E2E encryption vs server side encryption


#1

Are there still use cases where you should use the client server encryption instead of the new E2E encryption? Moreover can I activate the E2E encrypted folder by default or do I have to activate the server side encryption in the settings first?


#2

Do not enable both:

  • Server side encryption means that your client is sending the data unencrypted to the server and the server does encryption and decryption before sending it back to the client. This means that you trust the server/provider as it can read the data.
  • Client side encryption means that your client already encrypts the data before sending it to the server, so the server/provider cannot read the data and of course no man in the middle.
  • If you enable both, your data is doubled encrypted once client-side and once again on the server. So server-side encryption does not make sense of you already use client-side encryption and perhaps even is blocked by Nextcloud or causes issues depending on if the doubled decryption on web UI access is handled correctly.

#3

So does that mean I can use E2E encryption without activating the server side encryption? So if that’s the case. Why should I use server side encryption when I choose to use E2E? It seems like E2E is more secure and server side is redundant isn’t it?


#4

Server side encryption had originally been intriduced to secure remote storages like Dropbox and the like. In such cases the NC instance made sure, that all data only gets stored off-site beimg encrypted. Server side encryption had not been intended for local use. E2E on the other hand is in the hands of the particular user account and thus protects data inside the E2E-enabled folder, but not in folders below that.

E2E also has some other disadvantanges, since it’s only working with a sync client, so you’ll only get encrypted files from the Web client, should you download any encrypted file. E2E has a very specific use case and the limitations only make sense with very sensitive data.

Both encryptions come at the - probably significant - loss of performance and are probably not suited for underpowered hosts.


#5

Thank you. Question. Can I still share photo albums or images with e2ee enabled?


#6

Well, not without the 2nd party having also a desktop sync client and you sharing the secret with him/her. Definetively not via a public link.


#7

I’m confused. Why can third party providers like pCloud, Tresorit and sync do that? They use zero knowledge encryption plus end to end encryption and they can provide that.


#8

I don’t know any of those, but that’s also beyond of the scope of this discussion. You asked for the differences between server side encryption and E2E. If you want to utilize another sync service, do so - this decision is soley yours.


#9

Edit:

Must do more testing first.


#10

Thanks ryu. I’m going to test this later today.


#11

I’m sorry Chippel. I thought I had E2E enabled but only had server side encryption enabled. I enabled E2E now and will do some testing.

But you do have a point about other services like sync…