Self-hosting Threema Safe

12. Feb 2019

What is Threema Safe?

Threema Safe is the messenger Threema’s solution to back up your encryption ID and other things so they don’t get lost once either you decide to smash your phone against a nearby anvil or the phone itself decides to die unexpectedly. From this backup you can restore the aforementioned things into a new Threema-installation.

Threema Safe can also be selfhosted.

How does it work

Threema Safe regularly backs things up into a WebDAV-directory of choice. By default the Threema-Server is configured for this, but any WebDAV-server, from a standard webserver to a Nexcloud, can be configured as a backup target.

Server-side setup

As a standard webserver can be used as a backup target, we will show the necessary configuration for an nginx to act as a valid backup server for Threema Safe.

The main configuration file of the server, /etc/nginx.conf, reads

user www-data;
worker_processes 4;
pid /run/nginx.pid;

http {

	# standard stuff
	include /etc/nginx/mime.types;
	ssl_certificate /path/to/cert.pem;
	ssl_certificate_key /path/to/key.pem;
	ssl_dhparam /path/to/dhparams;

	server_name some.arbitrary.domain;

	server {
	
		listen 443 ssl default_server;      # ipv4
		listen [::]:443 ssl default_server; # ipv6
	
		location / {
			root	/path/to/webdav/contents;
			client_body_temp_path /tmp;
			dav_methods     PUT DELETE MKCOL COPY MOVE;

			create_full_put_path  on;
			dav_access    user:rw;
			autoindex    on;

			# if desired, a htpasswd-file can be provided to require
			# authentication in front of the nginx
			auth_basic "you shall not pass";
			auth_basic_user_file /path/to/htpasswd;
		}
	}
}

In the root of the WebDAV-folder create a folder (optional) with two things present (not optional):

a file config
a directory backups that must be writable (and likely readable for restore)

The config-file reads:

{
   "maxBackupBytes": 524288,
   "retentionDays": 180
}

This concludes the server side backup. If you want to verify that the WebDAV works correctly, you can browse it with your browser to see if it responds correctly.

# tree /path/to/webdav/contents
/path/to/webdav/contents
└── threema_safe
    ├── backups
    │   └── b5bb9d8014a0f9b1d only after first backup 12f4850b878ae4944c
    └── config

Client side setup

In Threema, go to the menu and select “My backups”. Activate Threema Safe and tap on “Expert Settings”, there you can enter your custom server. In our example, this would be https://some.arbitrary.domain/threema_safe. If you configured your nginx to require authentication, specify your access credentials. Then tap “Backup now” and you should be good to go!