What is the server-side key backup?
The server-side key backup is an encrypted copy of your Matrix client’s message keys, securely stored on your Matrix homeserver. To ensure those keys can only ever be accessed by you, they are encrypted on your device, with a key that’s kept only on your devices and known as the backup key.
In order to use your backup, you must have access to either:
- An existing logged-in and verified session.
- Your Recovery Key (also sometimes referred to as a Security Key or Security Phrase/Passphrase).
Why reset your server-side key backup?
Resetting the server-side key backup is necessary only in a rare set of scenarios:
- Lost access to your backup. If you have lost your Recovery Key (aka Security Key, or Security Phrase) and have no other logged-in device with which to verify yourself, you may wish to reset the backup in order to create a fresh instance with a new Recovery Key.
- Backup key compromise: If a vulnerability (or a leaked Recovery Key) results in the compromise of the backup key, reset the backup to issue a new key. Be clear about what this does and does not achieve: it stops the old key from unlocking anything uploaded from now on, but anyone who already holds both the old key and a copy of the old backup can still decrypt that copy. Rotating the backup key does not rotate the message keys themselves; they are simply re-uploaded into the new backup.
- Recovery from critical bugs: If a significant bug impacts the backup system and recovery is not possible through other means, resetting the backup may be the only viable solution. Following the steps below, in particular exporting your message keys first, lets the backup be returned to an operational state without losing message keys.
The following steps cover how to do this in Element.
Overview of the reset process
- Ensuring you have a local copy of all your message keys. This is accomplished by forcing your Matrix client to download all message keys from your server-side key backup (if available).
- Exporting your message keys to a file. This ensures that even if something goes wrong during the procedure, you have a local copy of all your message keys which you can use to recover safely.
- Resetting the server-side key backup. This is accomplished by deleting the existing backup and creating a new one. As a side-effect of this, a new Recovery Key will be created for you, which you should write down and store safely. This Recovery Key will replace your previous one.
- Giving your other clients access to the new backup. Your other logged-in Matrix clients will detect the new backup and begin uploading their locally-stored message keys to it, gradually, in the background. They can do this because the backup is encrypted to a public key that the homeserver publishes with the backup version; decrypting anything in it requires the matching private key, which your other clients only obtain once you give them the new Recovery Key. Initially, therefore, your clients have write access to the new backup but not read access. The final step is to enter the new Recovery Key into each of your existing Matrix clients so that they have complete access.
Resetting the backup from classic Element clients
Step 1: Ensuring you have a local copy of all your message keys
In Element Web, go to Settings > Security & Privacy, then select Restore from backup under the Secure Backup section.
On Element iOS, go to Settings > Security, then select Restore from backup under the Secure Backup section.
On Element Android, go to Settings > Security & Privacy > Encrypted Messages Recovery, then select the green Restore from backup button.
Enter your current Recovery Key (or verify with another session) when prompted, and wait for the restore to finish before continuing. If no backup exists, or you cannot unlock it, the export in Step 2 will contain only the keys already present on this device.
Step 2: Exporting your message keys to a file
As a result of this step, you will export an encrypted copy of your message keys to a file, acting as a safeguard to avoid message key loss.
On Element Web, go to Settings > Security & Privacy, then select Export E2E room keys under the Cryptography section.
You will be prompted to enter a passphrase. This passphrase is arbitrary and is used only to protect the exported file; you will need it to restore your message keys from this file, so store it securely and separately from the file. Choose it carefully: the file contains the keys to all of your encrypted message history and is protected by nothing but this passphrase, so a short or guessable one can be brute-forced offline by anyone who obtains the file.
On Element iOS, go to Settings > Security, then select Export keys manually under the Security section and follow the instructions.
On Element Android, go to Settings > Security & Privacy, then select Export E2E room keys under Cryptography Keys Management.
Step 3: Resetting the server-side key backup
This is the step in which we actually reset the backup. At the end of the process you will have a new Recovery Key (also known as Security Key or Security Phrase). You must save this key since you will need it to access your backup in future (including on any other currently logged-in devices).
On Element Web, select the red Reset button and follow the instructions to obtain your new Security Key (aka Recovery Key) or Security Phrase. We recommend creating a Security Key (aka Recovery Key) for maximum security. This will be the only supported mechanism in Element X going forward to eliminate the risk of users accidentally choosing low-security passphrases or confusing them with account passwords.
You may then need to restart Element Web/Desktop to connect to the new backup.
On Element iOS, go to Settings > Security, then select Reset under the Secure Backup section and follow the instructions to obtain your new Security Key (aka Recovery Key) or Security Phrase. We recommend creating a Security Key (aka Recovery Key) for maximum security. This will be the only supported mechanism in Element X going forward to eliminate the risk of users accidentally choosing low-security passphrases or confusing them with account passwords.
On Element Android, there is an extra step before resetting: you first need to delete the existing backup. Go to Settings > Security & Privacy, then select Encrypted Messages Recovery and finally select the red Delete backup button. When prompted whether to really delete the backup, confirm by selecting Delete backup again.
Now select the back arrow to go back to the Settings > Security & Privacy screen. Then, select Reset Secure Backup and follow the instructions to obtain your new Security Key (aka Recovery Key) or Security Phrase. We recommend creating a Security Key (aka Recovery Key) for maximum security. This will be the only supported mechanism in Element X going forward to eliminate the risk of users accidentally choosing low-security passphrases or confusing them with account passwords.
Step 4. Giving your other clients access to the new backup
Finally, you need to enter the Recovery Key (or Security Key, or Security Phrase) that was generated in Step 3 in all of your other clients, in order to give them full access to the backup.
The simplest way to do it is to go to the backup settings as in Step 1 and try to restore keys from the new backup. You will be prompted to enter the newly generated Recovery Key (or Security Key, or Security Phrase). This doubles as a check that the key you wrote down in Step 3 actually unlocks the new backup; do it on each device while you still have the exported file from Step 2 as a fallback.
Resetting the backup from Element X clients
It is not recommended to reset the backup from Element X: the app cannot yet download or export the entire backup before deleting it, so any message keys that exist only in the old backup (and not on the device performing the reset) will be lost; only the locally cached keys are preserved. If this is your only option, the instructions are as follows:
Step 1: Turn off the backup
Go to Settings > Chat backup, then select Turn off backup. When prompted whether you are sure, confirm by selecting Turn off backup.
Step 2: Turn the backup back on
Still on the same screen, select Turn on backup.
Step 3: Set up recovery
Select Set up recovery and follow the instructions to obtain a new Recovery Key. You must save this key since you will need it to complete the next, final step.
Step 4: Giving your other clients access to the new backup
On your other devices, enter the newly obtained Recovery Key when prompted for it (on Element X), or follow Step 4, “Giving your other clients access to the new backup”, for classic Element in the previous section. Note that on classic Element clients, you enter the Recovery Key in the flow that asks for the Security Key.