End-to-end encryption (E2EE) is a secure communication method in which only the senders and recipients can encrypt and decrypt the messages and files. Rocket.Chat provides an additional layer of security with the E2EE feature. To use E2E encryption, your workspace administrator must enable the E2E Encryption feature in the workspace settings.
IMPORTANT: E2E encryption functionality includes notable restrictions that workspace owners should carefully consider before activating this feature. Here are what to keep in mind:
Encrypted messages of encrypted rooms will not be found by search operations.
Bots may not be able to see encrypted messages until they implement support for it.
Spotted a bug? Help us improve by reporting it directly to Rocket.Chat!
Save your E2E encryption password
Once E2E is enabled in your workspace, a Save your encryption password banner will appear at the top of the screen.
To save this password,
Click the Save your encryption password banner. It displays a modal with the encryption password.
Click copy password and save the password securely.
Finally, click on the I have Saved my Password button to confirm.
The encryption password is displayed only once. Therefore, it is essential to save it securely as you will require it to decode or encode encrypted messages on your workspace from any client.
After this, you can create encrypted rooms and communicate securely with the participants.
Enter your E2E encryption password
Now, whenever you log in to your account, an Enter E2E password banner appears at the top of your workspace.
To access your encrypted rooms and messages, enter your E2E encryption password by following these steps:
Click on the Enter E2E password banner.
A modal is displayed, prompting you to enter your encryption password.
Enter the password you saved earlier.
Click the Decode Key button.
Create an encrypted room
E2E is only available for DMs, private channels, and private teams. Enable the Encrypted option while creating the room to create an encrypted channel or team.
Export encrypted room conversation
Rocket.Chat allows end users to export conversations from encrypted rooms directly from the client (on web and desktop clients). To ensure privacy, only users with decryption rights can generate these exports. Make sure that you have entered your encryption password before exporting messages.
Click the kebab menu in the encrypted room and select Export messages.
Choose the specific messages you want to include in the export.
Choose the export options:
Method: Download file
Output format: Select JSON or PDF
Click Download.
Check your computer’s default download location for the exported messages in the selected format.
This feature ensures secure access to message exports while safeguarding user privacy.
Enable and disable E2E in an existing room
To enable/disable E2E in an existing private room,
Ensure you have entered your E2E Encryption password.
Click the kebab menu from the room header.
Select Enable E2E or Disable E2E.
Change the encryption password
To set a new encryption password or reset your E2E key, see Account - Security. You can only change your encryption password in a workspace where you have already entered the existing password.
Explore the E2EE specification to gain a deeper understanding of Rocket.Chat’s technical implementation of end-to-end encryption.
FAQ
How can I tell if the room is encrypted?
If the room is using end-to-end encryption, you should see a key icon by the channel name.
How can I tell if a message is encrypted?
You will see a key icon by the username.