Implement end-to-end encryption on Nextcloud

2021-06-14 TLDR Edit: End-to-end encryption is (completely?) non-functional and buggy. It is odd that Nextcloud promotes and documents this feature so actively yet it is so non-functional, with closed, yet unresolved, bugs.

Hi, I would like to implement end-to-end encryption on my Nextcloud instance. Can you help me with this?

The deliverable is a working example of end-to-end encryption.

Edit: I would like to pay for professional support. I am not interested in writing here everything I tried and what all the issues are.


What did you try? what is the problem?

There is an e2e app. This is not without drawbacks, but it’s possible and works in general…

I tried implementing e2e encryption. Too many problems to list. Are you available for hire?

Just setup Cryptomator. It is fully documented online and then you’ll have fully open e2e. Good luck.


Yeah, I was thinking about that. I’ll try it out, but with its Alexa ranking of 700K+ I do not hold out too much hope.

It is an excellent, active project. Nothing to be afraid of. Nextcloud has actually promoted the project on their blog: Q&A: Tobias Hagemann talks about storing sensitive files in Nextcloud

I have to admit, after I tried the app one can only ask why it is there!?!? It’s nothing more than encrypted personal storage… no sharing, no integration, and a mnemonic reset needs direct edits on the SQL DB…


Hi,
I have worked with end-to-end encryption in connection with Nextcloud and it has worked out very well (not using the e2e from Nextcloud itself, though). We can achieve a group-based file encryption solution, with access from Windows, Mac, Linux as well as Android and iOS.
Please feel free to contact me, I am sure we can find a working solution.
Best,
Christian

Would you please provide the results here? I am also interested in E2E encryption and sharing a group folder.

Thank you.

I may be able to cobble something together with all the software that exists out there, but that’s not what I am interested in. It’s difficult enough maintaining a decent installation of Nextcloud alone.

But to answer your question, there are no results per se. CPichler says, “we looked finally at these two”:

  • Sophos Safeguard / Sophos Mobile
  • Boxcryptor (Secomba GmbH from Germany)

which are both proprietary.

The open source competitor of Boxcryptor, Cryptomator, does not offer multi-user features. So if you are looking for that combination of features, like I am, you are out of luck.


If I might chime in here. I think it is an OK solution to use a combination of tools to achieve the desired result.
You will end up with more work in terms of configuration for different tools, but you can also look at it from a positive perspective, as you can use the end-to-end encryption outside of the Nextcloud environment as well (local disks, USB, other hosted sharing solutions, shared network drives, etc.).
Obviously it would be great to have a “free” product that can do absolutely everything, but I believe that might never be the case.
I found this setup to work quite well across many companies.
Best,
Christian

Wanting only FLOSS myself, I set something up with cppcryptfs/gocryptfs and VeraCrypt, but it has quite some limitations:

  • I had to write some scripts for decrypting the folders, and scripts mixed with Windows scheduled tasks and Linux systemd units for unmounting.
  • I had to deploy the systemd unit and Windows scheduled task on the clients manually through TeamViewer (fortunately I only have around 10 users).
  • Users cannot share an encrypted folder themselves. I am the only one, as Nextcloud admin, who sets which folder is shared between whom and whom.

I was really hoping that Nextcloud Desktop 3.x would make things easier, but alas…

It seems that NC has a solution, but only for paying Enterprise customers. End to End Encryption - Nextcloud

Example: Two users have installed the desktop client of NC. Is it possible to give my mnemonic passphrase to another user so that they are able to decrypt the files? Or is the user name part of the decryption and not only the mnemonic passphrase?

Nope, the page you linked to (and I linked in my original post) says nothing about only paying enterprise customers receiving this feature.

You are right. NC speaks about enterprise grade and not about only for paying customers. Well, we have to wait for a version which works…

There are numerous container type encrypted filesystems…

Here’s one of many:

https://github.com/netheril96/securefs

According to the architecture diagram, the Nextcloud encrypted file space isn’t available via the web interface anyway. So, there’s not much point in worrying about fully integrated e2e. It’s probably better to manage encrypted files/directories with an external utility such as securefs or a similar application rather than rely on or wait for Nextcloud to “enable e2e”.

Multi-user encrypted filesystems are extremely resource intensive. The diagrammed Nextcloud architecture attempts to reduce the needed resources by encrypting the actual encryption keys using everyone’s own public keys. However, the metadata file will need to be decrypted and re-encrypted with each newly added public key. That decryption will need to occur on everyone’s client and then synced properly across all clients before the newly added client will function correctly.

If there’s a sensitive particular file that needs to be shared, it’s probably better just to use gpg.

It all depends on the use case, and number of clients… There are enterprise-level applications and tools for larger businesses to deal with these issues. For small groups, enterprise solutions will most likely be either too expensive or too complex.

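The metadata step described in the post above, as an added example in Go (not Nextcloud's own code or file format): a constructed, simplified metadata model where one random content key is wrapped with RSA-OAEP under each member's public key, so adding a member means an existing member must unwrap the key on their own client and re-wrap it for the newcomer. The `Metadata` type, member names and function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Metadata is a constructed, simplified model of the per-folder metadata file
// (not the real Nextcloud format): one content key, RSA-OAEP wrapped per member.
type Metadata map[string][]byte

// NewMetadata creates a folder whose only member so far is owner.
func NewMetadata(owner string, pub *rsa.PublicKey) (Metadata, error) {
	key := make([]byte, 32) // AES-256 content key; never stored in the clear
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return Metadata{owner: w}, nil
}

// Unwrap recovers the content key with one member's private key. The server
// holds no private key, so it cannot perform this step itself.
func (m Metadata) Unwrap(name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := m[name]
	if !ok {
		return nil, errors.New("no wrapped key for " + name)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

// AddMember is the step the post describes: an existing member decrypts the key
// on their client and re-encrypts it for the newcomer. Encrypted files are
// untouched; only the metadata changes and must then be synced to every client.
func (m Metadata) AddMember(by string, byPriv *rsa.PrivateKey, name string, pub *rsa.PublicKey) error {
	key, err := m.Unwrap(by, byPriv)
	if err != nil {
		return err
	}
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return err
	}
	m[name] = w
	return nil
}
```

Until the updated metadata has reached a client, that client cannot unwrap the key, which is the sync ordering problem the post points out.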