Security Model
GLYPH's security model is the reason most of the platform exists. It's the single biggest difference between running a GLYPH workspace and running a Slack or Teams tenant. This page spends a minute on what GLYPH does cryptographically, then more time on the part that actually changes your job: what that means for the decisions you make as an admin.
How GLYPH protects your content
Two technologies do most of the work.
MLS (Messaging Layer Security)
The IETF standard for end-to-end encrypted group messaging, defined in RFC 9420. MLS is the protocol that lets a group of any size share keys, add and remove members, and keep their conversation private from everyone outside the group — including the server delivering the messages.
MLS gives groups two properties that matter for admins:
- Forward secrecy — even if a key is compromised today, older messages stay protected.
- Post-compromise security — once a compromised member or device is removed, the group recovers and future messages are again private. Removal is real, not cosmetic.
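The epoch mechanics behind both properties, as a simplified model added here for illustration (not GLYPH code and not the full RFC 9420 key schedule). HMAC-SHA-256 stands in for the MLS KDF, the commit secrets are random bytes rather than ratchet-tree output, and `Member`, `derive`, `advance_epoch` and `run_scenario` are hypothetical names.

```python
import hashlib
import hmac
import os

def derive(secret: bytes, label: bytes) -> bytes:
    """One-way labelled derivation (HMAC-SHA-256 standing in for the MLS KDF)."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def advance_epoch(init_secret: bytes, commit_secret: bytes) -> tuple[bytes, bytes]:
    """Mix the previous init secret with fresh commit entropy; return (epoch_key, next_init)."""
    # Simplified: real MLS also binds the group context into each derivation.
    epoch_secret = hmac.new(init_secret, commit_secret, hashlib.sha256).digest()
    return derive(epoch_secret, b"encryption"), derive(epoch_secret, b"init")

class Member:
    """One device's key-schedule state (hypothetical model, not GLYPH code)."""
    def __init__(self, init_secret: bytes):
        self.init_secret = init_secret
        self.epoch_key = b""

    def process_commit(self, commit_secret: bytes) -> None:
        # Overwriting the old secrets is what gives forward secrecy: nothing
        # kept after this call can regenerate an earlier epoch's key.
        self.epoch_key, self.init_secret = advance_epoch(self.init_secret, commit_secret)

def run_scenario() -> dict:
    """Constructed scenario: three devices share epoch 1, one is removed in epoch 2."""
    start = os.urandom(32)
    alice, bob, removed = Member(start), Member(start), Member(start)
    c1 = os.urandom(32)
    for m in (alice, bob, removed):
        m.process_commit(c1)
    epoch1_key = alice.epoch_key
    # The removal commit's secret is delivered only to the remaining members.
    c2 = os.urandom(32)
    for m in (alice, bob):
        m.process_commit(c2)
    # The removed device still holds epoch-1 state but lacks c2, so it can only guess.
    guess, _ = advance_epoch(removed.init_secret, os.urandom(32))
    return {
        "remaining_agree": alice.epoch_key == bob.epoch_key,
        "removed_locked_out": guess != alice.epoch_key and removed.epoch_key != alice.epoch_key,
        "epoch1_key_gone": epoch1_key not in (alice.epoch_key, alice.init_secret),
    }

if __name__ == "__main__":
    print(run_scenario())
```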
Post-quantum cryptography (PQC)
The second layer. Traditional public-key encryption (such as elliptic-curve cryptography) is secure against today's classical computers but is expected to fall to sufficiently powerful quantum computers in the future. The threat isn't only future-tense — adversaries can record encrypted traffic today and decrypt it later once quantum hardware matures (the "harvest now, decrypt later" problem).
GLYPH addresses this via NIST-approved post-quantum algorithms — currently CRYSTALS — through the crypto-agility framework. New standards get added as they emerge.
Together: MLS shapes the protocol (who can read what, how membership changes), PQC determines the math (how the underlying keys resist attack).
What this means for admins
Four implications. Internalize these and you'll avoid the most painful surprises GLYPH has to offer.
Implication 1 — End-to-end encryption
With end-to-end encryption, SENTRIQS cannot read your messages, your files, or your calls. It also means SENTRIQS cannot recover lost or deleted content on your behalf. There is no "ask support to restore it" backstop.
Implication 2 — Archiving keys are unrecoverable
If your organization needs compliant archiving, enable it from the admin panel — but the encryption key is shown to you exactly once, at the moment you turn the feature on. SENTRIQS doesn't retain it and cannot reissue it.
If the key is lost, the archived material is permanently inaccessible. SENTRIQS can set you up with a new archive, but everything previously archived is gone. See Archiving and Compliance for the full handling guide.
Implication 3 — Workspace removal burns content from a member's devices
When you remove someone from the workspace (Manage [Workspace] admin view), GLYPH erases your workspace's group content from every one of their devices. By design — it's the "post-compromise security" property of MLS in action.
No undo. Re-adding them later gives a clean slate, not a restore. Removing someone from a single group's members view revokes their access to that group but doesn't burn existing content.
Implication 4 — Devices are authenticated individually
A user with a laptop, phone, and tablet is three trust decisions, not one. Each device gets its own keys and is added to a group independently.
How devices get into a group depends on the group's visibility: in Open groups, members can join on their own and add their own devices without admin involvement. In Private groups, an Owner or Manager has to add the member (with at least one device) first.
See The Device Model for the full breakdown.
The bottom line
GLYPH's encryption is what gives the platform its value, and it's what removes the safety nets a Slack admin takes for granted. There is no "ask support to recover it" backstop in GLYPH. Plan, document, and decide accordingly.