
Enable End-to-End Encryption Between Nextcloud and Your Desktop Client

5 Jan 2021 6:00am, by

Nextcloud has become my go-to private cloud server. I sync data from various devices and use it like my personal Google Drive. I use it mostly for storage and backup, and I use the built-in document editors on occasion. With this platform I can do nearly anything I need, without having to rely on a third party to keep my data from prying eyes.

Nextcloud can be hosted on your favorite cloud service provider (such as AWS, Google Cloud, Rackspace, or Linode), or you can host it on your own server. Either way, you’ll find it ticks all the boxes for a private cloud solution.

The current release is 20.0.4. Starting back with Nextcloud 19, it was possible to add a layer of encryption between the server and the client app (either desktop or Android/iOS mobile). Unfortunately, this feature isn’t enabled out of the box, and you do have to jump through a few hoops to make it happen. It’s not difficult, but will take you a few minutes to get up and running.

I’m going to show you how to do just that.

What the Nextcloud E2E Encryption Does

The way Nextcloud approaches this encryption is pretty fascinating. Effectively, once enabled, an encrypted file or folder is only accessible on either the mobile app or desktop client and not on the server. Because of that, the only way someone would be able to view a file would be from your phone or desktop. Should an attacker access your Nextcloud server, they wouldn’t be able to view the encrypted files/folders. Plus, any data you move back and forth across the Internet will be encrypted as well.

It’s a neat trick that works really well.

Let’s make it happen.

Requirements

In order to get end-to-end encryption working, you’ll need the following:

  • A running instance of Nextcloud (version 19 or newer).
  • Either the desktop or mobile app.
  • A user with sudo privileges.

I’ll be demonstrating with Nextcloud installed on Ubuntu Server (version 20.04) and the desktop client running on Pop!_OS.

Step 1: Enable Encryption in Nextcloud

The first thing to do is to enable encryption in Nextcloud. Log into Nextcloud with an admin account, click your profile icon, and click Settings. In the Settings window, locate and click Security in the left sidebar. In the resulting window, check the box for Server-side encryption (Figure 1).

You will be warned of the following:

  • Once encryption is enabled, all files uploaded to the server from that point forward will be encrypted at rest on the server. It will only be possible to disable encryption at a later date if the active encryption module supports that function, and all pre-conditions (e.g. setting a recovery key) are met.
  • Encryption alone does not guarantee the security of the system. Please see the documentation for more information about how the encryption app works, and the supported use cases.
  • Be aware that encryption always increases the file size.
  • It is always good to create regular backups of your data, in case of encryption make sure to back up the encryption keys along with your data.

Click Enable encryption below the warning.

Next, we need to install and enable the encryption module. Click on your profile icon again and this time click Apps. Type encryption in the search bar and, when the entry for End-to-End Encryption appears, click the associated Download and Enable button (Figure 2).

Figure 2: Installing and enabling the End-To-End Encryption app for Nextcloud.

Step 2: Enabling HTTPS

How you take care of this next step will depend on your needs. Since I use Nextcloud as a private, LAN-only instance, I don’t need to go the full HTTPS certificate route. Instead, I simply enable the SSL module for Apache, so I can make use of the end-to-end encryption feature. If you need to go the full-blown SSL HTTPS route, you’ll need to acquire your certificates, load them onto your server, and point the Apache Nextcloud configuration file to those certificates.

Or, to make it even easier, you could:

  1. Install Nextcloud via snap.
  2. Install SSL support using the nextcloud.enable-https lets-encrypt command.
  3. Follow the prompts.

The above only works when installing Nextcloud via snap. It’s the simplest and fastest route to getting Nextcloud up and running and certainly the easiest way of getting SSL support rolled into the platform.

For the sake of simplicity, let’s go the easy route for this.

Log into your Nextcloud server (via SSH) and run the following commands to enable SSL:

sudo a2enmod ssl

sudo a2ensite default-ssl.conf

sudo systemctl restart apache2

You should now be able to access Nextcloud using HTTPS, so point your browser to https://SERVER/nextcloud (where SERVER is the IP address of the hosting server).
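On Ubuntu, default-ssl.conf points Apache at the self-signed "snakeoil" certificate, so clients will warn about it until you trust it or replace it. The shell functions below are an added example, not part of the original article; they assume the openssl CLI is installed. They fetch the certificate a server presents, classify it, and print its fingerprint so you can compare it out of band. The demo runs on a constructed throwaway certificate with a hypothetical name.

```shell
#!/bin/sh
# Added example: inspect the certificate Apache serves after Step 2.
# Usage against your own server (SERVER as in the article):
#   fetch_cert SERVER > served.pem && classify_cert served.pem

# Fetch the leaf certificate presented by HOST:PORT and print it as PEM.
fetch_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Classify a PEM certificate file; prints one word:
#   self-signed  subject equals issuer (no CA vouches for the key)
#   expired      issued by another party but past its notAfter date
#   ca-issued    issued by another party and still valid
classify_cert() {
    pem=$1
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        echo self-signed
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo expired
    else
        echo ca-issued
    fi
}

# SHA-256 fingerprint, to compare with the value read on the server itself
# before accepting a self-signed certificate in the client.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo on a constructed throwaway certificate (not a real server's).
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=nextcloud.lan" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    classify_cert "$tmp/cert.pem"
    cert_fingerprint "$tmp/cert.pem"
    rm -rf "$tmp"
}
demo
```

If the fingerprint shown by the desktop client's certificate prompt matches the one computed on the server, you are talking to your own Apache instance and not to something in between.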

Step 3: Enable Encryption on the Client

You’re now ready to enable encryption on the client. Open the Nextcloud app on your desktop. If you’ve not already connected the client to your server, do so now. When you’ve made the connection to a Nextcloud server that supports E2E encryption, you’ll see the support listed in the application (Figure 3).

Figure 3: Our connection supports end-to-end encryption.

Click the Display mnemonic button to reveal your encryption mnemonic, which will be 12 random words. Copy that mnemonic down, as you will need it to add more devices to your account (should you need to do so).

Step 4: Encrypt a Folder

Now we can encrypt a folder. Nextcloud has a nice safety feature built-in and only allows you to encrypt empty folders (that way you don’t run the risk of losing data). To encrypt a folder, right-click the entry in the desktop client app and click Encrypt (Figure 4).

Figure 4: Encrypting my New Stack folder on Nextcloud.

That’s it. The folder in question is now encrypted. If you view the folder listing in a browser, you’ll notice the icon has a lock (Figure 5), which indicates it’s encrypted.

Figure 5: My New Stack folder is encrypted.

The one caveat to this is that you can now only work with that encrypted folder from either the desktop or the mobile application. If you attempt to create or upload a new file from the web browser, you’ll find you don’t have permission to do so. And when you do add new files and folders to the encrypted parent folder, they’ll be listed as encrypted in the web browser, so you can’t even view them (unless you work from the desktop or mobile client).

The Nextcloud end-to-end encryption is a great feature to add to your private cloud, especially if it houses data of a sensitive nature. Give it a go and see if you don’t wind up encrypting most of the directories that can be used via a desktop or mobile application.

Feature image by Maxim Zhgulev on Unsplash.
