Howl encryption and security: what’s end-to-end encrypted, and what isn’t

Howl end-to-end encrypts your direct messages, group DMs, and every voice, video, and stage call. For those, the server sees ciphertext, nothing else. Server text channels are not end-to-end encrypted, for reasons below.

Howl is open source, so you can check any of this against the code. Competitor claims carry an “as of” date and get re-checked when the date at the bottom moves.

What’s end-to-end encrypted

For the following, the server stores and relays opaque ciphertext only. It can’t read the plaintext.

Fail-closed by design. A DM call that can’t obtain a valid E2EE key doesn’t fall back to plaintext: you see a red blocked shield and no media. The failure mode is “no call,” never “unencrypted call.”

What’s NOT end-to-end encrypted

Server text channels, their messages, and uploads posted to them use ordinary server-side storage: encrypted in transit and at rest, but readable by the server by design.

Why? The same reason Discord and Slack keep them readable: a public community needs moderation, full-text search, spam and abuse handling, backups, and history for the member who joined last week. You can’t moderate or search content you can’t read. When you need a conversation the server can’t read, use a DM, a group DM, or an Off the Record chat (a DM mode where messages live only on your devices and are never backed up to our servers). The DM path only ever sees ciphertext, and we won’t add content inspection to it.

The recovery-escrow tradeoff

End-to-end encryption creates a problem. If only you hold the keys and lose them, your history is gone.

Self recovery is the default. Your key material stays with you, and the server holds nothing that can decrypt your DMs. Lose your recovery method and the content is unrecoverable, by us or anyone.

Server recovery is opt-in. You upload a server-readable copy of your vault key material so the server can help you recover. The cost: for those accounts, the server can then decrypt that user’s DM content out of band.

You can switch between the two whenever you want. Turning Server recovery on uploads that escrow copy; turning it back off deletes our copy, and you’re back to holding your keys alone. One side effect to know about: Off the Record chats require Self recovery on both sides, so turning Server recovery on ends any Off the Record chats you have open. You get a warning first, and the other person sees the chat close. Switch back to Self recovery and you can go Off the Record again.

You can’t have both “the server can restore your keys” and “the server can never read your content.”

Audits

Our security reviews so far are internal, not a third-party penetration test or formal certification. The strongest external assurance in this category today is Discord’s DAVE protocol, independently audited by Trail of Bits (as of 2026-07-10); we haven’t commissioned an equivalent yet.

Open source and self-hosting

Howl is open source under AGPL-3.0 and self-hostable under the same terms.

Run your own instance with Docker. Every Pro feature is unlocked free, there’s no phone-home, and DMs stay E2E encrypted. Voice/video is off by default on self-host, since it needs your own LiveKit; text and encrypted DMs run without it. Setup documentation is in the repo.

Responsible disclosure

Found a vulnerability? Tell us before anyone else. Email support@howlpro.com with “SECURITY” in the subject line (or use private vulnerability reporting on the GitHub repository) rather than opening a public issue, give us a reasonable window to remediate, and we’ll credit you if you’d like. Our Law Enforcement guidelines, Breach Notification policy, and DMCA policy are published in advance, not improvised after an incident.

FAQ

Is Howl end-to-end encrypted? Your DMs, group DMs, and all voice/video/stage calls, yes: MLS (RFC 9420) with a post-quantum hybrid ciphersuite for messages, SFrame for calls. Server text channels aren’t, so communities can moderate and search.

What encryption does Howl use for DMs? MLS (RFC 9420) via ts-mls, ciphersuite MLS_256_XWING_AES256GCM_SHA512_Ed25519: X-Wing (X25519 plus ML-KEM-768) key exchange, Ed25519 signatures, AES-256-GCM content encryption. That’s the post-quantum hybrid part. The key exchange protects your message keys against a future quantum attacker; the Ed25519 signatures authenticating participants stay classical.

Can Howl read my messages? Not your DMs or calls under default Self recovery; those keys stay with you. It can read server text channels (by design), and it can read the DMs of users who opt into Server recovery, since that uploads a server-readable copy of their key material.

What happens to a call if encryption fails? It’s blocked, not downgraded: the client shows a red shield and sends no audio or video. There’s no silent plaintext fallback.

Has Howl been independently audited? Not yet; our security reviews so far are internal. Discord’s DAVE call protocol has a Trail of Bits audit; we don’t have an equivalent.

Is Howl really open source? Yes: AGPL-3.0 and self-hostable, with all Pro features unlocked and no phone-home. Hosted-service pricing is on the pricing page.


Last verified: 2026-07-10. Competitor details are framed “as of 2026-07-10” and re-checked on that date; Howl claims are checkable against the open-source code.