Feature Request: End to End encryption

Hi,

While the server encryption is a nice feature, the key sits on the same server and therefore does not offer any benefit.

I wonder if, at a later stage, you guys would consider implementing true end to end encryption?
Don’t know if this would even be possible, but I would love to see it.

5 Likes

One end is the Nextcloud server. But what is the other end? It could be any device, any browser, any location. So I don’t think that’s possible. Making your server access via https only with a valid certificate is the most secure option you have, I think.

I think you are right, but I don’t like my files on the server not being encrypted.
Didn’t say it is easy to do :slight_smile:

The ownCloud ticket has been open for ages and afaik someone is working on it; however, I doubt that it will ever see the light (anytime soon).

I’d go for the pragmatic approach: Encrypt everything beforehand (or don’t even upload anything) that could be potentially devastating, as in passwords or secret business documents or whatever else you can think of.

Stuff like your vacation photos or your music collection don’t need to be encrypted. Worst case: someone can download and distribute them, the world’s not going to end :slight_smile:

PS: I had users asking to encrypt their RSS feeds which is a terrible idea IMHO (unless you are reading NSA feeds xD)

2 Likes

Well, I’m a fish, I can’t read sarcasm

Anyway… there is no reason not to encrypt everything (you can). It might take longer for some to realize (it seems especially for Generation Facebook), but there is a good reason for it… it’s called Privacy.

Anyway (again :smiley:), I understand that this won’t be easily integrated, I just would love to see this feature.

2 Likes

As @BernhardPosselt said, I began working on client-side encryption for ownCloud, and there shouldn’t be any reason it won’t work with NextCloud.
That said, progress has been slow in the last few months thanks to my day job being very, very busy.
The ownCloud desktop team is also being slow merging my first pull requests, which doesn’t help.

The high workload at my day job should get better after the summer though, and I’m still set on delivering the feature.
The goal is to have a beta out at the end of the year.

You can follow progress here: https://github.com/owncloud/client/issues/4327

1 Like

There is a free open source client which does client-side encryption for different cloud applications:

I don’t know if it is worth having a look at it and perhaps integrating it into the NC client or bundling them some other way.

The issue with these agnostic CSE tools is that they usually don’t support sharing of the protected files; it’s also yet another layer that needs to be set up, and usually too complex for casual users. But it’s true that the latter two could be resolved with some integration work.

1 Like

Yeah, please implement this. You can find many FLOSS libraries/apps out there right now, where you can see how one can do it or so. Of course it’s important to also encrypt the file names e.g.

Anyway you even have the possibility to do it right now as NextCloud’s password manager passman can also be used to store files. Maybe the passman devs want to work on this feature here too?

/cc @brantje

Maintaining passman next to a 40 hour job is more than enough.
Unless Nextcloud pays us, then it becomes a different story.

I don’t think a password manager should encrypt files :smiley:

SSL certs for example?

1 Like

Hmm, maybe Passman can get an official NextCloud app? And it could be integrated, so that all files can be e2e encrypted…

I’ve mentioned this before, but it’s worth bearing in mind that you really can’t trust encryption to anything that runs through the web client. A malicious admin would only have to tamper with the code of the app to capture your passwords. It would be a trivial attack.

Only by using an independent piece of software locally, like Cryptomator, can you have reasonable confidence in the encryption. But that reduces Nextcloud to a fileserver.

But that reduces Nextcloud to a fileserver.

@Ripper yep, that’s the consequence of client side encryption. You have to kill the web interface in order to allow client side encryption because you can’t trust anything from the server

+1 for this

Crypto Cloud System on the mobile version should be implemented to the desktop clients et voilà.

There actually seems to be ongoing work on that, but I can’t find much info about it for now … it’s just offered in the iOS app.

I don’t see the reason to kill the web interface. Can’t you just decrypt it with a browser plug-in?

3 Likes

Client side encryption looks like a duplicate of this issue, but it contains bounty information, which I mentioned should be moved here.