Nextcloud End-to-End-Encryption – current state and recommendations
We regularly receive inquiries regarding end-to-end encryption in Nextcloud. Unfortunately, the associated Nextcloud app is currently only usable to a limited extent and not recommended for productive operation. We provide information on the current status and possible alternatives in this post.
Current Situation
The official end-to-end encryption app was published by Nextcloud, and they maintained the project actively between 2018 and 2020. After that, only minimal changes were made. This led to many poor app-store ratings, countless pending GitHub tickets and to the fact that the app cannot be used with a current Nextcloud version.
Even if you’re able to install the app somehow, only file content – but not file names, folder names or any other data like calendar appointments – will be encrypted.
Due to those flaws, we do not support this app on our shared Nextcloud installations. You can install the app on your own private Nextcloud installation with us, even though we do not recommend this for the reasons mentioned above. Furthermore, you risk compatibility issues with each upcoming Nextcloud update, which could possibly lead to corrupted or even lost data.
Data Integrity Without End-to-End-Encryption
We do everything possible to ensure that your data is safe with us, even without end-to-end encryption. This is supported by the ISO 27001 certification for both our company and our datacenter, and additionally through our swiss-hosting label.
Whenever possible and feasible from a technical standpoint, we additionally encrypt your data on our storage level. For example, we copy your data once a day to a remote datacenter. The copy does use an encrypted connection and the backup data is stored on encrypted hard drives.
Server-Side Encryption
Frequently asked questions also pertain to server-side encryption within Nextcloud. There is a built-in Nextcloud option; this feature is tried and tested, and can be activated if needed. Since the keys are stored as a file within the same Nextcloud installation, it is primarily useful when an external, untrusted storage is integrated into one's own Nextcloud. However, if data is mostly intended to be stored locally, enabling server-side encryption with a key on the same data storage does not enhance security.
In a standard setup of your Nextcloud installation with local data storage, the activation of server-side encryption is therefore not advisable and is not recommended by us.
Alternatives
If you don't want to compromise on full end-to-end encryption, we recommend encrypting the data locally using a third-party application. One suitable software, which we use ourselves, is Cryptomator. With Cryptomator, you encrypt your data on your local device, and only protected data is then transferred to Nextcloud and stored with us. As of today, this is the only technically feasible option if you want to store your data in an encrypted way with us or any other Nextcloud provider.
Outlook
We hope that the End-to-End Encryption App will be actively developed and become reliably usable again in the future. As soon as there are new developments or insights, we will update this post accordingly.