The encryption stack · explained

End-to-end encrypted DMs — because friendship is private too.

Every message you send on Friends? is encrypted on your device with a key we never touch. Your private key is derived from your passphrase via Argon2id and lives only in your browser. We literally can't read a single DM — and neither can a subpoena.

The stack

Bry_NFET_SX — our custom crypto layer

  • XChaCha20-Poly1305 AEAD for every message body. Same algorithm Signal uses; modern, fast on mobile, nonce space large enough to never collide.
  • X25519 sealed boxes for the key exchange. Your public key is on the server; your private key never is. Sealed boxes let anyone with your public key send you an encrypted message without a prior key exchange; the sender uses a one-off ephemeral key, so the box itself carries no sender identity.
  • Argon2id for turning your passphrase into the private key. Modern, memory-hard, GPU-resistant. Target: 300 ms per derivation on a mid-range phone, so brute-forcing a leaked database would take years.
  • Your private key leaves the browser only in wrapped form. The server holds an encrypted blob it can't open. Even if we were hacked, the attacker would still need your passphrase to read a message.

What we can and can't see

The honest trust ledger

We can see:

  • That two user IDs exchanged a message (timestamp, size).
  • Which match generated the thread.
  • Push-notification metadata (so we can wake your phone).

We can't see:

  • The content of any message you've sent or received.
  • The content of any AI-drafted hang invitation.
  • Anything in your Solo? journal (same E2EE path).
  • Your passphrase, anywhere.

Why friendship needs E2EE

Private-by-default isn't just for dissidents.

Most messaging apps argue that E2EE is for journalists, activists, and whistleblowers. That's true, but it undersells the case. Friendship conversations contain the same content as therapy — fears, grief, medical news, job trouble, the truth about your relationship. That content shouldn't sit on any server in a form the vendor can read.

Friends? is the first friendship app to take this seriously at the protocol layer. Bumble BFF, Timeleft, Meetup — all of them store your messages in the clear on their servers.

What happens if you forget your passphrase

Honest answer: you lose old messages.

Because your private key is derived from your passphrase and we never store it, resetting your passphrase means old encrypted messages become unreadable. We can issue a new keypair — new threads will work — but the old ones are gone. This is the expected tradeoff for real E2EE. We prefer it over the alternative (backdoor recovery = we're lying about the "end-to-end" part).

Related: how Friends? works end-to-end.

Frequently asked

Is Friends? encryption really as strong as Signal's?

The core primitives — XChaCha20-Poly1305, X25519, Argon2id — are what Signal uses. The sealed-box flavor differs (we use anonymous sender sealed boxes by default because friendship matching is asymmetric). For every message body, the cipher strength is the same.

Can law enforcement get my messages?

We have nothing to hand over. The server holds ciphertext it can't decrypt. The only copy of the decryption key is on your device.

Can Friends? decrypt my messages to show them to me?

Yes, on your device, using your private key (which is decrypted from your wrapped key using your passphrase). The decrypted content never leaves your browser in any network-visible form.

Is group-meetup chat also encrypted?

Yes. Group threads use the same primitives with a fan-out-per-recipient sealed-box pattern. Adding a new member to a group rotates the symmetric key.

Does the Friend? AI read my messages?

Only messages you explicitly send to the AI (by opening the /friend chat surface). Your person-to-person DMs are invisible to the AI.
