Encryption on Matrix

Matrix conversations on nether.im are end-to-end encrypted. This page explains what that actually buys you, what it costs you if you’re careless, and what it does not protect. No cryptography background needed.

What end-to-end encryption means

In most chat platforms, the server can read every message you send — the operator chooses not to look (you hope). With end-to-end encryption (E2EE), messages are encrypted on your device and only decrypted on the recipients’ devices. The server relays sealed envelopes it cannot open. Not us, not any other homeserver your conversation federates with.

The flip side: if the keys only exist on your devices, then losing your devices means losing your keys — and with them, the ability to read your own message history. Matrix solves this with the recovery key.

The recovery key

When you set up your first Matrix client, you’ll be prompted to set up recovery (sometimes called a security key or key backup). This generates a recovery key: a long string of letters and numbers that looks something like EsTc XKzB 7DZQ ....

This key is what lets a brand-new login — a new phone, a fresh laptop, a reinstall — decrypt your old messages. It is the master key to your encrypted history.

Three things to internalize:

Where to keep it

Put it in a password managerBitwarden is free and works everywhere; KeePassXC is a fine offline choice. Create an entry called “Matrix recovery key” and paste it in. A piece of paper in a drawer at home also genuinely works.

Wherever you put it, do it at signup, when the client shows it to you — not later. Later never comes, and the day you need the key is the day your phone is already at the bottom of a lake.

Device verification

Each device you sign in from (phone, laptop, browser) is a separate session with its own keys. When you sign in somewhere new, your client will ask you to verify the new session — usually by comparing a short list of emoji on both devices, or by entering your recovery key.

Verification is how your devices prove to each other (and to the people you talk to) that they’re really yours and not someone who stole your password. Unverified sessions may be locked out of encrypted history, and other people’s clients will mark them with a warning. Get in the habit: sign in, verify, then chat.

What encryption does not hide

We’d rather be straight with you than let you assume more protection than exists:

“Unable to decrypt this message”

Sooner or later you’ll see a message that renders as “unable to decrypt”. It’s the most common Matrix headache and it’s almost never data loss. Usual causes and fixes:

The pattern worth remembering: nearly every decryption problem traces back to an unverified session or a lost recovery key. Verify your sessions, keep the key in your password manager, and you will likely never see this page again.