Nextcloud End to End Encryption


Nextcloud 13, about to be released, will include end-to-end encryption. We've come up with a way to encrypt files on the client without the server having any way to gain access to the plaintext, even though the server still facilitates sharing and the like. In the talk we'll explain what we wanted to achieve and how we did it; input is very much welcome, of course.

As you probably know, if you want end-to-end encryption with file sync and share right now, it is a game of compromises. You might not be able to share without giving out your passwords, or have no web interface at all, or compromise security by having browser-side encryption and decryption, or have to manage your own TrueCrypt file, use clunky third-party tools and so on.

Nextcloud designed a client-side end-to-end encryption protocol meant to protect user data from nosy system administrators or a full server security breach while limiting usability as little as possible. Of course, some functionality got lost, but we think we struck a pretty decent balance between usefulness and security. The goal of being easy to use was central because complexity leads to mistakes and mistakes lead to security breaches. We avoided users picking and sharing passwords, for example, but also Our end-to-end encryption works on a per-folder level and features easy-to-use, server-assisted but fully secure key management with Cryptographic Identity Protection, our method of securely signing and handling user certificates. Users can easily access their data on any of their devices using the clients (not via the web interface) and share securely with other users. It also offers an audit log, an optional offline admin recovery key and more features. We'll go over the design in this talk and take your feedback on it!