Nextcloud: Server-Side and End-to-End Encryption

Nextcloud offers three layers of encryption: transport encryption (TLS), Server-Side Encryption (SSE) and End-to-End Encryption (E2EE). Which one fits when, and what we run at Linuxfabrik.

Transport encryption (TLS)

Protects against eavesdropping on the wire. Does not protect against compromised devices or servers. Mandatory for any Nextcloud installation.

Server-Side Encryption (SSE)

Optional. Each file is encrypted with a unique key before storage: either with a master key (default, for performance and feature reasons) or with a per-user key. SSE encrypts file contents only, not filenames or folder structure.

SSE was originally introduced to safely connect external storage like Dropbox: Nextcloud then ensures that data stored off-site lands encrypted.

Where the keys live

The master key (technically a password used to decrypt the files) is encrypted with the secret in config.php and stored in the Nextcloud data directory. It can be recovered in a disaster scenario.

Per-user keys live in each user's data directory and are encrypted with the user's password. With per-user keys enabled, online office (Collabora, OnlyOffice) cannot work because the server-side process cannot decrypt the file without the user session.

When SSE makes sense

  • External storage is in use and data lands off-site.
  • The data directory does not live on the same machine as Nextcloud itself.

When SSE adds little

If the data directory is on the same machine as Nextcloud, the protection is minimal: the key ends up next to the data. To hide content from the server operator, E2EE is the right tool, not SSE.
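The key hierarchy described above (config.php secret protects the master key, the master key protects a unique per-file key, the per-file key protects the file) can be modelled in a few dozen lines. The following is an added example, not Nextcloud's code: it uses a toy encrypt-then-MAC construction from the Python standard library (HMAC-SHA256 keystream plus HMAC tag) in place of Nextcloud's AES-based format, the PBKDF2 salt and the data-directory path names are assumptions, and only the hierarchy and its consequence are faithful. `recover()` shows both cases from the text: a copy of the data directory alone yields nothing, a copy of the data directory together with config.php yields everything.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Illustrative key hierarchy only: the cipher below is a stand-in, not Nextcloud's.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one wrapping key."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError on a wrong key or a tampered blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_kek(config_secret: str) -> bytes:
    """Key-encryption key from config.php's 'secret' (PBKDF2; the salt is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", config_secret.encode(), b"master-key-kek", 100_000)


# Path names inside the simulated data directory are illustrative, not Nextcloud's layout.
MASTER_KEY_PATH = "files_encryption/master.privateKey"


def setup_instance(config_secret: str) -> Dict[str, bytes]:
    """Create a fresh master key and store it wrapped in a simulated data directory."""
    master_key = secrets.token_bytes(32)
    return {MASTER_KEY_PATH: wrap(derive_kek(config_secret), master_key)}


def store_file(data_dir: Dict[str, bytes], config_secret: str, name: str, content: bytes) -> None:
    """Server-side write: a unique per-file key, itself wrapped with the master key."""
    master_key = unwrap(derive_kek(config_secret), data_dir[MASTER_KEY_PATH])
    file_key = secrets.token_bytes(32)
    data_dir[f"files/{name}"] = wrap(file_key, content)
    data_dir[f"files_encryption/keys/{name}.filekey"] = wrap(master_key, file_key)


def recover(data_dir: Dict[str, bytes], name: str, config_secret: Optional[str] = None) -> Optional[bytes]:
    """What a holder of the data directory can read.

    - Off-site copy of the data directory only (config_secret=None): nothing;
      this is the external-storage case SSE was introduced for.
    - Data directory plus config.php from the same host: everything; this is
      why SSE adds little when both live on one machine.
    """
    if config_secret is None:
        return None
    try:
        master_key = unwrap(derive_kek(config_secret), data_dir[MASTER_KEY_PATH])
        file_key = unwrap(master_key, data_dir[f"files_encryption/keys/{name}.filekey"])
        return unwrap(file_key, data_dir[f"files/{name}"])
    except (ValueError, KeyError):
        return None


if __name__ == "__main__":
    dd = setup_instance("s3cr3t-from-config-php")   # constructed secret
    store_file(dd, "s3cr3t-from-config-php", "notes.txt", b"quarterly numbers")
    print("data dir only:", recover(dd, "notes.txt"))
    print("data dir + config.php:", recover(dd, "notes.txt", "s3cr3t-from-config-php"))
```

The practical reading: an off-site backup of the data directory is safe to hand to a third party, but a backup that bundles config.php with it is as sensitive as the plaintext.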

End-to-End Encryption (E2EE)

The strongest protection for user data. The server never has access to keys or unencrypted files. The sync client encrypts the data before upload, but only inside the E2E-marked folder (not its subfolders).

Functional limitations

Inside E2EE folders, the following stop working:

  • Web interface access (the sync client becomes mandatory).
  • Public shares and group shares.
  • Server-side search and previews.
  • Server-side trash and versioning.
  • Online office collaboration.

The search index doesn't know the content because the server simply doesn't see it. E2E can be enabled for one or many folders: their content is fully hidden from the server, including filenames and directory structure.

Mnemonic passphrase

To sync folders across multiple devices, users need a mnemonic passphrase, generated by the first device when E2EE is enabled: 12 random English words (BIP39-style wordlist, generated with WordList::getRandomWords(12) in the desktop client).

  • The passphrase encrypts the private key on the server. Lose it, lose the data: no admin in the world can recover it.
  • Note it down and keep it in a password manager.
  • The client can show the passphrase again on demand.
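As an added illustration of the passphrase model (this is not the desktop client's WordList code, and the 16-word list embedded here is a constructed stand-in for a full BIP39-style English list), the block below samples 12 words with a CSPRNG, quantifies why nobody can recover a lost passphrase by guessing, and validates a passphrase typed on a second device so that a transcription error is not mistaken for lost data.

```python
import math
import secrets
from typing import List, Tuple

# Constructed stand-in (first 16 words of the BIP39 English list); the real
# client draws from the full list.
DEMO_WORDLIST = [
    "abandon", "ability", "able", "about", "above", "absent", "absorb", "abstract",
    "absurd", "abuse", "access", "accident", "account", "accuse", "achieve", "acid",
]
BIP39_LIST_SIZE = 2048   # size of the standard BIP39 English list
MNEMONIC_WORDS = 12


def generate_mnemonic(wordlist: List[str], n: int = MNEMONIC_WORDS) -> str:
    """Sample n words with the secrets module (CSPRNG), never with random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n))


def entropy_bits(wordlist_size: int, n: int = MNEMONIC_WORDS) -> float:
    """Search space of an n-word passphrase drawn with replacement from the list."""
    return n * math.log2(wordlist_size)


def years_to_exhaust(wordlist_size: int, guesses_per_second: float, n: int = MNEMONIC_WORDS) -> float:
    """Worst-case time to try every passphrase offline at the given guess rate."""
    return wordlist_size ** n / guesses_per_second / (365 * 24 * 3600)


def normalize_mnemonic(text: str) -> str:
    """Lower-case and collapse whitespace: what a paste from a password manager needs."""
    return " ".join(text.lower().split())


def validate_mnemonic(text: str, wordlist: List[str]) -> Tuple[bool, List[str]]:
    """Check a typed passphrase before concluding the private key (and the data) is lost.

    Wrong word count and words that are not on the list are the usual
    transcription errors; the problems list tells the user which one it is.
    """
    words = normalize_mnemonic(text).split()
    problems: List[str] = []
    if len(words) != MNEMONIC_WORDS:
        problems.append(f"expected {MNEMONIC_WORDS} words, got {len(words)}")
    known = set(wordlist)
    for pos, word in enumerate(words, start=1):
        if word not in known:
            problems.append(f"word {pos} ({word!r}) is not in the wordlist")
    return (not problems, problems)


if __name__ == "__main__":
    mnemonic = generate_mnemonic(DEMO_WORDLIST)
    print("generated:", mnemonic)
    print("bits with a 2048-word list:", entropy_bits(BIP39_LIST_SIZE))
    print("years at 1e9 guesses/s:", f"{years_to_exhaust(BIP39_LIST_SIZE, 1e9):.2e}")
    print("validation:", validate_mnemonic(mnemonic, DEMO_WORDLIST))
```

With the full 2048-word list, 12 words give 132 bits, which is why the text's "no admin in the world can recover it" is a statement about mathematics rather than about policy.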

How to encrypt a folder

  • Install or update the Nextcloud client.
  • Reconnect the client to the server; a dialog with the mnemonic passphrase appears: write it down.
  • Create a new, empty folder in the local Nextcloud directory.
  • In the client, right-click the folder and choose "Encrypt".

Files dropped into that folder will only be uploaded encrypted from now on. Any number of folders can be encrypted.

SSE and E2EE at the same time?

Running SSE with per-user encrypted directories together with E2EE is technically possible but unsupported and leads to problems.

What is not encrypted

Whatever method is in use, only files are encrypted. Calendars, to-do lists and other DAV-based data are not encrypted, because the CalDAV ecosystem lacks clients that support it.

What we run at Linuxfabrik

We leave the decision to the on-site server administrator.

We can help

Need help with the encryption strategy of your Nextcloud? Have a look at our Service & Support plans and get in touch.
