Element - Security Key Purpose, Use Case, Creation, Backup & Restoration Tests - No Personal Data:

NOTE: https://github.com/vector-im/element-web/issues/22036

The file that is called "element-keys" is ONLY TO BE IMPORTED from the Element app Settings > Security & Privacy option called 'Import E2E room keys'

NOTE: Importing such files mandatorily requires a pass phrase to be entered before the file is accepted

When Element is first started:
------------------------------

Verify this device
Verify your identity to access encrypted messages and prove your identity to others

Verify with another device
OR
Verify with security key

Settings > Security & Privacy
Click on the small triangle pointing to the right in front of the word 'Advanced' underneath the heading 'Cross-signing'

Backup key stored: in secret storage
Backup key cached: not found locally
Secret storage public key: in account data
Secret storage: ready
Backup version: 1
Algorithm: m.megolm_backup.v1.curve25519-aes-sha2
Backup has a signature from unknown session with ID blah blah blah
Backup has a signature from unknown session with ID blah blah blah

ABOUT SECURITY KEY - INFO GATHERED FROM BELOW LINK:
---------------------------------------------------

1: The "Security Phrase" / "Security Key" remains as only a "disaster recovery" option effectively: if you still have an existing session you can access, the intended "happy path" is to verify with that other session, and then there should be no need to enter the "Security Phrase" / "Security Key". The "Security Phrase" / "Security Key" is only needed for the special case where you are unable to access other sessions.

2: The manual import / export buttons were all we had for several years before the newer Secure Backup feature of encrypted server-side backups was added.
If Secure Backup is enabled, there should be no need to use the manual import / export, and logging in on a new session automatically restores from the server-side backup (after you verify with an existing device).

3: See if my understanding is correct: the security key is an alphanumeric string of 48 characters, generated by the machine (and can be regenerated using the app) for account session verification. Recovery key is a deprecated name for security key. The security phrase is a password created by the user which is mapped to a security key underneath (so no need to remember the 48 chars). E2E room keys are a set of private keys generated by the machine, for content decryption/encryption in chats. The passphrase is a password created by the user, required when importing and exporting the E2E room keys set. Does the above make sense?

4: If I understand it correctly, the security key or security phrase from Secure Backup is just a password for the E2E room keys stored in your Element profile. Backing up the E2E room keys makes sense if you want to be client independent.

5: I just had to search for this because I thought when it asked for a security key, it meant my Yubikey, which obviously didn't work. Perhaps adding a little wording like "Security key (generated for you when you first created your account)" might help? Also, if the "happy path" is to verify with an existing session, it is currently unintuitive in having it default to asking for a security key with a button to switch to verifying using an existing session. It should default to the "happy path".
What if it presented the user with a window like this with two buttons:

Now we need to load the encryption key for your data, you can:
Verify using an existing session (Recommended)
Enter the security key generated when you first created your account

6: However, please note that there are actually only 3 types of hidden credentials that you must manage yourself:
The password, which grants access to the account;
The security key, which grants access to encrypted chats. This is automatically generated; and
The security passphrase, which is an alternative to the security key, because it is able to be chosen manually, like the password. It is optional.
If you enable Cross-signing and subsequently configure the consequently-available Secure Backup feature, your keys should also be duplicated to the server. Note that this shall grant you a new recovery key that replaces your old one. You need not retain the previous key when complete.

7: When you sign up, you are asked to save a security key. Find your security key. Enter this security key when asked.

8: If I get it right, the feature that we are discussing here is an encryption key for the messages and files, so that the client app can decrypt them and show them as proper human readable text. That is called the security key. Historically users had to create, import and export that key between the devices manually. But not anymore. Matrix clients now can store that security key on the server in some encrypted enclave/storage.
To make this secure, there is a security passphrase which is used to encrypt and extract the security key and then extract all of the messages and files with it to display human readable content to the humans.

https://github.com/vector-im/element-web/issues/15500

Connect this session to Key Backup - MANDATORILY REQUIRES YOU TO EITHER PASTE OR UPLOAD A/THE SECURITY KEY - WHAT HAPPENS IF YOU CHOOSE THIS OPTION:
------------------------------------------------------------------------------------------------------------------------------------------------

WORK-AROUND: See 'SETUP SECURITY KEY FOR AN EXISTING ELEMENT ACCOUNT:' and/or 'SETUP SECURITY KEY FOR A NEW ELEMENT ACCOUNT:'

Choose option Settings > Security & Privacy 'Connect this session to Key Backup'

WHAT CAN HAPPEN IF YOU CHOOSE THE ABOVE OPTION:
Monday the 20th of March, 2023 TIME: 2.06 AM

Enter passphrase: Mountains are what we move

COLORED BUTTONS DISPLAYED IN FOLLOWING ORDER UNDER Heading 'Encryption - Secure Backup':
GREEN                                  RED               RED
'Connect this session to Key Backup'   'Delete Backup'   'Reset'

Clicking on the 'Connect this session to Key Backup' button will very briefly bring up a window that says 'Restoring keys from backup - Fetching keys from server' (for about 1/2 a second)

Then this is replaced with another small window:
"Security Key"
Use your Security Key to continue.
Copy/Paste your security key or Upload it

If the 'Security Key' you either paste or upload is incorrect, the words 'X Invalid Security Key' will be displayed in Red underneath the input field

Warning: You should only set up key backup from a trusted computer.
SETUP SECURITY KEY FOR AN EXISTING ELEMENT ACCOUNT:
---------------------------------------------------

Settings > Security & Privacy
Underneath the heading title 'Encryption - Secure Backup'

Pressing the Red Reset button (the one on the TOP next to the Red 'Delete Backup' Button) brings up a small window that provides 2 options to choose from:

*** WARNING *** - DON'T CHOOSE THIS OPTION UNLESS YOU HAVE FIRST used the 'Export E2E room keys' OPTION

Generate a Security Key - We'll generate a Security Key for you to store somewhere safe, like a password manager or a safe.
Enter a Security Phrase - Use a secret phrase only you know, and optionally save a Security Key to use for backup.

Choose 'Generate a Security Key' (selected by default)
Press Continue Button

Window comes up:
Save your Security Key
Store your Security Key somewhere safe, like a password manager or a safe, as it's used to safeguard your encrypted data.
Press 'Copy' Button
bunch of numbers and letters
Press Continue Button

A window appears:
Setting up keys
with a small circle turning around showing that it's performing an action

A new window comes up:
Secure Backup successful
Your keys are now being backed up from this device.
Press the Done button

Back in Settings > Security & Privacy
Underneath the Title 'Secure Backup' there should be a green tickmark in front of the words 'This session is backing up your keys.'
Info displayed underneath the triangle in front of 'Advanced'

Backup key stored: in secret storage
Backup key cached: cached locally, well formed
Secret storage public key: in account data
Secret storage: ready
Backup version: 3
Algorithm: m.megolm_backup.v1.curve25519-aes-sha2
All keys backed up
Backup has a valid signature from this session
This backup is trusted because it has been restored on this session

LOGGING BACK INTO MY USER ACCOUNT - SECURITY KEY I SAVED ONTO MY PC WAS NOT ACCEPTED:
-------------------------------------------------------------------------------------

I then logged out of my user account
I then logged back into my user account
Syncing... took place
I was presented with the window '!Verify this device'
Verify your identity to access encrypted messages and prove your identity to others.
Buttons: 'Verify with another device' and 'Verify with Security Key'
I chose 'Verify with Security Key'
I pasted the very Security Key I made prior into the field but it was not accepted - I got 'X Invalid Security Key'

DIFFERENT COLORED BUTTONS DISPLAYED IN FOLLOWING ORDER UNDER Heading 'Secure Backup':
GREEN                   RED               RED
'Restore from backup'   'Delete Backup'   'Reset'

It is now possible to successfully Sign out (log out) of your current account

SETUP SECURITY KEY FOR A NEW ELEMENT ACCOUNT:
---------------------------------------------

Settings > Security & Privacy
Set up Secure Backup
Generate a Security Key - We'll generate a Security Key for you to store somewhere safe, like a password manager or a safe.
Save your security key
Bunch of letters and numbers

Settings > Privacy & Security
Delete Backup
Are you sure? You will lose your encrypted messages if your keys are not backed up properly.
YES

Goto log out of account
Window brought up saying:
You'll lose access to your encrypted messages
"Encrypted messages are secured with end-to-end encryption. Only you and the recipient(s) have the keys to read these messages.
When you sign out, these keys will be deleted from this device, which means you won't be able to read encrypted messages unless you have the keys for them on your other devices, or backed them up to the server. Back up your keys before signing out to avoid losing them."

1. I don't want my encrypted messages
2. Start using Key Backup
Under 'Advanced'
3. Manually export keys

Choose Number 3 'Manually export keys'

Window: Export room keys
This process allows you to export the keys for messages you have received in encrypted rooms to a local file. You will then be able to import the file into another Matrix client in the future, so that client will also be able to decrypt these messages.
The exported file will allow anyone who can read it to decrypt any encrypted messages that you can see, so you should be careful to keep it secure. To help with this, you should enter a passphrase below, which will be used to encrypt the exported data. It will only be possible to import the data by using the same passphrase.
Enter passphrase: a pass phrase
Confirm passphrase: a pass phrase
Press Export button

NON-FUNCTIONAL METHOD OF MANUAL KEY EXPORTING WITH RECURSIVE ISSUE AND WORK-AROUND:
-----------------------------------------------------------------------------------
Monday the 20th of March, 2023 TIME: 2.52 AM

Goto Sign out (log out) of account
Window brought up saying:
You'll lose access to your encrypted messages
"Encrypted messages are secured with end-to-end encryption. Only you and the recipient(s) have the keys to read these messages. When you sign out, these keys will be deleted from this device, which means you won't be able to read encrypted messages unless you have the keys for them on your other devices, or backed them up to the server. Back up your keys before signing out to avoid losing them."

1. I don't want my encrypted messages
2. Start using Key Backup
Under 'Advanced'
3. Manually export keys

Choose Number 3 'Manually export keys'

Window: Export room keys
This process allows you to export the keys for messages you have received in encrypted rooms to a local file. You will then be able to import the file into another Matrix client in the future, so that client will also be able to decrypt these messages.
The exported file will allow anyone who can read it to decrypt any encrypted messages that you can see, so you should be careful to keep it secure. To help with this, you should enter a passphrase below, which will be used to encrypt the exported data. It will only be possible to import the data by using the same passphrase.
Enter passphrase: pillows bikes are like clouds in our skies
Enter passphrase field: pillows bikes are like clouds in our skies
Confirm passphrase field: pillows bikes are like clouds in our skies
Export room keys
Press the Green 'Export' Button

Browser Brave Element Web App Window brings up a requester 'Update password?'
- Username: dragoncat7life
- Password: ************************ (Clicking on the password-reveal icon displays the passphrase I entered up above)
- OPTIONS: 'No Thanks' 'Update password'
- Choose 'Update password'

A File requester window comes up to save a file called 'element-keys(1).txt'; choose where to save the file and press the 'Save' button.

NOTE: The original Window 'You'll lose access to your encrypted messages' briefly disappears and is replaced with another window. This new window is only on the screen for approx. 1/2 a second. The original window then re-appears again.

Closing the 'You'll lose access to your encrypted messages' window (Press on the top right-hand corner X) and then attempting to Sign out will result in the 'You'll lose access to your encrypted messages' window appearing again

NOTE: It does not matter/make any difference if you decide to update the password in the Brave Browser or not

AS OF DATE: Monday the 30th of March, 2023 - CONSIDERATIONS AS TO WHY THIS HAPPENS & WORK-AROUND:
-------------------------------------------------------------------------------------------------

1. Bug - Maybe it's meant to do/perform the exact same action (and sequence of events) as WORK-AROUND

WORK-AROUND: Use User menu > Security & Privacy Green 'Export E2E room keys' Option Instead (underneath Title 'Cryptography')