End-to-End Encryption User Guide

End-to-End Encryption (E2EE) is a secure communication method that ensures only message senders and recipients can read the content of messages and files. Rocket.Chat enhances security by supporting E2EE for private and direct conversations.

To enable this feature, a workspace administrator must activate E2E Encryption in the workspace settings.

IMPORTANT: Consider the limitations of E2E Encryption before enabling it:

  • Encrypted messages will not appear in search results

  • Encrypted content cannot be audited

  • Bots may not be able to access encrypted messages unless explicitly supported

Found a bug? Please report it to Rocket.Chat.

Save your encryption password

Once E2EE is enabled, a “Save your encryption password” banner will appear at the top of your screen.

To save the password:

  1. Click the Save your encryption password banner. A modal will appear displaying your encryption password.

  2. Click Copy to securely save your password.

  3. Click I saved my password to confirm and complete the process.

Note that this password is shown only once and is not stored on Rocket.Chat servers.

Make sure to store it securely; you'll need it to decrypt messages from any client.

Once your encryption password is saved, you can start creating encrypted rooms and direct messages to communicate securely with participants.

Enter your E2E encryption password

Whenever you log in to your account, an “Enter E2EE password” banner will appear at the top of your workspace.

To unlock access to your encrypted rooms and messages:

  1. Click the Enter E2EE password banner.

  2. A modal will appear prompting you to enter your encryption password.

  3. Enter the password you saved earlier.

  4. Click Enable encryption to confirm.

Create an encrypted room

End-to-End Encryption (E2EE) is supported only for:

  • Direct Messages (DMs)

  • Discussions

  • Private channels

  • Private teams

To enable E2E:

  • Direct Messages: Enable E2EE from the options menu (⋮) in the DM window.

  • Discussions: While creating a discussion (from either a public or private channel), toggle the Encrypted option directly in the Create Discussion modal.

  • Channels and Teams: While creating a private channel or team, open the Advanced Settings section in the Create Channel or Create Team modal and enable the Encrypted toggle.

Export encrypted room conversation

Rocket.Chat allows end users to export messages from encrypted rooms directly from the client (web or desktop). To protect message privacy, only users with decryption rights can perform exports.

Make sure you've entered your E2EE password before exporting, or the messages cannot be decrypted.

To export messages from an encrypted room:

  1. In the encrypted room, click the kebab menu (⋮) and select Export messages.

  2. Select the messages you want to export by clicking the checkboxes next to each message.

  3. Click Select X messages in the footer to proceed.

  4. In the right-hand Export messages panel, configure the export:

    1. Method: Download file

    2. Output format: JSON or PDF

  5. Click Download.

  6. Check your device's default download location for the exported file.

Exported messages are decrypted and saved locally. Store and share them responsibly.

Enable and disable E2E in an existing room

You can enable or disable E2EE in an existing private room, provided that E2EE is supported for that room type.

To do that:

  1. Ensure you have entered your E2E encryption password.

  2. Click the kebab menu (⋮) in the room header.

  3. Select Enable E2E or Disable E2E.

Change the encryption password

To change your E2E encryption password or reset your encryption key, refer to the Manage your account settings documentation. You can change your E2E password only if your current encryption key has already been loaded into the workspace (i.e., you've previously entered your password in this session).

Explore the E2EE specification guide for deeper insight into Rocket.Chat’s encryption model.

FAQ

How can I tell if the room is encrypted?

If a room is using end-to-end encryption, a key icon will appear next to the room or channel name.

How can I tell if a message is encrypted?

Encrypted messages display a key icon next to the sender’s username.

Can I enable or disable E2E after a room is created?

Yes. For supported room types, you can enable or disable E2E at any time via the room's kebab menu (⋮).

What happens if I lose my E2E password?

If you lose your encryption password, you won’t be able to decrypt existing encrypted messages. Admins can reset a user’s E2EE key by navigating to: Administration → Workspace → Users → (⋮) → Reset E2EE key. This allows recovery support when users lose access but still need to be managed centrally.

Learn more about resetting user keys in the Rocket.Chat documentation.

Is my encryption password stored anywhere?

No. The encryption password is never stored on Rocket.Chat servers. You must save it securely and enter it on every device where you want to access encrypted content.

Do bots and integrations work with E2E rooms?

Most bots and integrations cannot access encrypted messages unless they are explicitly built to support E2E encryption.

Why aren’t my encrypted messages showing up in search?

E2E messages are not searchable. This is a security limitation by design to preserve message privacy.