DiscordCrypt: Unofficial End-to-End Encryption for Discord has arrived

Riot (Matrix) is my favorite chat program, but it suffers from one major issue: it’s slow, and the user interface is – I wouldn’t say horrible – but has ‘room for improvement’. So, overall, most users use Discord instead, which is still not a bad client: it has HTTPS, but the server owner might see and sell your content (such as news links, ideas etc.). The E2E idea and its ticket (feature request) have in the meantime already been closed, and the developers explained in their answer that this will not be implemented.

Discord Logo

About DiscordCrypt

The project is right now at an early development stage and is not affiliated with the official Discord project. It’s open source and licensed under the MIT license. You can help to support this project or contribute directly to it.

The developers have an official Discord server channel if you have any questions.

Wait, you said HTTPS – isn’t that already enough?

Discord claims that all its messages are encrypted, and while that is true to an extent, as they are sent over an HTTPS connection, it does NOT mean that Discord cannot see the content of your messages. For anyone concerned about or valuing their right to privacy, this is an unfortunate caveat of using Discord. Messages sent to your friends or servers are encrypted before they’re sent out but are decrypted on Discord’s servers, which means anything you’ve ever sent, typed, or spoken could have been recorded and logged by Discord’s owners. Other messenger applications (e.g. Signal, Riot etc.) have taken users’ privacy seriously and implemented end-to-end encryption so that no one, not even the platform’s owners, can see what users do.

The answer – a plugin called DiscordCrypt!

DiscordCrypt is an open source plugin (for BetterDiscord) which is hosted on GitLab. In order to get this working, you need to install BetterDiscord, which in short is a little program that ‘tweaks’ various things in the Discord client and has the ability to load additional things, like DiscordCrypt.

The script (plugin) is available for Linux, Windows and macOS; it’s not available for Android (yet?) because BetterDiscord is currently not compatible with it.

Specs and Info

  • There are some known limitations and bugs, see here.
  • The messages are not self-destructing or editable
  • An AES-256 encrypted database will be created
  • A master password is required to unlock the database (AES-CBC)
  • More CPU than usual is required due to the encryption/decryption process (it’s normal)
  • DiscordCrypt’s key exchange is vulnerable to Man-in-the-Middle attacks. There are known vulnerabilities.
  • Camellia-256 and AES-256 (Rijndael) are the default primary and secondary ciphers
  • The default Cipher Mode is provided via Cipher Block Chaining
  • The Cipher padding is established with PKCS #5/PKCS #7
  • The key exchanges are done with Diffie-Hellman (DH)
  • The default key size is set to 8192 Bits
  • The project hasn’t been audited yet because it’s pretty young and still unfinished
  • The program can encrypt and decrypt personal conversations and Group Conversations / Channels
  • Once the plugin is installed and running it regularly checks automatically for updates

You will find more technical specs and answers here.

Sounds complicated, is there a guide?

It’s not complicated: installing BetterDiscord (also open source and under 1 MB) and the plugin takes less than 2 minutes.

  • Start Discord as usual
  • Install BetterDiscord, after it’s finished it will restart your Discord automatically
  • Download the DiscordCrypt script plugin from [here](https://gitlab.com/leogx9r/DiscordCrypt/raw/master/src/discordCrypt.plugin.js) (Right Click -> Save As) and ensure it’s correctly named “discordCrypt.plugin.js”
  • Save the plugin under the following path: “%APPDATA%\BetterDiscord\plugins”
  • Restart your Discord Client with Ctrl + R
  • Go into your Discord Settings and activate the plugin.

DiscordCrypt

After you have activated the plugin, restart Discord once again via Ctrl + R and you will see a new window which forces you to create a database.

DiscordCrypt Database
After each Discord start/restart you see this window again; unlocking the database is needed in order to send and receive any encrypted messages.

You will see new menu icons; I made a small demonstration video to give you an overview:

DiscordCrypt

What if you forgot your master password?

You can simply reset your database (including the configuration) by deleting the file DiscordCrypt.config.json, located in the same plugin directory that you used during installation.

After this step, you’re forced to enter a new password. You will, however, lose all the passwords of any of your conversations.

Final Words

The plugin already works really well for me; of course it costs some more CPU power, but you can tweak or lower/increase the encryption level as you want within the given settings.

The plugin gets my full recommendation since I see this as essential when it comes to privacy; it’s still beyond me why Discord is not implementing such a thing natively, so other people are needed to fix their mess.

I’m thankful that I can increase my privacy from zero to 100% with such easy steps. The server owner can’t read any content (only the names) and that’s really good to me. I’m curious whether Discord will start blocking this project once it gets more attention or whether they might end up supporting it (which would be the best solution for everyone).
