End-to-End Encryption
End-to-End (E2E) encryption is an advanced feature. While all information in Hourglass is always encrypted in transit and at rest, E2E encryption adds another layer of security by ensuring that personal information, such as names, birth dates, addresses, phone numbers, etc., is encrypted with a key that only authorized congregation members are able to obtain. Hourglass servers and administrators have no ability to decipher this information.
Once you enable E2E encryption, this personal information is no longer readable by anyone without your congregation’s master password. If your password is lost, there will be no way to recover the information. This also means that it is not currently possible to use the Transfer feature to send publishers from a congregation where E2E encryption is enabled, because the information would not be readable by the other congregation.
To enable E2E encryption, go to the congregation profile and click the button. You’ll be prompted to confirm that you understand the responsibility to safeguard the master password. Losing the master password is equivalent to permanently deleting all personal information for everyone in your congregation. At least two Elders, if not more, should always have administrator access to Hourglass and know the master password. Once enabled, you can go to the E2E Encryption item on the Congregation menu, which will allow you to encrypt all the existing personal information for your congregation. Any new information you add or change will automatically be E2E encrypted.
The rest of this help topic contains technical details about how E2E encryption works. When enabling E2E encryption for the first time, your browser (using the SubtleCrypto APIs) generates a master key for your congregation. This key is never transmitted anywhere. You are prompted to enter a master password, which is used as input to a key derivation function, and the resulting key is used to encrypt the master key. The encrypted (wrapped) key, which is useless without your master password, is then saved in Hourglass.
From this point on, whenever any personal information needs to be saved, it is first encrypted locally on your device using the master key, before being transmitted. Whenever anything is received, it’s decrypted locally on your device. Whenever you log in with your browser or launch Hourglass on a mobile device, you’ll be prompted to enter the master password. Without the correct master password, the master key cannot be obtained, and none of the information is readable.
E2E encryption is a powerful feature. It provides an extremely high degree of data privacy: no personal data is ever stored in plaintext; only unreadable ciphertext is saved, which can only be read with your congregation’s master key. Not only must you authenticate with Hourglass even to obtain the wrapped key, you also need the master password to decrypt it. As a result, many features which were once implemented on the server side of Hourglass have been moved to the client, including generating PDF and CSV files and sending invitation emails, because the server has no access to the information required to complete these operations.
Exactly what information is encrypted? All fields related to addresses and emergency contacts are subject to E2E encryption. The following fields for individuals are encrypted: first, last, and middle name, suffix, pioneer number, birth and baptism dates, email address, all phone numbers, and comments. Note that the email address used to sign in to Hourglass cannot be encrypted.