X Outlines its Updated DM Encryption Process

With X’s new “XChat” messaging platform now rolling out to all X Premium subscribers, X has also updated its documentation on its DM encryption, and how it will work in the new chat experience.

As a recap, X launched message encryption for Premium subscribers last year, but it wasn’t as secure as X would like, with Musk even labelling it “clunky” and not functional for one-to-one messages.

Encryption on X’s audio and video calls works fine, as that was implemented after Musk took over at the app, but in order to enact full DM encryption, X apparently had to undergo a significant overhaul of its back-end messaging system.

Which it has now done, and it’s looking to roll out encrypted DMs to all users as the default.

Though there are some specifics worth noting within that system.

As explained by X:

“When entering Chat for the first time, a private-public key pair is created specific to each user. Users are prompted to enter a PIN (which never leaves the device), which is used to keep the private key securely stored on X’s infrastructure. This private key can then be recovered from any device if the user knows that PIN. In addition to the private-public key pairs, there is a per-conversation key that is used to encrypt the content of the messages. The private-public key pairs are used to exchange the conversation key securely between participating users.”

A four-digit PIN isn’t the most secure approach here, but it does give X users an easy means to use its encrypted DM feature.

X further notes that it utilizes:

“… a combination of strong cryptographic schemes to encrypt every single message, link, and reaction that are part of an encrypted conversation before they leave the sender’s device and remain encrypted while stored on X’s infrastructure.”

The encryption key in this instance seems like a potential weak point, but again, it’s a relatively standard approach, just with a simpler PIN lock than many other encryption systems.

In order to send and receive encrypted messages in the app, both the sender and the recipient will need to be using the latest X app on iOS (encryption isn’t available on Android or web as yet). The recipient will also have to follow the sender, have accepted a DM from the sender before, or have sent a message to sender previously.

So there needs to be some indicator of interest from both sides before you can implement encryption.

X also notes that group messages and media can now be encrypted, though there will be a record of any shared posts:

“The contents of an encrypted direct message are always encrypted, including any links, media, or files. Reactions to encrypted direct messages are also encrypted. It is important to note that while the message content itself is encrypted, associated metadata (e.g., recipient, creation time, etc.) is not. If posts are shared in an encrypted chat, X will have a record that those Posts were shared.”

Oh, also, if you log out of X, your DMs are auto-deleted from that specific device:

“If at any time you log out from X, all messages including encrypted direct messages on your current device will be deleted; this will not impact any other devices on which you are logged in. Upon logging out, X will erase any private keys and conversation keys. If you log back in on the same device, your device will be able to re-fetch and decrypt the encrypted conversations using the private key that the device had access to before logging out.”

So you’ll be able to get them back, but it could be a little weird, depending on implementation.

Overall, it’s a pretty straightforward implementation of basic encryption, though the 4-digit passcode seems less secure than I would like.

But it does give you a more secure option, and X is hoping that the added assurance will also eventually lead to more people transferring money in the app, once X Payments come around.

X says that it intends to open source its encryption system info later this year.