Harden a Matrix Synapse Server on Anubiz Offshore VPS
Matrix homeservers carry encrypted group chats, but the metadata (who talks to whom, when, room membership) is plaintext at the server, and the integration secret on disk can decrypt cached attachments. Hosting Synapse on an Anubiz offshore VPS gives you jurisdictional and physical control, but only careful configuration of federation, registration and media retention keeps that promise honest. This guide is a practical Synapse hardening walkthrough for a fresh Ubuntu 24.04 cloud image.
Threat Model
Synapse server admins can read every unencrypted room and can see metadata even in encrypted ones. The realistic adversaries are a malicious federation peer trying to flood your database, anyone holding a leaked registration shared secret, and a media abuse vector that gets your IP listed.
Step 1: Use Postgres, not SQLite
SQLite is the default but unusable past 20 users. Install Postgres 16, create a synapse user, and enable TLS as in the Mastodon guide. In homeserver.yaml, point the database block at psycopg2 with sslmode=require.
Step 2: Disable Open Registration
Set enable_registration: false. If you want invite-only signup, set registration_requires_token: true and mint tokens through the admin API. Never set enable_registration_without_verification to true on an internet-facing Synapse; it gets abused as a spam relay within hours.
Step 3: Federation Allowlist
If your community does not need full federation, set federation_domain_whitelist to the set of homeservers you actually talk to. This kills the largest abuse vector (federation flood) outright. For an open federation, at least set federation_ratelimiting aggressively.
Step 4: Media Retention and Quarantine
Media is where abuse comes from. Set max_upload_size: 50M, media_retention.local_media_lifetime: 90d and media_retention.remote_media_lifetime: 14d. Call the admin endpoint POST /_synapse/admin/v1/purge_media_cache from a weekly cron job. Have an abuse contact reachable.
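Steps 1 through 4 are all homeserver.yaml settings, so the natural check is a script that audits a parsed config for each of them. The following is an added example, not part of this guide or of Synapse's own tooling: it takes the dict that yaml.safe_load() produces from homeserver.yaml and reports which of the four steps are not met. The guide's "federation_ratelimiting" is taken to mean Synapse's rc_federation block; the two sample configs, their hostnames and the shared-secret value are constructed placeholders.

```python
"""Audit a parsed Synapse homeserver.yaml against Steps 1-4 of the guide.

Added example (not Synapse's own tooling).  The config is handed in as the
dict that yaml.safe_load() produces; the two sample configs below are
constructed for illustration.
"""
import re
import sys

# Synapse accepts byte sizes like "50M" and durations like "90d".
_SIZE_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 365 * 86400}


def parse_size(value) -> int:
    """'50M' -> 52428800.  A bare integer is already bytes."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([KMG])?\s*", str(value))
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * _SIZE_UNITS.get(m.group(2), 1)


def parse_duration(value) -> int:
    """'14d' -> seconds.  A bare integer is milliseconds in Synapse."""
    if isinstance(value, int):
        return value // 1000
    m = re.fullmatch(r"\s*(\d+)\s*([smhdwy])\s*", str(value))
    if not m:
        raise ValueError(f"unparseable duration: {value!r}")
    return int(m.group(1)) * _DURATION_UNITS[m.group(2)]


def audit(cfg: dict) -> list:
    """Return a list of findings; an empty list means all four steps are met."""
    findings = []

    # Step 1: Postgres over TLS.  Anything but psycopg2 means the SQLite backend.
    db = cfg.get("database") or {}
    if db.get("name") != "psycopg2":
        findings.append("database.name is not psycopg2 (SQLite backend)")
    elif (db.get("args") or {}).get("sslmode") not in ("require", "verify-ca", "verify-full"):
        findings.append("database.args.sslmode is weaker than require")

    # Step 2: no open registration, no unverified registration, no shared secret lying around.
    if cfg.get("enable_registration") and not cfg.get("registration_requires_token"):
        findings.append("enable_registration without registration_requires_token")
    if cfg.get("enable_registration_without_verification"):
        findings.append("enable_registration_without_verification is true")
    if cfg.get("registration_shared_secret"):
        findings.append("registration_shared_secret is set; a leak of it mints accounts at will")

    # Step 3: allowlisted federation, or at least rate-limited open federation.
    if cfg.get("federation_domain_whitelist") is None and not cfg.get("rc_federation"):
        findings.append("open federation with no rc_federation rate limiting")

    # Step 4: bounded uploads and finite media retention.
    if parse_size(cfg.get("max_upload_size", "50M")) > parse_size("50M"):
        findings.append("max_upload_size above 50M")
    retention = cfg.get("media_retention") or {}
    for key, limit in (("local_media_lifetime", "90d"), ("remote_media_lifetime", "14d")):
        if key not in retention:
            findings.append(f"media_retention.{key} unset: media is kept forever")
        elif parse_duration(retention[key]) > parse_duration(limit):
            findings.append(f"media_retention.{key} longer than {limit}")
    return findings


def load_config(path: str) -> dict:
    import yaml  # PyYAML ships with Synapse; imported lazily so the audit itself needs no extras
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample configs; hostnames, paths and the secret are placeholders.
HARDENED = {
    "server_name": "example.org",
    "database": {"name": "psycopg2", "args": {"user": "synapse", "database": "synapse",
                                              "host": "127.0.0.1", "sslmode": "require"}},
    "enable_registration": False,
    "registration_requires_token": True,
    "federation_domain_whitelist": ["example.org", "partner.example.net"],
    "max_upload_size": "50M",
    "media_retention": {"local_media_lifetime": "90d", "remote_media_lifetime": "14d"},
}
WEAK = {
    "database": {"name": "sqlite3", "args": {"database": "/var/lib/matrix-synapse/homeserver.db"}},
    "enable_registration": True,
    "enable_registration_without_verification": True,
    "registration_shared_secret": "PLACEHOLDER-not-a-real-secret",
    "max_upload_size": "500M",
}

if __name__ == "__main__":
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else WEAK
    for line in audit(cfg) or ["no findings"]:
        print(line)
```

Run it as `python3 audit_synapse.py /etc/matrix-synapse/homeserver.yaml` after each config change; with no argument it audits the constructed WEAK config and lists all eight findings. The retention check treats a missing key as a finding because Synapse keeps media indefinitely when media_retention is absent.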
Step 5: nginx, TLS and Well-known
Front Synapse with nginx and terminate TLS with a Let's Encrypt certificate, or use Caddy if you prefer automatic TLS. Serve /.well-known/matrix/server and /.well-known/matrix/client with the right JSON. Turn server_tokens off and enable HSTS.
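The "right JSON" for the two well-known documents is small but easy to get subtly wrong (a scheme in m.server, a path in base_url, a missing CORS header on the client document). The following added example, which is not part of this guide, builds both documents, sanity-checks them, and renders the nginx location blocks that serve them together with the server_tokens and HSTS settings from this step. The hostname matrix.example.org is a placeholder; the checks follow the Matrix specification's shape for these documents (m.server is host[:port] with 8448 as the default port).

```python
"""Build and sanity-check the Matrix well-known documents and the nginx
location blocks that serve them.  Added example; hostnames are placeholders."""
import json
from urllib.parse import urlsplit


def well_known_server(delegate_host: str, port: int = 443) -> dict:
    """Federation delegation: tells other homeservers where to reach us instead of :8448."""
    return {"m.server": f"{delegate_host}:{port}"}


def well_known_client(base_url: str) -> dict:
    """Client discovery: tells Matrix clients which origin serves the client API."""
    return {"m.homeserver": {"base_url": base_url}}


def validate(server_doc: dict, client_doc: dict) -> list:
    """Return a list of problems; empty means both documents are well-formed."""
    problems = []
    target = str(server_doc.get("m.server", ""))
    host, sep, port = target.rpartition(":")
    if not sep:
        host, port = target, "8448"  # spec default when no port is given
    if not host or "://" in target or "/" in host:
        problems.append("m.server must be a bare host[:port], no scheme or path")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("m.server port is not a valid TCP port")

    base = str((client_doc.get("m.homeserver") or {}).get("base_url", ""))
    parts = urlsplit(base)
    if parts.scheme != "https":
        problems.append("base_url must use https")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("base_url must be the bare origin with no path")
    return problems


def nginx_well_known(server_doc: dict, client_doc: dict) -> str:
    """Render nginx directives for inside the server {} block that fronts Synapse."""
    s = json.dumps(server_doc, separators=(",", ":"))
    c = json.dumps(client_doc, separators=(",", ":"))
    hsts = 'add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;'
    return "\n".join([
        "server_tokens off;",
        hsts,
        "location = /.well-known/matrix/server {",
        "    default_type application/json;",
        f"    return 200 '{s}';",
        "}",
        "location = /.well-known/matrix/client {",
        "    default_type application/json;",
        "    # Web clients fetch this cross-origin, so it needs a permissive CORS header.",
        "    add_header Access-Control-Allow-Origin *;",
        "    # add_header in a location replaces inherited headers, so repeat HSTS here.",
        f"    {hsts}",
        f"    return 200 '{c}';",
        "}",
    ])


if __name__ == "__main__":
    srv = well_known_server("matrix.example.org")
    cli = well_known_client("https://matrix.example.org")
    print(validate(srv, cli) or "well-known documents look sane")
    print(nginx_well_known(srv, cli))
```

The repeated HSTS line in the client location is deliberate: nginx's add_header does not merge with the enclosing block's headers, so a location that sets its own header silently drops the server-level HSTS unless it is restated. After deploying, fetch both URLs with curl and confirm the Content-Type is application/json and the client document carries Access-Control-Allow-Origin.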