(Previous) Element version (v1.7.16) has two options (Secure Key, Secure Phrase) to save your e2e room keys encrypted at your homeserver (named: Secure Backup).
I tried to figure out how Secure Backup works, because I get a message that my last secure key is wrong (Wrong Recovery Key). During the research I totally lost track of which newly generated secure key is a valid one and which one is not.
I think that the current secure backup workflow is somehow broken or I really do not understand it 🤔
Steps to reproduce
Starting situation:
Log in with a user account which has not activated secure backup yet, but for which a few sessions already exist. The synapse databases are as expected:
matrix-synapse=# SELECT * FROM e2e_room_keys WHERE user_id = '@trinity:************';
user_id | room_id | session_id | version | first_message_index | forwarded_count | is_verified | session_data
---------+---------+------------+---------+---------------------+-----------------+-------------+--------------
(0 rows)
matrix-synapse=# SELECT * FROM e2e_room_keys_versions WHERE user_id = '@trinity:************';
user_id | version | algorithm | auth_data | deleted | etag
---------+---------+-----------+-----------+---------+------
(0 rows)
matrix-synapse=# SELECT COUNT(*) FROM e2e_device_keys_json WHERE user_id = '@trinity:************';
count
-------
4
(1 row)
And no recovery via secure backup is prompted. That is fine.
Within the settings I can verify that no secure backup was set up yet:
Starting conversation and backup e2e room keys
I write a message to someone (same HS), which is received
Afterwards I go to Settings > Security & Privacy > Secure Backup and set up my first Secure Backup via a Security Key
I will download the secure key-file
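Now element starts to back up my room keys, which can be checked within synapse and via the element as well:
(do not know, why there are two keys - maybe enc & sig or keys for session and user..?)
Start "recovery":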
Now I will be asked for my recovery (secure) key and that is what I do: use recovery key
I will paste my copied secure key and this works. As well with my uploaded secure key file.
!!But I will not continue, assuming I "forgot" my key 🙈 and Go back (3 times) and am stuck in a loop ( ⚠️). After a refresh I am logged in
I cannot read the message (of course, because I skipped the recovery) and go to Settings > ... > Secure Backup (synapse tables are still not changed)
I choose Restore from Backup and paste my copied secure key and this works. As well with my uploaded secure key file again. I do not press continue, because I just want to see, if the key would be accepted..
But remember I "lost my" secure key. Therefore I Reset my Secure Backup and choose Security Key again
Afterwards I want to write a message (which was sent) and get a warning that something is not safe and attackers may get access (forgot to take a screenshot), but I went back to settings and see that Secure Backup is not enabled for my user anymore.
The secure key was generated, but my message was not saved within the secure backup
matrix-synapse=# SELECT COUNT(*) FROM e2e_room_keys_versions WHERE user_id = '@trinity:************';
count
-------
3
(1 row)
matrix-synapse=# SELECT COUNT(*) FROM e2e_room_keys WHERE user_id = '@trinity:************';
count
-------
1
(1 row)
If I press Restore from Backup, I do not have to enter any password and Element tells me that it has restored 0 messages 🤔 and the settings look like this:
If I write a message again and Reset my Security Key and then press Restore from Backup it will restore 1 message:
What is my situation at this moment:
I generated 3 secure keys (1 initial and 2 via reset)
After I logout and login again: I am asked for the Secure key and: only my initial secure key is accepted o.O (but I "forgot" this one...)...
Okay this time I used it to see which messages are restored, but then I will be asked for another Secure Key and this time my last (3.) key works! o.O
I like to repeat this again:...
sign out
login
restore backup key
secure key 1
secure key 3
restoring successful ...
And again (but with skipping login recovery request):
sign out
login
skip secure backup restoring
successful login
settings > ... > secure backup
"Connect this session to Key Backup" -> Cancel
Afterwards I am asked to "Enter recovery key" but I click:
but cancel this as well
back to settings > ... > secure backup
"Connect this session to Key Backup": now it takes only my last (3.) key.. o.O (why did Element now forget my initial one..)
I will press Reset key and write a message. Logout (will be asked to connect to the secure backup, I decline.)
Login again, try to restore the keys, but my last key is not valid. Some older key is valid...
I now have about 8 keys, and I really do not get it, when which key is valid. Even looking inside the synapse database did not give me any hint...
What I expect:
During the login:
If I reset my first key (in case I lost it), I would like to enter the newly generated key (not at first the "lost" one and then the new one)
Within settings (skipped the login recovery process)
If I click Restore from Backup, I will need to enter the key which fits to the e2ee room messages and receive them
If I click Connect this session to Key Backup, I will need to enter the key for an existing backup and the messages will be saved with this key
(currently, I lost the path, when Restore from Backup and Connect this session to Key Backup appears...)
If I click Delete Backup I have to confirm with my account password and all messages and secure keys are deleted and I have to set up a new secure backup like during my first time
If I click Reset: It should actually perform the same steps as Delete Backup
What I wish:
A little documentation on how the secure backup actually works, especially focused on losing my secure key or secure phrase. Probably it is not that simple, because I did not think about the side effects on multi session situations where, maybe only some messages should be restored... (but this is probably not the normal use case for most users..)
(P.S.: During the research I saw some dialogs, which I never saw before and I have no clue how to reach them again: e.g. this dialog with the warning about attackers...)
Version information
Platform: web (in-browser)
Browser: via Firefox 84.0.2 (64-bit)
OS: Linux
URL: element version: v1.7.16, olm version: 3.2.1
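Added example (not part of the original report, and not Element or Synapse code): two read-only PostgreSQL queries over the tables queried above that attribute the stored room keys to individual backup versions, so counts such as "3 versions, 1 key" can be traced to a specific version. The Matrix ID is a placeholder, and the text casts on `version` and the reading of `deleted` are assumptions, since the column types and semantics are not shown on this page.

```sql
-- Added diagnostic example; read-only. '@user:example.org' is a placeholder.

-- 1) One row per backup version of the user, with the number of room keys
--    stored under it. A version with 0 keys was created but never received
--    an upload.
SELECT
    v.version,
    v.algorithm,
    v.deleted,                               -- non-zero is assumed to mean "removed"
    v.etag,
    COUNT(k.session_id)       AS stored_room_keys,
    COUNT(DISTINCT k.room_id) AS rooms_covered,
    v.auth_data                              -- raw, to compare versions side by side
FROM e2e_room_keys_versions AS v
LEFT JOIN e2e_room_keys AS k
       ON k.user_id = v.user_id
      AND k.version::text = v.version::text  -- cast: column types are an assumption
WHERE v.user_id = '@user:example.org'
GROUP BY v.version, v.algorithm, v.deleted, v.etag, v.auth_data
ORDER BY v.version;

-- 2) Room keys whose version has no matching row in e2e_room_keys_versions.
--    Any result here means keys are stored under a version the versions
--    table no longer describes.
SELECT
    k.version,
    COUNT(*) AS orphaned_room_keys
FROM e2e_room_keys AS k
WHERE k.user_id = '@user:example.org'
  AND NOT EXISTS (
        SELECT 1
        FROM e2e_room_keys_versions AS v
        WHERE v.user_id = k.user_id
          AND v.version::text = k.version::text
      )
GROUP BY k.version
ORDER BY k.version;
```

Running the first query before and after each Reset shows whether a new version row appears and under which version the next uploaded key lands.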