End-to-End Encryption FAQ

What is encryption?

Encryption means scrambling a message in such a way that only those knowing the secret key can unscramble it. We use encryption to keep your messages and files private.

What is end-to-end encryption?

End-to-end encryption means your messages and files are encrypted before they leave your device, and stay encrypted until they reach the other participants' devices. End-to-end encrypted messages can only be read by the participants in the conversation.

Who can read my messages?

Thanks to end-to-end encryption, your messages can only be read by the participants in the conversation and nobody else. This means your messages can't be read by anyone at SafeMeet, or by any other third party. It also means that if you lose your keys, you won't be able to read your messages.

Are all of my messages encrypted?

No, messages are only encrypted in rooms with encryption enabled. You can enable encryption by going to Room Settings.

Why can't I read a message?

If you can't read a message, it's because your device doesn't have the right key. There are two ways you might be able to get hold of it:

- Restore all of your keys from key backup
- Upload keys from a manual backup (advanced)

What is key storage?

Key storage is necessary to:

  • decrypt your message history on new devices when you add them to your account.
  • set up recovery so you can retain your cryptographic identity and message history even when you sign out of SafeMeet everywhere or lose all your devices.

Key storage is enabled by default. For it to work, your device(s) store a copy of your cryptographic identity and message keys on your account provider's server.

Is key storage safe?

Before your cryptographic identity and message keys leave your device, they are always encrypted. No one other than you, not even your account provider, can access them or use them to read your messages, send messages on your behalf, or add devices to your account.

What is a recovery key?

A recovery key is a unique 48-character key that is generated for you when you first set up recovery, for example: EsTZ 4us6 nh29 89jk U1uH Zbae 4PuS QQC1 86pt em8o R8nb bdwQ.

It unlocks access to your identity and message keys in key storage, and can be used to verify your new devices in order to access message history and to use your identity to send messages.

On SafeMeet mobile apps (iOS and Android): When you register a new account or reset your identity, the app automatically generates a recovery key and securely stores it in your device's secure storage (iOS Keychain or Android Keystore). You don't need to manually set it up.

If you have signed out of SafeMeet everywhere or lost all of your devices, your recovery key is the only option to get full access to your account and recover your message history.

Where should I store my recovery key?

On SafeMeet mobile apps (iOS and Android): Your recovery key is automatically stored in your device's secure storage (iOS Keychain or Android Keystore) when you register or reset your identity. This provides secure, encrypted storage that is protected by your device's security features.

For web and desktop apps, or if you want an additional backup: Store your recovery key in a safe location. Common options include a password manager, a hardware-encrypted USB drive, or a piece of paper stored in a secure physical location (e.g. a safe or locked drawer).

It's important to keep a backup of your recovery key in case you lose access to all your devices, as it's the only way to recover your encrypted messages and identity.

What happens if I've lost my recovery key and I'm signed out of all my SafeMeet devices?

You will need to reset your cryptographic identity. As a result, your previous messages cannot be decrypted, and you'll need to verify yourself with other users again.

How do I set up recovery?

On SafeMeet mobile apps (iOS and Android): Recovery is automatically set up for you when you register a new account or reset your identity. The app generates a recovery key and securely stores it in your device's secure storage. You don't need to take any action.

On SafeMeet web and desktop apps: Go to User Settings → Encryption and click Set up recovery. You'll be given the option to either generate a recovery key or enter a security phrase.

What is the difference between key storage and recovery key?

Key storage is the underlying technical method to share keys between your devices. The recovery key allows you to access those keys even when you lose access to all of your devices, thus ensuring that you retain access to your identity and message history in such cases.


We give users full control over which of their keys, if any, leave their device. The table below summarises the different scenarios in terms of usability and confidentiality. Note that no keys ever leave your device unencrypted.

| Key Storage | Recovery Key | Confidentiality | Usability & Availability |
|---|---|---|---|
| On | Set up | Both identity and message keys leave the device | Recommended option for most users for best user experience. Possible to decrypt message history on new devices & use recovery key to verify new devices. Possible to decrypt message history or retain identity when access to all devices is lost. |
| On | Not set up | Only message keys leave the device | Possible to decrypt message history on new devices. Not possible to decrypt message history or retain identity when access to all devices is lost. |
| Off | Not available | No keys leave the device | Not possible to decrypt message history on new devices. Not possible to decrypt message history or retain identity when access to all devices is lost. |

What does "key storage is out of sync" mean?

The SafeMeet web and mobile apps monitor the health of the cryptographic identity by checking that all the keys that establish the identity are present on the device. This is necessary to discover potential problems as early as possible, and to ensure that messages can be correctly decrypted and encrypted.

When one or more keys are found to be missing, you are notified that "key storage is out of sync" and asked to enter your recovery key so that the missing identity keys can be retrieved from key storage. In some cases even key storage does not have all the identity keys; if so, you will need to reset your identity.

This should happen rarely. The typical cause is the use of an outdated or faulty Matrix client at some point in the past, which the health check has now discovered.

What is a device?

Simply put, a device is the laptop, phone, tablet or desktop that you log in to your account from or create your account from.

However, users who log in multiple times (e.g. from different browsers or using different mobile/desktop apps) should note that each login requires a separate verification, even if it is on the same physical device. Every logged-in session is listed as an independent 'device' under your account.

What is cryptographic identity?

In end-to-end encrypted messaging, cryptographic identity is the foundation for ensuring that when Alice is sending a message to Bob:
– Only Bob can decrypt the message
– Bob can cryptographically verify that the message is from Alice.

In practice, the user's cryptographic identity is established as a cryptographic key pair that is generated locally within the laptop or phone of the user when they first log in to their account. However, a regular user normally does not see their identity anywhere on the screen nor has a need to see it.

What are identity pinning & user verification?

If Bob wants to make sure that he is (still) messaging with Alice, he has to remember Alice's cryptographic identity. Similarly, Alice has to remember Bob's identity.

SafeMeet offers two levels of protection for remembering a contact's identity:
– Identity pinning: the identity of Alice is automatically saved when Bob first starts a conversation with her.
– User (identity) verification: Alice and Bob explicitly validate that they have both received the correct identity for each other. This is accomplished by comparing a set of emojis or scanning a QR code shared via some other channel, for example in a live video conference or by meeting in person.

Identity pinning is more convenient (as it works automatically from the user's perspective) and sufficient for most use cases. Bob and Alice are notified when the identity of the other party has been reset, but messaging is not blocked.

For more sensitive use cases, user (identity) verification offers additional protection against advanced man-in-the-middle attacks, wherein an attacker was actively interfering with Alice and Bob's communication from the start of their correspondence, replacing their identities with the attacker's and preventing them from ever observing each other's identities. User verification prevents this kind of advanced attack.

Why do I see an identity reset alert for one of my contacts?

SafeMeet notifies you whenever a contact's identity has been reset, allowing you to verify your communication's privacy and guard against potential man-in-the-middle attacks.

The most common cause is a contact resetting their identity themselves, often due to losing all devices without a recovery method. However, whenever an identity reset occurs, it may also indicate an eavesdropping attempt.

What should I do if I receive an identity reset alert?

It's advisable to confirm with your contact whether they intentionally reset their identity. You could do this in person or using an alternative means such as email or another messaging app.

If the identity reset is for a previously verified contact, we strongly recommend re-verifying as soon as possible. Note that in this case, messaging with the contact is also blocked. If you can't immediately re-verify, it is possible to withdraw the verification to continue messaging with the person.
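
The pinning, reset-alert and blocked-contact behaviour described in the identity pinning and identity reset answers above, sketched as a small state machine. This is an added example, not SafeMeet's code: the class and method names and the placeholder key strings are assumptions, and verification is modelled as a direct key comparison standing in for the emoji or QR check.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PINNED = "pinned"      # identity saved automatically on first contact
    VERIFIED = "verified"  # both sides compared emojis or scanned a QR code
    RESET = "reset"        # pinned identity changed: alert shown, sending allowed
    BLOCKED = "blocked"    # verified identity changed: sending blocked

@dataclass
class Contact:
    key: str               # identity public key (constructed placeholder strings)
    status: Status

class IdentityStore:       # hypothetical name, for illustration only
    def __init__(self):
        self.contacts = {}

    def observe(self, user, key):
        """Record the identity key currently published for `user`."""
        c = self.contacts.get(user)
        if c is None:
            c = self.contacts[user] = Contact(key, Status.PINNED)
        elif key != c.key:
            # A previously verified contact stays blocked however often the key changes.
            was_verified = c.status in (Status.VERIFIED, Status.BLOCKED)
            c.key = key
            c.status = Status.BLOCKED if was_verified else Status.RESET
        return c.status

    def verify(self, user, key_checked_out_of_band):
        """Mark verified only if the out-of-band comparison matches the key held."""
        c = self.contacts[user]
        if key_checked_out_of_band != c.key:
            return False
        c.status = Status.VERIFIED
        return True

    def withdraw_verification(self, user):
        """Fall back to pinning so messaging can continue without re-verifying."""
        c = self.contacts[user]
        if c.status is Status.BLOCKED:
            c.status = Status.RESET

    def can_send(self, user):
        return self.contacts[user].status is not Status.BLOCKED
```
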

What does it mean to verify a device in SafeMeet?

Device verification is required when Alice (or Bob) adds another device, that is, when they log in from somewhere else, e.g. from their other laptop or phone, or even just from another browser on the same laptop.

After Alice logs in on a new device, she uses her cryptographic identity to demonstrate to Bob that the new device genuinely belongs to her, rather than being added by someone else with access to her account. She can do this either by entering her recovery key (which gives the new device immediate access to her cryptographic identity), or by carrying out an interactive verification from an existing verified device.

Can I search in encrypted rooms?

Search in encrypted rooms is only available on SafeMeet macOS, Windows and Linux, provided it's enabled in "Security & Privacy" settings on SafeMeet.