Send encrypted messages via Secrez

Secrez 0.8.0 introduces the ability to exchange end-to-end, encrypted messages between local accounts, using a remote hub for SSL tunneling.

If you don’t know what Secrez is, please read my previous post:

How it works

Supposing that you are using Secrez locally, the communication between accounts is possible thanks to two external components: a courier and a hub.

The courier must run on your machine. It works as a post office, sending and receiving letters — ignoring the content.

The hub must be accessible from anywhere. It is used by couriers to publish themselves and talk to other couriers. The hub does only one thing: generate SSL tunnels towards the couriers (by default, they use

Any message moving around is composed of a payload and a signature. Hub and courier verify the signature and accept or reject the message, only the Secrez account can generate the payload with the encrypted message, and decrypt others’ messages.

The algorithm used for the exchange is x25519-xsalsa20-poly1305 — more info at

The flow

How to chat

If you haven’t yet, update Secrez to a version >= 0.8.0:

$ npm i -g secrez@latest

Install the Courier:

$ npm i -g @secrez/courier

Run the courier

$ secrez-courier

If you don’t specify the hub you like to use, it will use the default hub on
If there are no issues, it will show something like:

In Secrez, execute courier. It will ask you the port where the courier is listening to. If the courier is listening, Secrez connects to the courier and take ownership of it. Now, you are ready to chat with someone. First, look at your own data running whoami. It will show your public key and, most relevantly, your url on the hub that you must pass to your friend.

The method used in Secrez is experimental and is far from perfect. So, sometimes the connection to the hub gets lost — some other time you have to update the contact (using contacts -u …). I am working on it. However, in most cases, just repeat the process and the courier will reset the connection.

A quick video

Your own hub

I have set up a hub on to simplify people’s life. But in many case, it would be better if you use your own hub. For example, a company could set up the hub that its employees will use.

The simplest way to go is to install the Secrez Hub on a remote server:

npm i -g @secrez/hub

and run it:


If you don’t specify otherwise, it will start listening on port 8433.

A more reliable way is to use a process manager. If you clone the Secrez monorepo. You can run the script in the folder packages/hub/bin/pm2. It will use Pm2 and will keep the hub up.

Despite your preference, you should use a proxy, like Nginx, to expose it to HTTPS. You can generate free certificates using Let’s Encrypt.

Since the hub generates subdomains for any courier, it is essential that you set up the DNS for the domain to handle * Also, the firewall must allow access at ports higher than 32k on TCP.

Feedback, requests, suggestions

If you have suggestions, requests, etc. please open an issue at:

You can also join the Discord group. It is very silent, right now, but hopefully, sooner or later, it will become active:

🙏 Acknowledgments

Secrez Hub is based on Localtunnel Server, which has been created by Roman Shtylman (zombie). I forked it and added some restrictions to make it suitable for Secrez (and only for it). I want to publicly thank Roman to allow the world to use his brilliant code.

If you like this post, please 👏 and share it!

This post has been also published at

Polymath. Before founded @Passpack, and was at @Turo, @Yahoo, @Tronfoundation and others. More at