Status End2End-Encryption in NextCloud?

According to Encryption in Nextcloud, E2E encryption is now actually (finally…) supported (even though with a “limited” feature set for now, as e.g. sharing encrypted files does not yet seem to be supported, which makes the whole feature a bit pointless for many scenarios), and requires NextCloud 19 or 20 and the most recent client application versions:

Learn more about End-to-end Encryption on our website. Note that as of August 2020, end-to-end encryption is available on the latest releases of the desktop and mobile clients. It requires Nextcloud server 19 with version 1.5.2 or version 20 with 1.6.1. Sharing between users is not yet implemented and on the roadmap for 2021.

Funny thing, considering this feature was proudly announced with NextCloud 13 (!).

Apparently, NextCloud is better at marketing than at actually implementing encryption. :wink: Even the German computer magazine iX lately ran an article on self-hosted cloud solutions which (falsely) ascribed E2E encryption support to NextCloud.

Did anyone here already try the newly announced E2E support out? (For me, testing does not make sense until sharing is also supported.)

3 Likes

Yes. But E2E-encryption and sharing is a problem. I think you need a public/private key or must share a synchron key in a secure E2E way.
With no-browser-E2E-encryption the other person needs a client, too.

@jospoortvliet :bouquet:

1 Like

Yes - but just those features are advertised since (at least) NextCloud 13 (most recent version of their white paper linked there is from September 2017) on https://nextcloud.com/endtoend/, see Section “Unique Capabilities” there:

Yes, using the clients is mandatory. However, that’s also what’s documented for their E2E encryption and would be totally fine by me:

However, the modified blog post now states that sharing is not supported at all:

…which makes the whole feature pointless for me at the moment.

When I tried to use E2E encryption with NextCloud 15 or 16 - and failed miserably - I resorted to using Cryptomator which was suggested somewhere in this thread. It works fine and offers the features I need which Nextcloud promised to offer, but didn’t.

The only drawback is that I now have to use a further tool which provides the encryption layer, and which uses a virtual file system / virtual drive on Windows to implement this, which adds some additional layers of complexity for the administrator and users.

1 Like

Cryptomator has been mentioned in other threads, too, but for me it is still unclear how this works. Would you mind clarifying?
Do the features you described as lost by using E2E work with Cryptomator?
Does every user need to install Cryptomator in his local machine?
Our Nextcloud instance is running on a Linux web server and we will have some hundred users with fluctuation every year. Most users are computer amateurs.

No - my previous statement in this regard was not clear, sorry.

If you use Cryptomator, you won’t be able to access or read the encrypted data through the NextCloud web frontend in any meaningful way.

That’s actually not even really possible, as in this case the user’s web browser would somehow have to decrypt everything on-the-fly, and the data would also need to be decrypted if you want to use server-side online editing functionality like OnlyOffice or Collabora Online/CODE, so you’d immediately lose the advantages of encryption in any case.

I don’t know your requirements, but if you want to use such features, you probably do not actually want E2E encryption.

Users who need to access the encrypted data need to synchronize the data to their local system, where it’s decrypted. In case of the E2E solution integrated into Nextcloud, this should be possible with the NextCloud client directly (but that’s just the feature which doesn’t fully work yet).

Cryptomator just replaces this step with an alternative encryption solution - it takes the encrypted data synchronized by the NextCloud client and provides an unencrypted view to it, so you can use the data with any local applications (PDF readers, MS Word, …)

Yes, together with the NextCloud client.

And also every user has to know the encryption key, so Cryptomator probably would not work for you - you’d have to trust each and every user not only to keep the password safe, but also safely destroy the keyfile she/he used.

So you won’t really have extra security compared to just revoking the user’s access to the directory.

I don’t know your threat model, but you probably need a different solution then.

I think Cryptomator and E2E together make NO sense. It is double client side encryption.

If you use Cryptomator you do not need another client side encryption.
If you use E2E in Nextcloud you do not need Cryptomator.

Yes, of course. Cryptomator is an intermediate solution until NextCloud-E2E actually works.

I was not suggesting to use both at the same time.

I tested E2E Encryption and it seems to all be working in 20.0.10 except for some fundamental problems. I demand to be able to re-lock any E2E directories, and NOT display the mnemonic passphrase right in the client for anyone to see. I don’t care what Nextcloud thinks or says in their defense for implementing it like this, it’s NOT right.

Additionally, having the E2E app enabled breaks file versioning which is a total deal breaker. If you need E2E encryption, don’t bother with Nextcloud’s attempt at it until this is completely overhauled once again.

2 Likes

I played a little with the end-to-end encryption app in NC 21.0.2 and E2EE app 1.7.1 with the stable desktop client (06.2021) and it looks like sharing is completely disabled once you encrypt a folder… the folder replicates well between different clients of the same user but there is no way to share the folder with another user… this should work by design but most likely it’s another bug now… it looks like it doesn’t work now. The web page shows it as planned per “early 2021”

My conclusion is e2e is not complete now… I would expect a much more mature solution 3y after they started working on this functionality… I suggest you choose another solution for now…

Never display mnemonic again once enabled - Desktop app Github 2443

Clarify mnemonic description and usage on client devices - e2e Github 205

Add option to hide mnemonic reminders in desktop client Desktop app Github 2671

See these issues, and please file new issues for re-locking directories if you don’t see your issue present already.

Hi,
I have seen that issues have been corrected.
But the past evaluations were very poor, and the last evaluation updates, a year ago, were neutral.

Has anybody used it on a simple configuration (1 server, no sharing between servers) with the different clients: Windows, OSX, iOS, Android?

I was very interested in this feature, but as the evaluations were very bad, I did not even try…

My main concerns are: if I install it,
1- Will it possibly block other users not using it?
2- Does it have effects on unencrypted file trees?

Thanks in advance to any other testers for any answer…

Note : [Nextcloud] 21.0.x, or 22.x
Regards.

1 Like

Only people with the client credentials will be able to unencrypt the files. Everyone else will be unable to decrypt the files.

No, it doesn’t.

Sorry for the double post, I did not know where to post.

Before posting, I did look at their repository but the following are frightening :slight_smile:

  • File Versioning for Non-Encrypted Files #247

  • No connection to nextcloud from my Nextcloud-Desktop when plugin End to End Encryption is enabled #211

  • Error handling folders via Mac OS Finder after E2EE successful enablement #210

  • stuck with an encrypted folder #197

This was the reason for my initial post.
Moreover there were some posts in the help/forum much more frightening.

When I did ask “will it possibly block other users not using it?” I was asking whether, if I did activate the feature, other users not using it would be impacted. Not if they could read the encrypted part.

In the end, what is missing as info in all this is how much testing was done recently with success on this feature?
This is why I tried to get an evaluation from users having used the feature by posting here.
As for other developments, we need to test, and the test results from a lot of people are not clear here.

I thank the guys developing the feature for their efforts.
I hope they will solve the issues, they seem to be working on that.

This feature is a great idea.
But I fear that the past evaluations were very bad, and that will stop people from testing, and if I am alone to do so, it will not be enough…

Thanks to you and the developers for the feature.
In the hope to help.

Maybe if you people are testing the feature and do not have issues, please post a like in the web evaluation.

At least if you have tested it without impact on unencrypted folders and with no sync issues on unencrypted folders, please post some positive/neutral eval on https://apps.nextcloud.com/apps/end_to_end_encryption.

That state is exactly what you see in the issues list. If that doesn’t work for you I say don’t rely on it. :+1:

If you are worried about version bugs and missing features, trust your instincts and subscribe to these GitHub issues so you’ll receive updates as they are eventually addressed. No doubt it will need time and we are both random people who don’t want to lose our data in the meantime.