Last updated: March 16, 2026

Element remains the most feature-rich Matrix client, but default settings prioritize convenience over privacy. This guide walks through configuration changes, command-line options, and account management techniques that reduce your digital footprint when using Matrix.

Prerequisites

Before you begin, make sure you have the following ready:

Step 1 - Initial Account Hardening

Before configuring client settings, review your account-level privacy options. Access your homeserver’s user settings panel (typically at https://your-homeserver.org/_matrix/client/r0/account/whoami).

Disable Read Receipts Globally

Read receipts create a persistent record of when you’ve viewed messages. While useful for conversation flow, they expose your online status and reading habits.

// Element Web: Disable read receipts via console
// Open browser DevTools (F12) and run:
localStorage.setItem('mx_settings', JSON.stringify({
  ...JSON.parse(localStorage.getItem('mx_settings') || '{}'),
  'pref_disable_read_receipts': true
}));
location.reload();

For persistent changes across sessions, access Element’s Settings → Privacy → “Send read receipts” and uncheck the option. This setting hides your reading status from other room participants.

Manage Presence Information

Your presence state (online, offline, typing) broadcasts to contacts. Disable presence updates to prevent tracking:

  1. Open Element → Settings → Privacy & Security
  2. Uncheck “Share my online status on this device”
  3. Set “Who can see my online status” to “Never”

Step 2 - Session and Device Management

Matrix’s device-based encryption means each device operates as a separate security context. Regular session review prevents unauthorized access.

Verify Active Sessions

Use the Matrix API to enumerate and revoke sessions:

Query active devices via curl
curl -X GET \
  "https://matrix.org/_matrix/client/r0/devices" \
  -H "Authorization - Bearer $ACCESS_TOKEN" | jq '.devices[] | {device_id, last_seen_ip, last_seen_ts}'

The response shows all connected devices with timestamps and IP addresses. Revoke unfamiliar sessions immediately:

curl -X DELETE \
  "https://matrix.org/_matrix/client/r0/devices/$DEVICE_ID" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"auth": {"type": "m.login.password", "user": "$USER_ID", "password": "$PASSWORD"}}'

Set Up Cross-Signing

Cross-signing links your devices under a single identity, allowing you to verify device keys without comparing fingerprints manually:

  1. Settings → Security → “Set up cross-signing”
  2. Create a secure passphrase for your cross-signing key
  3. Back up your recovery key, this is the only way to restore cross-signing if you lose all devices

Cross-signing enables the “Verified” green checkmark on devices you control, making tampering obvious.

Step 3 - Encryption Configuration

Element supports end-to-end encryption (E2EE) by default in direct messages and optionally in rooms. However, several settings require attention.

Enable Encryption by Default

Create new encrypted rooms by default:

// Element Web: Force encryption in new rooms
localStorage.setItem('mx_default_encrypted', 'true');

In Element Desktop, navigate to Settings → Security & Privacy → “Default device settings” and enable “Force encryption for new rooms.”

Configure Key Backup

Encrypted messages require key storage. Self-hosted key backup keeps your recovery keys under your control:

  1. Settings → Security → “Set up key backup”
  2. Choose “Customise your recovery key”
  3. Store the recovery key in a password manager, not cloud storage

For advanced users, configure key backup to use a custom homeserver:

// Element Web: Point key backup to custom server
const { BackupManager } = require("matrix-js-sdk/lib/crypto-api/backup");
const backupManager = new BackupManager({
  baseUrl: "https://your-backup-server.org",
  auth: { access_token: "your-token" }
});

Step 4 - Metadata Minimization

Even with encryption, metadata reveals communication patterns. Reduce exposure through these strategies.

Use Private Rooms

Public Matrix rooms broadcast your participation to the entire network. Create private rooms instead:

{
  "name": "Private Project Discussion",
  "preset": "private_chat",
  "visibility": "private",
  "invite": ["@colleague:matrix.org"],
  "initial_state": [
    {
      "type": "m.room.history_visibility",
      "content": { "history_visibility": "joined" }
    }
  ]
}

Setting history_visibility to joined prevents new members from viewing message history before they joined.

Disable Room Federation for Sensitive Discussions

Prevent message metadata from spreading across servers by restricting federation:

{
  "type": "m.room.federate",
  "state_key": "",
  "content": { "m.federate": false }
}

This creates a fully isolated room, useful for sensitive discussions where even metadata leaking to other homeservers is unacceptable.

Configure Message Retention

Homeservers can auto-delete old messages. Add a retention policy to your room:

{
  "type": "m.room.retention",
  "content": {
    "max_age": 2592000,
    "min_lifetime": 86400
  }
}

This deletes messages older than 30 days while keeping at least 1 day of history.

Step 5 - Network-Level Privacy

Client configuration extends beyond Element itself. Consider these network-level measures.

Run Element Over Tor

For maximum network privacy, route Matrix traffic through Tor:

Configure Element to use Tor (SOCKS5 proxy)
In Element Desktop, add to config:
{
  "soft_log_level": "info",
  "tor": {
    "control_port": 9051,
    "socks_port": 9050
  }
}

On mobile, Orbot provides Tor routing for Element. Enable “Proxying” in Orbot settings and configure Element to use localhost:8118 as a SOCKS/HTTP proxy.

Use a Privacy-Respecting Homeserver

Your choice of homeserver determines what metadata the server operator collects. Self-hosted homeservers or community-run instances with clear privacy policies reduce exposure:

For self-hosting, disable these logging options in your Synapse configuration:

synapse.yaml - reduce logging
log_config: "/dev/null"
report_stats: false
presence:
  enabled: false

Advanced Security Settings

Element provides several under-the-hood options worth enabling.

Disable Link Previews

Link previews require fetching external URLs, leaking metadata about shared links to third parties:

  1. Settings → Privacy & Security → “Link previews”
  2. Disable for all URLs or configure per-room

Configure Room Directory Visibility

Control who can find you in room directories:

// Element Web: Hide from room directory
const MxRelations = require("matrix-js-sdk/lib/models/relations");
localStorage.setItem('mx_directory_visibility', 'private');

Use Element Without JavaScript

For extremely security-conscious users, matrix-puppet-bridge provides a CLI-based Matrix client. While impractical for daily use, it demonstrates the principle that less client-side code reduces attack surface.

Step 6 - Perform Maintenance and Monitoring

Security requires ongoing attention.

Regular Session Audits

Schedule monthly reviews of active sessions using the API or Element’s device manager. Remove devices you no longer use.

Update Element Promptly

Matrix vulnerabilities are patched regularly. Enable automatic updates in Element Desktop or subscribe to the Matrix Security Announcements mailing list.

Monitor for Account Compromise

Enable notifications for new device logins:

  1. Settings → Security & Privacy → “Notifications”
  2. Enable “Notify me when there’s a new login to my account”

This alerts you to unauthorized access attempts.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

How long does it take to configure element matrix client for maximum privacy?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles