https://github.com/caaatto/rede

Secure anonymous E2EE messenger -- Avalonia desktop GUI, X3DH + Double Ratchet, sealed sender, E2EE voice calls, I2P/Tor/WSS transport

# Rede

Rede is an end-to-end encrypted messenger.
No phone number. No email. No metadata. Just keys.

All messages are encrypted on your device and decrypted on the recipient's
device. The server never sees plaintext, never knows who is talking to whom,
and stores nothing it doesn't have to.

## download

Grab the latest release for your platform:

**[Download for Linux / Windows](https://github.com/caaatto/rede/releases)**

No runtime or SDK required - the app is fully self-contained and
auto-updates when a new version is published.

## linux installation

**Quick start** - download and run:
```bash
chmod +x REDE
./REDE
```

**AppImage** - portable, double-click to run, no install needed. Grab
`REDE-x86_64.AppImage` from the release:
```bash
chmod +x REDE-x86_64.AppImage
./REDE-x86_64.AppImage
```
It integrates into your app menu on first run and auto-updates itself in place.

**System-wide install** (optional):
```bash
sudo cp REDE /usr/local/bin/REDE
sudo chmod 755 /usr/local/bin/REDE
```

**Install script** (recommended) - one command does everything: installs all
system dependencies (GUI, voice, hardware-key support) via your package manager
(apt/dnf/pacman/zypper), downloads the latest prebuilt binary, **verifies its
Ed25519 signature**, and registers a `rede` launcher, app icon and `.desktop`
entry. No SDK or build step:
```bash
curl -sSL https://raw.githubusercontent.com/caaatto/rede/main/scripts/install.sh | bash
```
The dependency step needs `sudo` (you'll be prompted). `REDE` itself installs
to `~/.local/bin` — user-writable, so the app **auto-updates itself in place,
exactly like the Windows build**, with no further package-manager involvement.
Re-run any time to repair the install. Flags:

| Flag | Effect |
|---|---|
| `--no-deps` | skip the system-dependency step |
| `--with-tor` / `--with-i2p` | also install the Tor / i2pd daemon for anonymous transport |
| `--uninstall` | remove the app (keeps your profile and system packages) |
| `--no-verify` | skip the signature check (not recommended) |

When piped, pass flags after `-s --`, e.g.
`curl -sSL … | bash -s -- --with-tor`.

If `~/.local/bin` is not in your `PATH`, add it:
```bash
export PATH="$HOME/.local/bin:$PATH"
```
To build from source instead (requires the .NET 8 SDK + git), use
`scripts/install-from-source.sh`.

**Desktop entry** - if you placed the binary manually and want an app
launcher, create `~/.local/share/applications/rede.desktop`:
```ini
[Desktop Entry]
Name=REDE
GenericName=Secure Messenger
Comment=Secure, anonymous E2EE messenger
Exec=/path/to/REDE
Icon=rede
Terminal=false
Type=Application
Categories=Network;Chat;InstantMessaging;
```

**Windows:**
Double-click `REDE.exe`.

## updating

Rede updates itself - you never re-clone, re-run the installer, or `git pull`.

1. On launch, the app checks GitHub for a newer release.
2. If one exists, the login screen shows **"Update available: vX.Y.Z - click to install"**.
3. Click it. Rede downloads the new build, **verifies its Ed25519 signature and
checksum**, and swaps the binary in place.
4. Restart the app. Done.

No package manager, and no `sudo` when installed to `~/.local/bin` (the installer's
default) - exactly like the Windows build, which swaps `REDE.exe`. The AppImage
updates itself the same way.

The `curl | … | bash` installer is a one-time bootstrap. The only reason to run it
again is if a future release needs a brand-new system library - the self-updater
swaps only the app binary, not its OS dependencies.

## features

- **End-to-end encryption** - PQXDH (X25519 + ML-KEM-768 hybrid post-quantum) + Double Ratchet, XSalsa20-Poly1305. Quantum-resistant against "harvest now, decrypt later" attacks.
- **Sealed sender** - the server can't see who sent a message
- **Groups** - Sender Keys for group PFS, Ed25519 signed
- **Places** - Discord-like servers with channels, customizable profile (icon, accent color). All metadata is E2EE
- **Voice calls** - E2EE audio via SRTP (AES-128-CM + HMAC-SHA1-80), Opus 96kbps, RNNoise suppression, AGC, echo cancellation
- **Group calls** - LiveKit SFU for Places/Groups, E2EE via SFrame (key never leaves client), up to 25 participants, 1080p60 video
- **Profile customization** - accent colors, avatar images (PNG/GIF/JPEG), shared with contacts
- **Multi-device** - each device has its own keys, messages delivered to all devices
- **Hardware security keys (FIDO2)** - require a physical key (Thetis, YubiKey, etc.) plus your passphrase to unlock your profile, with optional server-side 2FA. Multiple keys + recovery code supported
- **Anonymous transport** - connect via I2P or Tor to hide your IP from the server
- **Message padding** - fixed-size buckets prevent traffic analysis
- **Self-destructing messages** - TTL-based auto-delete
- **No tracking** - no phone number, no email, no analytics, no ads

## getting started

1. Download and launch Rede
2. Choose a display name and a strong passphrase (min 12 characters)
3. Enter the server address and an invite code from the server admin
4. Click **Register**

Your user ID will be `displayname#tag` (e.g. `alice#a3f1`).
The passphrase encrypts your profile locally - there is no recovery if you lose it.

## transport options

Rede supports three connection modes. Select your transport on the login screen.

| Transport | Latency | IP hidden | How |
|---|---|---|---|
| Direct (WSS) | ~50-100ms | No | Connect via `wss://` |
| I2P | ~500-2000ms | Yes | Garlic routed via i2pd |
| Tor | ~300-1000ms | Yes | Onion routed via Tor |

Your messages are always E2EE regardless of transport.
Other users never see your IP in any mode.

For I2P or Tor, you need the respective daemon running locally.
The desktop client picks up proxy settings from the `.env` file or
environment variables:

```
REDE_SERVER=ws://address.i2p
REDE_TRANSPORT=i2p
REDE_I2P_PROXY=socks5h://127.0.0.1:4447
REDE_TOR_PROXY=socks5h://127.0.0.1:9050
```

## commands

Type these in the message input box.

```
/add                  add a contact
/remove               delete a contact
/confirm              accept a key change
/fingerprint [user]   show identity fingerprint
/group                create a group
/ginvite              invite someone to a group
/kick                 remove someone from a group
/rekey                rotate the group key
/place                create a place (server with channels)
/pchannel             add a channel to a place
/pinvite              invite someone to a place
/pkick                remove someone from a place
/pleave               leave a place
/prekey               rotate the place metadata key
/ttl                  auto-delete messages after N days (0 = off)
/call                 start a 1:1 voice call
/call                 start a group call in the current place/group
/hangup               end the call
/mute                 toggle microphone
/link                 generate a device link code
/devices              show linked devices
/settings             open settings
/help                 show help
```

**Keyboard shortcuts:**
```
Enter ......... send message
Escape ........ toggle sidebar
Ctrl+Q ........ quit
```

Right-click contacts to invite them to groups/places, view fingerprints, or delete.
Right-click groups and places for management options (invite, kick, rotate key).

## voice calls

Audio is encrypted with SRTP at 96kbps Opus (above Discord standard).
The call transport matches your connection - if you're on I2P, your call
is anonymous. SRTP keys are exchanged over your existing Double Ratchet
session, so the server never has access to audio.

Calls appear as an overlay in the chat area with accept/decline, mute, and
hang up controls.

**Group calls** (Places/Groups) use a LiveKit SFU for media routing, but
audio and video are still end-to-end encrypted with SFrame. The SFrame key
is derived from the Place's metadata key (or Group's shared key) via HKDF
with domain separation - neither the Rede server nor the LiveKit SFU ever
see it. Up to 25 participants per call, 1080p60 video, Opus audio.
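
The derivation described above, as an added example (not Rede's own code): HKDF-SHA256 per RFC 5869 with a length-prefixed `info` label for each purpose and place. The label strings, the `place-...` IDs and the second purpose (`metadata-aead`) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF per RFC 5869 with SHA-256: extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 can output at most 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def info_label(purpose: str, scope_id: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide."""
    fields = [b"example-app/v1", purpose.encode(), scope_id.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def derive_subkey(metadata_key: bytes, purpose: str, scope_id: str) -> bytes:
    """One 32-byte subkey per (purpose, scope); the labels are assumptions."""
    return hkdf_sha256(metadata_key, b"", info_label(purpose, scope_id))

def demo() -> dict:
    place_id = "place-7f3a"           # constructed opaque ID
    metadata_key = os.urandom(32)     # held only by members of the place
    rotated_key = os.urandom(32)      # the key after a rotation
    return {
        "sframe": derive_subkey(metadata_key, "sframe-media", place_id),
        "same_inputs": derive_subkey(metadata_key, "sframe-media", place_id),
        "other_purpose": derive_subkey(metadata_key, "metadata-aead", place_id),
        "other_place": derive_subkey(metadata_key, "sframe-media", "place-0000"),
        "after_rotation": derive_subkey(rotated_key, "sframe-media", place_id),
    }

if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:15s} {key.hex()}")
```

Every member derives the same media key locally from a key they already hold, so nothing key-bearing has to pass through the SFU, and a subkey leaked for one purpose or place does not reveal the others.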

## places

Places work like Discord servers - a place has channels, members, and roles.
Unlike Discord, all metadata (names, topics, icons, colors) is end-to-end
encrypted. The server only sees opaque IDs.

Each place has its own profile - accent color and icon - visible in the
sidebar. Right-click a place to manage members, channels, keys, and the
place profile. Only the creator can edit the profile, kick members, or
delete channels.

## profile

Customize your profile in Settings:
- **Accent color** - 12 preset colors, visible to your contacts in chat
- **Avatar** - upload a PNG, JPEG, or GIF (max 256KB)

Changes are previewed locally. Click **Apply** to save and share with contacts.
Profile updates ride on the regular chat channel: an avatar/accent edit is
broadcast to all contacts on apply, and lazily re-synced via the next chat
message in either direction whenever the broadcast missed an offline peer.

## multi-device

Link additional devices to receive messages on all of them.

1. On your existing device: `/link` (generates a code, valid for 5 minutes)
2. On the new device: enter the link code during setup

Each device has its own cryptographic identity.

## security keys (FIDO2)

Optionally require a physical FIDO2/WebAuthn security key (Thetis, YubiKey, etc.)
to unlock your profile. Enroll one under **Settings → Security → Security Keys**.

Once enrolled, your profile can only be opened with **your passphrase plus the
hardware key** - a stolen laptop and a cracked passphrase are no longer enough.
How it works:

- A random Profile Master Secret is mixed into your profile's encryption key.
It is never stored in the clear - only wrapped by the key's `hmac-secret`
output (and by a recovery code). Passphrase alone can no longer decrypt.
- **Multiple keys** can be enrolled (a main key + a backup), and a one-time
**recovery code** is generated so you are never locked out if a key is lost.
- **Server-side 2FA** (optional): the same key also gates login at the server,
so your account can't be used from another machine even with your identity keys.
- **Platforms**: Windows uses the built-in WebAuthn API (no extra install);
Linux uses `libfido2` (`sudo apt install libfido2-1`).

Profiles without an enrolled key are unchanged - this is fully opt-in.
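
A sketch of the key hierarchy described in this section, as an added example (not Rede's own code): one wrapped slot per hardware key plus a recovery slot, and a profile key that needs both the passphrase and the unwrapped master secret. The mixing step, the slot layout and the PRF-pad-plus-MAC `wrap` (a standard-library stand-in for an AEAD such as NaCl secretbox) are assumptions; the token is simulated using the CTAP2 definition of `hmac-secret`.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()

def wrap(kek: bytes, secret32: bytes) -> bytes:
    """Stdlib stand-in for an AEAD (PRF pad + MAC); one kek wraps one secret only."""
    ct = bytes(a ^ b for a, b in zip(secret32, prf(kek, b"pad")))
    return ct + prf(kek, b"tag", ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, prf(kek, b"tag", ct)):
        raise ValueError("wrong unlock factor or tampered slot")
    return bytes(a ^ b for a, b in zip(ct, prf(kek, b"pad")))

def hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    """Simulated token: CTAP2 hmac-secret yields HMAC-SHA-256(CredRandom, salt)."""
    return hmac.new(cred_random, salt, hashlib.sha256).digest()

def recovery_kek(code: str) -> bytes:
    return prf(code.encode(), b"recovery")  # code assumed random, high entropy

def profile_key(passphrase: str, kdf_salt: bytes, pms: bytes) -> bytes:
    """Assumed mixing step: stretched passphrase keyed by the master secret."""
    stretched = hashlib.scrypt(passphrase.encode(), salt=kdf_salt,
                               n=2**14, r=8, p=1, dklen=32)
    return prf(pms, b"profile-key", stretched)

def enroll(passphrase: str, tokens: dict, recovery_code: str):
    """Return (header safe to store on disk, profile key). The PMS is not stored."""
    pms, hmac_salt, kdf_salt = os.urandom(32), os.urandom(32), os.urandom(16)
    slots = {n: wrap(hmac_secret(cr, hmac_salt), pms) for n, cr in tokens.items()}
    slots["recovery"] = wrap(recovery_kek(recovery_code), pms)
    header = {"hmac_salt": hmac_salt, "kdf_salt": kdf_salt, "slots": slots}
    return header, profile_key(passphrase, kdf_salt, pms)

def unlock(header: dict, passphrase: str, slot: str, kek: bytes) -> bytes:
    pms = unwrap(kek, header["slots"][slot])  # fails without the right factor
    return profile_key(passphrase, header["kdf_salt"], pms)

if __name__ == "__main__":
    main, backup = os.urandom(32), os.urandom(32)  # constructed CredRandom values
    hdr, key = enroll("constructed passphrase", {"main": main, "backup": backup}, "constructed-code")
    assert unlock(hdr, "constructed passphrase", "backup", hmac_secret(backup, hdr["hmac_salt"])) == key
    assert unlock(hdr, "constructed passphrase", "recovery", recovery_kek("constructed-code")) == key
```

An attacker holding the on-disk header and a cracked passphrase still lacks the 32-byte master secret, so the brute-force target moves from the passphrase to the token's internal secret or the recovery code.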

## privacy

```
message content ........... never visible to server (E2EE)
sender identity ........... hidden (sealed sender)
recipient identity ........ visible (server must route)
message size .............. hidden (fixed-size padding)
group/place membership .... visible (server manages roster)
channel names/place profile hidden (E2EE metadata)
voice audio ............... never visible (SRTP, blind relay)
group call media .......... never visible (SFrame, SFU blind forward)
call participants ......... visible (server routes signaling)
your IP address ........... hidden with I2P/Tor, visible with direct WSS
```

Your profile (keys, contacts, chat history) is stored locally in `~/.rede/`,
encrypted with your passphrase using scrypt + NaCl secretbox.
There is no recovery mechanism - do not lose your passphrase.

## security

- Post-quantum hybrid handshake: PQXDH (X25519 + ML-KEM-768) per Signal spec — defends against "harvest now, decrypt later" attacks even if quantum computers break X25519
- Forward secrecy: past messages stay safe if current keys are compromised
- Post-compromise security: new key exchange heals after compromise
- TOFU pinning: server certificate and signing key pinned on first contact
- Backward-compatible PQ fallback: peers without PQ keys still get classical X3DH (security regression flagged in logs)
- Server signatures: all server responses signed with Ed25519
- Voice E2EE: SRTP keys never leave the Double Ratchet session (inherits PQ protection from session bootstrap)
- Optional hardware second factor: FIDO2 security key (`hmac-secret`) bound into the at-rest profile key, with optional server-side WebAuthn 2FA

## license

AGPL-3.0 -- see [LICENSE](LICENSE)