services:matrix:encryption [2020/12/04 15:58] – Reorder sections behrmj87 | services:matrix:encryption [2021/11/29 16:24] (current) – typo fix Sessin -> Session behrmj87 | ||
Line 2: | Line 2: | ||
===== End-to-End-encryption for Matrix on Element===== | ===== End-to-End-encryption for Matrix on Element===== | ||
- | |||
- | <note important> | ||
End-to-end encryption means that only the parties participating in a conversation are able to decrypt and read the messages that were send. Our server is not able to decrypt the messages that were sent, preventing third parties to read the messages. | End-to-end encryption means that only the parties participating in a conversation are able to decrypt and read the messages that were send. Our server is not able to decrypt the messages that were sent, preventing third parties to read the messages. | ||
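Review bot: the paragraph kept on both sides still reads "messages that were send" (should be "sent") and "preventing third parties to read the messages" (should be "preventing third parties from reading the messages"); since this revision touches the surrounding lines anyway, fix both here. Also, the removed "<note important>" opener needs its matching "</note>" removed as well, and that closing tag is not in this hunk's context, so check that an orphaned "</note>" did not survive in the new revision.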
Line 10: | Line 8: | ||
<note warning> | <note warning> | ||
- | ==== Upgrading encryption ==== | ||
- | This step is necessary if you have used encryption | + | ==== The somewhat short story ==== |
+ | |||
+ | Some chats you encounter will be encrypted. Direct conversations are encrypted by default and encryption | ||
+ | |||
+ | * Have one running session (in a browser on your computer, on your phone, wherever), so that new sessions can authenticate against | ||
+ | * have access to your recovery passphrase (that you should create when you first log in) to recover your encryption keys when you log into a new session and have no other running sessions to authenticate against. | ||
- | If you have used encryption before you will notice a small popup on the left side of the screen, asking you to upgrade. Click on the " | + | This means, that if you do have encrypted messages, e.g. in a direct |
- | This concludes the upgrade. You can now on read how to verify users in //*Verify a user//, or use encrypted chats without verification. | + | This may sound difficult, but it's not. Read on for what you need to do. |
==== Setting up encryption for the first time ==== | ==== Setting up encryption for the first time ==== | ||
- | When you log in to Element, it will ask you to set up encryption recovery. This step will make sure that you can share encrypted messages across all your devices and different sessions. If you do not wish to use encryption you can skip this step. However as encryption will be used by default we highly recommend setting up encryption. | + | When you haven' |
- | To setup encryption recovery | + | Below the list of active sessions, |
- | {{ : | + | {{ : |
- | **Optional** By default the server backs up your encryption keys, so you can recover your encrypted messages if you loose access | + | Click on **Set up** to start. You will be shown this menu |
- | Additionally you can download a recovery key, which you can use if you forget or loose the passphrase. | + | {{ : |
- | {{ : | + | By default the upper point (//Generate a Security Key//) is selected, but it's better to choose //Enter a Security Phrase//. What's the difference? |
+ | |||
+ | * A //Security Key// is a long random key, that you probably won't be able to memorise. It's purpose is to be stored somewhere safe, e.g. in a password manager like KeePassXC. | ||
+ | * A //Security Phrase// is that: a phrase, something that you will (hopefully) be able to remember, because you choose it, e.g. by a [[https:// | ||
+ | |||
+ | Also, when you generate a Security Phrase, you will be offered to generate a Security Key as well. So why not get both for the price of one? | ||
+ | |||
+ | Once you click **Continue** you can enter your passphrase | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | which you then need to confirm | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Afterwards you will be offered to also get your Security Key | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | And to finish the setup, you need to confirm everything with your //ZEDAT password// | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After you're done with you can have a look at the settings again, where it will look like this if you were successful. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | This is also where you can start over - via the **Reset** button - if you forget your Security Phrase and/or lose your Security Key, but still have access to your session, because you never log out. | ||
==== Verifying a session ==== | ==== Verifying a session ==== | ||
- | To access your encryption history and for other users to verify you it is necessary to verify a new session. To verify a session you can either confirm a new session from an existing session or enter your recovery passphrase. | + | To access your messages from encrypted chats, e.g. direct conversations, |
When logging in with a new device you will get prompted to verify it. | When logging in with a new device you will get prompted to verify it. | ||
- | {{ : | + | {{ : |
+ | |||
+ | The three options: | ||
+ | - **Use another login**, which will authenticate against a running session, e.g. on a phone or another computer. | ||
+ | - **Use Security Key or Phrase**, which works without another session, i.e. without another device, but you will need the Security Phrase or Key that you set up earlier. | ||
+ | - **Skip**, which skips authentication, | ||
+ | |||
+ | === Verifying a Session using a Security Phrase === | ||
+ | |||
+ | This is conceptually the easiest so, we'll discuss it first. Click **Use Security Key or Phrase** and in the screen that opens enter either your //Security Phrase// or your //Security Key//. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | If you enter either correctly, you will be greeted by this happy screen | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | === Verifying a Session using a Security Phrase === | ||
+ | |||
+ | If you are logged into another session, e.g. on your phone, it's easiest to click **Use another login**. There are multiple ways how this is handled, which depends on where the other session is running, e.g. Element on phones will allow you to do this via scanning a QR code. All methods do require, though, that you have the device where the other session is running on //at hand// otherwise the whole process will block waiting for you to do something on the other device, which is hard to do, if it's far away. | ||
- | If you are logged into another session there will be a popup asking you to verify | + | One method that is always available is comparing emoji shown on both devices. First you will be asked on the device with an already authenticated session whether |
{{ : | {{ : | ||
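Review bot: the second subsection heading added in this hunk repeats "=== Verifying a Session using a Security Phrase ===" although its text describes the "Use another login" path (another running session, QR code on phones, emoji comparison); rename it to something like "=== Verifying a Session using another login ===" so the two methods are distinguishable in the table of contents and in links. Smaller wording points in the added text: "It's purpose is to be stored" should be "Its purpose is to be stored"; "This is conceptually the easiest so, we'll discuss it first" should read "This is conceptually the easiest, so we'll discuss it first"; "There are multiple ways how this is handled" reads better as "There are multiple ways in which this is handled"; and "After you're done with you can have a look at the settings again" has a dangling "with". The removed text's "loose access" and "loose the passphrase" (for "lose") disappear with the rewrite, which is fine.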
Line 47: | Line 95: | ||
{{ : | {{ : | ||
- | Select to continue and you will be asked for a verification method. Currently the only option is to compare a sting of emojis. | + | Select to continue and you will be asked for a verification method. |
{{ : | {{ : | ||
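Review bot: the rewritten sentence "Select to continue and you will be asked for a verification method." drops the old clause naming emoji comparison as the only option, while the Line 10 hunk now also mentions QR-code scanning on phones; if several methods are offered at this step, list them here, or say that the following screenshots show the emoji method, so the reader knows what to pick. The old "sting of emojis" typo (for "string") goes away with the removal.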
Line 57: | Line 105: | ||
{{ : | {{ : | ||
- | Confirm the emojis match on both devices to complete verifying the session. | + | Confirm the emojis match on both devices to complete verifying the session and you get the happy result of a verified |
- | Alternatively you can select to verify a session by using your recovery passphrase: | + | {{ :services: |
- | {{ : | ||
==== Deleting a session ==== | ==== Deleting a session ==== | ||
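Review bot: removing "Alternatively you can select to verify a session by using your recovery passphrase:" and its screenshot leaves the emoji walkthrough without any pointer back to the Security Phrase method that now has its own subsection earlier on the page; a short cross-reference at the end of the emoji paragraph would keep both verification paths discoverable. The new closing sentence "you get the happy result of a verified" ends mid-phrase in this view, so confirm it is complete in the saved revision.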
Line 130: | Line 177: | ||
{{ : | {{ : | ||
+ | ==== I've lost all my keys! What now? ==== | ||
+ | |||
+ | Sometimes it happens. Your computer and phone die at the same time and those were the only clients you were logged in at and you didn't save your passwordmanager database (hopefully you are using one) where you store your recovery keys or recovery passphrase to any other device. What now? | ||
+ | |||
+ | Well, all your encrypted messages, i.e. messages in rooms or private discussions were encryption was enabled, are gone and you won't get them back, but you can make yourself new recovery keys for the future (and hopefully you will safe them redundantly). To this, just click **Use Security Key or Phrase** | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | on the verification dialog after login and instead of entering your security phrase or key, which you've lost, click the **Reset all** link on the bottom, next to //Forgotten or lost all recovery methods?// | ||
+ | |||
+ | You will then be asked to confirm | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | And clicking **Reset** will sign out of all your old sessions and delete all keys, followed by guiding you through the procedure to generate new ones described above. | ||
+ | |||
+ | ==== I'm asked to authenticate every time I open my browser. What am I doing wrong? ==== | ||
+ | |||
+ | You will need to reauthenticate (that means: type in your recovery passphrase or use another session to authenticate your new one) whenever you log out of [[https:// | ||
+ | |||
+ | [[https:// | ||
+ | On Firefox you can do this on the //Privacy & Security// page of the settings in the section //Cookies and Site Data//. If you have checked //Delete cookies and site data when Firefox is closed//, this is the reason for needing to reauthenticate after every time you close Firefox. Click the //Manage Exceptions// |
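Review bot: in the new "I've lost all my keys" section, "messages in rooms or private discussions were encryption was enabled" should read "where encryption was enabled", "hopefully you will safe them redundantly" should be "save them", "To this, just click" should be "To do this, just click", "passwordmanager" should be "password manager", and "the only clients you were logged in at" reads better as "logged in on". In the "asked to authenticate every time I open my browser" section, the Firefox paragraph tells the reader which setting causes the reauthentication but not why; one sentence explaining what is discarded when site data is deleted on close, and that this is why the Security Phrase or another session is then needed, would answer the "What am I doing wrong?" question directly. The final sentence "Click the //Manage Exceptions//" ends mid-phrase in this view, so check it is complete in the saved revision.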
services/matrix/encryption.1607097526.txt.gz · Last modified: 2020/12/04 15:58 by behrmj87