User Tools

Site Tools


services:matrix:encryption

This is an old revision of the document!


This is a section of the manual on how to use Element's end-to-end-encryption. To see the rest of the manual, find the page here

End-to-End-encryption for Matrix on Element

End-to-End-encryption is currently enabled by default for direct chats. This has technical reasons.

End-to-end encryption means that only the parties participating in a conversation are able to decrypt and read the messages that were send. Our server is not able to decrypt the messages that were sent, preventing third parties to read the messages.

If you enable end-to-end encryption for a room it cannot be disabled anymore later. If you lose your keys, you will lose access to your encrypted messages. Please make a backup of your keys / generate a recovery key.
When logging into a new device (a different browser, a new phone, your fridge), you will only get access to your already encrypted messages after verifying the new session. This is explained below (and most easily done if you use Element on your phone).

Upgrading encryption

This step is necessary if you have used encryption in the past on your matrix.physik.fu-berlin.de account. If you have not used encryption previously, you can jump to the section Setting up encryption for the first time

If you have used encryption before you will notice a small popup on the left side of the screen, asking you to upgrade. Click on the "upgrade" button to start the upgrade. Next you will have to enter your ZEDAT-password… and enter your recovery passphrase you set when you set up key backups for encryption. If you can not remember your passphrase you can use the recovery key if you have still saved it somewhere. Alternatively you can set up a new key recovery. Your previous encrypted messages will still be available if you are able to read them on the device you are using to perform the upgrade.

This concludes the upgrade. You can now on read how to verify users in *Verify a user, or use encrypted chats without verification.

Setting up encryption for the first time

When you log in to Element, it will ask you to set up encryption recovery. This step will make sure that you can share encrypted messages across all your devices and different sessions. If you do not wish to use encryption you can skip this step. However as encryption will be used by default we highly recommend setting up encryption.

To setup encryption recovery you have to choose a secure passphrase.

Optional By default the server backs up your encryption keys, so you can recover your encrypted messages if you loose access to all sessions that had access to them. You can choose for the keys not to be saved on the server. They can still be transmitted from one active session of yours to another.

Additionally you can download a recovery key, which you can use if you forget or loose the passphrase.

Verification

This step is optional If you choose to not verify a user there will be a black shield displayed next to their user icon

For end-to-end encryption to be really secure users have to verify they are talking to each other. To do this each user is verifying each their devices, and additionally verifies every user once. Every device another verified user verified themselves will be considered verified.

A user you did not verify will be displayed with a black shield next to their user icon:

A user you verified, but who did not verify all of their devices will be displayed with a red shield next to their user icon:

A user you verified and who verified all of their devices will be displayed with a red shield next to their user icon:

Example: Alice and Bob start a conversation in their logged in sessions. For the encryption to be secure they have to verify they are actually talking to each other. In Element this is done by comparing a list of emojis that are shown to both users. Alice requests a verification with Bob and they verify they get shown the same string of emojis. When Bob starts using a new session (e.g. using a different Browser/Device) he can use the session that was verified with Alice's session to also verify his new session. Alice's session automatically sees that Bob verified the new session and accepts it into the encrypted conversation.

Verify a user

For this step to make sense you have to be able to communicate with the other user in a way that makes sure you are actually talking to them. For this we recommend video/audio-chat, or just sitting next to each other.

To verify a user you open a chat you share with the user and click their name in the user side bar.

Click on the verify link in the sidebar…

and click on the "Start Verification" button.

The user you want to verify will see the request as a popup on the left and in the chat.

You will then be presented with the verification options. Currently the only option is comparing a string of emojis. When both users have agreed on a verification method the verification process begins.

If the user you are verifying with is shown the same string of emojis as you are, you can both click on "They match" to complete the verification.

Verify a session

To access your encryption history and for other users to verify you it is necessary to verify a new session. To verify a session you can either confirm a new session from an existing session or enter your recovery passphrase.

When logging in with a new device you will get prompted to verify it.

If you are logged into another session there will be a popup asking you to verify the new session:

Click on the green "Verify" button in the popup and an explaining popup will appear.

Select to continue and you will be asked for a verification method. Currently the only option is to compare a sting of emojis.

Compare the emojis in the two sessions.

Confirm the emojis match on both devices to complete verifying the session.

Alternatively you can select to verify a session by using your recovery passphrase:

Deleting a session

If you have old unverified sessions that you don't have access to anymore, it is best to delete them so that other users don't see you as unverified.

To find out if you have unverified sessions left, enter a chat in which you participate and find your name in the user sidebar on the left. If you have unverified sessions, there will be a red shield icon on your user icon.

If you have unverified sessions, click on your name in the sidebar. This will show you a list of your sessions and which of them are unverified.

Click on each of the unverified sessions which you can not access anymore and note down their session-ID. (In the picture below it is VBPCSWTETS)

To delete the session you noted down, click on your Name in the top left corner and select the settings.

In the settings menu select the section "Security & Privacy"

In the "Security & Privacy" setting select all the session you want to delete and click on "Delete sessions"

Usage tips

  • You can search for other users by their display name or ZEDAT username, the display name is the person's name by default, but users may change it.
  • You can highlight messages for certain users by mentioning them. You do this by typing @ followed by their name, use tab to autocomplete.
  • The little symbols to the right of messages are read markers.
  • Messages can be formatted in Markdown (tables are unfortunately not supported in the current Markdown flavour).
  • You can share images and files.
  • Emojis can be typed by starting with a colon : followed by the name, choices will pop up.
  • Messages can be edited after sending them. Use the context menu when hovering over a message.
  • You can reply to messages, quoting them thereby. Use the context menu when hovering over a message.
  • You can react to messages. Use the smilie context menu when hovering over a message.
  • You can add a Jitsi widget using our Jitsi server to bind a fixed Jitsi room to your Matrix room via the Widget integration menu (the 2x2 squares on the upper right). Be advised, the other integrations besides Jitsi use external resources.
services/matrix/encryption.1607097058.txt.gz · Last modified: 2020/12/04 15:50 by behrmj87

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki