How to setup end-to-end / client-side encryption, where do I find instructions?

Nextcloud version 19.0.0

I’m using a docker-image on my VPS.
Here is the system report:

Link: http://87.118.120.187:5000/s/EgLcQFqp3ZTSKKk
Password: /QlVOXnOWa8i70xYegj+

I’m an amature sysadmin and quite new to NextCloud.

My issue:

Any rootprivileged user on my VPS can access the personal files of the users of my NextCloud-instance.

I found so far, that I should enable users to use end-to-end encryption.

I’ve looked through the manuals but seem to find only instructions on server-side encryption.

I also found this: https://nextcloud.com/endtoend/ but can’t really make sense of it. :frowning:

Browsing these forums, I’ve found this: how-to-use-e2e-encryption/25487 (doesn’t help me) and this: Where can I find the clients that do e2e? which is mentioning a pre-release client.

The pre-release client does seem to be the right thing, but I have two questions, and my issue remains:

  1. Since the introduction of e2e with NC 13, this feature is still a work in progress? It seems totally unreasonable to me that a sysadmin has easy and unlimited access to user-file content, to me it seems that protecting, or at least hiding data from unknown far-away sysadmins would be a core feature in any cloud storage system. Am I missing something here?

  2. Why is it so hard to find sufficient and updated instructions on this? I’m an amature sysadmin, and had to spend several hours to first chew my way through the instructions on server-side encryption until finding that there actually IS an end-to-end feature, and then the search began for instructions on that. I could not find an app for it (at first) The above mentioned page https://nextcloud.com/endtoend/ has a nice graphic on how it works, but not on how it is done. I can’t find information on that page on how old the content is, until I download the whitepaper and realize that it is three years old! The forumthreads mention an app, so I searched for it by text and found it. Why does it not show in the tools or security categories? The appinformation (also on github) does not mention the need to download a special client, nor does it provide a link to one.

However, using the client (on Win 10), I still can do this on the backend:

´´´
root@myVPS:/opt/nextcloud/data/data/myNCuser/files# cat Documents/testing.txt
This should not be readable.
´´´
There doesn’t seem to be a readme anywhere with the link to the client, and it seems to be built in 2018.

My issue remains, I do not want to be able to read my users’ files in an easy way, and I can’t find instructions on how to achieve some kind of barrier (doesn’t need to be unbreakable, but I should not be tempted right away by seeing usernames and cataloguetrees without some extrasteps).

I’d be grateful if anyone could shed any light on this, and sorry if I’ve missed some fundamental sysadmin knowledge (I guess in /home/someUser, a user can easily set up some kind of encryption by themselves, but a nextcloud user can’t access the nextcloud backend, and even if they were also users on my VPS and granted access to their catalogue in the nextcloud backend, they wouldn’t be able to put in encryption there and use it from the frontend).

Thanks!

Update
As suggested in https://www.techrepublic.com/article/how-to-use-end-to-end-encryption-in-the-upcoming-nextcloud-desktop-client/
I’ve installed both the End to end encryption app and the Default encryption module app, I’ve logged out and in, I’ve rightcklicked and enabled encryption in the client on two of my folders, I’ve kicked out the non-e2e-client from my desktop, I’ve tried to fix the “invalid private key for encryption app”-message that bugs me in the webinterface, but I don’t seem to understand how (Profile -> Security asks about my old login and my new login and mousepointer hover-behaviour suggests links that however do nothing, but anyway I tried to change login password to nextcloud (and updated the client) so that I HAVE an old login…), I don’t understand the “add an app password” button in connection with the list of clients. And, I’m sort of out of ideas now. root can still read.

I think you know this link:
https://nextcloud.com/blog/encryption-in-nextcloud/

part " Client side end-to-end encryption":

Do you really want this:
“Note that the very nature of end-to-end encryption means there is no access to data through the web interface, nor any public sharing. This is because a browser would need to decrypt the files locally for the user to see them, but the code to do that has to come in the form of javascript from the server. This would break the trust model”

Perhaps you need server-side-encryption.

Thanks, yes, I know this link and two things:

I don’t want server-side encryption, not at this stage, cos it’s a bit too complicated, too much risk for dataloss. And we are not connecting external storage (at the moment).

I am running this instance of NextCloud for a young political party and we mainly need to share documents and documents are mainly not personal, so, the need for encryption of personal files is minimal. But I’d like to give users the possibility to write personal notes that are not politically correct, or that are not thought through or whatever. So, yes, I’ve accepted the tradeoffs that encrypted files are not accessible from the web. I am thinking that a user’s tree could look like this:

    - ncUser
      |- something-I-share
      |  |-thoughts-on-marxism.txt
      | 
      |- my-encrypted-stuff
           |-spokespersons-latest-stupid-thoughts-according-to-me.txt

Ok. Have you installed the app

https://apps.nextcloud.com/apps/end_to_end_encryption

Yes, I have installed the end-to-end encryption app.

Erm, I just found this:

bild

You can only use it in apps perhaps only in the desktop app.

videos on youtube.

https://www.youtube.com/watch?v=ZOoJo9BXHAI
https://www.youtube.com/watch?v=xxhP7JRGR5I

Thanks, that seems to be a good link for instructions.

I’ve looked at the default encryption app before, and it says this:

In order to use this encryption module you need to enable server-side encryption in the admin settings. Once enabled this module will encrypt all your files transparently.

But according to that link, I need both apps, end to end encryption app AND default encryption module. Well, I installed the default encryption module now, but that is not enough to execute client-side encryption as it seems. ACTIVATING the app, however, means all the risks of server-side encryption (as in, me messing up a backup of a recovery-key).

Hi
I have a problem installing the app “E2E Encryption” in Nextcloud. I simply don’t have such panel in my Nextcloud web app. So I can’t enable E2E and use it? What am I doing wrong?
Screenshot_2020-09-16_17-15-15 Screenshot_2020-09-16_17-16-42