Skip to main content

Introduction to Element Enterprise

What is Element Enterprise?Server Suite?

Element EnterpriseServer Suite provides an enterprise-grade secure communications platform that can be run either on your own premise or in our Element Cloud. Element EnterpriseServer Suite includes allthe Element Matrix Server, which provides a host of the security and privacy featuresfeatures, that you get with Element:including:

  • Built on the Matrix open communications standard.
  • Provides end to end encrypted messaging, voice, and video through a consumer style messenger with the power of a collaboration tool.
  • Delivers data sovereignty.
  • Affords a high degree of flexibility that can be tailored to many use cases.
  • Allows secure federation within a single organisation or across a supply chain or ecosystem.

and combines them with the following uniqueElement EnterpriseServer specific features:Extensions:

  • Group Sync: Synchronize group data from your identity provider and map these into Element spaces.
  • Adminbot: Give your server administrator the ability to be admin in any rooms on your homeserver.
  • Auditbot: Have an auditable record of conversations conducted on your homeserver.
  • Security and feature updates: Updates are easy to deploy and handled by our installer.
  • Support:Bridges: AccessBridge to IRC, XMPP, Telegram, Microsoft Teams, or SIP. More coming soon.

Further, we also offer Enterprise Support, giving you access to the experts in federated, secure communications giving you confidence to deploy our platform for your most critical secure communications needs.

Given the flexibility afforded by this platform, oursthere hasare a number of moving parts to configure. This documentation will step you through architecting and deploying Element Enterprise On-Premise.

Deploying to a Single NodeKubernetes or Multipleto Nodes?a standalone server?

Element Enterprise On-Premise can be deployed both to Kubernetes (a singlelightweight nodecontainer orchestration platform) or a setstandalone server. One key benefit of multiplegoing nodes.with InKubernetes theis casethat ofyou thecan multipleadd more resources and nodes to a cluster as you need them where you are capped at one node deployment,with thisour requiresstandalone Kubernetes, a container orchestration platform.server. In the case of our singlestandalone nodeserver deployment,installation, ourwe installer deploysdeploy microk8s (a smaller lightweight distribution of Kubernetes), andwhich deployswe then use for deploying our application to that microk8s instance.application.

In general, regardless of if you pick athe singlestandalone node deploymentserver or a multiple nodeKubernetes deployment, you will need a base level of hardware to support the application.

For scenarios that utilise closedopen federation, Element recommends a minimum of 68 vCPUs/CPUs and 16GB32GB ram for the host(s) running synapse pods.

For scenarios that utilise openclosed federation, Element recommends a minimum of 86 vCPUs/CPUs and 32GB16GB ram for the host(s) running synapse pods.


This document gives an overview of our secure communications platform architecture:

Matrix Architecture - Generic Kubernetes Deployment.png

(Please click on the image to view it at 100%.)

Comprising our secure communications platform are the following components:

  • synapse : The homeserver itself.
  • element-web : The Element Web client.
  • integrator: Our integration manager.
  • synapse admin ui : Our Element Enterprise Administrator Dashboard.
  • postgresql (Optional) : Our database. Only optional if you already have a separate PostgreSQL database.database, which is required for a multiple node setup.
  • groupsync (Optional) : Our group sync software
  • adminbot (Optional) : Our bot for admin tasks.
  • auditbot (Optional) : Our bot that provides auditability.
  • hookshot (Optional) : Our integrations with gitlab, github, jira, and custom webhooks.
  • hydrogen (Optional) : A light weight alternative chat client.
  • jitsi (Optional) : Our VoIP platform for group conferencing.
  • coturn (Optional) : TURN server. Required if deploying VoIP.
  • prometheus (Optional) : Provides metrics about the application and platform.
  • grafana (Optional) : Graphs metrics to make them consumable.
  • telegram bridge (Optional) : Bridge to connect Element to Telegram.
  • teams bridge (Optional) : Bridge to connect Element to MS Teams.
  • xmpp bridge (Optional) : Bridge to connect Element to XMPP.
  • irc bridge (Optional) : Bridge to connect Element to IRC.
  • sip bridge (Optional) : Bridge to connect Element to SIP.

For each of the components in this list (excluding postgresql, groupsync, adminbot, auditbot, and prometheus), you must provide a hostname on your network that meets this criteria:

  • Fully resolvable to an IP address that is accessible from your clients.
  • Signed PEM encoded certificates for the hostname in a crt/key pair. Certificates should be signed by an internet recognised authority, an internal to your company authority, or LetsEncrypt.

It is possible to deploy Element Enterprise On-Premise with self-signed certificates and without proper DNS in place, but this is not ideal as the mobile clients and federation do not work with self-signed certificates. Information on how to use self-signed certificates and hostname mappings instead of DNS can be found in How to Setup Local Host Resolution Without DNS

In addition to hostnames for the above, you will also need a hostname and PEM encoded certificate key/cert pair for your base domain. If we were deploying a domain called and wanted to deploy all of the software, we would have the following hostnames in our environment that needed to meet the above criteria:

  • (base domain)
  • (homeserver)
  • (element web)
  • (integration manager)
  • (admin dashboard)
  • (Our integrations)
  • (Our light weight chat client)
  • (Our VoIP platform)
  • (Our TURN server)
  • (Our Grafana server)
  • (Our Telegram Bridge)
  • (Our Teams Bridge)

As mentioned above, this list excludes postgresql, groupsync, adminbot, auditbot, and prometheus.

Wildcard certificates do work with our application and it would be possible to have a certificate that validated * and for the above scenario. It is key to do both the base domain and the wildcard in the same certificate in order for this to work.

Further, if you want to do voice or video across network boundaries (ie: between people not on the same local network), you will need a TURN server. If you already have one, you do not have to set up coturn. If you do not already have a TURN server, you will want to set up coturn (our installer can do this for you) and if your server is behind NAT, you will need to have an external IP in order for coturn to work.


Airgapped Environments

If you are going to be installing into an airgapped environment (one without internet connectivity), you will need to also download the airgapped installer, which is ~4GB of data that will need to be transferred to your airgapped environment. More information on this can be found in our airgapped installation documentation here:


To obtain our software, please visit our downloads page at:


Kubernetes toApplication downloading our software, you'll need to determine if you want to do a multiple node deployment or a single node deployment and whether or not you'll be running in an airgapped environment.

(Multiple NodesNodes)

For an installation into a multiplekubernetes node installation,environment, make sure you have a Kubernetes platform deployed that you have access to and head over to Kubernetes Installations

Standalone (Single NodeNode)

For a single nodestandalone installation, please note that we support these on the following platforms:

  • Ubuntu Server 20.04
  • Enterprise Linux 8 (RHEL, CentOS Stream, etc.)

Once you have a server with one of these installed, please head over to Single Node Installations