Resetting the server-side key backup

May 15, 2024
Element app

What is the server-side key backup?

The server-side key backup is an encrypted copy of your Matrix client’s message keys, securely stored on your Matrix homeserver. To ensure those keys can only ever be accessed by you, they are encrypted on your device, with a key that’s kept only on your devices and known as the backup key.

In order to use your backup, you must have access to either:

  • An existing logged-in and verified session.
  • Your Recovery Key (also sometimes referred to as a Security Key or Security Phrase/Passphrase).

Why reset your server-side key backup?

Resetting the server-side key backup is necessary only in a rare set of scenarios:

  • Lost access to your backup. If you have lost your Recovery Key (aka Security Key, or Security Phrase) and have no other logged-in device with which to verify yourself, you may wish to reset the backup in order to create a fresh instance with a new Recovery Key.
  • Backup key compromise: If a vulnerability results in the compromise of the backup key, resetting the backup is essential to issue a new key. This step is crucial to prevent potential exploitation and to secure your backup against unauthorized access.
  • Recovery from critical bugs: If a significant bug impacts the backup system and recovery is not possible through other means, resetting the backup may be the only viable solution. This procedure ensures that the backup can be returned to an operational state without data loss.

The following steps cover how to do this in Element.

Overview of the reset process

  1. Ensuring you have a local copy of all your message keys. This is accomplished by forcing your Matrix client to download all message keys from your server-side key backup (if available).
  2. Exporting your message keys to a file. This ensures that even if something goes wrong during the procedure, you have a local copy of all your message keys which you can use to recover safely.
  3. Resetting the server-side key backup. This is accomplished by deleting the existing backup and creating a new one. As a side-effect of this, a new Recovery Key will be created for you, which you should write down and store safely. This Recovery Key will replace your previous one.
  4. Giving your other clients access to the new backup. Your other logged-in Matrix clients will now detect the new backup and begin uploading their locally-stored message keys to it. This upload process happens gradually in the background. Initially, your clients will have write access to the new backup, but not read access. To enable full functionality, you must manually enter your new Recovery Key into each of these clients. Therefore, the final step is to distribute your Recovery Key to all your existing Matrix clients to ensure they have complete access.

Resetting the backup from classic Element clients

Step 1: Ensuring you have a local copy of all your message keys

In Element Web, go to Security & Privacy, then select Restore from backup under the Secure Backup section.

Restoring from backup on Element Web

On Element iOS, go to Settings > Security, then select Restore from backup under the Secure Backup section.

Restoring from backup on Element iOS (classic)

On Element Android, go to Settings > Security & Privacy > Encrypted Messages Recovery, then select the green Restore from backup button.

Restoring from backup on Element Android (classic)

Step 2: Exporting your message keys to a file

As a result of this step, you will export an encrypted copy of your message keys to a file, acting as a safeguard to avoid message key loss.

On Element Web, go to Security & Privacy, then select Export E2E room keys under the Cryptography section.

You will be prompted to enter a passphrase. This passphrase is arbitrary and is only used for protecting your exported file—you will need it to restore your message keys from this file so store it securely somewhere.

Exporting message keys on Element Web

On Element iOS, go to Settings > Security, then select Export keys manually under the Security section and follow the instructions.

Exporting message keys on Element iOS (classic)

On Element Android, go to Settings > Security & Privacy, then select Export E2E room keys under the Cryptography Keys Management.

Exporting message keys on Element Android (classic)

Step 3: Resetting the server-side key backup

This is the step in which we actually reset the backup. At the end of the process you will have a new Recovery Key (also known as Security Key or Security Phrase). You must save this key since you will need it to access your backup in future (including on any other currently logged-in devices).

On Element Web, select the red Reset button and follow the instructions to obtain your new Security Key (aka Recovery Key) or Security Phrase. We recommend creating a Security Key (aka Recovery Key) for maximum security. This will be the only supported mechanism in Element X going forward to eliminate the risk of users accidentally choosing low-security passphrases or confusing them with account passwords.

Resetting the backup on Element Web
Setting a new Security Key (aka Recovery Key) / Security Passphrase on Element Web

You may then need to restart Element Web/Desktop to connect to the new backup.

On Element iOS, go to Settings > Security, then select Reset under the Secure Backup section and follow the instructions to obtain your new Security Key (aka Recovery Key) or Security Phrase.  We recommend creating a Security Key (aka Recovery Key) for maximum security. This will be the only supported mechanism in Element X going forward to eliminate the risk of users accidentally choosing low-security passphrases or confusing them with account passwords.

Resetting the backup on Element iOS (classic)

On Element Android, there is an extra step before resetting: you first need to delete the existing backup. Go to Settings > Security & Privacy, then select Encrypted Messages Recovery and finally select the red Delete backup button. When prompted whether to really delete the backup, confirm by selecting Delete backup again.

Deleting the backup on Element Android (classic)

Now select the back arrow to go back to the Settings > Security & Privacy screen. Then, select Reset Secure Backup and follow the instructions to obtain your new Security Key (aka Recovery Key) or Security Phrase.  We recommend creating a Security Key (aka Recovery Key) for maximum security. This will be the only supported mechanism in Element X going forward to eliminate the risk of users accidentally choosing low-security passphrases or confusing them with account passwords.

Step 4. Giving your other clients access to the new backup

Finally, you need to enter the Recovery Key (or Security Key, or Security Phrase) that was generated in Step 3 in all of your other clients, in order to give them full access to the backup.

The simplest way to do it is to go to the Backup settings as in “Step 1” and then to try to import keys from the new backup. This will ensure that you can effectively decrypt keys from the new backup. You will be prompted to enter the newly generated Recovery Key (or Security Key, or Security Phrase).

Resetting the backup from Element X clients

It is not recommended to reset backup from Element X, as the app has no capability yet to download or export the entire backup before deleting it, which will lead to data loss; only the locally cached keys will be preserved. If this is your only option, the instructions are as follows:

Step 1: Turn off the backup

Go to Settings > Chat backup, then select Turn off backup. When prompted whether you are sure, confirm by selecting Turn off backup.

Disabling the backup on Element X clients

Step 2: Turn the backup back on


Still on the same screen, select Turn on backup.

Enabling the backup on Element X clients

Step 3: Set up recovery

Select Set up recovery and follow the instructions to obtain a new Recovery Key. You must save this key since you will need it to complete the next, final step.

Setting up recovery on Element X clients

Step 4: Giving your other clients access to the new backup

On your other devices, enter the newly obtained Recovery Key when either prompted for it (on Element X) or by following the “Giving your clients access to the new backup” for classic Element in the previous section. Note that on classic Element clients, you will need to enter the Recovery Key in the flow which is asking for the Security Key.

Element Security

Related Posts

Releases
ESS 24.05: now with Element Desktop MSIs!
In our most recent version of ESS 24.05 we’re pleased to offer a Windows MSI (Microsoft Installer) build of Element Desktop. Many larger customers prefer MSI files for software installation.
Archie W
29/05/2024
Security
Security release: Element X Android (0.4.12) and iOS (1.6.7)
We have released security updates
Element Security
15/05/2024
Security
Meet Element R: our new unified crypto implementation
We’ve created a common cryptographic library implementation in Rust - codenamed Element R - for all our Element clients.
Archie W
27/02/2024
Security
Security release: Element Android 1.6.12
Hello, Today we have released
Element Security
20/02/2024

By the same author

Security
Security release: Element X Android (0.4.12) and iOS (1.6.7)
We have released security updates
Element Security
15/05/2024
Security
Security release: Synapse 1.105.1
Today we are releasing Synapse
Element Security
23/04/2024
Security
Security release: Element Android 1.6.12
Hello, Today we have released
Element Security
20/02/2024

Element is the fast, simple and private way to communicate with family, friends, teams, colleagues, organisations and the wider world.

Thanks for reading our blog— if you got this far, you should head toelement.ioto learn more!

Get started

For Web, Android, iOS, macOS, Windows & Linux