Encryption

Encryption in Threads

Each message is protected by a symmetric key, which is in turn secured using an asymmetric pair of public and private user keys. This dual-layer encryption keeps the system both safe and efficient.

Encryption Scenario

Only an end user can create a Thread, by providing a set of public keys for the users who should have access to the Thread.

A symmetric key for the Thread (the Thread Encryption Key) is then generated by the Thread author and securely stored on the server, encrypted using the public keys of the users assigned to the Thread. This ensures that only the authorized users have access to the Thread Encryption Key. Unencrypted keys never leave User Endpoints.

When a Thread is accessed, the encrypted Thread Encryption Key is sent to each user based on their assignment to the Thread. Only users with the proper Private Keys can decrypt the Thread Encryption Key. Using the decrypted key, messages are encrypted, and they are signed with the users' Private Keys, before being sent to the Bridge.

This process is handled by the PrivMX Endpoint Library and is completely seamless for Endpoint users.

Here's a visual reference for encryption in Threads:

[Figure: PrivMX Threads encryption]
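The scenario above, sketched as an added example in Node.js; this is not PrivMX Endpoint code and does not use its API. The primitives (RSA-OAEP for wrapping the Thread Encryption Key, AES-256-GCM for messages, Ed25519 for signatures) and all function names are assumptions chosen for illustration.

```javascript
// Added illustration: generic envelope encryption, not the PrivMX Endpoint API.
// Assumed primitives: RSA-OAEP wraps the key, AES-256-GCM encrypts, Ed25519 signs.
const crypto = require('node:crypto');

// Hypothetical user record: one key pair for key wrapping, one for signatures.
function newUser(name) {
  return {
    name,
    enc: crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }),
    sig: crypto.generateKeyPairSync('ed25519'),
  };
}

// Author's endpoint: create the Thread key and wrap it once per member public key.
// Only serverRecord (wrapped copies) is uploaded; threadKey stays on the endpoint.
function createThread(memberPublicKeys) {
  const threadKey = crypto.randomBytes(32);
  const wrapped = Object.create(null);
  for (const [name, pub] of Object.entries(memberPublicKeys)) {
    wrapped[name] = crypto.publicEncrypt({ key: pub, oaepHash: 'sha256' }, threadKey);
  }
  return { threadKey, serverRecord: { wrapped } };
}

// Member's endpoint: recover the Thread key from the copy wrapped for this user.
function unwrapThreadKey(serverRecord, user) {
  const blob = serverRecord.wrapped[user.name];
  if (!blob) throw new Error('user is not assigned to this Thread');
  return crypto.privateDecrypt({ key: user.enc.privateKey, oaepHash: 'sha256' }, blob);
}

// Encrypt with the Thread key, then sign iv || tag || ciphertext with the sender's key.
function sealMessage(threadKey, sender, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', threadKey, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  const body = Buffer.concat([iv, c.getAuthTag(), ct]);
  return { body, sig: crypto.sign(null, body, sender.sig.privateKey) };
}

// Verify the sender's signature before decrypting; GCM then checks integrity again.
function openMessage(threadKey, msg, senderSigPublicKey) {
  if (!crypto.verify(null, msg.body, senderSigPublicKey, msg.sig)) {
    throw new Error('signature check failed');
  }
  const d = crypto.createDecipheriv('aes-256-gcm', threadKey, msg.body.subarray(0, 12));
  d.setAuthTag(msg.body.subarray(12, 28));
  return Buffer.concat([d.update(msg.body.subarray(28)), d.final()]).toString('utf8');
}
```

The server-side record holds only wrapped copies of the key, so a user who is not assigned to the Thread, or who holds the wrong private key, cannot recover it.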