Status End2End-Encryption in NextCloud?

Well, in a sense it already is - the E2E app is described as

End-to-end encryption is still in alpha state, don’t use this in production and only with test data!

The only thing is that it’s rather unfortunate that it still is like that. :frowning:

And maybe the proud ad for E2EE at Nextcloud features that put you in control should be taken down until E2EE actually is a usable feature… :wink:

4 Likes

You don’t have your data once in encrypted and once in unencrypted form - you only have it in encrypted form, and it only looks as if it would also be available in unencrypted form. Actually it’s encrypted and decrypted on demand during usage. The “unencrypted files” you’re seeing are just a virtual view of the data which does not actually exist on disk.

That’s the difference to an encrypted 7zip file - there you actually have to store the data in unencrypted form, have to zip/encrypt it locally in one big 7z file and then to upload it somewhere else.

OTOH that’s also not what Cryptomator does, so if you want just that, duplicity may be the tool for you. However AFAIK it does not sync data dynamically, which you would get with Cryptomator and the NextCloud Sync client.

E2EE is developed here:

I think if you find the bug which can be reproduced consistently, you should not hesitate to report it there like I did: https://github.com/nextcloud/end_to_end_encryption/issues/105 The repository is quiet and, based on the commit history, it hasn’t been actively developed for a while (most of the recent commits are translation updates).

RFC is available here: https://github.com/nextcloud/end_to_end_encryption_rfc/blob/master/RFC.md

“Testing” can mean a lot, as can “alpha”, since everyone in open source knows a product in “alpha state” which is quite stable and used. The fact that the E2EE feature is mentioned in every second product presentation doesn’t help to show that alpha in this case means that even proper encryption can not be assured. I just saw a product presentation where Frank Karlitschek mentioned E2EE without any further comment on a (very) buggy alpha state.

I really like Nextcloud and the people behind it, but policies to advertise half-baked products don’t help to build a reputation for stability; especially since this happens quite often. Does anyone remember the guest functionality that was advertised but never delivered? Or the many problems with the groupfolder implementation? The latter was used by a bigger NGO in which I volunteer and led to loud criticism by users, some of whom loudly wanted us to migrate to a “more professional product” (not my words) like Office365 or Google.

3 Likes

There is another place where E2EE problems are reported: https://github.com/nextcloud/desktop/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+label%3A"feature%3A+%3Alock%3A+end+to+end+encryption". Where should I report?

Is E2EE in NextCloud actually usable nowadays, or still not yet?

No. If you have only one folder it seems to work with the current server/client/app combination. But finding out that it is still more something in development will cost you some time. If you need it now - look for something else. If you can wait: it will be the thing that is needed for cloud sync!

Does the standard desktop client build version 2.5.2 have E2EE enabled and in a usable state?

It would be nice to see it working. Be aware that E2E is only an add-on to Nextcloud and not the standard way of transferring data.

Will I risk anything concerning my unencrypted data which already resides on the server (and shall stay unencrypted)?
Besides some other bugs, I have not seen problems with data other than that in encrypted folders. But as E2E seems more experimental than established, I would take care of the data you want to sync :wink:

I agree with all of you that there will be some disappointments if you find out that E2E is not really as usable as it is advertised… I’m not looking for the next big new server version with new features - I want the featured features working stably in everyday life. :wink: As it is only an app, we don’t have to expect it to be the main focus when it comes to new releases?!

2 Likes

Hey,
Does anybody know how to contact the webmaster, or what to do to temporarily take down/change the mentioned website https://nextcloud.com/endtoend/ ?

I think we lose a lot of trust if people try nextcloud because of this page, only to find out that it does not work as advertised, or even just to find out that is still alpha and should not be used in production.

1 Like

Hi there,

The website is maintained here: https://github.com/nextcloud/documentation

The source of the page is this one: https://github.com/nextcloud/nextcloud.com/blob/master/page-endtoend.php

You would want to create an issue there to discuss the necessity of the change.

Thank you.

Does anybody have time to open this issue?

1 Like

Does anyone have experience with “duplicati”

take rclone (rclone.org).

Highly tested and rock solid even when uploading TB-sized files to the cloud.

I do intensively use duplicity, which is like the command line (step) mother of duplicati.

It is really mighty and works so smooth. You just need to invest some time to understand how to use it.

I love it: 5/5

According to Encryption in Nextcloud, E2E encryption is now actually (finally…) supported (even though with a “limited” feature set for now, as e.g. sharing encrypted files does not yet seem to be supported, which makes the whole feature a bit pointless for many scenarios), and requires NextCloud 19 or 20 and the most recent client application versions:

Learn more about End-to-end Encryption on our website. Note that as of August 2020, end-to-end encryption is available on the latest releases of the desktop and mobile clients. It requires Nextcloud server 19 with version 1.5.2 or version 20 with 1.6.1. Sharing between users is not yet implemented and on the roadmap for 2021.

Funny thing, considering this feature was proudly announced with NextCloud 13 (!).

Apparently, NextCloud is better at marketing than with actually implementing encryption. :wink: Even the German computer magazine iX lately ran an article on self-hosted cloud solutions which (falsely) ascribed E2E encryption support to NextCloud.

Did anyone here already try the newly announced E2E support out? (For me, testing does not make sense until sharing is also supported.)

2 Likes

Yes. But E2E encryption and sharing is a problem. I think you need public/private keys or must share a symmetric key in a secure E2E way.
With no-browser E2E encryption the other person needs a client, too.

@jospoortvliet :bouquet:

1 Like

Yes - but just those features are advertised since (at least) NextCloud 13 (most recent version of their white paper linked there is from September 2017) on https://nextcloud.com/endtoend/, see Section “Unique Capabilities” there:

Yes, using the clients is mandatory. However, that’s also what’s documented for their E2E encryption and would be totally fine by me:

However, the modified blog post now states that sharing is not supported at all:

…which makes the whole feature pointless for me at the moment.

When I tried to use E2E encryption with NextCloud 15 or 16 - and failed miserably - I resorted to using Cryptomator which was suggested somewhere in this thread. It works fine and offers the features I need which Nextcloud promised to offer, but didn’t.

The only drawback is that I now have to use a further tool which provides the encryption layer, and which uses a virtual file system / virtual drive on Windows to implement this, which adds some additional layers of complexity for the administrator and users.

1 Like

Cryptomator has been mentioned in other threads, too, but for me it is still unclear how this works. Would you mind clarifying?
Do the features you described as lost by using E2E work with Cryptomator?
Does every user need to install Cryptomator on his local machine?
Our Nextcloud instance is running on a Linux web server and we will have some hundred users with fluctuation every year. Most users are computer amateurs.

No - my previous statement was not clear in this regard, sorry.

If you use Cryptomator, you won’t be able to access or read the encrypted data through the NextCloud web frontend in any meaningful way.

That’s actually not even really possible, as in this case the user’s web browser would somehow have to decrypt everything on-the-fly, and the data would also need to be decrypted if you want to use server-side online editing functionality like OnlyOffice or Collabora Online/CODE, so you’d immediately lose the advantages of encryption in any case.

I don’t know your requirements, but if you want to use such features, you probably do not actually want E2E encryption.

Users who need to access the encrypted data need to synchronize the data to their local system, where it’s decrypted. In case of the E2E solution integrated into Nextcloud, this should be possible with the NextCloud client directly (but that’s just the feature which doesn’t fully work yet).

Cryptomator just replaces this step with an alternative encryption solution - it takes the encrypted data synchronized by the NextCloud client and provides an unencrypted view of it, so you can use the data with any local applications (PDF readers, MS Word, …).

Yes, together with the NextCloud client.

And also every user has to know the encryption key, so Cryptomator probably would not work for you - you’d have to trust each and every user not only to keep the password safe, but also safely destroy the keyfile she/he used.

So you won’t really have extra security compared to just revoking the user’s access to the directory.

I don’t know your threat model, but you probably need a different solution then.

I think Cryptomator and E2E together make NO sense. It is double client-side encryption.

If you use Cryptomator you do not need another client side encryption.
If you use E2E in Nextcloud you do not need Cryptomator.

Yes, of course. Cryptomator is an intermediate solution until NextCloud-E2E actually works.

I was not suggesting to use both at the same time.