Currently, Vault Web stores chat messages encrypted using the JWT secret key. This approach has a critical security limitation: the server (or its owner) can decrypt and read all chat messages, which violates user privacy.
To enhance security, we need to implement for example end-to-end encryption (E2EE) for chat messages. With E2EE:
- Messages are encrypted on the sender’s client before being sent to the server.
- The server stores only encrypted messages and cannot decrypt them.
- Only the intended recipient(s) can decrypt the messages on their client side.
Goals / Tasks:
- Research suitable E2EE strategies for web-based chat (e.g., AES with user-derived keys, Signal Protocol, or other modern standards).
- Update the chat frontend to encrypt messages before sending.
- Update the backend to store encrypted messages without attempting to decrypt them.
- Ensure message delivery via WebSockets remains real-time while preserving encryption.
- Document the new workflow in the Server Docs repository under
vault-web/chats.
Benefits:
- Prevents server-side access to chat content.
- Increases user trust and privacy.
- Aligns Vault Web with best practices for secure communication.
Subfolder suggestion for documentation: vault-web/chats
Currently, Vault Web stores chat messages encrypted using the JWT secret key. This approach has a critical security limitation: the server (or its owner) can decrypt and read all chat messages, which violates user privacy.
To enhance security, we need to implement for example end-to-end encryption (E2EE) for chat messages. With E2EE:
Goals / Tasks:
vault-web/chats.Benefits:
Subfolder suggestion for documentation:
vault-web/chats