Element remains the most feature-rich Matrix client, but default settings prioritize convenience over privacy. This guide walks through configuration changes, command-line options, and account management techniques that reduce your digital footprint when using Matrix.

Initial Account Hardening

Before configuring client settings, review your account-level privacy options. Access your homeserver’s user settings panel (typically at https://your-homeserver.org/_matrix/client/r0/account/whoami).

Disable Read Receipts Globally

Read receipts create a persistent record of when you’ve viewed messages. While useful for conversation flow, they expose your online status and reading habits.

// Element Web: Disable read receipts via console
// Open browser DevTools (F12) and run:
localStorage.setItem('mx_settings', JSON.stringify({
  ...JSON.parse(localStorage.getItem('mx_settings') || '{}'),
  'pref_disable_read_receipts': true
}));
location.reload();

For persistent changes across sessions, access Element’s Settings → Privacy → “Send read receipts” and uncheck the option. This setting hides your reading status from other room participants.

Manage Presence Information

Your presence state (online, offline, typing) broadcasts to contacts. Disable presence updates to prevent tracking:

1. Open Element → Settings → Privacy & Security
2. Uncheck “Share my online status on this device”
3. Set “Who can see my online status” to “Never”

Session and Device Management

Matrix’s device-based encryption means each device operates as a separate security context. Regular session review prevents unauthorized access.

Verify Active Sessions

Use the Matrix API to enumerate and revoke sessions:

# Query active devices via curl
curl -X GET \
  "https://matrix.org/_matrix/client/r0/devices" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq '.devices[] | {device_id, last_seen_ip, last_seen_ts}'

The response shows all connected devices with timestamps and IP addresses. Revoke unfamiliar sessions immediately:

curl -X DELETE \
  "https://matrix.org/_matrix/client/r0/devices/$DEVICE_ID" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"auth": {"type": "m.login.password", "user": "$USER_ID", "password": "$PASSWORD"}}'

Set Up Cross-Signing

Cross-signing links your devices under a single identity, allowing you to verify device keys without comparing fingerprints manually:

1. Settings → Security → “Set up cross-signing”
2. Create a secure passphrase for your cross-signing key
3. Back up your recovery key—this is the only way to restore cross-signing if you lose all devices

Cross-signing enables the “Verified” green checkmark on devices you control, making tampering obvious.

Encryption Configuration

Element supports end-to-end encryption (E2EE) by default in direct messages and optionally in rooms. However, several settings require attention.

Enable Encryption by Default

Create new encrypted rooms by default:

// Element Web: Force encryption in new rooms
localStorage.setItem('mx_default_encrypted', 'true');

In Element Desktop, navigate to Settings → Security & Privacy → “Default device settings” and enable “Force encryption for new rooms.”

Configure Key Backup

Encrypted messages require key storage. Self-hosted key backup keeps your recovery keys under your control:

1. Settings → Security → “Set up key backup”
2. Choose “Customise your recovery key”
3. Store the recovery key in a password manager—not cloud storage

For advanced users, configure key backup to use a custom homeserver:

// Element Web: Point key backup to custom server
const { BackupManager } = require("matrix-js-sdk/lib/crypto-api/backup");
const backupManager = new BackupManager({
  baseUrl: "https://your-backup-server.org",
  auth: { access_token: "your-token" }
});

Metadata Minimization

Even with encryption, metadata reveals communication patterns. Reduce exposure through these strategies.

Use Private Rooms

Public Matrix rooms broadcast your participation to the entire network. Create private rooms instead:

{
  "name": "Private Project Discussion",
  "preset": "private_chat",
  "visibility": "private",
  "invite": ["@colleague:matrix.org"],
  "initial_state": [
    {
      "type": "m.room.history_visibility",
      "content": { "history_visibility": "joined" }
    }
  ]
}

Setting history_visibility to joined prevents new members from viewing message history before they joined.

Disable Room Federation for Sensitive Discussions

Prevent message metadata from spreading across servers by restricting federation:

{
  "type": "m.room.federate",
  "state_key": "",
  "content": { "m.federate": false }
}

This creates a fully isolated room—useful for sensitive discussions where even metadata leaking to other homeservers is unacceptable.

Configure Message Retention

Homeservers can auto-delete old messages. Add a retention policy to your room:

{
  "type": "m.room.retention",
  "content": {
    "max_age": 2592000,
    "min_lifetime": 86400
  }
}

This deletes messages older than 30 days while keeping at least 1 day of history.

Network-Level Privacy

Client configuration extends beyond Element itself. Consider these network-level measures.

Run Element Over Tor

For maximum network privacy, route Matrix traffic through Tor:

# Configure Element to use Tor (SOCKS5 proxy)
# In Element Desktop, add to config:
{
  "soft_log_level": "info",
  "tor": {
    "control_port": 9051,
    "socks_port": 9050
  }
}

On mobile, Orbot provides Tor routing for Element. Enable “Proxying” in Orbot settings and configure Element to use localhost:8118 as a SOCKS/HTTP proxy.

Use a Privacy-Respecting Homeserver

Your choice of homeserver determines what metadata the server operator collects. Self-hosted homeservers or community-run instances with clear privacy policies reduce exposure:

• matrix.org: Default public server, reasonable privacy policy but centralized
• privacytools.io list: Curated list of privacy-focused Matrix homeservers
• Self-hosted: Complete control but requires technical expertise

For self-hosting, disable these logging options in your Synapse configuration:

# synapse.yaml - reduce logging
log_config: "/dev/null"
report_stats: false
presence:
  enabled: false

Advanced Security Settings

Element provides several under-the-hood options worth enabling.

Disable Link Previews

Link previews require fetching external URLs, leaking metadata about shared links to third parties:

1. Settings → Privacy & Security → “Link previews”
2. Disable for all URLs or configure per-room

Configure Room Directory Visibility

Control who can find you in room directories:

// Element Web: Hide from room directory
const MxRelations = require("matrix-js-sdk/lib/models/relations");
localStorage.setItem('mx_directory_visibility', 'private');

Use Element Without JavaScript

For extremely security-conscious users, matrix-puppet-bridge provides a CLI-based Matrix client. While impractical for daily use, it demonstrates the principle that less client-side code reduces attack surface.

Maintenance and Monitoring

Security requires ongoing attention.

Regular Session Audits

Schedule monthly reviews of active sessions using the API or Element’s device manager. Remove devices you no longer use.

Update Element Promptly

Matrix vulnerabilities are patched regularly. Enable automatic updates in Element Desktop or subscribe to the Matrix Security Announcements mailing list.

Monitor for Account Compromise

Enable notifications for new device logins:

1. Settings → Security & Privacy → “Notifications”
2. Enable “Notify me when there’s a new login to my account”

This alerts you to unauthorized access attempts.

Related Articles

• Matrix/Element vs Signal for Private Group Communication
• Configure Firefox for Maximum Privacy Without Breaking
• How To Configure Trezor Hardware Wallet For Maximum Transact
• How To Configure Ublock Origin For Maximum Anti Tracking Pro
• Set Up Own Email Server For Maximum Privacy Using Mail In

Built by theluckystrike — More at zovo.one