Is it possible to share an e2ee encrypted folder?

Hi all!
Question: Is it possible to share an e2ee encrypted folder?
I can´t figure out how?
(User the newst version of the e2ee app + client 3.0.1)


1 Like

I created an account to post and read in this thread.

What I have tried:

  1. Create a folder
  2. Share it with another user from the same instance
  3. Sync on both sides
  4. Mark the folder as encrypted in the first user’s Windows’ client, then force sync.

At this stage, if I upload a file from the first user’s client, the file is not encrypted.

  1. Mark the folder as encrypted on the second user’s Android client (I only have one computer and one smartphone) => enter the second user’s 12-word mnemonic when requested by the Android client.

Now, if I try to upload a file from the second user’s Android client nothing ever reaches the online folder or the first user’s client, and I get the error:

Error    no app in context	OCA\EndToEndEncryption\Exceptions\MissingMetaDataException: Intermediate meta-data file missing

    /data/www/nextcloud542/apps/end_to_end_encryption/lib/Controller/LockingController.php - line 146:


    /data/www/nextcloud542/lib/private/AppFramework/Http/Dispatcher.php - line 170:


    /data/www/nextcloud542/lib/private/AppFramework/Http/Dispatcher.php - line 100:


    /data/www/nextcloud542/lib/private/AppFramework/App.php - line 137:


    /data/www/nextcloud542/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47:




    /data/www/nextcloud542/lib/private/Route/Router.php - line 297:


    /data/www/nextcloud542/ocs/v1.php - line 88:


    /data/www/nextcloud542/ocs/v2.php - line 24:


When trying to upload a file from the first user’s Windows’ client, I need to force sync (it won’t do it by itself), then the file arrives encrypted in the webview, which is good, but it also arrives encrypted in the second user’s Android client.

Then if I try to force sync the Android client, nothing will change in it, but shortly after, the Windows client will sync for several minutes (while the only file I put there is 800 kB) and throw the same error as pasted above.

Note: In both clients, the folder is marked as shared and encrypted.

After a lot of attempts and errors (I have found no tutorial or documentation), here is the only solution I have found to make it work (the following steps assume E2EE is enabled on Nextcloud hub and the Desktop clients are v3 or higher, correctly connected to the Nextcloud hub, and have been restarted on all clients machines after the E2EE module was enabled on Nextcloud hub):

  1. A creates a folder and force sync
  2. A shares it with B (Note: you might need to sync a second time before the sharing options are available in the context menu, if you have Nextcloud integration in the context menu), then syncs.
  3. B syncs ans therefore sees the folder shared by A in their client. B marks it as encrypted from their desktop client (A must not try to mark the folder as encrypted or its client will crash when trying to add files and sync).
  4. Then first B syncs, then A syncs so that A now sees the shared folder as encrypted (green padlock).
  5. B must be the first to put a file in the encrypted shared folder from their desktop client; that file will be immediately and automatically encrypted and uploaded by B’s desktop client, but it will never be visible in A’s client. The file must then never be removed or modified or the shared encryption will break, so B should choose a dummy file, preferably hidden. If this step is forgotten, the next step will make A’s client crash when trying to sync, and no synchronisation, file upload or file exchange will ever be possible in that folder.
  6. A puts some file in the shared encrypted folder in their desktop client, which triggers its synchronisation.
  7. B syncs, so that B should now receive the file.

From now on, anything dropped in the encrypted shared folder by either A or B through their respective desktop clients will be seen by the other. However, the dummy file that B first dropped in the folder will never be seen by A.

If ever B removes the dummy file from the folder and lets the client try to sync, it will break the encryption and no more file exchanges will be possible through that folder, even if the dummy file is recovered and put back in the folder by B

That’s a mouthful!
What are the chances the v.20 rollout will screw this up?

It (probably) just means you better have a contract with Nextcloud if you want to make use of it…

Does not work on 20.0.0 or 20.0.1. The warnings about crashing the client still apply, but there does not seem to be a way to successfully share the folders.

It works on my 20.0.4 and my 20.0.5. I have not tested earlier 20.x.

But you need desktop client 3.0.x.

Anyway, in my case, desktop 3.1.x for Windows does not even show the mnemonics on a freshly installed server with freshly enabled e2ee.

Thank you Freedim for the detailed workaround but it didn’t work for us at step 4.
“Then first B syncs, then A syncs so that A now sees the shared folder as encrypted (green padlock).”. In our case, A does not see the shared folder as encrypted.

We are using NC Snap, End-to-End Encryption 1.7.1, Default Encryption module 2.9.0 and the latest NC desktop client 3.2.2.

Thank you very much once again.

I did that with Nextcloud Hub 19 and Nextcloud Desktop 3.0 or 3.1…

Then Nextcloud Desktop developers told me in GitHub that sharing E2EE folders was not supported and that the steps that I detailed here were not supposed to work; they even marked the fact that it worked as a bug, and pledged to correct it. So with newer versions like yours, thay may have corrected the “bug” and make sure it doesn’t work anymore.

About the fact that multiple web pages in the Nextcloud galaxy mention the possibility of sharing E2EE folders whereas NC does not support it as of June 2021, there are several ongoing discussions here or in GitHub.

Sorry guys. gocryptfs/cppcryptfs and Cryptomator are your friends (for a while, I reckon).