Skip to content

Commit

Permalink
Spelling!
Browse files Browse the repository at this point in the history
  • Loading branch information
@telenieko
telenieko committed Jan 20, 2024
1 parent b293c47 commit e6e642a
Showing 1 changed file with 16 additions and 14 deletions.
30 changes: 16 additions & 14 deletions e2ee.org
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
*#+TITLE: Ement.el, End-to-End Encryption
#+TITLE: Ement.el, End-to-End Encryption

#+PROPERTY: LOGGING nil

Expand Down Expand Up @@ -33,7 +33,7 @@
:END:

* Introduction
Ement.el doesn't support encrypted rooms natively, but it can be used transparently with an E2EE-aware reverse proxy daemon like [[https://github.com/matrix-org/pantalaimon/][Pantalaimon]]. This software sits between your Emacs instance (running Ement.el) and you Matrix server, handling E2EE for clients that do not support it natively, like Ement.el.
Ement.el doesn't support encrypted rooms natively, but it can be used transparently with an E2EE-aware reverse proxy daemon like [[https://github.com/matrix-org/pantalaimon/][Pantalaimon]]. This software sits between your Emacs instance (running Ement.el) and your Matrix server, handling E2EE for clients that do not support it natively, like Ement.el.

Ement.el's only requirement is that you properly set up Pantalaimon. Thus:

Expand All @@ -46,15 +46,15 @@ Ement.el's only requirement is that you properly set up Pantalaimon. Thus:

3. Verify the Pantalaimon session from another device.

The rest of this document is all about how to setup and configure Pantalaimon and E2EE.
The rest of this document is all about how to set up and configure Pantalaimon and E2EE.
** Security Considerations
Pantalaimon works as a trusted [[https://en.wikipedia.org/wiki/Man-in-the-middle_attack][man-in-the-middle]] by handling Matrix encryption for your client (Ement.el) and delivering it nice clear-text messages.

This means that *traffic between Pantalaimon and Ement.el is unencrypted!*

It is very important to understand this: the "end to end encryption" stops at your Pantalaimon daemon.

How to properly secure you Pantalaimon is out of the scope of this document.
How to properly secure your Pantalaimon is out of the scope of this document.

It is recommened to run it on the same host as your Ement.el/Emacs instance, bind to localhost (127.0.0.1) and be it a single user machine.

Expand All @@ -63,26 +63,26 @@ Please do not ever write "/ListenAddress = 0.0.0.0/" in your =pantalaimon.conf=.
* Installation
Pantalaimon is a Python package, and can be installed through pip.

Note that the package setup will attempt to compile the Olm C library so you need a minimal C toolchain available, at least a compiler like =gcc=.
Note that the package setup will attempt to compile the Olm C library, so you need a minimal C toolchain available, at least a compiler like =gcc=.

The pantalaimon package is also [available on several Linux distributions package managers](https://repology.org/project/pantalaimon/versions) which would make setup easier.

Once installed you should have the =pantalaimon= command available on your system.
Once installed, you should have the =pantalaimon= command available on your system.

** D-bus requirements
It may not be clear from the documentation but *pantalaimon requires d-bus in order to manage it*. In particular, the =panctl= tool only works through d-bus. This means that in order to achieve two-way verficiation you need to run it on Linux, unless you know a way (we do not) to issue commands to pantalaimon without =panctl=.
It may not be clear from the documentation, but *pantalaimon requires d-bus in order to manage it*. In particular, the =panctl= tool only works through d-bus. This means that in order to achieve two-way verficiation you need to run it on Linux, unless you know a way (we do not) to issue commands to pantalaimon without =panctl=.
** Systems without D-bus (macOS and Windows)
As noted above, you need =d-bus=.

Under macOS and/or Windows you have several options, all of which go beyond the scope of this document:
Under macOS and/or Windows, you have several options, all of which go beyond the scope of this document:

- Use Windows subsystem for Linux,
- Use homebrew, which can run d-bus and is documented in Pantalaimon's README.
- Use a virtual machine,
- Run pantalaimon on a remote host *under an encrypted channel* like an SSH tunnel, or a properly secured reverse proxy handling TLS termination.

* Configuration
Pantalaimon has a =pantalaimon.conf= file, and includes an example one. At the bare minimum you need a section for each homeserver you want to proxy to:
Pantalaimon has a =pantalaimon.conf= file, and includes an example one. At the bare minimum, you need a section for each homeserver you want to proxy to:

#+begin_src
[local-matrix]
Expand All @@ -106,14 +106,14 @@ Just ask Ement.el for a connection specifying the =:uri-prefix= parameter with y
#+END_SRC

** Session verification
In order for your pantalaimon-ement tandem to be able to decipher messages it needs key material to be delivered to it. In normal circumstances you will simply Verify the session from another client and be done with it.
In order for your pantalaimon-ement tandem to be able to decipher messages, it needs key material to be delivered to it. In normal circumstances, you will simply verify the session from another client and be done with it.

There are two main ways to verify a session. Which one to use depends mostly on your environment (your Matrix environment).

*** "Direct" verification
In any other of your devices you may be notified about a new unverified session and be given the opportunity to verify the session.
In any other of your devices, you may be notified about a new unverified session and be given the opportunity to verify the session.

You may also find the unverified session under your profile settings depending on your client software.
You may also find the unverified session under your profile settings, depending on your client software.

In any case: the verification is done on the other device. Nothing to do on Pantalaimon side.

Expand All @@ -122,7 +122,7 @@ So, once Ement.el has successfuly connected:
1. Go to any other of your devices and validate the Pantalaimon session.

*** "Two way" verification
You may need to verify both clients at once. That is, your current device shows you some phrase and you have to verify on Pantalaimon the same phrase.
You may need to verify both clients at once. That is, your current device shows you some phrase, and you have to verify on Pantalaimon the same phrase.

You need the =panctl= tool for this to work. Which requires d-bus.

Expand Down Expand Up @@ -165,8 +165,10 @@ This section is the /raison d'être/ of this document. What to do when things do

*If you have successfully setup pantalaimon and have reached this maybe you have had some experience that could be added to this document*, if so: please submit a PR.

You may also see [issues filed in GitHub in the past about e2ee](https://github.com/search?q=repo%3Aalphapapa%2Fement.el+pantalaimon+OR+e2ee+OR+encryption&type=issues) which often contain useful tips.

** Nothing happens
Rhere have been reported cases where messages suddenly decrypt. Like if pantalaimon needed its time to bootstrap itself and start getting keys. For "its time" we are talking a couple of hours, probably proportional to the number of encrypted rooms/chats you have.
Rhere have been reported cases where messages suddenly decrypt. Like if pantalaimon needed its time to bootstrap itself and start getting keys. For "it's time" we are talking a couple of hours, probably proportional to the number of encrypted rooms/chats you have.

So, *Troubleshooting Tip: if you are online and verified, give it time.*

Expand Down

0 comments on commit e6e642a

Please sign in to comment.