End-to-End Encryption User Guide

End-to-End Encryption (E2EE) is a secure communication method that ensures only message senders and recipients can read the content of messages and files. Rocket.Chat enhances security by supporting E2EE for private and direct conversations.

To enable this feature, a workspace administrator must activate E2E Encryption in the workspace settings.

IMPORTANT: Consider the limitations of E2E Encryption before enabling it:

• Encrypted messages will not appear in search results

• Encrypted content cannot be audited

• Bots may not be able to access encrypted messages unless explicitly supported

Found a bug? Please report it to Rocket.Chat.

Save your encryption password

Once E2EE is enabled, a “Save your encryption password” banner will appear at the top of your screen.

To save the password:

1. Click the Save your encryption password banner. A modal will appear displaying your encryption password.

2. Click Copy to securely save your password.

3. Click I saved my password to confirm and complete the process.

Note that this password is shown only once and is not stored on Rocket.Chat servers.

Make sure to store it securely, you'll need it to decrypt messages from any client.

Once your encryption password is saved, you can start creating encrypted rooms and direct messages to communicate securely with participants.

Enter your E2E encryption password

Whenever you log in to your account, an “Enter E2EE password” banner will appear at the top of your workspace.

To unlock access to your encrypted rooms and messages:

1. Click the Enter E2EE password banner.

2. A modal will appear prompting you to enter your encryption password.

3. Enter the password you saved earlier.

4. Click Enable encryption to confirm.

Create an encrypted room

End-to-End Encryption (E2EE) is supported only for:

• Direct Messages (DMs)

• Discussions

• Private channels

• Private teams

To enable E2E:

• Direct Messages: Enable E2EE from the options menu (⋮) in the DM window.

• Discussions: While creating a discussion (from either a public or private channel), toggle the Encrypted option directly in the Create Discussion modal.

• Channels and Teams: While creating a private channel or team, open the Advanced Settings section in the Create Channel or Create Team modal and enable the Encrypted toggle.

Export encrypted room conversation

Rocket.Chat allows end users to export messages from encrypted rooms directly from the client (web or desktop). To protect message privacy, only users with decryption rights can perform exports.

Make sure you've entered your E2EE password before exporting, or the messages cannot be decrypted.

To export messages from an encrypted room:

1. In the encrypted room, click the kebab menu (⋮) and select Export messages.

2. Select the messages you want to export by clicking the checkboxes next to each message.

3. Click Select X messages in the footer to proceed.

4. In the right-hand Export messages panel, configure the export:

   1. Method: Download file

   2. Output format: JSON or PDF

5. Click Download.

6. Check your device's default download location for the exported file.

Exported messages are decrypted and saved locally. Store and share them responsibly.

Enable and disable E2E in an existing room

You can enable or disable E2EE in an existing private room, provided that E2EE is supported for that room type.

To do that:

1. Ensure you have entered your E2E encryption password.

2. Click the kebab menu from the room header.

3. Select Enable E2E or Disable E2E.

Change the encryption password

To change your E2E encryption password or reset your encryption key, refer to the Manage your account settings documentation. You can change your E2E password only if your current encryption key has already been loaded into the workspace (i.e., you've previously entered your password in this session).

Explore the E2EE specification guide for deeper insight into Rocket.Chat’s encryption model.

FAQ