How to secure your chats with Matrix
Monday April 9, 2018
Privacy and security can be difficult to achieve, especially across an entire organization. They involve many factors and are hard to manage from the top down. You may not want to, or may not be able to, manage every aspect of what your organization's members do, but there are some things you can control. One of the most important and sensitive is how members communicate about internal matters. Talking face to face is one of the more common ways, but it is not always possible: more people than ever work remotely, especially in the IT industry, so there is an obvious need for remote communication methods.
Instant messaging is probably one of the most popular. There are many platforms, such as Skype, Slack, and WhatsApp, that make it easy. While some of them boast client-to-server or even end-to-end encryption, you are still placing trust in a third party and its code. If this worries you, it may be best to run your own instant messaging server. Organizations and individuals with this concern have commonly set up XMPP (formerly known as Jabber) servers. That is not a bad solution, but XMPP can be tricky to work with compared to more modern alternatives.
One of the most notable alternatives to XMPP is the Matrix protocol; Synapse is the reference homeserver written by the Matrix developers. Like XMPP, Matrix is decentralized (federated) by default, but you can tune it to your organization's needs: for example, you can disable public registration, authenticate against LDAP, and turn off federation so that your server only talks to its own users. Just like XMPP, there are multiple implementations of the Matrix protocol.
Matrix Tutorial
In this tutorial we will go over how to set up your own Matrix Synapse server on GigeNET Cloud. This will show you the basics of running your own Matrix server. If you don't have a GigeNET Cloud account, head over here and check out our plans. Synapse is the server created by the Matrix developers and can be found here.
First, we’ll need to create a GigeNET Cloud machine. Once you’re logged in, it’ll look like this.
Click on “Create Cloud Lite”
Set a proper hostname for your new machine, select the desired location, zone and OS. For this tutorial we’ll be using Debian 9 (Stretch). You’ll then need to pick a plan that fits your needs. Matrix Synapse recommends at least 1GB of memory. We’ll go with GCL Core 2. After you’ve set everything to what you want press “Create VM”.
Now your cloud VM has begun spinning up on one of our hypervisors. It may take a bit, but you can ping the VM’s public IP until you see that it’s up. This page will show all of the details you’ll need to know to login.
Once the VM is up, you can SSH in with your favorite SSH client. I use Linux, so I’ll be using openssh-client. We’ll want to perform a full upgrade of all packages on Debian, so you’ll need to run this.
root@matrix-test:~# apt update && apt dist-upgrade
Once that has finished, reboot your VM.
root@matrix-test:~# reboot
Once you're back in after the reboot, let's take a look at the available Matrix servers listed on matrix.org. There are quite a few, but as mentioned, we'll be using Synapse. Click Synapse.
If you’re interested in learning more about Matrix Synapse I highly recommend that you check out their GitHub repository.
Before you grab their repo key you’ll need to install apt-transport-https. This is required to use HTTPS with the apt package manager.
root@matrix-test:~# apt install apt-transport-https
When that finishes you can then grab their repo key, import it and add the repository into your sources file with the following commands.
root@matrix-test:~# wget -qO - https://matrix.org/packages/debian/repo-key.asc | apt-key add -
root@matrix-test:~# echo deb https://matrix.org/packages/debian/ stretch main | tee -a /etc/apt/sources.list.d/matrix-synapse.list
root@matrix-test:~# apt update
If everything checks out you’re now ready to install Matrix Synapse! We’ll also install a few extras.
root@matrix-test:~# apt install matrix-synapse certbot haveged
You'll get an ncurses interface during the installation asking for a few configuration parameters. Make sure to set your FQDN here: it becomes the server_name in homeserver.yaml, which is the domain part of every user ID on your server (for example @alice:matrix-test.gigenet.com). It is baked into the database and cannot be changed later without starting over, so get it right now.
It’s up to you whether you want to send anonymous statistics. I chose not to.
If you already have a certificate from another CA, you can skip the Let's Encrypt step and simply copy your certificate and private key into /etc/matrix-synapse as shown below. Otherwise, let's get a Let's Encrypt certificate!
A few more things to note before running certbot:
- Your domain or subdomain must point to your new server via a DNS A record (or an AAAA record if you want to use IPv6), because Let's Encrypt validates the name by connecting to it.
- certbot's standalone mode starts its own temporary web server on port 80 to answer the validation challenge, so nothing else may be listening on that port while it runs. That's fine here: Synapse isn't running yet and this tutorial doesn't install a web server.
- You'll need to enter an email address to receive certificate expiry notices.
- You'll need to agree to the Let's Encrypt terms and conditions.
root@matrix-test:~# certbot certonly --standalone -d matrix-test.gigenet.com
Once we have our certificate and private key we need to copy them into /etc/matrix-synapse like so (replace the directory name with your FQDN). Note that Let's Encrypt creates privkey.pem readable by root only, and the Debian package runs Synapse as the matrix-synapse user, so after copying make sure the copied key is owned by, or otherwise readable by, that user and nobody else; do not make it world-readable.
cp /etc/letsencrypt/live/matrix-test.gigenet.com/fullchain.pem /etc/matrix-synapse/fullchain.pem
cp /etc/letsencrypt/live/matrix-test.gigenet.com/privkey.pem /etc/matrix-synapse/privkey.pem
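Let's Encrypt certificates expire after 90 days, so the copy above has to be repeated at every renewal. The following is an added example, not part of the original tutorial or of Synapse: a certbot deploy hook that copies a freshly renewed certificate into /etc/matrix-synapse with safe permissions and restarts Synapse. It assumes Synapse runs as the matrix-synapse user (the Debian package default) and reads the paths configured in homeserver.yaml; save it as, say, /etc/letsencrypt/renewal-hooks/deploy/synapse.sh and make it executable, or pass it with certbot's --deploy-hook option.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from Synapse): certbot
# deploy hook that installs a renewed certificate for Synapse.
# Assumptions: Synapse runs as the user "matrix-synapse" and homeserver.yaml
# points at /etc/matrix-synapse/fullchain.pem and privkey.pem.
set -eu

# install_synapse_cert LIVE_DIR DEST_DIR OWNER
# Copies fullchain.pem (world-readable, it is public anyway) and privkey.pem
# (mode 0600, owned by OWNER) from a Let's Encrypt lineage directory into
# DEST_DIR. install(1) creates the file with the requested mode from the
# start, so there is no window in which the key is world-readable, unlike a
# plain cp followed by chmod.
install_synapse_cert() {
    live_dir=$1
    dest_dir=$2
    owner=$3
    install -m 0644 "$live_dir/fullchain.pem" "$dest_dir/fullchain.pem"
    install -m 0600 "$live_dir/privkey.pem" "$dest_dir/privkey.pem"
    chown "$owner" "$dest_dir/privkey.pem"
}

# verify_key_private FILE
# Returns success only if FILE is readable by neither group nor others.
# Used as a final check before Synapse is restarted with the new key.
verify_key_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# certbot exports RENEWED_LINEAGE (the live/<fqdn> directory that was just
# renewed) to deploy hooks; when run by hand without it, do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_synapse_cert "$RENEWED_LINEAGE" /etc/matrix-synapse matrix-synapse
    verify_key_private /etc/matrix-synapse/privkey.pem
    systemctl restart matrix-synapse
fi
```

Because the hook only acts when certbot sets RENEWED_LINEAGE, you can run it manually to check that it parses without touching your running server.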
Next, we'll need to generate a registration secret. Anyone who holds this secret can create accounts on your server, including administrator accounts, regardless of whether public registration is enabled, so keep it safe and treat it like a root password. Read it from /dev/urandom rather than /dev/random: on a fresh VM /dev/random can block for a long time waiting for entropy, while /dev/urandom is perfectly adequate for this purpose.
root@matrix-test:~# tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1
The output should be a random string of 64 characters like: TDfdIXPBWDOqaVsR5erVJLKdqPqIAsrvfvEtgHfY8oZ06F5NMYnhdbHhVbneDiTF
Now we need to edit the config. You can use nano or your favorite text editor.
root@matrix-test:~# nano /etc/matrix-synapse/homeserver.yaml
Search for the parameter in nano with Ctrl + W and enter registration_shared_secret.
Ensure that the line looks like this (use plain straight double quotes; typographic quotes would become part of the secret):
registration_shared_secret: "TDfdIXPBWDOqaVsR5erVJLKdqPqIAsrvfvEtgHfY8oZ06F5NMYnhdbHhVbneDiTF"
We'll also enable the built-in web client and point Synapse at our certificate and private key, so that the TLS listener on port 8448 serves a certificate that clients and other servers will trust.
Make sure the web_client line looks like this:
web_client: True
Now set the certificate and private key paths in the config. The lines should look like this (again with straight quotes):
tls_certificate_path: "/etc/matrix-synapse/fullchain.pem"
tls_private_key_path: "/etc/matrix-synapse/privkey.pem"
Save and exit your text editor after you’ve followed the steps above. We can now enable matrix-synapse to start on boot, and start the service!
systemctl enable matrix-synapse
systemctl start matrix-synapse
If everything checks out the service should have started successfully. If not, check its status to see why it failed:
systemctl status matrix-synapse
Now we're ready to set up our first user. This command registers a user and asks whether to make it an administrator; you can use the same command to register normal users. It authenticates to the server with the registration_shared_secret from the config file, so it works even though, by default, Matrix Synapse does not allow public registration.
register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml
When prompted for the server URL, accept the default of https://localhost:8448, then enter the username and password for your administrator account.
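To see why the shared secret is so sensitive, here is what register_new_matrix_user does with it, as an added example that is not part of the original tutorial or of Synapse's own code. Synapse's shared-secret registration API accepts a new account when the request carries an HMAC-SHA1, keyed with registration_shared_secret, over the nonce, username, password and the word "admin" or "notadmin", separated by NUL bytes. The script below computes that MAC and, only when you explicitly point it at a server, performs the two-step registration with curl. It assumes openssl(1) is installed and that the admin endpoint lives at /_matrix/client/r0/admin/register, which is where Synapse versions of this era served it (newer releases moved it to /_synapse/admin/v1/register); username and password are inserted into the JSON body verbatim, so keep them to characters that need no JSON escaping.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from Synapse): shared-secret
# registration, the mechanism behind register_new_matrix_user.
# Assumptions: openssl(1) is available; the admin register endpoint is at
# /_matrix/client/r0/admin/register (version dependent, see lead-in).
set -eu

# hmac_sha1 KEY   (message on stdin) -> lowercase hex digest
# The sed strips the "(stdin)= " / "HMAC-SHA1(stdin)= " prefix that
# different OpenSSL versions print.
hmac_sha1() {
    openssl dgst -sha1 -hmac "$1" | sed 's/^.*= *//'
}

# synapse_register_mac SECRET NONCE USER PASSWORD admin|notadmin
# Fields are joined with NUL bytes, so a crafted username cannot shift
# the admin flag into another field. This is exactly what the server
# recomputes and compares against the "mac" field of the request.
synapse_register_mac() {
    printf '%s\0%s\0%s\0%s' "$2" "$3" "$4" "$5" | hmac_sha1 "$1"
}

# register_user SERVER SECRET USER PASSWORD admin|notadmin
# Step 1: GET a single-use nonce. Step 2: POST the registration with its MAC.
# Note that nothing else authenticates the caller: the secret is the whole
# credential, which is why it must never leak.
register_user() {
    server=$1; secret=$2; user=$3; password=$4; admin=$5
    nonce=$(curl -sS "$server/_matrix/client/r0/admin/register" \
            | sed 's/.*"nonce": *"\([^"]*\)".*/\1/')
    mac=$(synapse_register_mac "$secret" "$nonce" "$user" "$password" "$admin")
    if [ "$admin" = admin ]; then is_admin=true; else is_admin=false; fi
    curl -sS -X POST "$server/_matrix/client/r0/admin/register" \
        -H 'Content-Type: application/json' \
        -d "{\"nonce\":\"$nonce\",\"username\":\"$user\",\"password\":\"$password\",\"admin\":$is_admin,\"mac\":\"$mac\"}"
}

# Only contact a server when explicitly asked, e.g.
#   MATRIX_SERVER=https://matrix-test.gigenet.com:8448 MATRIX_SECRET='...' \
#       sh register.sh alice 'CorrectHorseBatteryStaple' notadmin
if [ -n "${MATRIX_SERVER:-}" ]; then
    register_user "$MATRIX_SERVER" "$MATRIX_SECRET" "$1" "$2" "$3"
fi
```

Run without MATRIX_SERVER set, the script defines the functions and exits, so you can source it to compute MACs offline. Compare this with the ordinary registration endpoint, which the server refuses outright while enable_registration is false: the shared secret bypasses that switch entirely.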
We’ve got our first user, now we’re going to have to pick a Matrix chat client. You can see a list of clients here but in this tutorial we’ll be using Riot on a Windows VM. It has very good support and is cross-platform. Chats can also be end-to-end encrypted with Riot! Go here to download it.
Once you have installed it for your platform of choice and launched it, you'll be greeted with a window similar to the one below. Click "Login".
You’ll then need to enter your server’s details along with the credentials you set for your administrator account.
After you’ve signed in you’ll be greeted with a similar interface. Let’s create our first room by pressing the + button on the bottom left of the window.
We’ll just name it “Admin Room” for this test.
Now we’ve got our own room that we can invite other users to!
Need to know how to do more with Riot? They have a great FAQ with a few video tutorials on how to perform some basic tasks.
While administering a Matrix server might be a bit of a learning curve it’s worth it if you value having control of your own data. If you want to dive more in-depth on how to setup other Matrix Synapse features I highly recommend that you head over to their GitHub page.
Sound like a bit too much? Let our team of experts manage your systems.