End-to-End Encryption in Sparks for Teams
Sparks for Teams provides end-to-end encryption (E2EE) for chat messages (Matrix) as well as for 1:1 video calls and video meetings.
Group meetings: Unlike Microsoft Teams, meeting E2EE in Sparks is not limited to 1:1 calls. Group video meetings can also use end-to-end encryption when it is explicitly enabled (see the section below).
Sprache / Language: Deutsch
What is End-to-End Encryption?
With end-to-end encryption, content is encrypted before it is sent and only decrypted by the recipient. Only the conversation participants can read the data – no one else, including the infrastructure operators, has access.
E2EE for Chat Messages (Matrix)
All chat messages in encrypted rooms are end-to-end encrypted (Megolm protocol, Rust Crypto). Encryption is set up automatically:
Automatic Setup
When you first log in, SPARKS automatically sets up:
- Secret Storage – secure key management
- Cross-Signing – device verification
- Key Backup – backup of your encryption keys
No manual action required – everything happens in the background.
Encrypted Rooms
- New rooms can be created as encrypted (option when creating the room).
- Existing rooms can be encrypted later: Room settings → Privacy → “Enable encryption for this room”.
- In encrypted rooms, all messages are E2EE; only participants with the correct keys can read them.
Second Device (Desktop, Browser, Tauri)
When you sign in on an additional device, your encryption keys are automatically restored:
- The recovery key is securely fetched from the server
- Secret Storage is opened with the existing key
- All older messages become decryptable
- The new device is automatically verified
No manual action needed – your messages are readable immediately.
Recovery Key
The recovery key is your emergency key in case automatic restoration doesn't work:
- It is stored securely on the server by default (AES-256-GCM encrypted)
- You can optionally copy/save it during the setup wizard
- It is displayed in Element-compatible format (can be entered in Element)
Strict Device Verification (Admin Option)
Your organization administrator can require that the recovery key is not stored on the server. In that case:
- You must save the recovery key yourself when first setting up
- You must manually enter the key or verify via SAS/QR on each new device
- The wizard will display the key and require confirmation that you saved it
E2EE for 1:1 Calls
When E2EE is enabled for 1:1 calls:
- Audio: Your voice transmission is end-to-end encrypted.
- Video: Your video stream is end-to-end encrypted.
- Screen sharing: Shared view is also end-to-end encrypted when enabled.
Sparks uses an integrated video infrastructure for calls and meetings with support for end-to-end encryption.
Activation (1:1 Calls)
- Open Settings → Privacy
- Find the option End-to-end encrypted calls
- Toggle the switch on or off as desired
Important: For a 1:1 call to be end-to-end encrypted, both participants must have E2EE enabled.
E2EE for Video Meetings (Group Meetings)
Video meetings (group meetings) run by default without meeting E2EE. E2EE for meeting audio/video is only used when it is explicitly enabled – either via the calendar or via room settings.
When is a meeting E2EE-encrypted?
- Calendar appointments: When creating or editing an appointment, the organizer can set the option “Start encrypted” (or
startE2EEncrypted). The associated meeting chat is then created as an encrypted Matrix room, and the meeting uses a shared E2EE key (via Matrix room state). - Chat rooms (call from chat): In encrypted rooms, admins/moderators (power level ≥ 50) can enable or disable the option “Meeting end-to-end encryption” under Room settings → Privacy. Only when this option is on are calls/meetings from this room E2EE-encrypted.
Flow (calendar meeting with E2EE)
- Organizer creates an appointment with “Start encrypted”.
- When the meeting chat is opened for the first time, an encrypted Matrix room is created.
- When joining the meeting, the app fetches the shared meeting E2EE key from the Matrix room (or generates it on first join and stores it there).
- Audio and video in the meeting are then end-to-end encrypted.
Guests
Guests (participants without Matrix login, e.g. joining only via meeting link) have no access to the E2EE key. For them, the meeting runs without meeting E2EE (transport encryption still applies).
Where to find the settings
- Calendar: When creating/editing an appointment – option “Start encrypted” (if offered by the product).
- Chat room: Open room → Settings (gear) → Privacy tab → “Meeting end-to-end encryption” switch (only visible in encrypted rooms and only for admins/moderators).
Without E2EE
When E2EE is not enabled, calls and messages in Sparks are still transmitted with transport encryption. Your data is protected during transmission and at rest.