Key Management & Encryption

Key Custody by Design

Encryption at rest is rooted in your infrastructure. Use TPM 2.0 hardware when available, or configure PLEXICHAT_SYSTEM_KEY for containerized deployments that require software-backed keys.

Key SourceTPM 2.0 or Environment
Key Storagesystem_keyring.json
Data LocationYour Database & Storage

KEK Validation on Boot

Every configured key encryption key is validated before the server accepts traffic. Insecure keys are rejected with a clear, actionable error message rather than failing silently later.

Length Bounds32-64 bytes
Entropy Floor≥ 7.0 bits/byte
Weak PatternsBlocklisted
Passphrase DetectionArgon2 / PBKDF2 required
CompressibilityTrue random only
On FailureServer refuses to start

Server-Side Client Cache Management (Commercial)

On licensed installs, the server owns the per-channel key cache. Clients receive RATCHET_UPDATE broadcasts over the gateway and never sit on a long-lived key they can use after a deletion. On free tier the messaging service falls back to the v1/v2 keyring envelope and the client manages its own cache.

Free Tierv2 envelopes, client manages key cache
Licensedv3 ratchet, server owns key cache
Hard DeleteSplits the ratchet interval
Stolen DeviceLoses decrypt on next rotation
Rotation Cadence1,000 messages or 24h
Gateway SignalRATCHET_UPDATE opcode
Read Compatv1, v2, v3 all decode
Downgrade Safetyv3 row returns a sentinel
Licence Keychannel_ratchet_encryption

Threat model addressed: A stolen phone that pulled the active ratchet key while authenticated. A former employee who exported ciphertext out of band. An admin who copies channel content during a session and tries to decrypt it after deletion.

Commercial licence required. Contact [email protected] for deployment pricing.

KEK Auto-Migration

When a keyring is loaded with a dedicated KEK (e.g. PLEXICHAT_MEDIA_KEY) and decryption fails, the server falls back to PLEXICHAT_SYSTEM_KEY and re-encrypts on the next write. This makes it safe to roll forward a new KEK without a manual data migration window.

Identity Protection

Authentication & Sessions

Plexichat uses strong password hashing, multi-factor authentication, and tokenized sessions for secure access control.

Password HashingArgon2id
MFATOTP (2FA)
Session ModelToken-Based
Network Defense & Traffic Policy

Rate Limits & Abuse Controls

Traffic protection is enforced per route, per user, and per IP with configurable burst windows.

Route LimitsConfigurable
Per-UserConfigurable
Per-IPConfigurable

Media Proxy Validation

External URLs are validated through a media proxy to reduce SSRF risk from avatars, embeds, and remote assets.

Compliance & Data Subject Rights

GDPR Article 20 Data Export (DSAR)

The first-class DSAR / Harvester module packages every artefact associated with a user into a single export bundle. Account holders can self-serve the same bundle from the client's Data Export settings screen.

ScopeUsers, messages, attachments, sessions, voice, audit
Endpoint/api/v1/users/.../data-export
Rate LimitPer-user, configurable
Admin VisibilityFull request audit trail
Self-ServeClient Data Export UI
RetentionConfigurable

Audit Log Export (Commercial)

Licensed installs can stream the admin audit log to external SIEM-friendly sinks and produce signed export bundles for incident response. Free-tier installs retain the audit log in-database with admin UI access only.

Commercial licence required. Contact [email protected] for deployment pricing.