
Security Overview
How hush.chat keeps your rooms private — even from us.
Hush chat is built on a simple principle: your room keys never leave your device. We provide routing and encrypted storage, but encryption and decryption happen entirely on your end. Even with full access to our systems, we can't read your conversations.
End-to-end encryption
Every message and attachment in hush.chat is protected using strong, modern cryptography. Content is encrypted before it leaves your device using a per-room symmetric key.
- Each room generates its own unique encryption key.
- AES-GCM with 256-bit keys secures messages and files.
- A fresh IV is used for every encrypted payload.
- Plaintext never touches our servers, storage, or logs.
Even if encrypted data is intercepted or our database is compromised, attackers cannot decrypt it without the room key—which we never possess.
Room keys & secure link sharing
Room keys are distributed through the invite links you share. The public portion of the URL identifies the room, while the secret key is held separately in a part of the link that never touches our servers.
Anyone with the full invite link can decrypt room content; anyone who doesn't have it can't.
Key rotation
Operators can regenerate keys at any time:
- Future messages use the new key.
- Old content remains encrypted under the previous key.
- Anyone without the new key loses access instantly.
Encrypted attachments
Attachments follow the same flow as chat:
Files are encrypted locally with the room key, uploaded as ciphertext, and decrypted locally by participants. Downloads use short-lived signed URLs so blobs can't be reused elsewhere.
Ephemeral & persistent rooms
Hush supports two modes:
- Ephemeral rooms self-destruct after a configured lifetime, wiping encrypted data and metadata.
- Persistent rooms stay live until the operator destroys them, which nukes every encrypted object tied to that room.
Either way, once data is deleted and keys are gone, it's unrecoverable.
Metadata & minimal logging
We store only what's required to operate the service: account identifiers, room identifiers, and coarse aggregate metrics.
No message contents, no encryption keys, no participant logs, no device IDs.
We can see that a room exists — not who's inside or what's being said.
Infrastructure security
Hush chat runs on hardened, access-controlled infrastructure. Data at rest sits on encrypted volumes, and every hop between clients and edge is wrapped in modern TLS.
Production access is tightly limited, monitored, and authenticated. Secrets never live in source control.
Threat model & limitations
Hush chat defends against:
- Server breaches exposing encrypted data.
- Passive network interception or metadata sniffing.
- Curious insiders.
But no system can defend against:
- Compromised participant devices or keyloggers.
- People taking screenshots or copying plaintext.
- Attackers who obtain the full invite link (including the key).
Security contact
Found something? Email security@hush.chat. We take reports seriously and respond fast.