You Can Finally Encrypt Slack Messages So Your Boss Can't Read Them

Have you ever worried that your boss may be reading your secret Slack channel where you share cat memes? Or perhaps you don’t trust that high school friend who created a Slack to talk about sports not to read your direct messages?

We’ve got some good news for you. Someone finally made a tool that runs on top of Slack and encrypts messages, making them readable only by the sender and their intended recipient or recipients. The tool, called Shhlack, was created by information security consulting firm MindedSecurity and is available as a browser extension or a patch for the Slack app.

In case you didn’t know, yes—your boss can read your Slack messages, regardless of what channel you share them on. Slack administrators (which may also include your company’s IT team) have access to all data within a work Slack. And a recent update makes it even easier for administrators to download all Slack logs, including direct messages.

Of course, there are a lot of apps these days that allow for end-to-end encrypted communications, meaning that messages are scrambled in a way that no one other than the people in the conversation can read. There’s Signal, Wire, Wickr, and plenty of others. But as we noted in 2015, there’s no native tool to encrypt messages on Slack.

“Shhlack is an experiment and an ongoing project, definitely not for production, at the moment, but with a very specific goal in mind: An easy-to-use solution for passing private messages without too much worries,” MindedSecurity chief technology officer Stefano Di Paola told me in an email. “We built the tool for protecting specific messages from being logged by Slack and being exported in cleartext.”


The tool relies on CryptoJS, a JavaScript library of encryption standards, as Di Paola explained in a blog post introducing Shhlack. It’s also not quite as easy to use—nor as secure—as other encrypted messaging tools at the moment. Unlike Signal or other end-to-end encrypted chat apps, Shhlack works with so-called Pre-Shared Keys or PSK, meaning the tool doesn’t manage encryption keys for you. You and your friends will have to do that. That means you will need to share the encryption key, in the form of a passphrase, with each other before you start your first encrypted Slack chat. (Don’t do this over Slack, as that will completely negate the purpose of using Shhlack—instead, try sharing your passphrase via Signal, or even better, in meatspace.)
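The pre-shared-key model described above, sketched as an added example that is not from the original article and is not Shhlack's code or message format. It assumes Node's built-in `crypto` module rather than CryptoJS, with scrypt and AES-256-GCM chosen for this illustration; the function names and the sample passphrase are constructed.

```javascript
// Added illustration of passphrase-based (PSK) message encryption.
// Assumptions: Node's built-in crypto, scrypt for key derivation, AES-256-GCM
// for encryption. None of this is taken from Shhlack itself.
const nodeCrypto = require('crypto');

// Stretch the shared passphrase into a 256-bit key using a per-message salt.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt one chat message. Output layout: salt(16) | iv(12) | tag(16) | ciphertext,
// base64-encoded so it can be pasted into a chat window.
function encryptMessage(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a message. Returns null for a wrong passphrase or a modified blob:
// the GCM tag check fails, so the reader gets nothing rather than garbage.
function decryptMessage(passphrase, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 44) return null; // too short to hold salt, iv and tag
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const ct = raw.subarray(44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed scenario: two people share a passphrase out of band; a third
// channel member (or a workspace export) only ever holds the base64 blob.
function demo() {
  const shared = 'correct horse battery staple'; // constructed sample passphrase
  const posted = encryptMessage(shared, 'lunch at noon?');
  return {
    posted,                                        // what the channel log stores
    recipient: decryptMessage(shared, posted),     // 'lunch at noon?'
    outsider: decryptMessage('not the passphrase', posted), // null
  };
}
```

Everything rests on the passphrase: anyone who learns it can read every message protected with it, which is why it has to travel over a different channel than the one being protected.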

Right now, Shhlack is available as a Chrome extension, and this is the simplest way to use it. But keep in mind that this only allows you to encrypt messages if you use Slack within your Chrome browser. You can also install it as a patch for the Slack app for Windows, Mac, and Linux, following the instructions provided by Di Paola on the Shhlack GitHub project page.

My editor Emanuel Maiberg and I tested Shhlack on Chrome and it’s pretty easy to use. Basically, all you need to do is install the extension, share the secret passphrase with each other, and start chatting.

Once you install Shhlack, a colorful lock will appear next to the message dialog in Slack. To send an encrypted message, either click the colorful lock icon or hit Alt + S.

The Shhlack message dialog.

At this point, make sure you use the passphrase that you have shared with the friend or colleague you want to send the encrypted message to and voilà: to you and the people who have the shared key, the message will be readable. To others, it will be gibberish.

Shhlack works well even in conversations where you only want one specific person in a channel to read your messages. When Emanuel and I tested it in a group chat with our editor-in-chief Jason Koebler, he couldn’t read our messages. This is what Emanuel and I saw:

And this is what Jason saw:

As Di Paola told me, Shhlack is still in its infancy, and can be improved. For example, Di Paola said the team will try to implement the Signal protocol to avoid using pre-shared keys and make the setup more secure.
