Feature: Full serverside encryption. Also of thumbnails

I understand that the main goal was to protect files on external storage. But I think this goal comes up short. Nextcloud should also target to encrypt everything else server side. Especially thumbnails.

Files are already encrypted on the Nextcloud instance itself. Which kinda makes no sense, when only external storage was supposed to be encrypted. And makes even less sense since those file’s thumbnails are left unencrypted.

This is a pity, because in fact I as the administrator can not decrypt those files! At least not without modifying the code of Nextcloud to snoop on the passwords of those users. If I could, the “Optional” recovery option would kinda be pointless, wouldn’t it?
Furthermore this “snooping” would be illegal in my country and thus comes with a bigger hurdle to take than just looking at unencrypted files on my own server, which hardly is a legal issue.

Server side password-protected encryption is a LOT more secure than no encryption.

1. If the server is compromised:
   a) The attacker needs to make changes to the code of Nextcloud to snoop future password entries and stay on the server/reconnect later. This makes the intrusion easier detectable
   b) Only those accounts can be decrypted and become compromised that log in while the server is compromised.

2. The administrator can not accidentally see user files he was not supposed to see.

3. An administrator that wants to decrypt the files needs to be knowledgeable and particular malicious to snoop the passwords. He can’t do this on a whim or because he was temporarily overwhelmed by his curiousness. It will have most likely legal implications for him, if it is found out later.

4. If the user starts to distrust the administrator, he can stop using the service, and if that administrator has not yet “acted” he will never get the required password. Making it possible to virtually instantly delete my account at any time by simply never again providing my password.

5. A data dump, getting in the wrong hands, like a backup, is secure as the required passwords are missing altogether.

I do not see any good reason to not also encrypt the thumbnails. It would come with a performance loss, but if I wanted performance, I would not enable encryption in the first place.

Also I think this recovery option is really misleading. It makes you think the Administrator has no access to the files, while he can see all your photos just fine. So unless you encrypt the thumbnails as well, this should be made more transparent to the user at least. And maybe the encryption could really be limited to external devices in this case, improving performance, as its kinda pointless anyway. But I sincerely hope instead you opt for also encrypting the thumbnails/contacts/appointments…

Ofc, full client side encryption would be even better, and the only “real protection” even against malicious & knowledgeable Administrators. But I see the limitations with usability and there are in fact already solutions for this with zero-knowledge encryption from the view of Nextcloud with this usability trade-of available. (https://cryptomator.org/ or https://www.boxcryptor.com/en for example)

I tell you this as I also was caught wrong-footed by the fact that thumbnails were left unencrypted. This was totally unexpected for me and occurred to me much later after setup/use/propagation to friends

PS:
I have disabled the preview function altogether for now. Which partially fixes the problem but comes with a big - in my view totally unnecessary - usability cost. But here also I am stuck at not being able to delete already created thumbnails. is it safe to just purge them? Or are there references in the database to be taken care of?

Ok, this is a feature request, encrypt previews… For now, we do indeed recommend users who care deeply about this to do what you did - disable previews. Help welcome, this is certainly not a feature we don’t want or something, it just isn’t super high priority. But priority means simply that somebody has to be willing to do the work

That is delightful to hear. All other discussions so far ended more like with a reference to the manual like this:

But priority means simply that somebody has to be willing to do the work

Well, encryption is not exactly something “somebody” has to do. We want it to be textbook secure in the end, no? But I understand. A more elaborate warning about the thumbnail issue should be added in the settings for the password recovery until this is solved. I can at least provide that, if this is also considered low priority.

Is there some kind of Bug hunting page/mechanism? I would certainly throw in $50 for this feature. Not much but a start. Maybe others would, too.

There are some good points. However, it is far from real cryptography that is what users expect. Hiding the key of your house under the doormat or under the flowerpot prevents an attacker to get in straight away and it needs a bit more time and “criminal energy” to look for the key.

But you get a lot of problems as well. Server-side encryption has shown a lot of problems during upgrade and file recovery (even from backups this ranges from difficult to impossible). There is just a lot of code that can fail and which did fail in the past. Crypto is no easy thing to do, some flaws were found this year: Pwncloud – bad crypto in the Owncloud encryption module - Hanno's blog

I did use it in the past for similar considerations but I experienced many bugs that were all related to the encryption app). Since I turned it off (ownCloud 7), this has improved a lot.

Hmm, no this is more like hiding the key under the doormat while leaving the window next to it open.

And even this is not true, again, the key under the doormat is available for the attacker without any further interaction. But with Nextcloud encryption he will also need the password actively given by the user as I pointed out.

So either disable encryption altogether and be open about it or encrypt everything the same way. Else this is dangerously misleading.

That depends on the usage. If you sync calendar and contacts with your mobile device, you won’t have to wait long. And even if you get a snapshot, most passwords are not that secure. Compare this situation to a snapshot from an enrypted external storage (without encryption keys).

I completely agree with that. If you want to protect data on the local storage, you must use client-side encryption.

Yeah, this is probably a good idea. @LukasReschke @bjoern what do you think, should we warn users who enable encryption that the previews are stored unencrypted?

Yes, for privacy-aware people this should be enabled to warn them that preview images may expose privacy to the one who has physical (keyboard) access to the server.

Hi all… I thought I would offer up some insights & an encryption workaround that I’ve been using in case other search this:

CryptoMator allows you to encrypt cloud files individually now and they sync perfectly. This doesn’t work too well when viewing on the web, as you can imagine, but it works great across devices for native folder/file structures — much like the iOS NextCloud app does. CryptoMator also offers an iOS app (that I have not tested nor can recommend) that allows you to connect to WebDAV for transparent view of encrypted files since late last year.

With that said, @jospoortvliet, for anyone that wants to help tackle this, it’s open source so implementing in a web version might be something that could work, either as a browser plugin, app, or natively?

I also use CyberDuck.io allows you to mount a NextCloud WebDAV and will soon encrypt all files with CryptoMator too.

Enjoy your NextCloud, y’all! I do. Thank you devs & volunteers.

IMO, the idea of protecting against the server admin in an application like Nextcloud is a non-starter. The only way to do that is put all the logic client-side, and essentially turn the server into a dumb file store. That’s how the cryptomator solution treats it.

If you’re accessing from a web browser, the server admin could always poison the code you download in the webclient.

yeah, CryptoMator is cool

Hi All,

I really agree with the post title, I think there is no reason to have the server side encrypted if the server admin can just copy all the thumbnails.
Disabling the thumbanils is not a good solution as it makes the system almost unusable. What is the cons of encrypting the thumbnails along with the original picture while this is loaded?
Will this feature be implemented in a future NC release?

Thanks

Hi All,

Sorry to insist on this. There will be a feature to also encrypt the thumbnails on the server?
At the moment all the pictures, also private documents (like passport, driving licence, etc.) can be clearly seen from the server administrator.
What is the point of encrypting images and files if they can be seen?

Thanks

If you want to be a 100% sure that no one is able to see the contents of your files, they must be encrypted on the client, before they got uploaded. Look at End-to–End Encryption, If the server must have “zero knowledge” about your data. And here you can read about Server-side Encryption and it’s limitations.

So then why do we encrypt the images and not the thumbnails?
What is the point of encrypting if you are saying that we should end-to-end encrypt files to be 100% sure?
If we encrypt the images then so should do the thumbnails. Otherwise let’s just remove the server side encryption, at the moment with the thumbnails not encrypted it is useless, as the server admin can see them.

I don’t know. I’m not a developer. I can just provide you with the official documentation, in which you can see what each type of encryption can do and from what threat vectors it is suposed to protect you.

My point was, that a server administator, which is probably also the administrator of the Nextcloud instance most likely has other possibilities to access your data at runtime. Purely server-side encryption cannot protect you a 100% from access by an administrator at runtime, because at some point the data has to be decrypted on the server, so that it can be presented to you in clear text. To avoid this you have to encrypt the data already on your client, so the server does not see any unencrypted data at any time. This is what End To End Encryption aka Client-side Encryption does.

Server side encryption is mainly made to protect data “at rest” in case an unauthorised person should gain physical access to the server. However, if you are right and it does not encrypt all the data, then it doesn’t do the job it’s supposed to do right and as a server administrator you should rather use something like Full Disk Encryption with LUKS or simliar.

But again… When you are a user and upload your data to a server that is not completely under your control, the only way to make sure that no one can get to your data, is to use client-side encryption. And this priciple applies to any service and is not specific to Nextcloud.

Thanks bb77 for your reply.

I read the documentation and I know that it says that the thumbnails are not encrypted. I was just trying to bring this up, as I think they should be.

I totally understand the difference between server side encryption and client side encryption. I am the server admin of my server but I’d like my users (myself included) to be sure that the server admin (myself in this case) cannot see their pictures. Even if the server decrypts the photos before sending them, it is not an easy job for the server admin to get that location in RAM where the decrypted photos are located (I am not able to do that). If every server admin were able to do that, there would be no reason to have the server side encryption.

As you said, if someone gets possession of the Hard Disk, they can see all the thumbnails, i.e. all the data. I don’t think we should have an extra layer (LUKS) on top of it, server encryption should be enough if everything were encrypted.

You could still use the Impersonate app

…but yes, I get what you are saying. Personally I don’t want to comment about the overall quality and maturity of both encryption methods Nextcloud offers, because I don’t use them myself. But if you do a quick search in the forums and some reading, well, I’m pretty sure you’ll draw your own conclusions rather quickly…

fortunately it says This app is not compatible with instances that have encryption enabled. But who knows which side of the encryption

Ah ok. Then it seems to be better than I thought. At least there is no easy way to override it. Nevertheless, I don’t see any real use case for me. But yes, on a server with many users and admins, it might make sense. If it works reliably and everything is really encrypted.