Encryption means scrambling a message so that only someone who knows the secret key can decrypt it. We use encryption to protect the privacy of your messages and files.
End-to-end encryption means that your messages and files are encrypted before they leave your device and remain encrypted until they reach the devices of the other participants. End-to-end encrypted messages can be read only by the participants in the conversation.
With end-to-end encryption, only the participants in the conversation can read your messages — and nobody else. This means your messages cannot be read by UCMeet staff or any other third party. It also means that if you lose your keys, you will not be able to read your messages.
No. Messages are encrypted only in rooms where encryption is enabled. You can enable encryption in Room settings.
Key storage is needed:
Key storage is enabled by default. To work properly, your device or devices store a copy of message keys on your service provider’s server.
Before your digital identity data and message keys leave your device, they are always encrypted. Nobody except you, not even your service provider, can access them or use them to read your messages, send messages on your behalf, or add devices to your account.
A recovery key is a unique 48-character key, for example: EsTZ 4us6 nh29 89jk U1uH Zbae 4PuS QQC1 86pt em8o R8nb bdwQ. It is generated so you can restore your chat backup and preserve your digital identity if you lose access to all your devices.
It can also be used to verify new devices that you add to your account.
If you are not signed in anywhere in UCMeet or have lost all your devices, the recovery key is the only way to preserve your digital identity and restore your chat history.
In a safe place. Typical options include a password manager, a hardware-encrypted USB drive, or a sheet of paper stored in a secure physical location, such as a safe or locked drawer.
You will need to reset your digital identity. Your previous messages will no longer be decryptable, and other users will see that you reset your digital identity. If you explicitly verified any contacts, you will need to verify them again.
Go to User settings → Encryption and click “Get recovery key”.
Key storage is the main technical method for sharing keys between your devices. A recovery key lets you access those keys even if you lose access to all your devices, ensuring that you can preserve access to your digital identity and chat history in such cases.
We give users full control over which keys, if any, leave their device. The table below summarizes different scenarios from a usability and privacy perspective. Note that no key ever leaves your device unencrypted.
| Key storage | Recovery key | Privacy | Usability and availability |
|---|---|---|---|
| Enabled | Active | Both digital identity and message keys leave the device. | Recommended for most users for the best experience. Chat history can be decrypted on new devices, and the recovery key can be used to verify new devices. Chat history can be decrypted and the digital identity can be preserved if access to all devices is lost. |
| Enabled | Inactive | Only message keys leave the device. | Message history can be decrypted on new devices. Chat history cannot be decrypted and the digital identity cannot be preserved if access to all devices is lost. |
| Disabled | Unavailable | No keys leave the device. | Chat history cannot be decrypted on new devices. Chat history cannot be decrypted and identity data cannot be preserved if access to all devices is lost. |
UCMeet web and mobile apps monitor the state of your digital identity by checking whether all keys that define the digital identity are present on the device. This helps detect potential problems early and ensure correct encryption and decryption of messages.
If one or more keys are missing, you receive a “key storage out of sync” notification and are asked to enter your recovery key to retrieve the missing identity keys from key storage. In some cases, key storage may also be missing all digital-identity keys; in that case, you will need to reset your digital identity.
This should happen rarely. A typical reason is previous use of an outdated or faulty UCMeet Chat client, which is detected during the health check.
Simply put, a device is the laptop, phone, tablet, or desktop computer from which you sign in to or create your account.
Users who sign in multiple times, for example from different browsers or different mobile or desktop apps, should note that each sign-in requires separate verification, even if it happens on the same physical device. Each authorized session appears as an independent “device” in your account.
In end-to-end encrypted messaging systems, digital identity is the foundation for ensuring that when Tatiana sends a message to Sergey:
- only Sergey can decrypt the message;
- Sergey can cryptographically confirm that the message was sent by Tatiana.
In practice, a user’s digital identity is established as a pair of cryptographic keys generated locally on the user’s laptop or phone when they first sign in to their account. However, an ordinary user usually does not see their digital identity anywhere on the screen and does not need to manage it directly.
If Sergey wants to make sure he is still communicating with Tatiana, he needs to remember Tatiana’s digital identity. Similarly, Tatiana needs to remember Sergey’s digital identity.
UCMeet provides two layers of protection for remembering a contact’s identity:
- Identity pinning: Tatiana’s identity is saved automatically when Sergey first starts a conversation with her.
- User identity verification: Tatiana and Sergey explicitly confirm that they both have the correct identity information for each other. This is done by comparing a set of emoji or scanning a QR code shared through another channel, such as a video call or an in-person meeting.
Identity pinning is more convenient because it works automatically from the user’s point of view and is sufficient for most use cases. Sergey and Tatiana receive a notification when the other person’s identity is reset, but communication is not blocked.
For higher-risk situations, user identity verification provides additional protection against sophisticated man-in-the-middle attacks, where an attacker actively interferes with Tatiana and Sergey’s communication from the beginning of their conversation, replacing their identities with the attacker’s identities and preventing them from ever learning each other’s real identities. User identity verification prevents such advanced attacks.
UCMeet notifies you whenever a contact’s digital identity has been reset, so you can check the privacy of your conversation and protect against possible man-in-the-middle attacks.
The most common reason is that the contact reset their digital identity themselves, often because they lost all devices without a recovery key. However, a digital-identity reset may also indicate an attempted interception.
We recommend checking with the contact whether they reset their digital identity intentionally. You can do this in person or through an alternative channel such as email or another messaging app.
If the reset concerns a previously verified contact, we strongly recommend verifying them again as soon as possible. Note that in this case communication with that contact will also be blocked. If you cannot re-verify immediately, you can withdraw verification to continue communicating with that person.
If you had not previously verified the contact’s identity, the new data will be accepted and saved automatically, so no additional action is required from you. We will notify you if the contact’s identity changes again in the future.
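The pinning and verification rules described above, written out as a small client-side trust store. This is an added example, not UCMeet's code: the class and method names, the `pending` field and the fingerprint strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Action(Enum):
    PINNED = "first contact: identity pinned automatically"
    UNCHANGED = "identity matches the pinned one"
    NOTIFY = "reset on unverified contact: new identity saved, user notified"
    BLOCK = "reset on verified contact: communication blocked"


@dataclass
class Contact:
    pinned: Optional[str] = None   # fingerprint of the remembered identity
    pending: Optional[str] = None  # new identity awaiting a user decision
    verified: bool = False         # set only by explicit emoji/QR verification


class TrustStore:
    def __init__(self) -> None:
        self.contacts: Dict[str, Contact] = {}

    def observe(self, user: str, fingerprint: str) -> Action:
        """Handle the identity currently advertised for `user`."""
        c = self.contacts.setdefault(user, Contact())
        if c.pinned is None:
            c.pinned = fingerprint
            return Action.PINNED
        if fingerprint == c.pinned:
            return Action.UNCHANGED
        if c.verified:
            c.pending = fingerprint      # keep the verified pin, trust nothing new
            return Action.BLOCK
        c.pinned = fingerprint           # pinning only: accept and notify
        return Action.NOTIFY

    def verify(self, user: str, checked_out_of_band: str) -> None:
        """Explicit verification pins the identity confirmed over another channel."""
        self.contacts[user] = Contact(pinned=checked_out_of_band, verified=True)

    def withdraw_verification(self, user: str) -> None:
        """Fall back to pinning so the conversation can continue unverified."""
        c = self.contacts[user]
        self.contacts[user] = Contact(pinned=c.pending or c.pinned)

    def can_send(self, user: str) -> bool:
        return self.contacts[user].pending is None
```

The verified branch never overwrites the pin on its own: only `verify` or `withdraw_verification`, both explicit user actions, clear the block.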
Device verification is required when Tatiana or Sergey adds another device — they sign in somewhere else, such as from another laptop or phone, or even from another browser on the same laptop.
After signing in on the new device, Tatiana uses her digital identity and the underlying cryptographic keys to show Sergey that the new device really belongs to her and was not added by someone else who has access to her account. She can do this either by entering her recovery key, which immediately gives the new device access to her digital identity, or by performing an interactive verification from an already verified device.
Search in encrypted rooms is available only in UCMeet for macOS, Windows, and Linux, provided it is enabled in Security & Privacy settings in UCMeet Chat.