deploy: 052d42fca8b778bbf5ca4daa2d3ee008e37f3bd7

latest/advanced/encryption.html

@@ -151,25 +151,26 @@
                 <div id="content" class="content">
                     <main>
                         <h1 id="encryption"><a class="header" href="#encryption">Encryption</a></h1>
-<section class="warning">
-Encryption support is <strong>HIGHLY EXPERIMENTAL AND SUBJECT TO CHANGE</strong>. It should not be enabled for production workloads.
-For more details, see <a href="https://github.com/matrix-org/matrix-hookshot/issues/594">issue 594</a>.
+<section class="notice">
+Support for encryption is considered stable, but the underlying specification changes are not yet.
+<p>Hookshot supports end-to-bridge encryption via <a href="https://github.com/matrix-org/matrix-spec-proposals/pull/3202">MSC3202</a>, and <a href="https://github.com/matrix-org/matrix-spec-proposals/pull/4203">MSC4203</a>. Hookshot needs to be configured against a a homeserver that supports these features, such as <a href="#running-with-synapse">Synapse</a>.</p>
+<p>Please check with your homeserver implementation before reporting bugs against matrix-hookshot.</p>
 </section>
-<p>Hookshot supports end-to-bridge encryption via <a href="https://github.com/matrix-org/matrix-spec-proposals/pull/3202">MSC3202</a>. As such, encryption requires Hookshot to be connected to a homeserver that supports that MSC, such as <a href="#running-with-synapse">Synapse</a>.</p>
 <h2 id="enabling-encryption-in-hookshot"><a class="header" href="#enabling-encryption-in-hookshot">Enabling encryption in Hookshot</a></h2>
 <p>In order for Hookshot to use encryption, it must be configured as follows:</p>
 <ul>
-<li>The <code>experimentalEncryption.storagePath</code> setting must point to a directory that Hookshot has permissions to write files into. If running with Docker, this path should be within a volume (for persistency). Hookshot uses this directory for its crypto store (i.e. long-lived state relating to its encryption keys).
+<li>The <code>encryption.storagePath</code> setting must point to a directory that Hookshot has permissions to write files into. If running with Docker, this path should be within a volume (for persistency). Hookshot uses this directory for its crypto store (i.e. long-lived state relating to its encryption keys).
 <ul>
 <li>Once a crypto store has been initialized, its files must not be modified, and Hookshot cannot be configured to use another crypto store of the same type as one it has used before. If a crypto store's files get lost or corrupted, Hookshot may fail to start up, or may be unable to decrypt command messages. To fix such issues, stop Hookshot, then reset its crypto store by running <code>yarn start:resetcrypto</code>.</li>
 </ul>
 </li>
 <li><a href="./workers.html">Redis</a> must be enabled. Note that worker mode is not yet supported with encryption, so <code>queue</code> MUST <strong>NOT be configured</strong>.</li>
 </ul>
-<p>If you ever reset your homeserver's state, ensure you also reset Hookshot's encryption state. This includes clearing the <code>experimentalEncryption.storagePath</code> directory and all worker state stored in your redis instance. Otherwise, Hookshot may fail on start up with registration errors.</p>
+<p>If you ever reset your homeserver's state, ensure you also reset Hookshot's encryption state. This includes clearing the <code>storagePath</code> directory and all worker state stored in your redis instance. Otherwise, Hookshot may fail on start up with registration errors.</p>
 <p>Also ensure that Hookshot's appservice registration file contains every line from <code>registration.sample.yml</code> that appears after the <code>If enabling encryption</code> comment. Note that changing the registration file may require restarting the homeserver that Hookshot is connected to.</p>
 <h2 id="running-with-synapse"><a class="header" href="#running-with-synapse">Running with Synapse</a></h2>
-<p><a href="https://github.com/matrix-org/synapse/">Synapse</a> has functional support for MSC3202 as of <a href="https://github.com/matrix-org/synapse/releases/tag/v1.63.0">v1.63.0</a>. To enable it, add the following section to Synapse's configuration file (typically named <code>homeserver.yaml</code>):</p>
+<p><a href="https://github.com/matrix-org/synapse/">Synapse</a> has functional support for MSC3202 and MSC4203 as of <a href="https://github.com/matrix-org/synapse/releases/tag/v1.63.0">v1.63.0</a>. To enable it, add the following section to Synapse's configuration file (typically named <code>homeserver.yaml</code>):</p>
+<p>You may notice that MSC2409 is not listed above. Due to the changes being split out from MSC2409, <code>msc2409_to_device_messages_enabled</code> refers to MSC4203.</p>
 <pre><code class="language-yaml">experimental_features:
   msc3202_device_masquerading: true
   msc3202_transaction_extensions: true

latest/print.html

@@ -425,6 +425,12 @@ can be tweaked to change the behaviour of your bridge. A bridge of the server is
 required to apply any changes made to this file.</p>
 <pre><code class="language-yaml"># This is an example configuration file
 
+logging:
+  # Logging settings. You can have a severity debug,info,warn,error
+  level: info
+  colorize: true
+  json: false
+  timestampFormat: HH:mm:ss:SSS
 bridge:
   # Basic homeserver configuration
   domain: example.com
@@ -436,12 +442,6 @@ passFile:
   # A passkey used to encrypt tokens stored inside the bridge.
   # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
   ./passkey.pem
-logging:
-  # Logging settings. You can have a severity debug,info,warn,error
-  level: info
-  colorize: true
-  json: false
-  timestampFormat: HH:mm:ss:SSS
 listeners:
   # HTTP Listener configuration.
   # Bind resource endpoints to ports and addresses.
@@ -568,10 +568,12 @@ listeners:
 #  #    For encryption to work, this must be configured.
 #  redisUri: redis://localhost:6379
 
-#queue:
-#  # (Optional) Message queue configuration options for large scale deployments.
-#  # For encryption to work, this must not be configured.
-#  redisUri: redis://localhost:6379
+#encryption:
+#  # (Optional) Configuration for encryption support in the bridge.
+#  # If omitted, encryption support will be disabled.
+#  storagePath:
+#    # Path to the directory used to store encryption files. These files must be persist between restarts of the service.
+#    ./cryptostore
 
 #widgets:
 #  # (Optional) EXPERIMENTAL support for complimentary widgets
@@ -2045,25 +2047,26 @@ yarn start:app
 </code></pre>
 <p>Be aware that you will need to start all worker types when running in worker mode, as the service does not allow a hybrid worker approach.</p>
 <div style="break-before: page; page-break-before: always;"></div><h1 id="encryption"><a class="header" href="#encryption">Encryption</a></h1>
-<section class="warning">
-Encryption support is <strong>HIGHLY EXPERIMENTAL AND SUBJECT TO CHANGE</strong>. It should not be enabled for production workloads.
-For more details, see <a href="https://github.com/matrix-org/matrix-hookshot/issues/594">issue 594</a>.
+<section class="notice">
+Support for encryption is considered stable, but the underlying specification changes are not yet.
+<p>Hookshot supports end-to-bridge encryption via <a href="https://github.com/matrix-org/matrix-spec-proposals/pull/3202">MSC3202</a>, and <a href="https://github.com/matrix-org/matrix-spec-proposals/pull/4203">MSC4203</a>. Hookshot needs to be configured against a a homeserver that supports these features, such as <a href="advanced/encryption.html#running-with-synapse">Synapse</a>.</p>
+<p>Please check with your homeserver implementation before reporting bugs against matrix-hookshot.</p>
 </section>
-<p>Hookshot supports end-to-bridge encryption via <a href="https://github.com/matrix-org/matrix-spec-proposals/pull/3202">MSC3202</a>. As such, encryption requires Hookshot to be connected to a homeserver that supports that MSC, such as <a href="advanced/encryption.html#running-with-synapse">Synapse</a>.</p>
 <h2 id="enabling-encryption-in-hookshot"><a class="header" href="#enabling-encryption-in-hookshot">Enabling encryption in Hookshot</a></h2>
 <p>In order for Hookshot to use encryption, it must be configured as follows:</p>
 <ul>
-<li>The <code>experimentalEncryption.storagePath</code> setting must point to a directory that Hookshot has permissions to write files into. If running with Docker, this path should be within a volume (for persistency). Hookshot uses this directory for its crypto store (i.e. long-lived state relating to its encryption keys).
+<li>The <code>encryption.storagePath</code> setting must point to a directory that Hookshot has permissions to write files into. If running with Docker, this path should be within a volume (for persistency). Hookshot uses this directory for its crypto store (i.e. long-lived state relating to its encryption keys).
 <ul>
 <li>Once a crypto store has been initialized, its files must not be modified, and Hookshot cannot be configured to use another crypto store of the same type as one it has used before. If a crypto store's files get lost or corrupted, Hookshot may fail to start up, or may be unable to decrypt command messages. To fix such issues, stop Hookshot, then reset its crypto store by running <code>yarn start:resetcrypto</code>.</li>
 </ul>
 </li>
 <li><a href="advanced/./workers.html">Redis</a> must be enabled. Note that worker mode is not yet supported with encryption, so <code>queue</code> MUST <strong>NOT be configured</strong>.</li>
 </ul>
-<p>If you ever reset your homeserver's state, ensure you also reset Hookshot's encryption state. This includes clearing the <code>experimentalEncryption.storagePath</code> directory and all worker state stored in your redis instance. Otherwise, Hookshot may fail on start up with registration errors.</p>
+<p>If you ever reset your homeserver's state, ensure you also reset Hookshot's encryption state. This includes clearing the <code>storagePath</code> directory and all worker state stored in your redis instance. Otherwise, Hookshot may fail on start up with registration errors.</p>
 <p>Also ensure that Hookshot's appservice registration file contains every line from <code>registration.sample.yml</code> that appears after the <code>If enabling encryption</code> comment. Note that changing the registration file may require restarting the homeserver that Hookshot is connected to.</p>
 <h2 id="running-with-synapse"><a class="header" href="#running-with-synapse">Running with Synapse</a></h2>
-<p><a href="https://github.com/matrix-org/synapse/">Synapse</a> has functional support for MSC3202 as of <a href="https://github.com/matrix-org/synapse/releases/tag/v1.63.0">v1.63.0</a>. To enable it, add the following section to Synapse's configuration file (typically named <code>homeserver.yaml</code>):</p>
+<p><a href="https://github.com/matrix-org/synapse/">Synapse</a> has functional support for MSC3202 and MSC4203 as of <a href="https://github.com/matrix-org/synapse/releases/tag/v1.63.0">v1.63.0</a>. To enable it, add the following section to Synapse's configuration file (typically named <code>homeserver.yaml</code>):</p>
+<p>You may notice that MSC2409 is not listed above. Due to the changes being split out from MSC2409, <code>msc2409_to_device_messages_enabled</code> refers to MSC4203.</p>
 <pre><code class="language-yaml">experimental_features:
   msc3202_device_masquerading: true
   msc3202_transaction_extensions: true

latest/setup/sample-configuration.html

@@ -156,6 +156,12 @@ can be tweaked to change the behaviour of your bridge. A bridge of the server is
 required to apply any changes made to this file.</p>
 <pre><code class="language-yaml"># This is an example configuration file
 
+logging:
+  # Logging settings. You can have a severity debug,info,warn,error
+  level: info
+  colorize: true
+  json: false
+  timestampFormat: HH:mm:ss:SSS
 bridge:
   # Basic homeserver configuration
   domain: example.com
@@ -167,12 +173,6 @@ passFile:
   # A passkey used to encrypt tokens stored inside the bridge.
   # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
   ./passkey.pem
-logging:
-  # Logging settings. You can have a severity debug,info,warn,error
-  level: info
-  colorize: true
-  json: false
-  timestampFormat: HH:mm:ss:SSS
 listeners:
   # HTTP Listener configuration.
   # Bind resource endpoints to ports and addresses.
@@ -299,10 +299,12 @@ listeners:
 #  #    For encryption to work, this must be configured.
 #  redisUri: redis://localhost:6379
 
-#queue:
-#  # (Optional) Message queue configuration options for large scale deployments.
-#  # For encryption to work, this must not be configured.
-#  redisUri: redis://localhost:6379
+#encryption:
+#  # (Optional) Configuration for encryption support in the bridge.
+#  # If omitted, encryption support will be disabled.
+#  storagePath:
+#    # Path to the directory used to store encryption files. These files must be persist between restarts of the service.
+#    ./cryptostore
 
 #widgets:
 #  # (Optional) EXPERIMENTAL support for complimentary widgets