End-to-End encryption - zero knowledge

Sorry for this question, I've read the whole NextCloud website but I'm not sure about this feature.
Does the sync desktop app work with e2ee encryption - zero knowledge? If so, is there anything I need to configure or is everything set by default? Thanks to anyone who can answer.

Short answer: yes, the desktop app works as an E2EE client.

What do you expect from the app?
It only encrypts the content of single folders on purpose. Those encrypted files will not be readable from within the web interface, only from clients connected with the → E2EE-API ← like the Android or the desktop app or any other app that connects to the E2EE-API.
If you have zero knowledge, it may eventually not be the right tool for you.
It is made to enable sharing files, which a server admin is not allowed to read.

Much luck,
ernolf

My answer doesn't quite fit. But regarding Zero Knowledge you can still have a look at the Nextcloud app Secrets. Using JavaScript encryption and decryption in the browser, you can exchange information with third parties, which is also deleted immediately after receipt. For example, with Secrets you can first securely transfer a synchronized password and then use it with the other party. The app Secrets works like PrivateBin. I have not checked whether the same code is used. For Zero Knowledge you can also use encrypted ZIP files. Or e.g. nadafile for “encrypted” HTML. Hopefully there is no bug in the software. :grinning:

1 Like

Hello ernolf, thank you for your reply.
I was referring to the zero-knowledge encryption method.

Zero-knowledge encryption and end-to-end encryption are not the same thing.
Many cloud storage providers can still scan and access your files once transferred, even if they offer E2EE.
Zero-knowledge doesn't allow cloud storage providers to decrypt files.
Some cloud storage providers offer the zero-knowledge encryption by implementing what you could do with software like Cryptomator, automatically and by default.

So the question was whether the NextCloud synchronization app allowed knowledge-zero encryption, allowing the use of an additional password held only by the sender or doing it automatically.

I've read here: Encryption in Nextcloud - Nextcloud
They write about client side end-to-end encryption that can be enabled on folders, but I don't see any option to set it. I think these settings can only be managed by the server administrators of the providers that use NextCloud on their servers.

Most likely in my case the provider does not allow this.

Correct.

No, it does not. The desktop e2e functionality requires the server app and is used as you describe.

Exactly, you can use cryptomator.

Nextcloud is not zero trust, nor is it designed to be. Trust is the basis of choosing where to host your data via Nextcloud. Encryption offered is not zero knowledge. If that is your goal, look for other tooling.

2 Likes

Thank you very much for your reply and for dispelling all my doubts. I had focused well then, but I thank you for all the confirmation.

1 Like

I am confused.

I thought the advertised Nextcloud E2EE was precisely a full encryption from one end (say, my laptop) to the other end (say, my smartphone) with no possibility of decryption other than having a client set up with the 12-word mnemonics. I thought this was why it was impossible to see files in an E2E encrypted folder from within the web app, and that could be described as a zero-knowledge scheme (unless the clients send the 12-word mnemonics to the server, which I doubt).

Where am I wrong?

You are not wrong. All of what you wrote is true.

Having encrypted files does not mean your admin cannot tell that you are using e2e, because they are the one who installed the app. The e2e app is still dependent on the Nextcloud server to function, etc.

Not meaning to confuse you. Don't have time to write more on this.

You're right, but, as far as I have understood, the E2EE function on the folders you're referring to must be enabled by the provider's administrator, otherwise, without it, the data transfer is yes encrypted (files can also be encrypted at the destination for added security) but everything is decryptable by the administrator if malicious or unprofessional, or if the authorities should require it.

Not my understanding. All encryption is through the nextcloud desktop and mobile client, but check this out: