End-to-End Encryption User Guide


End-to-End Encryption (E2EE) provides secure communication by ensuring that only the message sender and intended recipients can read the content of messages and files. Rocket.Chat supports E2EE for private and direct conversations, offering enhanced privacy and security.

Enabling E2EE

To activate E2EE, a workspace administrator must enable it in the workspace settings:

Administration → Workspace → Settings → End-to-End Encryption

For additional details about configuration and behavior, see the Configure E2E Encryption guide.

Important considerations before enabling E2EE

  • Encrypted messages will not appear in search results.

  • Encrypted content cannot be audited or monitored.

  • Bots may be unable to access encrypted messages unless they explicitly support E2EE.

Found a bug? Please report it to Rocket.Chat.

Save your E2EE password

Once E2EE is enabled, a “Save your new E2EE password” banner appears at the top of your workspace.

Follow these steps to save your password:

  1. Click the Save your new E2EE password banner. A modal opens displaying your new E2EE password.

  2. Click Copy to securely save your password.

  3. Click I saved my password to confirm and finish the process.

This password is shown only once and is not stored on Rocket.Chat servers. Store it securely; you will need it to decrypt encrypted messages on any device.

Once your E2EE password is saved, you can start creating encrypted rooms and sending encrypted direct messages.

Enter your E2EE password

Whenever you log in, an “Enter your E2E password” banner appears at the top of your workspace.

To unlock your encrypted rooms and messages:

  1. Click the Enter your E2E password banner. A modal opens prompting you to enter your encryption password.

  2. Enter the E2EE password you previously saved.

  3. Click Enable encryption to confirm.

If the password is incorrect, an error appears:

  • “Wasn't possible to decode your encryption key to be imported.”
    Your encryption password seems wrong. Click here to try again.

To retry, click the link in the banner and re-enter your password.

Change your E2EE password

You can update your E2EE password from your account settings. To access this setting, click your Profile icon, then go to Account → Security. You’ll see the Security page with options to change or reset your E2EE password.

To set a new E2EE password:

  1. Under Change E2EE password, enter your new password in the New E2EE password field.

  2. Make sure your password meets all of the following requirements:

    • At least 30 characters long

    • Contains at least one uppercase letter

    • Contains at least one lowercase letter

    • Contains at least one number

    • Contains at least one symbol

  3. Once all requirements are met, click Save changes. After that, you’ll see a confirmation message saying “Your encryption key was saved successfully.”

Changing your E2EE password updates the key used to encrypt and decrypt your messages.
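A local check of the five requirements listed above, together with a generator that draws from the operating system's CSPRNG until a candidate meets all of them. This is an added example, not Rocket.Chat code; the symbol set and the way character classes are detected are assumptions, since this guide does not define them.

```python
import secrets
import string

MIN_LENGTH = 30  # minimum length stated in the requirement list above
# Assumption: the guide does not say which characters count as symbols.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def unmet_requirements(password: str) -> list[str]:
    """Return the requirements from the list above that `password` fails."""
    checks = {
        "at least 30 characters": len(password) >= MIN_LENGTH,
        "one uppercase letter": any(c.isupper() for c in password),
        "one lowercase letter": any(c.islower() for c in password),
        "one number": any(c.isdigit() for c in password),
        # Assumption: any non-alphanumeric, non-space character is a symbol.
        "one symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def generate_password(length: int = 40) -> str:
    """Generate a random password that satisfies every requirement.

    Whole candidates are drawn and rejected until one passes, so the result
    is uniform over all compliant strings of this length (no fixed positions
    for the mandatory character classes).
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not unmet_requirements(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample input: long enough, but missing three classes.
    sample = "correcthorsebatterystaplecorrect"
    print("sample fails:", unmet_requirements(sample))
    print("generated:", generate_password())
```

Run it on a trusted device and move the generated value straight into a password manager rather than leaving it in terminal scrollback.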

Reset your E2EE password

You can reset your E2EE password in two ways:

  1. From the Security settings: Go to Profile icon → Account → Security, then click Reset E2EE password.

  2. From the “Forgot E2EE Password?” option: To reset your password from the login prompt, click Forgot E2EE password? on the Enter E2EE password window. This will open a confirmation modal where you can proceed to reset your encryption password.

What happens when you reset your password

  • You will be logged out immediately.

  • After logging back in, Rocket.Chat generates a new E2EE password.

  • You must re-enable encryption on all your devices.

After you log in again, a banner will appear prompting you to Save your new E2EE password.

Create an encrypted room

End-to-End Encryption (E2EE) is supported only for:

  • Direct Messages (DMs)

  • Discussions

  • Private channels

  • Private teams

To enable E2E:

  • Direct Messages: Enable E2EE from the options menu (⋮) in the DM window.

  • Discussions: While creating a discussion (from either a public or private channel), toggle the Encrypted option directly in the Create Discussion modal.

  • Channels and Teams: While creating a private channel or team, open the Advanced Settings section in the Create Channel or Create Team modal and enable the Encrypted toggle.

Note

  • Depending on your workspace settings, new private channels may have encryption enabled automatically. You can still turn encryption off when creating the channel.

  • Encryption is not available for public channels. If you switch a room from Private → Public, encryption will automatically turn off and cannot be re-enabled.

  • Enabling or disabling Broadcast does not affect encryption.

Export encrypted room conversation

Rocket.Chat allows end users to export messages from encrypted rooms directly from the client (web or desktop). To protect message privacy, only users with decryption rights can perform exports.

Make sure you've entered your E2EE password before exporting, or the messages cannot be decrypted.

To export messages from an encrypted room:

  1. In the encrypted room, click the kebab menu (⋮) and select Export messages.

  2. Select the messages you want to export by clicking the checkboxes next to each message.

  3. Click Select X messages in the footer to proceed.

  4. In the right-hand Export messages panel, configure the export:

    1. Method: Download file

    2. Output format: JSON or PDF

  5. Click Download.

  6. Check your device's default download location for the exported file.

Exported messages are decrypted and saved locally. Store and share them responsibly.

Enable and disable E2EE in an existing room

You can enable or disable E2EE in an existing private room, provided that E2EE is supported for that room type.

To do that:

  1. Ensure you have entered your E2EE password.

  2. Click the kebab menu (⋮) in the room header.

  3. Select Enable E2E or Disable E2E.

Additional E2EE guides

For more details on workspace configuration and the technical implementation of E2EE, see:

  • Configure E2E Encryption: A guide for administrators on enabling and managing End-to-End Encryption across the workspace, including default encryption settings and feature controls.

  • Manage Your Account Settings: Includes options for changing, resetting, and managing your personal E2EE password.

  • Manage Your Workspace Users: Provides guidance on administering user accounts and security-related tasks. This includes how to reset a user’s E2EE key if they lose their previous one or require a security reset.

  • End-to-End Encryption Specifications: A deeper technical overview of Rocket.Chat’s E2EE implementation, including key generation, encryption workflows, and how encrypted data is managed.

FAQ

How can I tell if the room is encrypted?

If a room is using end-to-end encryption, a key icon will appear next to the room or channel name.

How can I tell if a message is encrypted?

Encrypted messages display a key icon next to the sender’s username.

Can I enable or disable E2E after a room is created?

Yes, for supported room types, you can enable or disable E2E anytime via the room's kebab menu (⋮).

What happens if I lose my E2E password?

If you lose your encryption password, you won’t be able to decrypt existing encrypted messages. Admins can reset a user’s E2EE key by navigating to: Administration → Workspace → Users → (⋮) → Reset E2EE key. This allows recovery support when users lose access but still need to be managed centrally.

Learn more about resetting user keys in the Rocket.Chat documentation.

Is my encryption password stored anywhere?

No. The encryption password is never stored on Rocket.Chat servers. You must save it securely and enter it on every device where you want to access encrypted content.

Do bots and integrations work with E2E rooms?

Most bots and integrations cannot access encrypted messages unless they are explicitly built to support E2E encryption.

Why aren’t my encrypted messages showing up in search?

E2E messages are not searchable. This is a security limitation by design to preserve message privacy.