How it works
Every Shoal family has its own AES-256-GCM key. Messages are encrypted on the sending device and decrypted on the receiving devices using that key. The server only ever routes ciphertext.
Each member’s device holds the family key wrapped under that device’s own ECDH P-256 keypair. The private half of that keypair lives on the device, in IndexedDB. An encrypted copy of it is also stored on our servers under an environment secret — for resilience, not for any code path that currently exists. When a new member joins, a current member’s device wraps the family key for the new member’s public key.
What this means in practice
- Messages are encrypted on the sending device. Our servers never see them in plaintext in transit, and the database stores ciphertext.
- Almost everything else is encrypted at rest too. Display names, profile pictures, device labels, public keys, and routing metadata are all encrypted at rest under a server-side environment secret. The only personal data we hold in plaintext is your email address, which we need to send sign-in emails.
- Lose a device, no problem. Revoking a device removes its access to future messages. The family key can be rotated.
- Keys never travel in plaintext. Even during onboarding, key material is wrapped before it touches the wire.
Why we don’t call this “end-to-end encryption” without a qualifier
Pure end-to-end encryption — the Signal model — means only the participating devices ever hold the decryption keys, and even the operator can’t read messages. Shoal is almost that, but not quite: encrypted copies of device decryption keys are stored on our servers under the environment secret. We have no code path today that unwraps those copies, and no plans to write one. But it would be technically possible to do so in the future — for example, if a future Shoal team built device-recovery flows or were ordered to comply with a lawful disclosure request. We describe the implications fully on the privacy page and on the security page.
So: end-to-end in normal operation, with the at-rest caveat called out explicitly. That’s the framing we’re comfortable making.
Why we chose this model
Pure end-to-end encryption (the Signal model) is the gold standard for confidentiality. It also isn’t compatible with the parental oversight that Shoal exists to provide, and it makes recovery from total device loss impossible. Multi-recipient key wrapping gives us almost all of the cryptographic guarantees of pure E2EE while making oversight a structural property of the system; the encrypted server-side key backup is a deliberate trade-off that buys recovery and emergency-response capability at the cost of a precise architectural caveat. We’d rather be straight about that trade-off than describe ourselves as something we aren’t.
We wrote a longer piece on the threat model if you want the gritty details.