feat: E2EE room key reset modal (#33503)

Co-authored-by: Kevin Aleman <11577696+KevLehman@users.noreply.github.com>
1 year ago · 2806cb5d3e
parent 4aa731d6e9
commit 2806cb5d3e
14 changed files with 482 additions and 28 deletions
--- a/.changeset/e2ee-modal-keys.md
+++ b/.changeset/e2ee-modal-keys.md
@ -0,0 +1,8 @@
+---
+"@rocket.chat/meteor": major
+"@rocket.chat/i18n": patch
+---
+
+Adds modal confirmation to enable and disable End-to-end encryption
+
+Adds a reset room key option to the modal that disables End-to-end encryption, this is useful when all the members of a room lose their room E2EE keys
--- a/apps/meteor/app/e2e/client/rocketchat.e2e.room.js
+++ b/apps/meteor/app/e2e/client/rocketchat.e2e.room.js
@ -309,7 +309,7 @@ export class E2ERoom extends Emitter {
 		try {
 			const room = ChatRoom.findOne({ _id: this.roomId });
 			// Only room creator can set keys for room
-			if (!room.e2eKeyId && room.u._id === this.userId) {
+			if (!room.e2eKeyId && this.userShouldCreateKeys(room)) {
 				this.setState(E2ERoomState.CREATING_KEYS);
 				await this.createGroupKey();
 				this.setState(E2ERoomState.READY);
@ -325,6 +325,15 @@ export class E2ERoom extends Emitter {
 		}
 	}

+	userShouldCreateKeys(room) {
+		// On DMs, we'll allow any user to set the keys
+		if (room.t === 'd') {
+			return true;
+		}
+
+		return room.u._id === this.userId;
+	}
+
 	isSupportedRoomType(type) {
 		return roomCoordinator.getRoomDirectives(type).allowRoomSettingChange({}, RoomSettingsEnum.E2E);
 	}
@ -644,8 +653,16 @@ export class E2ERoom extends Emitter {
 		};
 	}

+	async doDecrypt(vector, key, cipherText) {
+		const result = await decryptAES(vector, key, cipherText);
+		return EJSON.parse(new TextDecoder('UTF-8').decode(new Uint8Array(result)));
+	}
+
 	async decrypt(message) {
 		const keyID = message.slice(0, 12);
+		message = message.slice(12);
+
+		const [vector, cipherText] = splitVectorAndEcryptedData(Base64.decode(message));

 		let oldKey = '';
 		if (keyID !== this.keyID) {
@ -653,20 +670,21 @@ export class E2ERoom extends Emitter {
 			// Messages already contain a keyID stored with them
 			// That means that if we cannot find a keyID for the key the message has preppended to
 			// The message is indecipherable.
+			// In these cases, we'll give a last shot using the current session key, which may not work
+			// but will be enough to help with some mobile issues.
 			if (!oldRoomKey) {
-				this.error(`Message is indecipherable. Message KeyID ${keyID} not found in old room keys`);
-				return { msg: t('E2E_indecipherable') };
+				try {
+					return await this.doDecrypt(vector, this.groupSessionKey, cipherText);
+				} catch (error) {
+					this.error('Error decrypting message: ', error, message);
+					return { msg: t('E2E_indecipherable') };
+				}
 			}
 			oldKey = oldRoomKey.E2EKey;
 		}

-		message = message.slice(12);
-
-		const [vector, cipherText] = splitVectorAndEcryptedData(Base64.decode(message));
-
 		try {
-			const result = await decryptAES(vector, oldKey || this.groupSessionKey, cipherText);
-			return EJSON.parse(new TextDecoder('UTF-8').decode(new Uint8Array(result)));
+			return await this.doDecrypt(vector, oldKey || this.groupSessionKey, cipherText);
 		} catch (error) {
 			this.error('Error decrypting message: ', error, message);
 			return { msg: t('E2E_Key_Error') };
--- a/apps/meteor/app/e2e/client/rocketchat.e2e.ts
+++ b/apps/meteor/app/e2e/client/rocketchat.e2e.ts
@ -139,8 +139,6 @@ class E2E extends Emitter {
 		this.log('decryptSubscriptions');
 		await this.decryptSubscriptions();
 		this.log('decryptSubscriptions -> Done');
-		await this.initiateDecryptingPendingMessages();
-		this.log('DecryptingPendingMessages -> Done');
 		await this.initiateKeyDistribution();
 		this.log('initiateKeyDistribution -> Done');
 		this.observeSubscriptions();
@ -332,10 +330,6 @@ class E2E extends Emitter {
 		Object.keys(this.instancesByRoomId).map((key) => this.instancesByRoomId[key].handshake());
 	}

-	async initiateDecryptingPendingMessages() {
-		await Promise.all(Object.keys(this.instancesByRoomId).map((key) => this.instancesByRoomId[key].decryptPendingMessages()));
-	}
-
 	openSaveE2EEPasswordModal(randomPassword: string) {
 		imperativeModal.open({
 			component: SaveE2EPasswordModal,
--- a/apps/meteor/client/components/GenericModal/GenericModal.tsx
+++ b/apps/meteor/client/components/GenericModal/GenericModal.tsx
@ -21,6 +21,7 @@ type GenericModalProps = RequiredModalProps & {
 	tagline?: ReactNode;
 	onCancel?: () => Promise<void> | void;
 	onClose?: () => Promise<void> | void;
+	onDismiss?: () => Promise<void> | void;
 	annotation?: ReactNode;
 } & Omit<ComponentPropsWithoutRef<typeof Modal>, 'title'>;

@ -67,6 +68,7 @@ const GenericModal = ({
 	icon,
 	onCancel,
 	onClose = onCancel,
+	onDismiss = onClose,
 	onConfirm,
 	dontAskAgain,
 	confirmDisabled,
@ -98,9 +100,9 @@ const GenericModal = ({
 	useEffect(
 		() => () => {
 			if (!dismissedRef.current) return;
-			onClose?.();
+			onDismiss?.();
 		},
-		[onClose],
+		[onDismiss],
 	);

 	return (
--- a/apps/meteor/client/hooks/roomActions/useE2EERoomAction.spec.ts
+++ b/apps/meteor/client/hooks/roomActions/useE2EERoomAction.spec.ts
@ -4,6 +4,7 @@ import { act, renderHook, waitFor } from '@testing-library/react';
 import { E2EEState } from '../../../app/e2e/client/E2EEState';
 import { e2e } from '../../../app/e2e/client/rocketchat.e2e';
 import { OtrRoomState } from '../../../app/otr/lib/OtrRoomState';
+import { imperativeModal } from '../../lib/imperativeModal';
 import { dispatchToastMessage } from '../../lib/toast';
 import { useRoom, useRoomSubscription } from '../../views/room/contexts/RoomContext';
 import { useE2EEState } from '../../views/room/hooks/useE2EEState';
@ -20,6 +21,13 @@ jest.mock('../../lib/toast', () => ({
 	dispatchToastMessage: jest.fn(),
 }));

+jest.mock('../../lib/imperativeModal', () => ({
+	imperativeModal: {
+		open: jest.fn(),
+		close: jest.fn(),
+	},
+}));
+
 jest.mock('../../views/room/contexts/RoomContext', () => ({
 	useRoom: jest.fn(),
 	useRoomSubscription: jest.fn(),
@ -39,6 +47,10 @@ jest.mock('../../views/room/hooks/useE2EEState', () => ({
 	useE2EEState: jest.fn(),
 }));

+jest.mock('../../views/room/hooks/useE2EERoomState', () => ({
+	useE2EERoomState: jest.fn(),
+}));
+
 jest.mock('react-i18next', () => ({
 	useTranslation: () => ({
 		t: (key: string) => key,
@ -105,20 +117,14 @@ describe('useE2EERoomAction', () => {
 		await waitFor(() => expect(dispatchToastMessage).toHaveBeenCalledWith({ type: 'error', message: 'E2EE_not_available_OTR' }));
 	});

-	it('should dispatch success toast message when encryption is enabled', async () => {
+	it('should open Enable E2EE confirmation modal', async () => {
 		(useOTR as jest.Mock).mockReturnValue({ otrState: OtrRoomState.NOT_STARTED });

 		const { result } = renderHook(() => useE2EERoomAction(), { legacyRoot: true });
-
 		act(() => {
 			result?.current?.action?.();
 		});

-		await waitFor(() =>
-			expect(dispatchToastMessage).toHaveBeenCalledWith({
-				type: 'success',
-				message: 'E2E_Encryption_enabled_for_room',
-			}),
-		);
+		await waitFor(() => expect(imperativeModal.open).toHaveBeenCalledTimes(1));
 	});
 });
--- a/apps/meteor/client/hooks/roomActions/useE2EERoomAction.ts
+++ b/apps/meteor/client/hooks/roomActions/useE2EERoomAction.ts
@ -5,11 +5,17 @@ import { useMemo } from 'react';
 import { useTranslation } from 'react-i18next';

 import { E2EEState } from '../../../app/e2e/client/E2EEState';
+import { E2ERoomState } from '../../../app/e2e/client/E2ERoomState';
 import { OtrRoomState } from '../../../app/otr/lib/OtrRoomState';
+import { getRoomTypeTranslation } from '../../lib/getRoomTypeTranslation';
+import { imperativeModal } from '../../lib/imperativeModal';
 import { dispatchToastMessage } from '../../lib/toast';
 import { useRoom, useRoomSubscription } from '../../views/room/contexts/RoomContext';
 import type { RoomToolboxActionConfig } from '../../views/room/contexts/RoomToolboxContext';
+import { useE2EERoomState } from '../../views/room/hooks/useE2EERoomState';
 import { useE2EEState } from '../../views/room/hooks/useE2EEState';
+import BaseDisableE2EEModal from '../../views/room/modals/E2EEModals/BaseDisableE2EEModal';
+import EnableE2EEModal from '../../views/room/modals/E2EEModals/EnableE2EEModal';
 import { useOTR } from '../useOTR';

 export const useE2EERoomAction = () => {
@ -17,6 +23,7 @@ export const useE2EERoomAction = () => {
 	const room = useRoom();
 	const subscription = useRoomSubscription();
 	const e2eeState = useE2EEState();
+	const e2eeRoomState = useE2EERoomState(room._id);
 	const isE2EEReady = e2eeState === E2EEState.READY || e2eeState === E2EEState.SAVE_PASSWORD;
 	const readyToEncrypt = isE2EEReady || room.encrypted;
 	const permittedToToggleEncryption = usePermission('toggle-room-e2e-encryption', room._id);
@ -26,8 +33,30 @@ export const useE2EERoomAction = () => {
 	const { t } = useTranslation();
 	const { otrState } = useOTR();

+	const isE2EERoomNotReady = () => {
+		if (
+			e2eeRoomState === E2ERoomState.NO_PASSWORD_SET ||
+			e2eeRoomState === E2ERoomState.NOT_STARTED ||
+			e2eeRoomState === E2ERoomState.DISABLED ||
+			e2eeRoomState === E2ERoomState.ERROR ||
+			e2eeRoomState === E2ERoomState.WAITING_KEYS
+		) {
+			return true;
+		}
+
+		return false;
+	};
+
+	const enabledOnRoom = !!room.encrypted;
+
+	const roomType = useMemo(() => getRoomTypeTranslation(room)?.toLowerCase(), [room]);
+
+	const roomId = room._id;
+
 	const toggleE2E = useEndpoint('POST', '/v1/rooms.saveRoomSettings');

+	const canResetRoomKey = enabled && isE2EEReady && (room.t === 'd' || permittedToToggleEncryption) && isE2EERoomNotReady();
+
 	const action = useEffectEvent(async () => {
 		if (otrState === OtrRoomState.ESTABLISHED || otrState === OtrRoomState.ESTABLISHING || otrState === OtrRoomState.REQUESTED) {
 			dispatchToastMessage({ type: 'error', message: t('E2EE_not_available_OTR') });
@ -35,11 +64,37 @@ export const useE2EERoomAction = () => {
 			return;
 		}

+		if (enabledOnRoom) {
+			imperativeModal.open({
+				component: BaseDisableE2EEModal,
+				props: {
+					onClose: imperativeModal.close,
+					onConfirm: handleToogleE2E,
+					roomType,
+					roomId,
+					canResetRoomKey,
+				},
+			});
+		} else {
+			imperativeModal.open({
+				component: EnableE2EEModal,
+				props: {
+					onClose: imperativeModal.close,
+					onConfirm: handleToogleE2E,
+					roomType,
+				},
+			});
+		}
+	});
+
+	const handleToogleE2E = async () => {
 		const { success } = await toggleE2E({ rid: room._id, encrypted: !room.encrypted });
 		if (!success) {
 			return;
 		}

+		imperativeModal.close();
+
 		dispatchToastMessage({
 			type: 'success',
 			message: room.encrypted
@ -50,9 +105,7 @@ export const useE2EERoomAction = () => {
 		if (subscription?.autoTranslate) {
 			dispatchToastMessage({ type: 'success', message: t('AutoTranslate_Disabled_for_room', { roomName: room.name }) });
 		}
-	});
-
-	const enabledOnRoom = !!room.encrypted;
+	};

 	return useMemo((): RoomToolboxActionConfig | undefined => {
 		if (!enabled || !permitted) {
--- a/apps/meteor/client/views/room/hooks/useE2EEResetRoomKey.spec.ts
+++ b/apps/meteor/client/views/room/hooks/useE2EEResetRoomKey.spec.ts
@ -0,0 +1,114 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { renderHook, waitFor } from '@testing-library/react';
+
+import { e2e } from '../../../../app/e2e/client';
+import { useE2EEResetRoomKey } from './useE2EEResetRoomKey';
+
+jest.mock('../../../../app/e2e/client', () => ({
+	e2e: {
+		getInstanceByRoomId: jest.fn(),
+	},
+}));
+
+describe('useE2EEResetRoomKey', () => {
+	const e2eResetRoomKeyMock = jest.fn().mockResolvedValue({
+		e2eKeyId: 'E2E_KEY_ID',
+		e2eKey: 'E2E_KEY',
+	});
+	const resetRoomKeyMock = jest.fn();
+	const roomId = 'ROOM_ID';
+
+	afterEach(() => {
+		jest.clearAllMocks();
+	});
+
+	beforeEach(() => {
+		(e2e.getInstanceByRoomId as jest.Mock).mockImplementation(() => ({
+			resetRoomKey: e2eResetRoomKeyMock,
+		}));
+	});
+
+	it('should call resetRoomKey endpoint with correct params', async () => {
+		const { result } = renderHook(() => useE2EEResetRoomKey(), {
+			legacyRoot: true,
+			wrapper: mockAppRoot().withEndpoint('POST', '/v1/e2e.resetRoomKey', resetRoomKeyMock).build(),
+		});
+
+		await waitFor(() => result.current.mutate({ roomId }));
+
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledTimes(1);
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledWith('ROOM_ID');
+		expect(e2eResetRoomKeyMock).toHaveBeenCalledTimes(1);
+
+		expect(resetRoomKeyMock).toHaveBeenCalledWith({
+			rid: roomId,
+			e2eKeyId: 'E2E_KEY_ID',
+			e2eKey: 'E2E_KEY',
+		});
+
+		await waitFor(() => expect(result.current.status).toBe('success'));
+	});
+
+	it('should return an errror if e2e.getInstanceByRoomId() does not return correct params', async () => {
+		(e2e.getInstanceByRoomId as jest.Mock).mockReturnValue(null);
+
+		const { result } = renderHook(() => useE2EEResetRoomKey(), {
+			legacyRoot: true,
+			wrapper: mockAppRoot().withEndpoint('POST', '/v1/e2e.resetRoomKey', resetRoomKeyMock).build(),
+		});
+
+		await waitFor(() => result.current.mutate({ roomId }));
+
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledTimes(1);
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledWith('ROOM_ID');
+		expect(e2eResetRoomKeyMock).toHaveBeenCalledTimes(0);
+
+		await waitFor(() => expect(result.current.status).toBe('error'));
+	});
+
+	it('should return an errror if e2e.resetRoomKey() does not return correct params', async () => {
+		const e2eResetRoomKeyMock = jest.fn().mockResolvedValue(null);
+		const roomId = 'ROOM_ID';
+
+		(e2e.getInstanceByRoomId as jest.Mock).mockImplementation(() => ({
+			resetRoomKey: e2eResetRoomKeyMock,
+		}));
+
+		const { result } = renderHook(() => useE2EEResetRoomKey(), {
+			legacyRoot: true,
+			wrapper: mockAppRoot().withEndpoint('POST', '/v1/e2e.resetRoomKey', resetRoomKeyMock).build(),
+		});
+
+		await waitFor(() => result.current.mutate({ roomId }));
+
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledTimes(1);
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledWith('ROOM_ID');
+		expect(e2eResetRoomKeyMock).toHaveBeenCalledTimes(1);
+
+		expect(resetRoomKeyMock).toHaveBeenCalledTimes(0);
+
+		await waitFor(() => expect(result.current.status).toBe('error'));
+	});
+
+	it('should return an error if resetRoomKey does not resolve', async () => {
+		resetRoomKeyMock.mockRejectedValue(new Error('error-e2e-key-reset-in-progress'));
+		const { result } = renderHook(() => useE2EEResetRoomKey(), {
+			legacyRoot: true,
+			wrapper: mockAppRoot().withEndpoint('POST', '/v1/e2e.resetRoomKey', resetRoomKeyMock).build(),
+		});
+
+		await waitFor(() => result.current.mutate({ roomId }));
+
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledTimes(1);
+		expect(e2e.getInstanceByRoomId).toHaveBeenCalledWith('ROOM_ID');
+		expect(e2eResetRoomKeyMock).toHaveBeenCalledTimes(1);
+
+		expect(resetRoomKeyMock).toHaveBeenCalledWith({
+			rid: roomId,
+			e2eKeyId: 'E2E_KEY_ID',
+			e2eKey: 'E2E_KEY',
+		});
+
+		await waitFor(() => expect(result.current.status).toBe('error'));
+	});
+});
--- a/apps/meteor/client/views/room/hooks/useE2EEResetRoomKey.ts
+++ b/apps/meteor/client/views/room/hooks/useE2EEResetRoomKey.ts
@ -0,0 +1,35 @@
+import type { RoomID } from '@rocket.chat/core-typings';
+import { useEndpoint } from '@rocket.chat/ui-contexts';
+import type { UseMutationOptions, UseMutationResult } from '@tanstack/react-query';
+import { useMutation } from '@tanstack/react-query';
+
+import { e2e } from '../../../../app/e2e/client';
+
+type UseE2EEResetRoomKeyVariables = {
+	roomId: RoomID;
+};
+
+export const useE2EEResetRoomKey = (
+	options?: Omit<UseMutationOptions<void, Error, UseE2EEResetRoomKeyVariables>, 'mutationFn'>,
+): UseMutationResult<void, Error, UseE2EEResetRoomKeyVariables> => {
+	const resetRoomKey = useEndpoint('POST', '/v1/e2e.resetRoomKey');
+
+	return useMutation(async ({ roomId }) => {
+		const e2eRoom = await e2e.getInstanceByRoomId(roomId);
+		if (!e2eRoom) {
+			throw new Error('Cannot reset room key');
+		}
+
+		const { e2eKey, e2eKeyId } = (await e2eRoom.resetRoomKey()) ?? {};
+
+		if (!e2eKey || !e2eKeyId) {
+			throw new Error('Cannot reset room key');
+		}
+
+		try {
+			await resetRoomKey({ rid: roomId, e2eKeyId, e2eKey });
+		} catch (error) {
+			throw error;
+		}
+	}, options);
+};
--- a/apps/meteor/client/views/room/modals/E2EEModals/BaseDisableE2EEModal.tsx
+++ b/apps/meteor/client/views/room/modals/E2EEModals/BaseDisableE2EEModal.tsx
@ -0,0 +1,49 @@
+import { useEffectEvent } from '@rocket.chat/fuselage-hooks';
+import type { ReactElement } from 'react';
+import React, { useState } from 'react';
+
+import DisableE2EEModal from './DisableE2EEModal';
+import ResetKeysE2EEModal from './ResetKeysE2EEModal';
+
+const STEPS = {
+	DISABLE_E2EE: 'DISABLE_E2EE',
+	RESET_ROOM_KEY: 'RESET_ROOM_KEY',
+};
+
+type BaseDisableE2EEModalProps = {
+	onConfirm: () => void;
+	onClose: () => void;
+	roomType: string;
+	roomId: string;
+	canResetRoomKey: boolean;
+};
+
+const BaseDisableE2EEModal = ({
+	onConfirm,
+	onClose,
+	roomType,
+	roomId,
+	canResetRoomKey,
+}: BaseDisableE2EEModalProps): ReactElement | null => {
+	const [step, setStep] = useState(STEPS.DISABLE_E2EE);
+
+	const onResetRoomKey = useEffectEvent(() => {
+		setStep(STEPS.RESET_ROOM_KEY);
+	});
+
+	if (step === STEPS.RESET_ROOM_KEY && canResetRoomKey) {
+		return <ResetKeysE2EEModal roomType={roomType} roomId={roomId} onCancel={onClose} />;
+	}
+
+	return (
+		<DisableE2EEModal
+			onConfirm={onConfirm}
+			onCancel={onClose}
+			roomType={roomType}
+			canResetRoomKey={canResetRoomKey}
+			onResetRoomKey={onResetRoomKey}
+		/>
+	);
+};
+
+export default BaseDisableE2EEModal;
--- a/apps/meteor/client/views/room/modals/E2EEModals/DisableE2EEModal.tsx
+++ b/apps/meteor/client/views/room/modals/E2EEModals/DisableE2EEModal.tsx
@ -0,0 +1,54 @@
+import { Accordion, Box, Button } from '@rocket.chat/fuselage';
+import type { ReactElement } from 'react';
+import React from 'react';
+import { Trans, useTranslation } from 'react-i18next';
+
+import GenericModal from '../../../../components/GenericModal';
+
+type DisableE2EEModalProps = {
+	onConfirm: () => void;
+	onCancel: () => void;
+	roomType: string;
+	canResetRoomKey: boolean;
+	onResetRoomKey: () => void;
+};
+
+const DisableE2EEModal = ({ onConfirm, onCancel, roomType, canResetRoomKey, onResetRoomKey }: DisableE2EEModalProps): ReactElement => {
+	const { t } = useTranslation();
+
+	return (
+		<GenericModal
+			icon='key'
+			title={t('E2E_disable_encryption')}
+			variant='warning'
+			confirmText={t('E2E_disable_encryption')}
+			onConfirm={onConfirm}
+			onCancel={onCancel}
+			onDismiss={() => undefined}
+		>
+			<Box mbe={16} is='p'>
+				<Trans i18nKey='E2E_disable_encryption_description' tOptions={{ roomType }} />
+			</Box>
+
+			{canResetRoomKey && (
+				<>
+					<Box mbe={16} is='p'>
+						{t('E2E_disable_encryption_reset_keys_description')}
+					</Box>
+					<Accordion>
+						<Accordion.Item title={t('E2E_reset_encryption_keys')}>
+							<Box mbe={16} is='p'>
+								{t('E2E_reset_encryption_keys_description')}
+							</Box>
+							<Button secondary danger small onClick={onResetRoomKey}>
+								{t('E2E_reset_encryption_keys_button', { roomType })}
+							</Button>
+						</Accordion.Item>
+					</Accordion>
+				</>
+			)}
+		</GenericModal>
+	);
+};
+
+export default DisableE2EEModal;
--- a/apps/meteor/client/views/room/modals/E2EEModals/EnableE2EEModal.tsx
+++ b/apps/meteor/client/views/room/modals/E2EEModals/EnableE2EEModal.tsx
@ -0,0 +1,33 @@
+import { Box } from '@rocket.chat/fuselage';
+import type { ReactElement } from 'react';
+import React from 'react';
+import { useTranslation } from 'react-i18next';
+
+import GenericModal from '../../../../components/GenericModal';
+
+type EnableE2EEModalProps = {
+	onConfirm: () => void;
+	onClose: () => void;
+	roomType: string;
+};
+
+const EnableE2EEModal = ({ onConfirm, onClose, roomType }: EnableE2EEModalProps): ReactElement => {
+	const { t } = useTranslation();
+
+	return (
+		<GenericModal
+			icon='key'
+			title={t('E2E_enable_encryption')}
+			variant='warning'
+			confirmText={t('E2E_enable_encryption')}
+			onConfirm={onConfirm}
+			onCancel={onClose}
+		>
+			<Box mbe={16} is='p'>
+				{t('E2E_enable_encryption_description', { roomType })}
+			</Box>
+		</GenericModal>
+	);
+};
+
+export default EnableE2EEModal;
--- a/apps/meteor/client/views/room/modals/E2EEModals/ResetKeysE2EEModal.tsx
+++ b/apps/meteor/client/views/room/modals/E2EEModals/ResetKeysE2EEModal.tsx
@ -0,0 +1,62 @@
+import { Box, Modal } from '@rocket.chat/fuselage';
+import { ExternalLink } from '@rocket.chat/ui-client';
+import type { ReactElement } from 'react';
+import React from 'react';
+import { Trans, useTranslation } from 'react-i18next';
+
+import GenericModal from '../../../../components/GenericModal';
+import { dispatchToastMessage } from '../../../../lib/toast';
+import { useE2EEResetRoomKey } from '../../hooks/useE2EEResetRoomKey';
+
+const E2EE_RESET_KEY_LINK = 'https://go.rocket.chat/i/e2ee-guide';
+
+type ResetKeysE2EEModalProps = {
+	roomType: string;
+	roomId: string;
+	onCancel: () => void;
+};
+
+const ResetKeysE2EEModal = ({ roomType, roomId, onCancel }: ResetKeysE2EEModalProps): ReactElement => {
+	const { t } = useTranslation();
+	const resetRoomKeyMutation = useE2EEResetRoomKey();
+
+	const handleResetRoomKey = () => {
+		resetRoomKeyMutation.mutate(
+			{ roomId },
+			{
+				onSuccess: () => {
+					dispatchToastMessage({ type: 'success', message: t('E2E_reset_encryption_keys_success') });
+				},
+				onError: () => {
+					dispatchToastMessage({ type: 'error', message: t('E2E_reset_encryption_keys_error') });
+				},
+				onSettled: () => {
+					onCancel();
+				},
+			},
+		);
+	};
+
+	return (
+		<GenericModal
+			icon={<Modal.Icon color='danger' name='key' />}
+			title={t('E2E_reset_encryption_keys')}
+			variant='danger'
+			confirmText={t('E2E_reset_encryption_keys')}
+			dontAskAgain={<Modal.FooterAnnotation>{t('This_action_cannot_be_undone')}</Modal.FooterAnnotation>}
+			onCancel={onCancel}
+			onConfirm={handleResetRoomKey}
+			onDismiss={() => undefined}
+		>
+			<Box mbe={16} is='p'>
+				<Trans i18nKey='E2E_reset_encryption_keys_modal_description' tOptions={{ roomType }}>
+					Resetting E2EE keys is only recommend if no {roomType} member has a valid key to regain access to the previously encrypted
+					content. All members may lose access to previously encrypted content.
+					<ExternalLink to={E2EE_RESET_KEY_LINK}>Learn more</ExternalLink> about resetting encryption keys. Proceed with caution.
+				</Trans>
+			</Box>
+		</GenericModal>
+	);
+};
+
+export default ResetKeysE2EEModal;
--- a/apps/meteor/tests/e2e/e2e-encryption.spec.ts
+++ b/apps/meteor/tests/e2e/e2e-encryption.spec.ts
@ -160,6 +160,8 @@ test.describe.serial('e2e-encryption', () => {

 		await expect(poHomeChannel.tabs.btnDisableE2E).toBeVisible();
 		await poHomeChannel.tabs.btnDisableE2E.click({ force: true });
+		await expect(page.getByRole('dialog', { name: 'Disable encryption' })).toBeVisible();
+		await page.getByRole('button', { name: 'Disable encryption' }).click();
 		await poHomeChannel.dismissToast();
 		await page.waitForTimeout(1000);

@ -171,6 +173,8 @@ test.describe.serial('e2e-encryption', () => {
 		await poHomeChannel.tabs.kebab.click({ force: true });
 		await expect(poHomeChannel.tabs.btnEnableE2E).toBeVisible();
 		await poHomeChannel.tabs.btnEnableE2E.click({ force: true });
+		await expect(page.getByRole('dialog', { name: 'Enable encryption' })).toBeVisible();
+		await page.getByRole('button', { name: 'Enable encryption' }).click();
 		await poHomeChannel.dismissToast();
 		await page.waitForTimeout(1000);

@ -255,6 +259,8 @@ test.describe.serial('e2e-encryption', () => {
 		await poHomeChannel.tabs.kebab.click({ force: true });
 		await expect(poHomeChannel.tabs.btnEnableE2E).toBeVisible();
 		await poHomeChannel.tabs.btnEnableE2E.click({ force: true });
+		await expect(page.getByRole('dialog', { name: 'Enable encryption' })).toBeVisible();
+		await page.getByRole('button', { name: 'Enable encryption' }).click();
 		await page.waitForTimeout(1000);

 		await expect(poHomeChannel.content.encryptedRoomHeaderIcon).toBeVisible();
@ -367,6 +373,8 @@ test.describe.serial('e2e-encryption', () => {
 		await poHomeChannel.tabs.kebab.click({ force: true });
 		await expect(poHomeChannel.tabs.btnEnableE2E).toBeVisible();
 		await poHomeChannel.tabs.btnEnableE2E.click({ force: true });
+		await expect(page.getByRole('dialog', { name: 'Enable encryption' })).toBeVisible();
+		await page.getByRole('button', { name: 'Enable encryption' }).click();
 		await page.waitForTimeout(1000);

 		await expect(poHomeChannel.content.encryptedRoomHeaderIcon).toBeVisible();
@ -446,6 +454,8 @@ test.describe.serial('e2e-encryption', () => {

 			await expect(poHomeChannel.tabs.btnDisableE2E).toBeVisible();
 			await poHomeChannel.tabs.btnDisableE2E.click();
+			await expect(page.getByRole('dialog', { name: 'Disable encryption' })).toBeVisible();
+			await page.getByRole('button', { name: 'Disable encryption' }).click();
 			await poHomeChannel.dismissToast();
 			// will wait till the key icon in header goes away
 			await expect(poHomeChannel.content.encryptedRoomHeaderIcon).toHaveCount(0);
@ -472,6 +482,8 @@ test.describe.serial('e2e-encryption', () => {

 			await expect(poHomeChannel.tabs.btnEnableE2E).toBeVisible();
 			await poHomeChannel.tabs.btnEnableE2E.click();
+			await expect(page.getByRole('dialog', { name: 'Enable encryption' })).toBeVisible();
+			await page.getByRole('button', { name: 'Enable encryption' }).click();
 			await poHomeChannel.dismissToast();
 			// will wait till the key icon in header appears
 			await expect(poHomeChannel.content.encryptedRoomHeaderIcon).toHaveCount(1);
@ -727,6 +739,8 @@ test.describe.serial('e2e-encryption', () => {
 		await poHomeChannel.tabs.kebab.click({ force: true });
 		await expect(poHomeChannel.tabs.btnEnableE2E).toBeVisible();
 		await poHomeChannel.tabs.btnEnableE2E.click({ force: true });
+		await expect(page.getByRole('dialog', { name: 'Enable encryption' })).toBeVisible();
+		await page.getByRole('button', { name: 'Enable encryption' }).click();
 		await page.waitForTimeout(1000);
 		await expect(poHomeChannel.content.encryptedRoomHeaderIcon).toBeVisible();

--- a/packages/i18n/src/locales/en.i18n.json
+++ b/packages/i18n/src/locales/en.i18n.json
@ -1812,6 +1812,17 @@
  "E2E_Encryption_disabled_for_room": "End-to-end encryption disabled for #{{roomName}}",
  "E2EE_not_available_OTR": "This room has OTR enabled, E2E encryption cannot work with OTR.",
  "E2EE_Composer_Unencrypted_Message": "You're sending an unencrypted message",
+  "E2E_enable_encryption": "Enable encryption",
+  "E2E_enable_encryption_description": "Keep conversations private with E2EE, ensuring only intended recipients can access messages and files in this {{roomType}}.",
+  "E2E_disable_encryption": "Disable encryption",
+  "E2E_disable_encryption_description": "Disabling E2EE will compromise the privacy of this {{roomType}}. Access to any encrypted content will be lost for all {{roomType}} members. <br/><br/> Encryption can be re-enabled later. Proceed with caution.",
+  "E2E_disable_encryption_reset_keys_description": "If no one is able to access the encrypted content you can reset encryption keys instead.",
+  "E2E_reset_encryption_keys": "Reset encryption keys",
+  "E2E_reset_encryption_keys_description": "Alternatively, resetting encryption keys will keep encryption enabled but access to previously encrypted content may be lost.",
+  "E2E_reset_encryption_keys_button": "Reset {{roomType}} encryption keys",
+  "E2E_reset_encryption_keys_modal_description": "Resetting E2EE keys is only recommend if no {{roomType}} member has a valid key to regain access to the previously encrypted content. All members may lose access to previously encrypted content.<br/><br/><3>Learn more</3> about resetting encryption keys.<br/><br/>Proceed with caution.",
+  "E2E_reset_encryption_keys_success": "Encryption keys reset",
+  "E2E_reset_encryption_keys_error": "Encryption keys reset failed",
  "Markdown_Parser": "Markdown Parser",
  "Markdown_SupportSchemesForLink": "Markdown Support Schemes for Link",
  "End-to-end_encryption": "End-to-end encryption",
@ -5443,6 +5454,7 @@
  "This_room_has_been_unarchived": "unarchived room",
  "This_server_will_be_available_while_your_session_is_active": "This server will be available while your session is active",
  "This_week": "This Week",
+  "This_action_cannot_be_undone": "This action cannot be undone",
  "thread": "thread",
  "thread_message": "thread message",
  "Thread_message_list": "Thread message list",