End-to-end encrypted communities with post-quantum key exchange. The server cannot read your messages, your metadata, or even your community's name.
Channels, voice chat, roles, DMs. The stuff you use every day. The difference is that everything is encrypted before it leaves your device.
Text channels organized into categories. Direct messages. Replies, reactions, editing, file attachments, encrypted pins. The familiar shape of a community platform, encrypted end-to-end by default.
Two layers of encryption: ChaCha20-Poly1305 transport encryption plus Sender Keys for end-to-end encryption. The server relays audio packets it cannot decrypt. Low latency, no third party listening in.
19 granular permissions. Per-channel and per-category overwrites. Multi-role assignment. Audit logs. Full community governance without giving up encryption to get it.
Session establishment uses PQXDH with ML-KEM-1024. Every ratchet step after that mixes in a fresh ML-KEM-768 shared secret. Traffic captured today stays protected even if a future quantum computer breaks the classical key exchange.
Every DM uses a unique key via Double Ratchet. Group channels rotate epoch keys when members leave. Compromising one message — or one member — does not compromise the rest.
The server delivers your DMs without knowing the sender. Your community's name is stored as ciphertext it cannot read. Metadata is not a side channel — it is not collected at all.
You already know the pitch from every other platform: we care about your privacy. And then they log everything, sell the patterns, and hand it over when someone with a badge asks nicely. Any platform that can read your data will eventually be compelled to share it. That is a structural problem, not a policy failure.
Hushwire doesn't ask you to trust us. The server literally cannot read your messages. It cannot read your community's name. It cannot see who sent a direct message. It cannot decrypt your profile picture. Not because of a policy: because of math.
When you search for a GIF, the server queries Giphy on your behalf — your IP address never touches Giphy's servers. That is the kind of detail that separates a privacy policy from a privacy architecture.
If you've ever had to think twice about what you say in a group chat — about who you are, who you're with, what you believe, what you're working on — this is built for you. Not as a feature. As the entire point.
The protocol design is peer-reviewed. The implementation is open source Rust — every function, every primitive, every test. If you're a security researcher, read it, audit it, try to break it. Read the full details.
Messages are encrypted on your device. The server relays ciphertext it cannot read. But Hushwire goes further: community names, descriptions, and avatars are also encrypted before upload. The server cannot produce readable data because it never had any.
Choose the right tradeoff per channel. Open: no encryption. Standard: encrypted, full history. Secure: epoch keys rotate on member removal. Strict: no history. Transient: deleted after delivery.
Verify contacts by comparing safety numbers out-of-band — the same pattern Signal uses. Multi-device linking uses 30-digit SAS verification. Identity key changes trigger visible warnings.
Hushwire is in closed alpha. Download the client, create a community, and invite the people who matter. Available for macOS, Windows, and Linux.
Download Hushwire