Wire is a secure messaging app that uses end-to-end encryption (E2EE) for all communications—including messages, calls, and file sharing—ensuring only participants can decrypt the information. E2EE is always enabled by default and cannot be disabled. Wire's open-source code allows anyone to verify its security protocols.

Message Encryption:

Wire employs the Proteus protocol, its implementation of the Axolotl/Double Ratchet protocol, to secure messages between clients. By utilizing pre-keys, Wire allows encrypted conversations to start even when both parties are not online simultaneously. The Proteus protocol incorporates robust cryptographic primitives:  

• ChaCha20 Stream Cipher
• HMAC-SHA256 for message authentication codes
• Curve25519 for elliptic curve Diffie-Hellman key exchange
• HKDF for key derivation functions

Media Encryption:

For one-to-one audio and video calls, Wire uses the Secure Real-time Transport Protocol (SRTP), with encryption keys and parameters negotiated through a Datagram Transport Layer Security (DTLS) handshake. Client authenticity is verified via fingerprint exchange over authenticated Proteus sessions. Conference calls are similarly encrypted but leverage Insertable Streams for E2EE of media packets, using: 

• AES-GCM 256 for payload encryption
• HKDF-SHA512 for key derivation

Forward Secrecy (FS) & Post-Compromise Security (PCS):

Wire ensures that all communications benefit from Forward Secrecy (FS) and Post-Compromise Security (PCS):

• Forward Secrecy (FS): Even if an encryption key is compromised, past communications remain secure because each message is encrypted with a unique key.
• Post-Compromise Security (PCS): After detecting a security breach and replacing compromised keys, future communications remain secure, safeguarding against attackers who had access to earlier sessions.

See Wire’s Security Whitepaper for more technical details about the encryption protocols. Or visit our help center to get more details.

Wire is committed to user privacy by collecting only the minimal data necessary to sync conversations across devices and troubleshoot issues. User profiles include:

• Registration email
• Username
• Profile name

Upon registration, Wire stores metadata per device to enhance notification clarity:

• Device class (mobile, tablet, desktop)
• Device model (for example, iPhone 14)
• User-defined device label
• Cookie label for authentication
• UTC timestamp of device registration

For more details please see Wire’s Privacy Whitepaper.

Wire allows users to verify conversations by comparing unique key fingerprints for each client. This process ensures that you're communicating with the intended recipient and helps prevent man-in-the-middle (MITM) attacks. After verification, you'll receive alerts if your contact starts using Wire on a new device.

Learn more about Wire’s crypto protocol

Wire uses end-to-end encryption for all messages, media, and calling. We use Secure Real-Time Transport Protocol (SRTP) with Datagram Transport Layer Security (DTLS) for end-to-end calling encryption.

Wire's mobile applications utilize operating system push notification services—Apple Push Notification Service (APN) for iOS and Firebase Cloud Messaging Service (FCM) for Android—to notify the app of updates. Importantly, Wire does not share any message or call data with these services. The app connects directly to Wire's servers to receive E2EE messages. Users preferring not to rely on external push services can download the F-Droid version of the Wire app, which avoids FCM and uses websockets for notifications.

See Wire’s Security Whitepaper and Privacy Whitepaper for more details about the encryption methods Wire uses and about how Wire protects your privacy.