End-to-end encryption with multiple devices


I read the great news in this blog post: https://nextcloud.com/blog/production-ready-end-to-end-encryption-and-new-user-interface-arrive-with-nextcloud-desktop-client-3-0/ but somehow ran into a problem.

I am hosting my own nextcloud server and upgraded all components:

Where I run into a problem:

  1. I started with a freshly encrypted directory by creating a folder in ubuntu.
  2. Then I enabled e2e encryption for the folder within ubuntu client.
  3. After that I put a file into the folder and synced the contents to the nextcloud server.
  4. Everything looks fine in the server web interface: folder shows the locked symbol, filename is encrypted and not accessible.
  5. I completely wiped the Nextcloud app from my android phone and re-added the account.
  6. I see the encrypted folder and when opening it asks for my old android device e2e mnemonic/passphrase and does not accept my ubuntu client passphrase.
  7. It opens the folder but shows encrypted filenames like in the web view.

Did I miss something? Should the app have asked me for the ubuntu client mnemonic (that was my impression from the blog post)? How do I tell my Android app to use the same decryption method/key/mnemonic? Also did not find any option for the other way round (creating the folder in android and using the same decryption in ubuntu).

Currently a bit bummed that I cannot access e2e encrypted content from both of my client devices.

1 Like

Hmm yeah the blog post says “Only when adding a new device will you need to enter a passphrase, a mnemonic that your client can show you on demand.”

That sounds to me like you are supposed to enter the passphrase from your desktop client. Maybe you should log this as an issue on the github repo.

So yeah, once you have set it up on your desktop, you should not set it up on your mobile device but add the mnemonic from your desktop there instead - the mnemonic is how the different clients are able to see the files between them…

So step 6, that it asks for your android e2e mnemonic/passphrase but doesn’t accept the client one, that should work. I mean, really - that is how it should work…

The other way around should also work, you create it first in Ubuntu (after wiping all data on server and clients!) and then you have to enter the mnemonic on the desktop.

To clean the keys properly, see Help test the latest version of E2EE! -> you have to clean keys on the server but also on the (desktop) client.

1 Like

Thank you so much for pointing me in the right direction. The step I was missing was to remove the keyring entries on my desktop app.

I decided to completely reset everything and to start new. There seem to be several issues - with only the last one killing the experience:

Creating an encrypted folder with Desktop app first
When creating an encrypted folder with the desktop app first, the Android app does not allow entering a pre-existing mnemonic and always generates its own mnemonic. Tried removing/re-adding the account from the app and also completely uninstalling the app. It just never prompts for the desktop mnemonic but generates its own.

Creating an encrypted folder with Android app first
The other way around seems to work (with one inconvenience): when creating the encrypted folder with the Android app and then setting up the desktop app the desktop app works as expected. It immediately prompts for the mnemonic. The inconvenience was again the Android app: when setting encryption on a folder it shows the mnemonic. I copied & pasted the mnemonic into a password safe and tried entering the mnemonic in the desktop app and failed with an error. After a while I discovered that the Android app did not use the displayed mnemonic but created a new one. Luckily it is possible to show the mnemonic from within the app again and I was able to copy & paste the correct one.

Remaining issue
The main issue now: all files uploaded through Android app work fine on the Desktop app.

Sadly when uploading folders & files through Desktop app the Android app does show the Folder but does not list its contents inside. Error message on Android: “Download failed
Could not complete operation. Server unavailable.”

During upload with the Desktop app I get error messages in the Nextcloud server log: “Error PHP fread(): read of 8192 bytes failed with errno=21 Is a directory at /data/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php#861” - When I browse through the server web interface everything seems fine (folders/file names are encrypted but I see all expected entries & matching file sizes).

Thanks again for helping. The last issue might be some Android app bug. My initial problem is resolved.

Edit: Added my current findings to the mentioned E2EE feedback thread: Help test the latest version of E2EE!

1 Like

That’s excellent because those are things that, I’m sure, can be fixed - probably by our android dev, @tobiasKaminsky
I could not find open issues for these two problems so I’d like to ask you to file them on https://github.com/nextcloud/android/issues

Tobias might already have seen it, on that testing thread, so thanks for reporting and testing!

I have the same issue.

Now I cannot remove the encrypted folder. The web interface does not have the right to do this and the Android app says “Could not complete operation. Server unavailable.”.

I do not have admin rights to erase all data from the disk and start from scratch, so I am stuck forever with my immortal encrypted folder in the cloud :angry:

Steps to reproduce:

  1. Encrypt an empty folder from the desktop client.
  2. Copy some files to the folder.
  3. Nextcloud will start uploading files to the server.
  4. Nextcloud will hang forever (“waiting”) after uploading some files. Yes, one more bug. Bugs everywhere.
  5. Open the folder from the android app.
  6. Uncheck the encrypted folder in the desktop client so that it is not synced anymore.

Congratulations! Now you have an encrypted folder that nobody can remove from any device!

I was able to remove the folder by a total cleanup, following the instructions Help test the latest version of E2EE!

1 Like

If you have access to a Nextcloud admin user, you can:

  1. Disable the app “End-to-end encryption” in the online page “Applications”
  2. Remove the folder, which is now like any other folder, from online view
  3. Re-enable “End-to-end encryption” (if you feel like using it again)
  4. In any case, whether you did step 3 or not, quit Nextcloud Desktop (right-click on the service icon, click on “Quit”), then re-launch it.

Hope this helps a bit

Just re-tested with current stable versions:

  • Server 19.0.4 (Ubuntu 20.04.1 LTS)
  • Desktop Client 3.0.2 (Ubuntu 20.10)
  • Android App 3.13.1 (Android 11)

Made sure that desktop client and android app had the same mnemonic and removed all previously encrypted folders on the nextcloud server (as mentioned in the linked instructions from @Linux_Bear).

Created an encrypted folder in the Android app and uploaded a file. Created an additional subfolder and uploaded two files in the encrypted root and the sub-folder from the desktop client. All encrypted files and folders work like a charm on the desktop and on my android phone. Also checked the webserver and all files & folders are encrypted on the hard drive.

Will try to slowly upload many more folders/files but the test worked fine.

Now I am looking forward to a JS interface directly on the server that accepts a passphrase/mnemonic to view the files directly in the browser app :slight_smile:

Edit: works in principle but still having trouble synchronizing/uploading ~ 1.000 files (800 MB) structured in multiple sub-directories. Desktop client always says “Waiting …” but stopped uploading files/folders after the first 13 items.

Edit2: Funny thing is… I am trying to encrypt a folder/file structure that is already successfully synced to the server unencrypted. So it most likely has to do with e2e. No real hints in the nextcloud log so far.

I tried to set this up freshly today and ended up with all my clients having their own mnemonic.
I’m sure I did something wrong in the order of things, but my impression is that there is still a need for improvement regarding usability; in general, though, I think the concept is on the right track.

Discovered another issue today. I am using e2ee successfully on my desktop PC and Android phone. Tried to set up the Nextcloud desktop client on my laptop. The desktop client asks for the E2E passphrase, and when I copy & paste the mnemonic from my main desktop to the laptop it does not accept the mnemonic. I cannot save the value - the input dialog just stays open. I can cancel, but then there is no mnemonic at all and the files cannot be decrypted.