End-to-End Encryption
Your private messages, readable only by you and your recipient

The Concept

Holos uses the Signal Protocol to encrypt your direct messages. This is the same protocol used by Signal, WhatsApp, and other secure messaging apps. Only the sender and recipient can read the message content - not the relay, not your internet provider, not even Holos developers.

Messages are encrypted on your device before being sent. Only the recipient's device can decrypt them.

Key Discovery via ActivityPub

E2EE requires exchanging public keys before communicating. Holos leverages ActivityPub's Actor object to publish encryption keys, making them discoverable across the fediverse.

ALICE (sender)
  • Generates a Signal keypair locally
  • Wants to message Bob
    ↓ Fetch Actor

BOB'S ACTOR (ActivityPub)
"signalPreKeyBundle": {
  "registrationId": 1086,
  "identityKey": "BS/xL6K3...",
  "signedPreKey": {
    "keyId": 1,
    "publicKey": "BeGoxU1...",
    "signature": "GpREIG..."
  },
  "preKeys": [
    {"keyId": 1, "publicKey": "BWZi..."}
  ]
}
    ↓ Extract keys

ALICE'S DEVICE
  • Gets Bob's public keys
  • Encrypts the message for Bob

Forward Secrecy

The Signal Protocol provides forward secrecy through the Double Ratchet algorithm. Even if your keys are compromised today, past messages remain unreadable.

  • Double Ratchet: each message uses a unique key derived from the previous one. Keys constantly evolve, never going backward.
  • Ephemeral Keys: one-time keys are consumed and deleted after use. Past message keys no longer exist.
  • Future Protection: if an attacker steals your key today, they cannot decrypt yesterday's messages - those keys are gone.

This is the same security model used by Signal, WhatsApp, and other secure messaging apps.
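To make the forward-secrecy claim concrete, here is an added example (not Holos code) of the Double Ratchet's symmetric-key chain, using HMAC-SHA256 as in the Signal specification; the DH ratchet, AEAD and message headers are left out, and the root chain key and the compromise point are constructed.

```python
import hmac
import hashlib

# Illustration of the Double Ratchet's symmetric-key chain only (Signal spec:
# message key = HMAC(ck, 0x01), next chain key = HMAC(ck, 0x02)).
# The DH ratchet, AES-256-GCM and header handling are not modelled here.

class ChainRatchet:
    """Holds only the current chain key; each message key is handed out once
    and the chain state that produced it is overwritten, not kept."""

    def __init__(self, chain_key: bytes):
        self._ck = chain_key
        self.index = 0

    def next_message_key(self) -> bytes:
        mk = hmac.new(self._ck, b"\x01", hashlib.sha256).digest()
        # Advance (overwrite) the chain key before returning: the old state
        # that produced mk no longer exists on the device.
        self._ck = hmac.new(self._ck, b"\x02", hashlib.sha256).digest()
        self.index += 1
        return mk

    def snapshot(self) -> bytes:
        """What an attacker obtains by compromising the device right now."""
        return self._ck


def keys_derivable_from(chain_key: bytes, start: int, count: int) -> list:
    """Everything a holder of chain_key (the state at message `start`) can
    compute: message keys start .. start+count-1, and never earlier ones,
    because HMAC cannot be run backwards."""
    r = ChainRatchet(chain_key)
    r.index = start
    return [r.next_message_key() for _ in range(count)]


def demo():
    """Constructed scenario: three messages sent, then the device is compromised."""
    root = bytes(range(32))                                # constructed root key
    alice = ChainRatchet(root)
    past = [alice.next_message_key() for _ in range(3)]    # messages 0..2 sent
    stolen = alice.snapshot()                              # compromise after msg 2
    future = keys_derivable_from(stolen, alice.index, 3)   # attacker gets 3..5
    return past, future, [alice.next_message_key() for _ in range(3)]
```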

Sending an Encrypted Message

When you send a DM to another Holos user, here's what happens:

Your Phone  --ciphertext-->  Relay  --ciphertext-->  Recipient

1. You write your message. It's encrypted locally using the recipient's public keys before leaving your device.
2. The relay receives only ciphertext (an encrypted blob). It forwards it without being able to read it.
3. The recipient's device decrypts the message using their private key. Only they can read it.

ActivityPub Message Format

An encrypted DM is a standard ActivityPub Note with additional Holos-specific properties. Here's what it looks like:

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    {
      "holos": "https://holos.social/ns#",
      "holos:e2eeEnabled": {"@id": "holos:e2eeEnabled", "@type": "@id"},
      "holos:signalCiphertext": "holos:signalCiphertext",
      "holos:signalMessageType": "holos:signalMessageType"
    }
  ],
  "type": "Create",
  "id": "https://relay.domain/users/alice/statuses/123/activity",
  "actor": "https://relay.domain/users/alice",
  "to": ["https://relay.domain/users/bob"],
  "object": {
    "type": "Note",
    "id": "https://relay.domain/users/alice/statuses/123",
    "content": "[Encrypted message]",
    "holos:e2eeEnabled": true,
    "holos:signalCiphertext": "MwgBEiEF...",
    "holos:signalMessageType": 3
  }
}
holos:e2eeEnabled: indicates this message is end-to-end encrypted
holos:signalCiphertext: the encrypted message content (Base64-encoded Signal Protocol ciphertext)
holos:signalMessageType: Signal message type; 3 = first message (session setup), 1 = subsequent messages

The content field contains a placeholder. Non-Holos clients will see "[Encrypted message]" instead of the actual text.
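As an added example (not the Holos project's code) covering both the key discovery above and this message format, here is how a client could validate the signalPreKeyBundle it pulls from a remote Actor and sort an inbound Note by the properties just listed; the 0x05 key prefix and the 33-byte key / 64-byte signature lengths are assumptions taken from libsignal's serialization, and every sample value is constructed.

```python
import base64

# Assumptions, not from the Holos page: libsignal serializes a Curve25519 public
# key as a 0x05 type byte plus 32 key bytes; a signed-prekey signature is 64 bytes.
KEY_TYPE_DJB, KEY_LEN, SIG_LEN = 0x05, 33, 64

def _b64(s: str) -> bytes:
    return base64.b64decode(s, validate=True)

def _pubkey(s: str, what: str) -> bytes:
    raw = _b64(s)
    if len(raw) != KEY_LEN or raw[0] != KEY_TYPE_DJB:
        raise ValueError(f"{what}: expected {KEY_LEN}-byte key with 0x05 prefix")
    return raw

def parse_prekey_bundle(actor: dict):
    """Validate a fetched Actor's signalPreKeyBundle. None means the contact
    publishes no keys (unencrypted fallback only with explicit user consent);
    a malformed bundle raises rather than silently degrading to plaintext."""
    b = actor.get("signalPreKeyBundle")
    if b is None:
        return None
    spk, sig = b["signedPreKey"], _b64(b["signedPreKey"]["signature"])
    if len(sig) != SIG_LEN:
        raise ValueError("signedPreKey.signature: expected 64 bytes")
    return {"registrationId": int(b["registrationId"]),
            "identityKey": _pubkey(b["identityKey"], "identityKey"),
            "signedPreKey": (int(spk["keyId"]), _pubkey(spk["publicKey"], "signedPreKey"), sig),
            "preKeys": [(int(p["keyId"]), _pubkey(p["publicKey"], "preKey"))
                        for p in b.get("preKeys", [])]}

def classify_dm(activity: dict):
    """Sort an inbound Create/Note into ("e2ee", messageType, ciphertext) or
    ("plain", content). The flag alone is not trusted: ciphertext and a known
    message type (3 = session setup, 1 = subsequent) must both be present."""
    obj = activity.get("object", {})
    if obj.get("holos:e2eeEnabled") is True and "holos:signalCiphertext" in obj:
        mtype = int(obj["holos:signalMessageType"])
        if mtype not in (1, 3):
            raise ValueError(f"unsupported holos:signalMessageType {mtype}")
        return ("e2ee", mtype, _b64(obj["holos:signalCiphertext"]))
    return ("plain", obj.get("content", ""))

def fake_b64(data: bytes) -> str:
    """Encode constructed test bytes; not real key material or ciphertext."""
    return base64.b64encode(data).decode()
```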

What the Relay Sees

The relay server does not have the decryption keys. It is technically impossible for it to read your messages:

Visible to the relay
  • Who is talking to whom (metadata)
  • When messages are sent (timestamps)
  • Encrypted blob size
Hidden from the relay
  • The message content

Interoperability

E2EE only works when both parties support it. Here's what happens in different scenarios:

Full E2EE (Holos → Holos)
Both users have Signal keys published in their Actor. Messages are fully encrypted end-to-end.

Standard DM, no E2EE (Holos → Mastodon)
The other platform doesn't support the Signal Protocol. Messages are sent as regular ActivityPub DMs (visibility: direct).

Holos always warns you before sending an unencrypted message. You must explicitly consent to the fallback.

Verifying Identity

How do you know you're really talking to the right person? Safety Numbers let you verify cryptographic identity out-of-band.

Safety Number Example
00001 23456 78901 23456 78901 23456
78901 23456 78901 23456 78901 23456

1. Open the conversation menu and tap View Safety Number
2. Compare the 60-digit number with your contact (in person, phone call, or trusted channel)
3. If the numbers match, tap Mark as Verified to confirm their identity

Visual Indicators

The app shows clear indicators so you always know the encryption status of your conversation:

  • Verified: E2EE active and Safety Number verified. You've confirmed this contact's identity.
  • Encrypted: E2EE active but not verified. Messages are encrypted, identity not manually confirmed.
  • Not Encrypted: standard DM without E2EE. The recipient doesn't support the Signal Protocol.

Technology

Signal Protocol, Double Ratchet, X3DH, X25519, AES-256-GCM, HMAC-SHA256, ActivityPub

The Holos E2EE implementation is open source. Audit the code, verify the cryptography, or contribute improvements.