Unable to decrypt previous messages on new devices

[J316]

In an encrypted chat or group, if a user is invited after a message was sent, or even if he is already present in the chat, but he adds a new device later in time, that device cannot decrypt previous messages because "the sender didn't share the keys". This happens on all operative systems (I tried Android, iOS, Linux, Windows) and with everyone I tried.

[lampholder]

The way in which the encryption works today means that you cannot decrypt messages which were sent before you joined the room.

When you add new devices after the point at which you had joined the room, your devices can share keys between themselves - when I go to a room in a session on a brand new computer, it will poll any other clients I have to see if they have a copy of the key, and if they do, the client with a copy will pop up asking if you're willing to share the key with a new devices (this confirmation is skipped if the devices are verified).

You can also export keys from one client and import them into another (I believe this works across different operating systems).

If there's no overlap of logged-in clients' sessions, and you don't save your keys when you log out, you will lose access to encrypted messages :(

[J316]

Why would the process be skipped if the devices are verified? That's the very first action that should be performed when a new device is added, before joining the room, so the key exchange should happen with verified devices too

[J316]

@lampholder Even after unverifying devices the process does not work because of #6593, #6838 and element-hq/element-meta#647.

[lampholder]

Why would the process be skipped if the devices are verified? That's the very first action that should be performed when a new device is added, before joining the room, so the key exchange should happen with verified devices too

The confirmation is what is skipped, not the key sharing. If your laptop has verified your desktop, then your laptop will share keys with your desktop without prompting for confirmation.

The way in which the encryption works today means that you cannot decrypt messages which were sent before you joined the room.

This is element-hq/element-meta#647. You can't decrypt messages from before your device was in the room, because that feature doesn't exist today. You can decrypt messages on devices that weren't in the room, if and only if your devices that were in the room at the time the message were sent a.) are online and b.) still have their copy of the keys.

[uhoreg]

Decrypting old messages on a new device is solved by key backups now.

No being able to decrypt messages from before you were in a room is somewhat purposeful, as if a user can join a room and read all past messages, that make end-to-end encryption much less secure. It is possible that someone may want to selectively share keys to a new user, as a cross between element-hq/element-meta#1287 and element-hq/element-meta#647, but we would need to be careful with the UI in order to ensure that people don't accidentally overshare.

[mrjohnson22]

In the meantime, the UI should make it clear to room admins that users won't be able to see messages from before they joined. How about restricting the "Who can read history" setting to only allow "Members only (since they joined") for encrypted rooms?

[janedough1331]

Why can't I decrypt a message that was started on my device? Someone sends me a message 1:1 and I get this warning instead of the message. I then verify his devices manually, and I still see the same message on the next message received.

[uhoreg]

As mentioned above, this issue in general is fixed by key backups and key sharing in the case of a user logging into a new device, and is expected behaviour in the case of a new user joining a room. So this issue can be closed.