What is Threema Safe?
Threema Safe is the Threema messenger's solution for backing up your encryption ID and other things, so they don't get lost when you either decide to smash your phone against a nearby anvil or the phone itself decides to die unexpectedly. From this backup you can restore the aforementioned things into a new Threema installation.
Threema Safe can also be self-hosted.
How does it work?
Threema Safe regularly backs things up into a WebDAV directory of your choice. By default the Threema server is configured for this, but any WebDAV server, from a standard web server to a Nextcloud, can be configured as a backup target.
Server-side setup
Since a standard web server can be used as a backup target, we will show the configuration nginx needs to act as a valid backup server for Threema Safe.
The main configuration file of the server, /etc/nginx.conf, reads:
user www-data;
worker_processes 4;
pid /run/nginx.pid;

# nginx refuses to start without an events section
events {}

http {
    # standard stuff
    include /etc/nginx/mime.types;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_dhparam /path/to/dhparams;

    server {
        listen 443 ssl default_server;      # ipv4
        listen [::]:443 ssl default_server; # ipv6
        # server_name is only valid inside a server block
        server_name some.arbitrary.domain;

        location / {
            root /path/to/webdav/contents;
            client_body_temp_path /tmp;
            # WebDAV methods the backup target has to accept
            dav_methods PUT DELETE MKCOL COPY MOVE;
            create_full_put_path on;
            # uploaded files are readable and writable by the owner only
            dav_access user:rw;
            autoindex on;
            # if desired, a htpasswd-file can be provided to require
            # authentication in front of the nginx
            auth_basic "you shall not pass";
            auth_basic_user_file /path/to/htpasswd;
        }
    }
}
In the root of the WebDAV-folder create a folder (optional) with two things present (not optional):
- a file config
- a directory backups that must be writable (and likely readable for restore)
The config file reads:
{
  "maxBackupBytes": 524288,
  "retentionDays": 180
}
This concludes the server-side setup. If you want to verify that the WebDAV works correctly, you can open it in your browser and see if it responds correctly.
# tree /path/to/webdav/contents
/path/to/webdav/contents
└── threema_safe
    ├── backups
    │   └── b5bb9d8014a0f9b1d only after first backup 12f4850b878ae4944c
    └── config
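The folder layout and config file described above can also be checked on the server itself before the first backup. The following Python script is an added example, not part of the original post or of Threema; the function name check_safe_root, the requirement that both config values are positive integers, and the world-writable check are assumptions made for illustration.

```python
import json
import os
import stat
import sys
from pathlib import Path

REQUIRED_KEYS = ("maxBackupBytes", "retentionDays")  # keys from the config file above


def check_safe_root(root):
    """Return a list of problems in a Threema Safe folder; empty means OK."""
    root, problems = Path(root), []
    config, backups = root / "config", root / "backups"

    if not config.is_file():
        problems.append("config: file missing")
    else:
        try:
            data = json.loads(config.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            problems.append(f"config: not valid JSON ({exc})")
        else:
            values = data if isinstance(data, dict) else {}
            for key in REQUIRED_KEYS:
                # Assumption: both values are positive integers, as in the sample.
                if type(values.get(key)) is not int or values[key] <= 0:
                    problems.append(f"config: {key} must be a positive integer")

    if not backups.is_dir():
        problems.append("backups: directory missing")
    else:
        # Run as the nginx worker user (www-data above) so these checks
        # reflect what the server process is allowed to do.
        if not os.access(backups, os.W_OK | os.X_OK):
            problems.append("backups: not writable, uploads would fail")
        if not os.access(backups, os.R_OK):
            problems.append("backups: not readable, restore would fail")
        # Added hardening check (assumption): dav_access user:rw keeps uploads
        # private to the owner; a world-writable directory undermines that.
        if stat.S_IMODE(backups.stat().st_mode) & stat.S_IWOTH:
            problems.append("backups: world-writable")
    return problems


if __name__ == "__main__":
    found = check_safe_root(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(found) or "layout OK")
    sys.exit(1 if found else 0)
```

Pass the Threema Safe folder as the only argument, for example /path/to/webdav/contents/threema_safe; the exit status is non-zero when a problem is found.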
Client side setup
In Threema, go to the menu and select “My backups”.
Activate Threema Safe and tap on “Expert Settings”; there you can enter your custom server.
In our example, this would be https://some.arbitrary.domain/threema_safe.
If you configured your nginx to require authentication, specify your access credentials.
Then tap “Backup now” and you should be good to go!