Pulse SMS's End-to-End Encryption

Technical Encryption Overview

TL;DR: In technical terms, we use PBKDF2 to hash your password and use the result as a key to encrypt messages and conversations. The only way to decrypt those messages is to use your password again as the key, along with a few other randomly generated numbers, called salts.

When an account is created, two salts are generated: one to use with authentication and one for end-to-end encryption.

The one that we use with login is straightforward and normal; it is how all apps do authentication. A version of your password, hashed against the first salt, is stored and used for authentication. Your password itself is never stored on the server; that would defeat the point of end-to-end encryption and potentially compromise your account's security.

For the encryption, on the client side, we hash your password against salt #2 and store the result locally on the device (computer/tablet/phone). When encrypting and decrypting, we take this hash of your password and salt #2, combine it with your account ID, then hash it again against the first salt to create the secret key. Having this key is the only way that you can decrypt messages (or any information at all that is stored on our server). Since no one else has the password that was hashed against the second salt, no one else will be able to decrypt anything.

So, your password is never stored anywhere - only hashed versions of it - and without that password, there is no way to create the secret key used for encrypting and decrypting the content stored in the backend.
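
The two-salt derivation described above, as an added Python example (not Pulse SMS's own code). The page names PBKDF2 but not its parameters, so the HMAC-SHA256 PRF, iteration count, 32-byte output and `:` joiner are assumptions, and the salts, account ID and password are constructed sample values.

```python
import hashlib

# Assumptions (the page names PBKDF2 but gives none of these): HMAC-SHA256,
# 100,000 iterations, 32-byte output, and ":" as the joiner.
ITERATIONS = 100_000
KEY_LEN = 32


def pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=KEY_LEN)


def auth_hash(password: str, salt1: bytes) -> bytes:
    """Login value: password hashed against salt #1, the version that is stored."""
    return pbkdf2(password.encode(), salt1)


def local_hash(password: str, salt2: bytes) -> bytes:
    """Password hashed against salt #2, kept locally on the device."""
    return pbkdf2(password.encode(), salt2)


def secret_key(local: bytes, account_id: str, salt1: bytes) -> bytes:
    """Local hash combined with the account ID, hashed again against salt #1."""
    combined = account_id.encode() + b":" + local.hex().encode()
    return pbkdf2(combined, salt1)


# Constructed sample values; real salts are random and generated at account creation.
SALT1 = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
ACCOUNT_ID = "acct-1234"
PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    stored = auth_hash(PASSWORD, SALT1)
    local = local_hash(PASSWORD, SALT2)
    key = secret_key(local, ACCOUNT_ID, SALT1)
    print("secret key:", key.hex())
    # The stored login hash is a different value from the local hash, so
    # substituting it into the same derivation does not reproduce the key.
    print("login hash rebuilds key:", secret_key(stored, ACCOUNT_ID, SALT1) == key)
    # A wrong password produces a different local hash and therefore a different key.
    wrong = secret_key(local_hash("guess", SALT2), ACCOUNT_ID, SALT1)
    print("wrong password rebuilds key:", wrong == key)
```

Both comparisons print `False`: neither the stored login hash nor a wrong password reproduces the key.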