How to share End-to-End encrypted folder with other users?

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

When we shared an encrypted End-to-End folder with another user, the other user cannot access the encrypted files in the shared folder. What he gets is several encrypted files for a single shared file in the shared encrypted folder, .e.g, ._dec.~1b3 , ._dec.~4b48, , etc.

We shared the encrypted folder by right-clicking on it in Windows Explorer and then going to the Nextcloud context menu and selecting Share options.

Thank you very much

root@mirror:~# snap list nextcloud
Name Version Rev Tracking Publisher Notes
nextcloud 20.0.1snap1 24051 latest/stable nextcloud? -
root@mirror:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal
root@mirror:~#
The issue you are facing:

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

  1. Share an encrypted folder on user A’s machine with user B
  2. On user B machine, go to Windows Explorer and open up the shared folder
  3. The shared folder will contain many encrypted files with file names like ._dec.~4b48 (many files for a single shared file).

The output of your Nextcloud log in Admin > Logging:

PASTE HERE

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

PASTE HERE

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE
1 Like

Hey cmgui,

What you are asking for is impossible. When you do End-to-End encryption, it means that the server has no clue what the actual data is. It can not read it and so, can not share it. Only your end device knows the key to decrypt the data, so only your device can share a clear text version of this data. On your device, you can select a file and send it over e-mail or similar and then a clear text version will be sent.

By using End-to-End encryption, you require the server to be unable to handle anything and so it can not do it. Should you wish to use the e-mail app to send the email in the previous example, you would not be able to attach the file from the local storage because that version would be the encrypted version.

Either you trust your server for it to share your data and you disable End-To-End encryption
Or you dont trust your server for it to share you data, keep End-To-End encryption and do not try to do what you asked yourself to be impossible to achieve.

Hi Heracles31

Thank you for the detailed reply.

According to this link on e2ee https://nextcloud.com/endtoend/ ,
“Secure sharing with other users without the need to enter passwords.” and
“Efficient sharing and revoking shares without the need to re-encrypt large files.”

And the End-to-End Encryption Design Whitepaper (Version: September 20, 2017) has a section “Sharing encrypted folders to other users”.

Also, this August 18 2020 blog https://nextcloud.com/blog/production-ready-end-to-end-encryption-and-new-user-interface-arrive-with-nextcloud-desktop-client-3-0/ says “In a future release, the scheme will allow for secure, end-to-end encrypted sharing with other users.”

So maybe e2ee encrypted folder sharing is not implemented?

Thank you very much once again

cmgui

1 Like

@cmgui
For End-to-End encrypted folders you can use passwords on zip files and share them e.g. with Nextcloud… pay attention for the synchronous secure zip passsword for encryption and decryption. Please use 7-Zip.
Would be a nice feature in Nextcloud e.g. with Extract . But actually “Extract” does not work with password for “extract”. Also “Extract” can not zip files or folders.

Thank you devnull.

We tried adding a password protected zip file as per your suggestion but it didn’t work. The other user still sees multiple encrypted files for a single original file in the shared encrypted folder, e.g., ._dec.~1f9c and ._dec.~3ce3.

Nextcloud client 3.0.3.15941 on Windows 10 64bit
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19041 N/A Build 19041

NextCloud Server
snap list nextcloud
Name Version Rev Tracking Publisher Notes
nextcloud 20.0.1snap1 24051 latest/stable nextcloud? -

Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04

If you use encrypted zip files you must share them without end-to-end-encryption.
I think you can use end-to-end-encryption for only a few folders and not all folders.

Thank you devnull.

I had thought so too, i.e., that using password-protected zip file is separate from End-to-End encryption shared folder. This is not feasible to non-technical people like HR and Finance.

The issue here is the Nextcloud website and Whitepaper say sharing End-to-End encrypted folder with other users is possible but obviously it isn’t so or hasn’t been implemented.

2 Likes

It is possible e.g. with Javascript crypto. PrivateBin and Mega use it. Nextcloud Community thinks it is not secure. I think it is not secure, too.

Example PrivateBin. You can use it also for files.
https://github.com/PrivateBin/PrivateBin

Hey there!
It should be possible to share, but new users can only see files and file versions which were added/changed after they were granted access to the folder. At least that’s what I understand from this ccc-talk:
Link to YouTube
Cheers and good luck!

Hi Kelvin

Tried your suggestion of adding changes and new files after the folder was shared. Still did not work. Still seeing multiple encrypted files in the shared encrypted folder.

The End to End Encryption App got only 1 star rating. Must be some reason for it.
Maybe it is because we have Server Side Encryption enabled? Not sure if anybody got it working?

Disabled Server Side Encryption and still didn’t work.
In any case, we need Server Side Encryption.

Thank you very much

Contrary to what @devnull says - the impression I get from jos poortvliet is that sharing should work securely without problems.
Now assuming the reason it still does not seem to work with the e2ee app is that the community believes it is impossible to make sharing sensible/secure with e2ee: All the info suggested by official resources still suggest the opposite.

What is the problem with the model presented by portflies back in 2017 which does support sharing?
Why would the whitepaper and the online resource remain unchanged in this state for years?
If there is a debate going on about whether it should be possible: Where does it happen?
Or is the Problem rather technical issues that have not yet been solved?

Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are not readable by the server.

Again, assuming that the community thinks that is is not possible to make sharing sensible/secure with e2ee - I do not see how this can be perceived as honest communication.
If anything to me this looks like a marketing division telling a straight lie in order to manipulate people that make decisions based on that public info as in End-to-end Encryption – Nextcloud.
In the end it leads to executives pointing there and then complaining to me as a developer: “but it was promised…”
This would reflect poorly upon developers and the open source community in general.

1 Like

Are you sure about this?

Lets assume you share folder F with new user U.
The way I understand poortvliet, the encrypted metadata file always contains the keys for each of the files in F.
Then the metadataKey is reencrypted against U’s public key - so afterwards U should be able to decrypt all files in the folder, including ones that had been there encrypted before and were not changed - or did I misunderstand that?

See this ongoing issue in GitHub:

Although it’s an issue about Nextcloud for Android, you will see the discussion quickly goes to E2EE folders shareability.

E2EE and server side encryption are mutually exclusive as said in the documentation. Disabling Server side encryption is very complicated and perhaps needs admin access to OS where Nextcloud Hub is installed, then will erase all your data.

When you have E2EE (if everything works well, of course), Server side encryption is almost useless. Anything E2EE remains encrypted (in an even better way) while staying on the server.