e2eerelay - minimal end-to-end-encrypted message relay server
e2eerelay - a minimal end-to-end-encrypted message relay server
What it does
e2eerelay is a small server, written in Go, that relays end-to-end-encrypted messages between a user’s own devices. It was built to synchronize data (vault entries, changes, etc.) between the desktop and mobile versions of a password manager I’m developing, without ever being able to read the content itself.
The server only ever handles opaque ciphertext. It has no knowledge of encryption keys, and no way to decrypt what it stores or forwards.
Design principles
- Blind by design: the relay stores and forwards ciphertext only. Encryption and decryption happen entirely on the client side.
- Trusted devices only: a device can only register after proving knowledge of a shared master key via a daily-rotating HMAC challenge-response, never transmitted in the clear.
- Scoped delivery: messages are only ever served to the specific device inbox they were addressed to.
- Self-limiting: per-device rate limits, daily message/byte quotas, message size caps, and TTL-based expiry keep abuse and storage growth in check.
- Simple by necessity: no admin GUI, no unnecessary surface area, just an HTTP API backed by SQLite or PostgreSQL.
Tech
Go, chi router, SQLite/PostgreSQL, long-polling for near-real-time delivery.
See the project and full protocol documentation on Github