Script developed to encrypt your messages on the client side before sending them to a Discord channel. This way, Discord only sees encrypted data and cannot decrypt it without the secret key. Of course, the other users also need this script and the secret key to decrypt the data. The script is intended to be used with the Tampermonkey or Greasemonkey addon on Discord for browser.
This script works on the DOM of the document, checking and modifying elements on the client side before they are sent to the server.
The script is pure JavaScript; no external libraries are loaded.
Tested on Firefox with Greasemonkey and Chrome with Tampermonkey.
- You can join this Discord and follow the instructions to add the keys into Tampermonkey: https://discord.gg/g9teQ2N
- Add the `discord-e2e.js` to Tampermonkey or Greasemonkey
- Once the script is installed you should be able to decrypt the data
- Type some text
- Press ENTER, you should see that now the text is encoded in base64
- Press SPACE then ENTER on the keyboard
- Done
- Install the addon Tampermonkey for Chrome or Greasemonkey for Firefox
- Open the Dashboard addon
- Click on the button "+" or "Add script"
- Copy-paste the content of the file `discord-e2e.js`
- Go to Discord and test the demo!
The data is encrypted with the browser's CryptoKey API (Web Crypto) using the AES-GCM algorithm. The secret key is generated by `window.crypto.subtle.generateKey` with a length of 256. Every time you type something in the textarea and press ENTER, the content of the textarea is encrypted, then the value of the textarea is replaced with the encrypted data encoded in base64. Therefore Discord only sees when you are typing, not the content.
Only people with the same key can decrypt the data.
Yes, you can set as many keys as you want. A key is linked to a channel like this:
```javascript
var keyStorage = [{
    'channel': 'channel/path/',
    'key': 'YOUR_KEY',
    'iv': iv
}]
```
Yes, this also works for private messages :)
There isn't a good solution on the client side to store sensitive information. The keys are stored in the Tampermonkey script itself. It shouldn't be possible to retrieve the keys directly without access to the computer (or a browser exploit?). If anyone has a better idea, submit an issue or come chat on Discord.
Currently attachments are not encrypted; if anyone has an idea, I'm curious :)
- Open your browser
- Display the Developer Console: F12 or Ctrl-Shift-I
- Copy-paste the content of `generate-key.js`
- Copy the key parameter (in blue on the screenshot)
- Open the script in Tampermonkey and add the key into the array `keyStorage`:
```javascript
var keyStorage = [
    {
        'channel': '/channels/495699373863338003/533030226402476032', // replace by your channel path
        'key': 'YOUR_KEY',
        'iv': new Uint8Array([188, 185, 57, 146, 246, 194, 114, 34, 12, 80, 198, 77])
    },
    {
        'channel': '/channels/495699373863338003/533248362879778818', // another channel
        'key': 'YOUR_KEY_2',
        'iv': new Uint8Array([188, 185, 57, 146, 246, 194, 114, 34, 12, 80, 198, 77])
    }
]
```
- Add the channel path
- Share the key securely with others
Note: you can set a different key for different channels. If a key is lost, the data cannot be retrieved.
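
The `keyStorage` entries above hold one fixed `iv` per channel, whereas AES-GCM requires that an IV is never used twice with the same key. The following added example (not code from `discord-e2e.js` or its author) contrasts a constant IV with a random IV per message that travels in front of the ciphertext; the function names and the base64(iv || ciphertext || tag) layout are assumptions of this example.

```javascript
// Added example, not part of discord-e2e.js. Runs in a browser console or Node.js.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const IV_LEN = 12;  // 96-bit IV, the size AES-GCM is designed around
const TAG_LEN = 16; // WebCrypto appends a 128-bit tag by default

const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));

// 256-bit AES-GCM key, the parameters the page describes.
function newKey() {
  return wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
}

// Weak pattern for contrast: a constant IV makes equal messages produce equal output.
async function encryptFixedIv(key, iv, text) {
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(text));
  return toB64(new Uint8Array(ct));
}

// Hardened pattern: random IV per message, sent as base64(iv || ciphertext || tag).
async function encryptMessage(key, text) {
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(text)));
  const out = new Uint8Array(IV_LEN + ct.length);
  out.set(iv, 0);
  out.set(ct, IV_LEN);
  return toB64(out);
}

// Returns the plaintext, or null for malformed input, a wrong key or a modified message.
async function decryptMessage(key, b64) {
  try {
    const raw = fromB64(b64);
    if (raw.length < IV_LEN + TAG_LEN) return null;
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: raw.slice(0, IV_LEN) }, key, raw.slice(IV_LEN));
    return new TextDecoder().decode(pt);
  } catch (e) {
    return null;
  }
}
```

With this layout only the key has to be shared; the `iv` no longer needs to be stored next to it.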
Two solutions:
- If you gave the keys to someone and no longer want them to be able to decrypt the data, simply change the key. However, you will no longer be able to view the data encrypted with the previous key.
- Remove the user from the Discord channel, simple and efficient
This is only for Discord on browser https://discordapp.com with Chrome or Firefox and the Tampermonkey/Greasemonkey addon
- Encrypt attachments
- Better key management (any ideas?)
- Check if DOM changed before anything else