Explain manual and automated key backup better #1886
Comments
|
It also needs to be more clear that key backups to the server are stored on your homeserver. Not some central matrix.org server. |
|
Agree clarify of remote storage in use would be nice in description, also taking on mind if that some kind of private kinda keys would be nice as well get possibility of gpg/passphrase/one time paste style send to email address protection type i guess (theoretically speaking only, bc not checked/searched for type of data send by this feature). |
|
I just tried setting up automatic key backup and found that there's a lot of stuff that's not really well-explained through the UI. Here's some questions that crossed my mind:
I don't think all of these questions should be answered in the interface directly, but perhaps the UI could be changed to support a more useful mental model of what goes on in the background, and perhaps also link to more complete documentation (I just found https://about.riot.im/help#end-to-end-encryption which has some info already). |
|
Agreed - we're trying to strike a balance between informative and overwhelming, and to provide enough information to reassure encryption/privacy novices, experts and everyone in between. This list of questions is very useful - we can take another look at the wording/UX with this in mind and see what we can change to answer more of these questions as you work your way through setup. |
lampholder
added
T-Defect
P1
S-Major
|
This is becoming more prevalent thanks to recent events. There's numerous reports of people taking their exported keys from months/years ago and trying to import them, expecting that to work. We should fix the messaging so that in N years we don't have to tell people that export !== backup. |
|
I will admit when I first turned on key backups I went to read the MSC to make sure I understood how the system actually worked -- which is far from ideal if we want the security of the system to be self-apparent (as an aside I think the design is really brilliant). I think the simplest way to improve people's understanding of how key backups work is to apply a couple of helpful tips (which might help some of @matthijskooijman's questions):
|
|
Perhaps we could restructure some of our in-app messaging to show first the simplified explanation for everyone, but then add a disclosure something like: More detailsAdvanced encryption explanation details go here.so that we can still offer more detail for those who want without overwhelming those you don't. |
|
That would be a good stop-gap to at least provide some sort of information to those who should be aware of things, but I think that all the E2E messaging needs to be made layperson-friendly if we want people to turn it on (or make it the default) without being surprised when the last 12 months of chat history with their loved ones has gone up in smoke (I'm a technical user and this happened to me, but it's a painful mistake to make). I'm aware (and really grateful) that the technical side of this is being worked on very hard (and the results speak for themselves -- the new e2e features are really top-notch), but making a good on-boarding experience with encryption (or even Matrix in general) would really help users avoid some pitfalls. I'm fairly convinced the best shot of making it reasonable is to do it graphically (I'm really not an artist but I could knock up some mock-ups to hopefully show why graphical explanations would help). Unfortunately you'd need a designer to actually make them usable -- and they are painfully hard to find within free software communities (despite how desperately we need them in most free software projects). |
Is this a thing embedded into the client (such as Riot) or does this happen at the protocol level (Matrix)? |
The protocol defines how key backups work. Basically, your "recovery key" is the private half of an X25519 keypair. All new session keys get encrypted by clients using the public key (so you only need the private half when you first import your keys). Optionally, you can symmetrically encrypt the X25519 private key with a passphrase, and then that encrypted private key gets stored on the server. But since the private key is generated on your client, if you don't set a passphrase then the server never sees the private key.
There's a "delete backup" button in the key backup settings. I don't think you can currently delete only the passphrase (while keeping the backup), but if you delete the backup and then create a new one it will contain all of your keys (and you can not add a passphrase). |
|
@cyphar I'm having trouble understanding how it works. Whether I encrypt the backup with a passphrase or skip the passphrase and go directly for the recovery key, the backup status shows Moreover when restoring a backup protected with a passphrase I get the passphrase prompt, but if I can't remember it I can skip to the recovery key without providing the passphrase, but then where does it retrieve the backup from? If it's on the device's internal storage then skipping the passphrase and inserting the recovery key on another device added for the first time should not recover any key, is this correct? |
I think it should say that too, that might be a bug, I'm not sure.
The actual session keys (the keys you are backing up) are always stored on your homeserver, encrypted using a asymmetric Curve25519 keypair. If you enter the "recovery key" you are actually entering the private key for a Curve25519 keypair (the server keeps the public half, and gives it to your devices -- so they can add entries to your key backup without storing or prompting for the private key). However if you add a passphrase then your homeserver also stores a copy of the Curve25519 private key (the "recovery key"), encrypted with the passphrase you chose. From my understanding this design has changed somewhat since the introduction of SSSS (which is how cross-signing has been implemented), but the broad strokes should be the same. |
|
@cyphar And that IF you choose a strong passphrase the history is safe, but if the passphrase is weak then you might potentially compromise the security of all your messages? So if I lose access to all my devices, and I only have my passphrases, I add another device without any trace of previous local activities/backups, would I be able to recover all my encrypted history by only providing the recovery key? Would the only difference be inserting the recovery key by myself instead of inserting the passphrase to decrypt it and letting the homeserver insert it for me? |
Yes, though in order to exploit this you'd need to either be a homeserver owner or have the users' password to get access to the key backup.
Yes. This is what I do, and I have lost my devices before (both before and after the introduction of key backup -- it was much easier to deal with when key backup was added).
Yes, though the server doesn't do the decryption of the recovery key or key backup for you (for obvious reasons) -- it's done client-side. Aside from that, that is correct. |
|
@cyphar |
It's hard to guess what you're not seeing. The pros are:
The cons are:
It's not clear why you think that storing a recovery key or recovery passphrase in a password manager is a bad thing. |
|
@ara4n To be fair, they're arguing that recovery passphrases are a "bad feature" because if the user could pick a strong passphrase they're probably using a password manager and thus could just store the recovery key. If they can't store a recovery key, then their recovery passphrase is probably weak and we shouldn't encourage them to use passwords if they're likely to be weak. Not to mention that most users (sadly) do not use password managers. My view is that it's a trade-off which is entirely up to the user, and the pain of losing messages with your loved ones is much more likely to disenfranchise users than any system which permits weak passwords. (Not to mention losing your messages was basically guaranteed with the old key backup system, because you had to constantly keep backing it up -- something that even more technical users like myself managed to misunderstand.) Personally I think we could do more to make authentication less vulnerable to bad passwords (such as having 2FA support 😉), but this is perhaps an example where explaining to users that the password is optional (and should be very strong) but that it requires more work on their side is probably a good idea. |
|
oh, okay. yeah, we could forbid recovery passphrases and just mandate recovery keys. |
|
@ara4n I apologize if I came across as dismissive, it was not my intention. @cyphar made an excellent job explaining my concern and providing the reason I was not able to see, that there are users who care more about preserving message history than security. Then yes, it makes sense passphrases should stay, but should be explained better to make as clear as possible the risks stemming from a weak passphrase, and above all the fact that providing the passphrase itself is not mandatory, nor added security and that it means the recovery key will touch the server if provided. It should also be the other way around, the recovery key should be provided at first with a secondary toggle to enable passphrase backup. |
I agree with this suggestion -- I struggled to understand what was going on with the key backup setup flow until I looked up the MSC. If it was explained as "here is the important secret, and if you can't remember it safely you can store it on the server by encrypting it with a passphrase" it would be much more approachable -- right now it looks more like the recovery key is a randomly-generated passphrase because you have to click away from a password dialogue to get it. |
The same thing I suggested is already used by Firefox sync: https://hacks.mozilla.org/2018/11/firefox-sync-privacy/ |
|
And deriving both the account key and the recovery key from the user entered password would allow completely getting rid of recovery key management and device verification, since it could establish trust using the derived recovery key just logging in, which would significantly reduce friction for new users. Having to explicitly verify devices to establish trust could then be an advanced option most users wouldn't need. Add TOFU to that, and most people would never to bother with device verification. |
|
@LinAGKar it would also be incompatible with LDAP auth and SSO/SAML |
|
Apparently they are planning to allow using a single password for both: https://github.com/vector-im/roadmap/projects/1#card-48806427 |
|
do we really want our private keys on a server only protected by a password where the eu is planning to install backdoors in our end to end encryption?
i would really love to see good local backups or support to backup to an ssh or webdav server. for crypto currency we use hardware wallets and say "not your keys not your coins" and in communication it is ok to auto backup the keys to the cloud without a different option? |
|
You are not at all forced to backup your keys to the cloud. You have manual export functions inside Element. Keep in mind that due to Perfect Forward Secrecy - https://en.wikipedia.org/wiki/Forward_secrecy - you will need to backup very frequently if you do not want to lose your messages. Element as a thing which runs inside a web environment cannot make SSH connections so that's simply out of the question. |
|
What about automatic backup to a local file (which can then be synced/backed up some other way)? Also, WebDAV ought to be simple for a web app, and SSH (presumably SFTP) should be doable in the desktop app, albeit not in a web browser. |
|
well i felt really forced to use cloud backup with this nag screen comming up every time i started riot (where i asked for clear description in the app element-hq/element-web#13685). *: i really miss a feature to permanent decrypt a message locally. i someone is on my system where they keys reside the encrypted db wont really help |
Web apps can't automatically write to your files, you can only trigger file downloads upon an explicit user action.
Web apps can't check how much space is left on your device. |
|
does both of your comments also apply to the desktop app (i only use the desktop and there is no issue tracker for the desktop app)?
maybe trigger onclick & onfocus & onmessage ,... with enough trigger which trigger a "cron manager" which backups the keys around every x days? of course it still can happen that no backup occurs but it is still better than no backup (or remote backup)
oh. that's really bad but then there really should be a much better, for not tech people understandable info what no backup means and what can happen if no manual backup is made. |
In the desktop app these limitations are not present but require much more additional work.
The user experience this creates will be awful, the app randomly downloading files and your Downloads folder having a lot of random looking files. |
I'm pretty sure you can trigger a file download autmatically from JavaScript, but the user would get a file download dialog each time. It can't be hidden. The desktop app should be able to backup to a local file file automatically (or over SSH, though that seems redundant), but in a web browser the simplest option would probably be WebDAV. If you're running in a web browser, your already have to trust whoever serves the client though, since they can just add something to it at any time. |
|
first of all thank you at @t3chguy, i haven't seen such a good community manager and supporter in all the years. your answers come fast and are technically backedup. your endless patience and knowhow are awesome. big applause for you here and again thank you. to clearify i am talking about the desktop app only. i don't use the webapp in the browser.
it would be very good to have at least a "space left on device"-check. killing the keys because of missing device space is really a terrible UX. i don't know how the key rotation work at all but a full harddisk should never lead to the deletion of existing keys, so at least all existing messages should be accessible/decryptable. |
|
/me is not a Community Manager but a dev - but thanks :D I think valid concerns and limitations are listed in this issue sufficiently for the Product team to plan a solution for. |
aaronraimist
changed the title
|
Would there be a way to simply back up the conversations and get them when you log in into new devices. I am really not concerned about security and this huge complexity I find. I only would like to be able to keep the whole history of messages all the time, and this seems to be impossible right now to be done on a human way, not having to export files with encrypted keys now and then. |
|
@brumasribera Yes. That is what the Secure Backup feature does. It automatically backs up your keys. As long as you provide your Security Key (or Security Phrase) each time you login, your keys will be automatically backed up and restored. |
SimonBrandner
added
O-Frequent
|
@aaronraimist Backing up key means also backing up messages, I am more concerned with messages and not so much on those keys. For me, it would be just more simple to recover the messages normally once reconnected to your account and have this extra safety layer optional. Or at least be able to disable it, as I find it a bit cumbersome for my normal use. I am of course only talking about UX experience for the user. Thank you for your time! |
Well that's a different problem. If you don't trust your homeserver to not delete your messages then you probably want to be using the export chat feature. Go to the Room info page and then click Export chat. There is no feature to automatically do that though, that would be #1388.
Encryption makes it very difficult to automatically restore messages. If you want messages to be automatically visible with no action other than logging in, your only real option today is to not encrypt the room. In the future matrix-org/matrix-spec-proposals#3265, matrix-org/matrix-spec-proposals#2957, or matrix-org/matrix-spec-proposals#3262 may solve this. |
Lots of people tend to think manual key backup is something like GPG, ie if you export the key as soon as you create your account you'll be able to decrypt all future messages that are sent after you exported the keys.
The text was updated successfully, but these errors were encountered: