I have been using Nextcloud on and off since its inception. Sadly, most of the features don’t even work, or not well, or they get discontinued, or they only have community support.
My setup is server-side encryption with per-user keys. I pray to all gods that this feature will not be discontinued. However, I do not know which apps support server-side encryption. Any recommendations?
Apps that work with server-side encryption
- The notes app (file names/note titles still visible)
- The external storage app (file names unencrypted)
- The activity app stores all activity, including file names, which are not encrypted by SSE anyway. However, to prevent the file names of all files that ever existed from remaining on the server indefinitely, I would use the “activity_expire_days” setting in the config.
- File sharing
- Text
- PDF Viewer
- Talk/Spreed seems to encrypt the files that are saved from the chat. I don’t know where the file is stored before you save it from the chat, but it can be deleted. The conversations are stored in plain text in oc_comments, although they can be deleted (be careful not to delete the conversation itself if you want to keep it open; only delete the chat log). The calls probably aren’t saved. Chats about shared files can be disabled in the admin settings. So I’d say this app is fairly usable, as long as you only make calls and don’t chat much, perhaps share files (unsure).
- viewer (the app that opens when you click a photo) loads the full image, no unencrypted preview/thumbnail required
- ClamAV antivirus might work when uploading files (obviously not the background scan). I haven’t tried it.
Apps that can be “made encrypted”
- Calendar and contacts are encryptable with a third-party app (e.g. EteSync), or use DecSync on Android, which uses files to store contacts, then sync them with the Nextcloud app
Apps that don’t work with server-side encryption
- The email app seems to scramble the IMAP password in oc_mail_accounts, but it does not encrypt the password with the user key, does it? The emails are stored in plain text in oc_mail_messages.
- The photos app requires previews/thumbnails to be useful, but they are stored unencrypted in /data/appdata_33333/preview/. Disable them with ‘enable_previews’ => false in the config. Then there also won’t be any thumbnails in the file browser (including grid view).
Known “problems” with apps
- The external storage app does not perform super well when syncing with clients (Backblaze B2, IDrive e2, Koofr WebDAV). It is more of a file storage solution for uploading/storing files once, and not good for syncing to clients. Otherwise, you will run into timeout errors, decryption errors, and duplicate file errors, because the server gets confused. (Any experiences with setups that work?)
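
An added example, not part of the original post: one way to check on disk which files an app actually left unencrypted (previews, for instance) is to walk the data directory and look for the server-side encryption header. It assumes files written by the default encryption module begin with `HBEGIN:`; the function names and the sample layout are made up for the demonstration.

```python
import os
import tempfile

# Assumption: the default encryption module writes a header that starts with
# "HBEGIN:" at the top of every file it encrypts; older legacy-format files
# may lack it, so treat "no header" as "needs a look", not proof of plaintext.
SSE_MAGIC = b"HBEGIN:"

def audit_data_dir(data_dir):
    """Return (with_header, without_header) as sorted relative paths."""
    with_header, without_header = [], []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(SSE_MAGIC))
            except OSError:
                continue  # unreadable entry: skip instead of misreporting it
            rel = os.path.relpath(path, data_dir)
            (with_header if head == SSE_MAGIC else without_header).append(rel)
    return sorted(with_header), sorted(without_header)

def build_sample(base):
    """Write a constructed sample layout (not taken from a real server)."""
    samples = {
        ("alice", "files", "Notes", "todo.md"):
            b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:HEND" + b"\x8f" * 32,
        ("appdata_example", "preview", "1", "256-256.jpg"):
            b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG magic: stored as-is
    }
    for parts, content in samples.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        enc, plain = audit_data_dir(tmp)
        print("with SSE header:   ", enc)
        print("without SSE header:", plain)
```

Pointing `audit_data_dir` at a copy of a real data directory after enabling or disabling an app shows what that app wrote without the header; database tables such as oc_comments or oc_mail_messages are outside its reach.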