereAlternatively you can set up a new key recovery. Your previous encrypted messages will still be available if you are able to read them on the device you are using to perform the upgrade. {{./riot-e2e-doku-pictures/riot_e2e_upgrade_03.png |}}+This means, that if you do have encrypted messagese.gin a direct chat, and you were only logged into one session, e.gonly in the web client, and you don't have a Security Phrase or Security Key set up, i.e. you log out and decline to set one up, when asked, you will lose access to those messages.
  
-This concludes the upgradeYou can now on read how to verify users in //*Verify a user//, or use encrypted chats without verification.+This may sound difficult, but it's notRead on for what you need to do.
  
 ==== Setting up encryption for the first time ==== ==== Setting up encryption for the first time ====
  
-When you log in to Element, it will ask you to set up encryption recoveryThis step will make sure that you can share encrypted messages across all your devices and different sessions. If you do not wish to use encryption you can skip this stepHowever as encryption will be used by default we highly recommend setting up encryption.+When you haven't set up a //Security Phrase// or //Recovery Key// and are about to log out of your only session Element will ask you to set one up. You can also do this manuallyOpen the //Security & privacy// menu in the //Settings//.
  
-To setup encryption recovery you have to choose a secure passphrase.+Below the list of active sessions, you will find section //Secure Backup//, that will look like this, if you haven't set it up yet
  
-{{ :services:matrix:riot_e2e_setup_01.png |}}+{{ :services:matrix:prefskeybackup.png |}}
  
-**Optional** By default the server backs up your encryption keys, so you can recover your encrypted messages if you loose access to all sessions that had access to them. You can choose for the keys not to be saved on the server. They can still be transmitted from one active session of yours to another.+Click on **Set up** to start. You will be shown this menu
  
-Additionally you can download a recovery key, which you can use if you forget or loose the passphrase.+{{ :services:matrix:setupsecurebackup.png |}}
  
-{{ :services:matrix:riot_e2e_setup_03.png |}}+By default the upper point (//Generate a Security Key//) is selected, but it's better to choose //Enter a Security Phrase//What's the difference?
  
-==== Verification ====+  * A //Security Key// is a long random key, that you probably won't be able to memorise. It's purpose is to be stored somewhere safe, e.g. in a password manager like KeePassXC. 
 +  * A //Security Phrase// is that: a phrase, something that you will (hopefully) be able to remember, because you choose it, e.g. by a [[https://xkcd.com/936|method like this]].
  
-**This step is optional** **If you choose to not verify user there will be a black shield displayed next to their user icon** {{ :services:matrix:riot_e2e_verification_icon_1.png |}}+Also, when you generate Security Phrase, you will be offered to generate a Security Key as wellSo why not get both for the price of one?
  
-For end-to-end encryption to be really secure users have to verify they are talking to each other. To do this each user is verifying each their devices, and additionally verifies every user once. Every device another verified user verified themselves will be considered verified.+Once you click **Continue** you can enter your passphrase
  
-A user you did not verify will be displayed with a black shield next to their user icon: {{ :services:matrix:riot_e2e_verification_icon_1.png |}}+{{ :services:matrix:setupsecurebackup.png |}}
  
-A user you verified, but who did not verify all of their devices will be displayed with a red shield next to their user icon: {{ :services:matrix:riot_e2e_verification_icon_3.png |}}+which you then need to confirm
  
-A user you verified and who verified all of their devices will be displayed with a red shield next to their user icon: {{ :services:matrix:riot_e2e_verification_icon_2.png |}}+{{ :services:matrix:setupsecurebackup2.png |}}
  
-Example: Alice and Bob start a conversation in their logged in sessions. For the encryption to be secure they have to verify they are actually talking to each other. In Element this is done by comparing a list of emojis that are shown to both users. Alice requests a verification with Bob and they verify they get shown the same string of emojis. When Bob starts using a new session (e.g. using a different Browser/Device) he can use the session that was verified with Alice's session to also verify his new session. Alice's session automatically sees that Bob verified the new session and accepts it into the encrypted conversation.+Afterwards you will be offered to also get your Security Key
  
-==== Verify a user ====+{{ :services:matrix:saveyoursecuritykey.png |}}
  
-For this step to make sense you have to be able to communicate with the other user in a way that makes sure you are actually talking to ****them****. For this we recommend video/audio-chat, or just sitting next to each other.+And to finish the setup, you need to confirm everything with your //ZEDAT password//
  
-To verify a user you open a chat you share with the user and click their name in the user side bar.+{{ :services:matrix:settingupkeysconfirmation.png |}}
  
-{{ :services:matrix:riot_e2e_verify_user_01.png?direct&800 |}}+After you're done with you can have a look at the settings again, where it will look like this if you were successful.
  
-Click on the verify link in the sidebar…+{{ :services:matrix:prefskeybackupafter.png |}}
  
-{{ :services:matrix:riot_e2e_verify_user_02.png?direct&800 |}}+This is also where you can start over - via the **Reset** button - if you forget your Security Phrase and/or lose your Security Key, but still have access to your session, because you never log out. 
 +==== Verifying a session ====
  
-and click on the "Start Verification" button.+To access your messages from encrypted chats, e.g. direct conversations, it is necessary to verify a new session. To verify a session you can either confirm a new session from an existing session, which is the easiest way, or enter your recovery passphrase.
  
-{{ :services:matrix:riot_e2e_verify_user_03.png?direct&800 |}}+When logging in with a new device you will get prompted to verify it.
  
-The user you want to verify will see the request as a popup on the left and in the chat.+{{ :services:matrix:verifylogin.png |}}
  
-{{ :services:matrix:riot_e2e_verify_user_04.png |}} {{./riot-e2e-doku-pictures/riot_e2e_verify_user_05.png |}}+The three options: 
 +- **Use another login**, which will authenticate against a running session, e.gon a phone or another computer. 
 +**Use Security Key or Phrase**, which works without another session, i.e. without another device, but you will need the Security Phrase or Key that you set up earlier. 
 +**Skip**, which skips authentication, but you won't be able to read encrypted messages that were sent to you earlier.
  
-You will then be presented with the verification options. Currently the only option is comparing string of emojis. When both users have agreed on verification method the verification process begins.+=== Verifying Session using Security Phrase ===
  
-If the user you are verifying with is shown the same string of emojis as you areyou can both click on "They match" to complete the verification.+This is conceptually the easiest sowe'll discuss it first. Click **Use Security Key or Phrase** and in the screen that opens enter either your //Security Phrase// or your //Security Key//.
  
-{{ :services:matrix:riot_e2e_verify_user_08.png |}}+{{ :services:matrix:securitypassphrase.png |}}
  
-==== Verify a session ====+If you enter either correctly, you will be greeted by this happy screen
  
-To access your encryption history and for other users to verify you it is necessary to verify a new session. To verify a session you can either confirm a new session from an existing session or enter your recovery passphrase.+{{ :services:matrix:sessionverified.png |}}
  
-When logging in with new device you will get prompted to verify it.+=== Verifying Session using a Security Phrase ===
  
-{{ :services:matrix:riot_e2e_verify_session_01.png?direct&800 |}}+If you are logged into another session, e.g. on your phone, it's easiest to click **Use another login**. There are multiple ways how this is handled, which depends on where the other session is running, e.g. Element on phones will allow you to do this via scanning a QR code. All methods do require, though, that you have the device where the other session is running on //at hand// otherwise the whole process will block waiting for you to do something on the other device, which is hard to do, if it's far away.
  
-If you are logged into another session there will be a popup asking you to verify the new session:+One method that is always available is comparing emoji shown on both devices. First you will be asked on the device with an already authenticated session whether the new session is you and whether you want to authenticate it.
  
 {{ :services:matrix:riot_e2e_verify_session_02.png?direct&800 |}} {{ :services:matrix:riot_e2e_verify_session_02.png?direct&800 |}}
Line 88: Line 95:
 {{ :services:matrix:riot_e2e_verify_session_03.png |}} {{ :services:matrix:riot_e2e_verify_session_03.png |}}
  
-Select to continue and you will be asked for a verification method. Currently the only option is to compare a sting of emojis.+Select to continue and you will be asked for a verification method. 
  
 {{ :services:matrix:riot_e2e_verify_session_04.png |}} {{ :services:matrix:riot_e2e_verify_session_04.png |}}
Line 98: Line 105:
 {{ :services:matrix:riot_e2e_verify_session_06.png |}} {{ :services:matrix:riot_e2e_verify_session_06.png |}}
  
-Confirm the emojis match on both devices to complete verifying the session.+Confirm the emojis match on both devices to complete verifying the session and you get the happy result of a verified session.
  
-Alternatively you can select to verify a session by using your recovery passphrase:+{{ :services:matrix:sessionverified.png |}}
  
-{{ :services:matrix:riot_e2e_verify_session_09.png?direct&800 |}} 
  
 ==== Deleting a session ==== ==== Deleting a session ====
Line 132: Line 138:
 {{ :services:matrix:riot_e2e_delete_session_04.png?direct&800 |}} {{ :services:matrix:riot_e2e_delete_session_04.png?direct&800 |}}
  
-===== Usage tips ===== 
  
-  You can search for other users by their display name or ZEDAT username, the display name is the person'name by default, but users may change it. +==== Verifying a user ==== 
-  You can highlight messages for certain users by mentioning them. You do this by typing ''@'' followed by their nameuse tab to autocomplete+ 
-  * The little symbols to the right of messages are read markers+**This step is optional** **If you choose to not verify a user there will be a black shield displayed next to their user icon** {{ :services:matrix:riot_e2e_verification_icon_1.png |}} 
-  * Messages can be formatted in Markdown (tables are unfortunately not supported in the current Markdown flavour)+ 
-  * You can share images and files+For end-to-end encryption to be really secure users have to verify they are talking to each other. To do this each user is verifying each their devicesand additionally verifies every user once. Every device another verified user verified themselves will be considered verified. 
-  * Emojis can be typed by starting with a colon '':'' followed by the name, choices will pop up+ 
-  * Messages can be edited after sending themUse the context menu when hovering over message+A user you did not verify will be displayed with a black shield next to their user icon: {{ :services:matrix:riot_e2e_verification_icon_1.png |}} 
-  * You can reply to messages, quoting them thereby. Use the context menu when hovering over a message+ 
-  * You can react to messagesUse the smilie context menu when hovering over a message+A user you verified, but who did not verify all of their devices will be displayed with a red shield next to their user icon: {{ :services:matrix:riot_e2e_verification_icon_3.png |}} 
-  You can add a [[services:jitsi:start|Jitsi]] widget using our Jitsi server to bind a fixed Jitsi room to your Matrix room via the Widget integration menu (the 2x2 squares on the upper right)Be advisedthe other integrations besides Jitsi use external resources.+ 
 +A user you verified and who verified all of their devices will be displayed with a red shield next to their user icon: {{ :services:matrix:riot_e2e_verification_icon_2.png |}} 
 + 
 +Example: Alice and Bob start a conversation in their logged in sessions. For the encryption to be secure they have to verify they are actually talking to each other. In Element this is done by comparing a list of emojis that are shown to both users. Alice requests a verification with Bob and they verify they get shown the same string of emojis. When Bob starts using a new session (e.g. using a different Browser/Device) he can use the session that was verified with Alice'session to also verify his new session. Alice's session automatically sees that Bob verified the new session and accepts it into the encrypted conversation
 + 
 +For this step to make sense you have to be able to communicate with the other user in a way that makes sure you are actually talking to ****them****For this we recommend video/audio-chator just sitting next to each other
 + 
 +To verify a user you open a chat you share with the user and click their name in the user side bar
 + 
 +{{ :services:matrix:riot_e2e_verify_user_01.png?direct&800 |}} 
 + 
 +Click on the verify link in the sidebar… 
 + 
 +{{ :services:matrix:riot_e2e_verify_user_02.png?direct&800 |}} 
 + 
 +and click on the "Start Verification" button
 + 
 +{{ :services:matrix:riot_e2e_verify_user_03.png?direct&800 |}} 
 + 
 +The user you want to verify will see the request as a popup on the left and in the chat
 + 
 +{{ :services:matrix:riot_e2e_verify_user_04.png |}} {{./riot-e2e-doku-pictures/riot_e2e_verify_user_05.png |}} 
 + 
 +You will then be presented with the verification optionsCurrently the only option is comparing string of emojis. When both users have agreed on a verification method the verification process begins
 + 
 +If the user you are verifying with is shown the same string of emojis as you are, you can both click on "They match" to complete the verification. 
 + 
 +{{ :services:matrix:riot_e2e_verify_user_08.png |}} 
 + 
 +==== I've lost all my keys! What now? ==== 
 + 
 +Sometimes it happens. Your computer and phone die at the same time and those were the only clients you were logged in at and you didn't save your passwordmanager database (hopefully you are using one) where you store your recovery keys or recovery passphrase to any other device. What now?  
 + 
 +Well, all your encrypted messages, i.e. messages in rooms or private discussions were encryption was enabled, are gone and you won't get them back, but you can make yourself new recovery keys for the future (and hopefully you will safe them redundantly)To this, just click **Use Security Key or Phrase** 
 + 
 +{{ :services:matrix:verifylogin.png |}} 
 + 
 +on the verification dialog after login and instead of entering your security phrase or key, which you've lost, click the **Reset all** link on the bottom, next to //Forgotten or lost all recovery methods?// 
 + 
 +You will then be asked to confirm 
 + 
 +{{ :services:matrix:reseteverything.png |}} 
 + 
 +And clicking **Reset** will sign out of all your old sessions and delete all keys, followed by guiding you through the procedure to generate new ones described above
 + 
 +==== I'm asked to authenticate every time I open my browser. What am I doing wrong? ==== 
 + 
 +You will need to reauthenticate (that means: type in your recovery passphrase or use another session to authenticate your new one) whenever you log out of [[https://meet.physik.fu-berlin.de]] or your browser loses its cached data and cookies. That means, if you are especially privacy conscious and configure your browser to delete cookies and caches on exit, your running session will die as well. 
 + 
 +[[https://meet.physik.fu-berlin.de]] only sets first party cookies and uses the local browser cache for some of its data. Whereas third party cookies are definitely are a privacy problem (and Firefox' Enhanced Tracking Protection can really help you with that out of the box even without [[https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/|uBlock Origin]]which is something everybody should use), can deleting first party cookies be a tad overzealous, since the server you are contacting sees everything you do with it anyway. Deleting the cookie and cached data interferes with how the client at [[https://meet.physik.fu-berlin.de]] operates. You can resolve this problem by granting an exception to deleting this data in your browser's preferences.
  
 +On Firefox you can do this on the //Privacy & Security// page of the settings in the section //Cookies and Site Data//. If you have checked //Delete cookies and site data when Firefox is closed//, this is the reason for needing to reauthenticate after every time you close Firefox. Click the //Manage Exceptions// button (//Manage Permissions// on older versions) and enter both [[https://meet.physik.fu-berlin.de]] and [[https://meet.physik.fu-berlin.de|http://meet.physik.fu-berlin.de]] and save your choice.
services/matrix/encryption.1606994032.txt.gz · Last modified: 2020/12/03 12:13 by hamiltoc97