https://github.com/ryannzander/hush
A peer-to-peer, end-to-end encrypted messenger for messages, photos, and calls. Free and open source, designed privacy-first.
https://github.com/ryannzander/hush
anonymous anonymous-chat messager messaging privacy privacy-first rust
Last synced: 21 days ago
JSON representation
A peer-to-peer, end-to-end encrypted messenger for messages, photos, and calls. Free and open source, designed privacy-first.
- Host: GitHub
- URL: https://github.com/ryannzander/hush
- Owner: ryannzander
- License: agpl-3.0
- Created: 2026-05-31T00:06:24.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-05-31T02:44:32.000Z (about 1 month ago)
- Last Synced: 2026-05-31T03:08:25.595Z (about 1 month ago)
- Topics: anonymous, anonymous-chat, messager, messaging, privacy, privacy-first, rust
- Language: Rust
- Homepage:
- Size: 153 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Threat model: THREAT_MODEL.md
- Security: SECURITY.md
Awesome Lists containing this project
README
# Hush
An end-to-end encrypted messenger for text, images, files, and voice messages.
Asynchronous and metadata-private by design, free and open source.
## Principles
Every design decision is measured against these:
1. **End-to-end always.** Every message and attachment is encrypted on the sender's device
and decrypted only on the recipient's. No relay ever holds plaintext or long-term keys.
2. **Minimal metadata.** We treat *who talks to whom, when, and how much* as sensitive as
content. Servers store nothing they don't strictly need, and we work to hide social
graph and timing even from our own infrastructure.
3. **No identifiers you didn't choose.** Identity is a cryptographic key, not a phone
number or email. Trust is established out-of-band (safety numbers / QR).
4. **Auditable.** AGPL-3.0, reproducible builds (goal), audited crypto libraries — never
hand-rolled primitives.
5. **One core, many shells.** All security-critical logic lives in a single Rust crate so
it is written and reviewed exactly once.
## Architecture (short version)
```
UI shells (egui desktop · WASM web) → core crate (Rust) → relay network
identity · E2E crypto opaque mailbox queues
messages · onion transport (self-hostable)
```
- **E2E crypto:** the audited [libsignal](https://github.com/signalapp/libsignal) library —
post-quantum X3DH (PQXDH) + Double Ratchet, with sealed sender for metadata privacy. We
never reimplement primitives or the ratchet.
- **Transport:** asynchronous store-and-forward into per-contact **mailbox queues** that
hold only opaque ciphertext, **onion-routed** so no relay learns who talks to whom. No
real-time channels; everything is delivered when the recipient next connects.
- **Local storage:** encrypted-at-rest (SQLCipher), keys sealed by the OS keychain.
See [ARCHITECTURE.md](ARCHITECTURE.md) and [THREAT_MODEL.md](THREAT_MODEL.md).
## Roadmap
| Phase | Scope | State |
|-------|-------|-------|
| 0 | Cryptographic core: identity, PQXDH, Double Ratchet (libsignal) | done |
| 1 | Message protocol: text/image/file/voice-clip types, framing, attachment chunking, all E2E | done |
| 2 | Private mailbox queues, out-of-band invitations, and a networked relay (`services/relay`) | done |
| 3 | Onion routing across relays (hide the social graph) | done |
| 4 | Persistent encrypted store (SQLCipher) + safety-number / QR verification UX | next |
| 5 | Desktop (egui) and web (WASM) clients; release binaries; hardening | in progress |
## Building
```sh
cargo test # run the core test suite
cargo build --release # privacy-minded release profile (stripped, panic=abort, LTO)
```
Requires the pinned Rust toolchain and `protoc` (libsignal compiles protobuf
definitions at build time). See [CONTRIBUTING.md](CONTRIBUTING.md) for setup.
## Security
Found a vulnerability? **Do not open a public issue.** See [SECURITY.md](SECURITY.md)
for coordinated disclosure.
## License
[AGPL-3.0-or-later](LICENSE). The network-use clause is deliberate: anyone running a
modified server must publish their source, so the privacy guarantees stay verifiable.