Security is key for Nextcloud users.
To protect your data, Nextcloud is designed with military-grade encryption and a large number of advanced security protections. To support the admin, automated checks warn of security problems.
We make securing your system as easy as possible
Automated checks and tips
Nextcloud detects issues with its installation and warns when it finds unknown or modified files. Administrators can find security tips and warnings in the configuration screen.
Administrators can set password quality policies enforced by Nextcloud as well as limit or disable sharing, enforce expiration dates and passwords on shares, disable preview generation and more.
You can find more information on hardening your Nextcloud installation in our extensive hardening guide
We provide the Nextcloud Security Scanner to check the security of your private cloud server.
Employ encryption for the highest degree of privacy and security
Encrypted data transfer
Nextcloud employs industry-standard TLS to encrypt data in transfer. Usage of Object Storage like Amazon S3 or other external storage systems can be secured through Server Side Encryption.
Encrypt data at rest
Server Side Encryption can also be used on local storage. However, inherent to the concept of server side encryption, encryption keys will be present in the memory of the Nextcloud server while a user is logged in and could be retrieved by a determined attacker. We take care to ensure keys are not stored unencrypted on permanent storage and that, at rest, keys are encrypted using a strong cipher.
Encrypt from client to client
End-to-end Encryption client-side is available from Nextcloud 13 and newer as a folder-level option to keep extremely sensitive data fully secure even in case of a full server breach. The server facilitates key exchange for syncing between devices and sharing but has Zero Knowledge, that is, never has access to any of the data or keys in unencrypted form. Learn more here.
Threat models and attack trees
There are a number of important decisions to be made about encryption in Nextcloud. The various solutions come with advantages and downsides. Read our blog linked below to find out more about the properties of each solution.
Server-side encryption with flexible key handling
Nextcloud supports pluggable encryption key handling. If you have an external key server or Hardware Security Module, these can be made to work with Nextcloud.
Our default encryption key handling enables administrators to set a system-wide recovery key for encrypted files. This ensures that, even when users lose their password, files can always be decrypted. Encrypted files can be shared, but after changing encryption settings, shares will have to be re-shared. Using our command line tools, data can be encrypted, decrypted or re-encrypted when needed.
If you face a regulatory or compliance need to encrypt data at rest but do not need to actually secure this data, locally encrypting data using our built in key management may satisfy compliance requirements.
Learn how to use server side encryption in our documentation
Seamless End-to-end Encryption on the clients
Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are never readable by the server.
This solution is easy to use yet extremely secure thanks to its Zero-Knowledge server design and Cryptographic Identity Protection. It does not compromise security by using a browser to encrypt or decrypt files with code coming from the server and is not an all-or-nothing affair: any number of folders can be end-to-end encrypted. Sharing is secure without a need to exchange passwords and files don't need to be re-encrypted and re-uploaded when access rights for other users are changed.
Our solution is enterprise ready with support for a Hardware Security Module for issuing certificates, giving access to a full audit log and optionally allowing administrators to create an offline master recovery key.
Learn about End-to-end Encryption in our clients on this page.
Besides active security measures like authentication and encryption, Nextcloud protects your data without any need for administrator action
Brute Force Protection
Brute Force Protection logs invalid login attempts and slows down multiple attempts from a single IP address (or IPv6 range). This feature is enabled by default and protects against an attacker who tries to guess the password of one or more users.
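The per-address (or per-IPv6-range) slowdown described above, as an added Python example; it is not Nextcloud's code. The /64 prefix length, the delay schedule, the time window and the names `throttle_key` and `LoginThrottle` are assumptions made for illustration.

```python
import ipaddress

IPV6_PREFIX = 64     # assumption: one /64 is treated as a single client
BASE_DELAY = 0.25    # assumption: seconds of delay after the first failure
MAX_DELAY = 25.0     # assumption: upper bound on the delay
WINDOW = 1800        # assumption: failures older than this (seconds) are ignored


def throttle_key(remote_addr):
    """Map a client address to the bucket its failed logins are counted in."""
    ip = ipaddress.ip_address(remote_addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:a.b.c.d is really an IPv4 client
    if ip.version == 4:
        return str(ip)
    # One host can rotate through every address of its IPv6 prefix,
    # so failures are counted per range rather than per address.
    return str(ipaddress.ip_network(f"{ip}/{IPV6_PREFIX}", strict=False))


class LoginThrottle:
    def __init__(self):
        self.failures = {}           # bucket -> timestamps of failed logins

    def record_failure(self, remote_addr, now):
        self.failures.setdefault(throttle_key(remote_addr), []).append(now)

    def delay_for(self, remote_addr, now):
        """Seconds to hold the next login attempt from this address."""
        key = throttle_key(remote_addr)
        recent = [t for t in self.failures.get(key, []) if now - t < WINDOW]
        self.failures[key] = recent  # drop expired entries
        if not recent:
            return 0.0
        return min(BASE_DELAY * 2 ** (len(recent) - 1), MAX_DELAY)


def demo():
    """Constructed input: three failures from different addresses in one /64."""
    t = LoginThrottle()
    sources = ["2001:db8:1:2::a", "2001:db8:1:2::b", "2001:db8:1:2::c"]
    for second, addr in enumerate(sources):
        t.record_failure(addr, now=second)
    same_range = t.delay_for("2001:db8:1:2::ffff", now=3)
    other_range = t.delay_for("2001:db8:1:3::a", now=3)
    return same_range, other_range
```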
Password reset tokens are invalidated when critical information like user email has been changed to protect against phishing attacks.
Nextcloud will ask system administrators for password confirmation on security critical actions.
Rate Limiting allows a developer to specify how often an IP range or a user may send a request in a specific time period. This can be useful for expensive API calls, to prevent users from accessing too much data in a short period of time, or to harden further against brute-force attempts. It is used by Nextcloud apps to protect users from spam and overloading.
Nextcloud employs a wide variety of extra security hardening capabilities, including:
CSP 3.0 is the latest, most strict version of the standard, increasing the barrier for attackers to exploit a Cross-Site Scripting vulnerability.
Same-Site cookies are a security measure supported by modern browsers that prevent CSRF vulnerabilities and protect your privacy further. Nextcloud requires the same-site cookies to be present on every request and enforces this within the request middleware.
We add the __Host prefix to the cookie (if supported by browser and server). This mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain.
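A check an administrator could run over captured `Set-Cookie` response headers to confirm the two cookie protections described above, as an added Python example that is not part of Nextcloud. It applies the browser rules for the `__Host-` prefix (Secure set, `Path=/`, no `Domain` attribute); the cookie names and header values are constructed samples and `audit_cookie` is a hypothetical helper.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header_value):
    """Return a list of findings; an empty list means both protections are in place."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict")
    if name.startswith("__Host-"):
        # Browsers reject a __Host- cookie unless all three conditions hold.
        if "secure" not in attrs:
            findings.append("__Host- cookie must set Secure")
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
    else:
        findings.append("name lacks the __Host- prefix")
    return findings


# Constructed sample headers, not captured from a real server.
SAMPLES = {
    "good": "__Host-session=abc; Path=/; Secure; HttpOnly; "
            "Expires=Fri, 31 Dec 2100 23:59:59 GMT; SameSite=Lax",
    "domain_set": "__Host-session=abc; Path=/; Secure; Domain=example.com; SameSite=Lax",
    "legacy": "session=abc; Path=/app; SameSite=None",
}


def audit_samples():
    return {label: audit_cookie(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(label, findings or "ok")
```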
Machine learning based suspicious login detection
Nextcloud includes a machine learning technology which trains a neural network on successful logins on the instance and uses it to classify login attempts. Should it detect a login classified as suspicious by the trained model, it will notify the user and store an entry in the log for the system administrator.
When the user is notified, they can terminate the suspicious session, and proceed to set a new password. The administrator can also take action, like disabling user accounts or forcing users to pick a new password.
Of course, the solution is designed to protect privacy and all data remains on your server!
Learn more in our announcement blog
Nextcloud Enterprise provides early access to security warnings, updates and mitigations.
Nextcloud enables you to focus on your work, taking care that your data stays private and completely under your control!