Missing Matrix room-specific E2E keys

This article explains how to proceed if you see messages like

** Unable to decrypt: The sender's device has not sent us the keys for this message. **

in an Element session instead of a decrypted message in a Matrix room's chat history.
The message means the Element session you're currently in does not have the end-to-end (E2E) keys necessary to decrypt past messages of the room.
The reason is that you're either in a new Element session which doesn't have these keys stored yet, or you are a new room member and therefore never possessed those keys.

New element session without keys

If you're in a new Element session, make sure to verify it against another (verified) Element session.
Once a device with a session on it is verified, it will be able to share its keys with your Element sessions on other verified devices. After that, previous chat messages will be decrypted.
If you're unsure which sessions you own and whether they're verified, check the list of your active sessions in your Element settings under Security & Privacy → Where you're signed in.

New room member without keys

Currently (January 2022), Element does not provide a function to share the E2E keys of a room with its members.
Until this changes, you can ask in a room whether anyone would help you out by following the procedure outlined below, which provides you with the room's E2E keys.
Once you have received the key package for the room, import it as described at the end of this article.

Create E2E import file for a specific room

If a user asked you to provide them with the E2E keys for a Matrix chat room, these are the steps you need to undertake.
The summarized process is to

  1. export the complete package of all your E2E keys,
  2. extract the package,
  3. filter it for a specific room by its room ID,
  4. rebuild a filtered package, and
  5. send it back to the user who asked for it.

The export requires you to secure the package with a first password, which only you need. You will have to define a second password for the rebuilt package, which you then pass on to the user who asked for the package.
Don't send the package and the second password together; use a different means of communication for each. For example, send the package by email and the second password in an encrypted 1:1 chat in Matrix.

  1. Get the room ID of the room you want to export the keys for. The room ID is a string of 18 random upper- and lowercase letters like hOGouEeglkjOGzueog; it starts after the exclamation mark ! and ends before the colon :

    • It is either displayed directly in the URL field of your browser: https://element.ee.ethz.ch/_matrix/client/#/room/!<room ID>:matrix.ee.ethz.ch

    • Or you find it listed in a room's settings (right-click on a room's title) under Advanced → Room information

  2. From Element, export the package of all your E2E keys under Settings → Encryption → Cryptography → Export E2E room keys to a file. Make sure to note the first password you entered here and the full path to the file. It will typically be saved as ~/Downloads/element-keys.txt, so we will use that path in this process.

  3. Create a Python environment called megolm_backup containing pycryptodome (required by the script that decrypts the export) and jq (the tool used to filter the JSON output), for example with conda:

    conda create --name megolm_backup pycryptodome jq
    
  4. Clone the repository of the script megolm_backup.py which allows you to modify the E2E key export:

    git clone https://github.com/cyphar/matrix-utils.git

  5. Activate the Python environment:

    conda activate megolm_backup

  6. For convenience, put the room's ID into a variable:

    ROOM_ID=<room ID>
    
  7. Run the following pipeline of commands. The room ID is passed to jq with --arg, because a shell variable inside jq's single-quoted filter would not be expanded and nothing would match.

    You will be asked to provide the first password to decrypt your E2E export and the second password to encrypt the package with keys filtered for <room ID>:

    ./matrix-utils/megolm_backup.py --from ~/Downloads/element-keys.txt | \
    jq --arg rid "!${ROOM_ID}:matrix.ee.ethz.ch" 'map(select(.room_id == $rid))' | \
    ./matrix-utils/megolm_backup.py --into > \
    ~/Downloads/${ROOM_ID}_E2E_keys.txt
    

You now end up with the package ~/Downloads/<room ID>_E2E_keys.txt, which you can send to the user who requested it.
Remember to send the accompanying password over a different, secure communication channel.

Import an E2E key file

If you asked for a package of E2E keys and received it, as well as the password to decrypt it:

The E2E file

When you export or import an E2E file, make sure it includes both the BEGIN and END markers:

-----BEGIN MEGOLM SESSION DATA-----
...
-----END MEGOLM SESSION DATA-----
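
The room-ID lookup, the jq filter step of the pipeline above and the BEGIN/END marker check, reproduced in Python as an added example that is not part of this page or of the matrix-utils project. The sample export is constructed (field names follow the Matrix key export format, values are made up) and the helper names are my own.

```python
import json
import re

def _session(room, sid):
    # Constructed sample session; field names follow the key export format,
    # values are made up.
    return {"algorithm": "m.megolm.v1.aes-sha2", "room_id": room,
            "sender_key": "SENDER_" + sid, "session_id": sid,
            "session_key": "KEY_" + sid,
            "forwarding_curve25519_key_chain": [], "sender_claimed_keys": {}}

# Constructed stand-in for a decrypted export: the JSON array (one object per
# Megolm session) that "megolm_backup.py --from" prints.
SAMPLE_EXPORT = json.dumps([
    _session("!hOGouEeglkjOGzueog:matrix.ee.ethz.ch", "SESSION_1"),
    _session("!hOGouEeglkjOGzueog:matrix.ee.ethz.ch", "SESSION_2"),
    _session("!otherRoomAbcdefghi:matrix.ee.ethz.ch", "SESSION_3"),
])

ROOM_ID_RE = re.compile(r"^[A-Za-z]{18}$")
BEGIN = "-----BEGIN MEGOLM SESSION DATA-----"
END = "-----END MEGOLM SESSION DATA-----"

def room_id_from_url(url):
    """Pull the bare 18-letter room ID out of an Element room URL
    (.../#/room/!<room ID>:<server>)."""
    m = re.search(r"#/room/!([A-Za-z]{18}):", url)
    if not m:
        raise ValueError("no room ID found in URL")
    return m.group(1)

def full_room_id(room_id, server="matrix.ee.ethz.ch"):
    """Build the "!<room ID>:<server>" value stored in each session's
    room_id field; a pasted '!' or ':' is rejected early."""
    if not ROOM_ID_RE.match(room_id):
        raise ValueError("room ID must be exactly 18 letters, without '!' or ':'")
    return "!%s:%s" % (room_id, server)

def filter_export(export_json, room_id, server="matrix.ee.ethz.ch"):
    """Keep only the sessions of one room (what the jq step does)."""
    wanted = full_room_id(room_id, server)
    return [s for s in json.loads(export_json) if s.get("room_id") == wanted]

def has_markers(text):
    """True if a key file starts with the BEGIN and ends with the END marker."""
    lines = [line.strip() for line in text.strip().splitlines()]
    return len(lines) >= 2 and lines[0] == BEGIN and lines[-1] == END
```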

ChatExportRoomKeys (last edited 2022-02-24 13:23:31 by stroth)