oxen-io / session-desktop

Session Desktop - Onion routing based messenger
https://getsession.org
GNU General Public License v3.0

where are my keys #2970

Closed michaelssingh closed 10 months ago

michaelssingh commented 11 months ago

The white paper stated that I could generate key pairs at any time. I am using Session Desktop, and I don't see that option.

Could you give me my keys?

Where are my key pairs stored?

Where are my messages stored?

Can the company/board members/investors/engineers/nodes behind Session decrypt my messages at rest?

KeeJef commented 11 months ago

Keys are stored locally on the device; they can be seen at Settings -> Recovery Phrase. New keys can be generated by going to Settings -> Clear Data. Once data is cleared, you will generate a new keypair when you start Session the next time.

Messages are stored on the decentralised Service Node network for a period of 14 days (30 days in the case of configuration messages).

The only person who can decrypt and read your messages is the person who holds the private key for your Session ID, which is stored only on the local device where Session is installed. So no, the company/board members/investors/engineers/nodes cannot decrypt your messages.

michaelssingh commented 11 months ago

Why are messages being stored in the first place?

KeeJef commented 11 months ago

To increase user experience. If messages aren't stored offline, then both devices need to be online for a conversation to happen. Storing messages offline allows you to turn your device off after you send a message, and for the recipient to be completely offline for a period of time before they receive that message.

michaelssingh commented 11 months ago

Why aren't messages stored until the client receives them if the use case is to provide a good experience?

michaelssingh commented 11 months ago

Is it currently possible for messages to be backed up and stored elsewhere?

beantaco commented 11 months ago

I have no insight into design decisions, but I'll attempt to answer some of your questions (note: most are already answered by @KeeJef).

> Could you give me my keys?

Considering my understanding of how Session works, I don't know exactly what the question is trying to ask, but I would say no.

> Where are my key pairs stored?
>
> Where are my messages stored?

These are stored in ~/.config/Session on Linux operating systems.

> Can the company/board members/investors/engineers/nodes behind Session decrypt my messages at rest?

Not that I believe. My understanding is the user's private key is stored locally, messages are decrypted as they are received, and then the messages may be stored as plaintext on the user's device (depending on the account's password protection maybe?).

> Why are messages being stored in the first place?

Messages are stored in the network (by Service Nodes) to allow asynchronous communication. Otherwise, users would need to be online simultaneously in order to exchange messages.

> Why aren't messages stored until the client receives them if the use case is to provide a good experience?

I guess this is to reduce the storage capacity requirements on Service Nodes and prevent messages that will never be received from staying zombie inside Service Nodes, and there may be other reasons.

> Is it currently possible for messages to be backed up and stored elsewhere?

You can copy ~/.config/Session elsewhere in order to back up your messages. However, if you copy it to another device and then use the same account on multiple devices, I don't know what would happen.