Encryption
and hardening

Providing optimal security for your data and communication

Encryption

Security is key for Nextcloud users

To protect your data, Nextcloud is designed with military-grade encryption and a
large number of advanced security protections for the highest degree of privacy and security. To support the admin, automated checks warn of security problems.

Encrypted data transfer

Nextcloud employs industry-standard TLS to encrypt data in transfer. Usage of Object Storage like Amazon S3 or other external storage systems can be secured through Server Side Encryption.

Encrypt data at rest

Server Side Encryption can also be used on local storage. However, inherent to the concept of server side encryption, encryption keys will be present in memory of the Nextcloud server during the time a user is logged in and could be retrieved by a determined attacker. We take care to ensure keys are not stored unencrypted on permanent storage and at rest keys are encrypted using a strong cipher.

Encrypt from client to client

End-to-end Encryption client-side is available from Nextcloud desktop client 3.0 and newer as a folder-level option to keep extremely sensitive data fully secure even in case of a full server breach. The server facilitates key exchange for syncing between devices and sharing but has Zero Knowledge, that is, never has access to any of the data or keys in unencrypted form.

Threat models
and attack trees

There is a number of important decisions to be made about encryption in Nextcloud. The various solutions come with advantages and downsides. Read our blog linked below to find out more about the properties of each solution.

Threat models and attack trees

Seamless end-to-end
encryption on the clients

Nextcloud Hub 4 Files preview

Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are never readable by the server.

This solution is easy to use yet extremely secure thanks to its Zero-Knowledge server design and Cryptographic Identity Protection. It does not compromise security by using a browser to encrypt or decrypt files with code coming from the server and is not an all-or-nothing affair: any number of folders can be end-to-end encrypted. Sharing is secure without a need to exchange passwords and files don’t need to be re-encrypted and re-uploaded when access rights for other users are changed.

Our solution is enterprise ready with access to a full audit log and optionally allowing administrators to create an offline master recovery key. Contact us if you are interested in additional capabilities like support for a Hardware Security Module for issuing certificates

E2EE file sharing

Before, after picking a folder for end-to-end encryption, users could work in this folder and access it from all their clients, mobile and desktop, but not share it. It is now possible for the HR team to share their folders with confidential dossiers with each other!

E2EE file sharing
E2EE file drop

E2EE file drop

File Drop now includes the option to upload files to End-to-End Encrypted folders for increased security in your organization.
Receive confidential files in a secure, trustworthy way without worrying about breaches. It’s simple, secure and a no fuss file exchange.
Going back to the HR department – the team can now send job applicants a link where they can securely upload their resume’s directly in an end-to-end encrypted folder, shared in the HR team.

Encryption case studies

Nextcloud Server-side Encryption

Server-side encryption

Nextcloud features server-side encryption to encrypt data at rest. It is particularly powerful when used with external storage as it ensures keys never leave the Nextcloud server.

Nextcloud E2EE Encryption

End-to-end encryption

With the announcement of the Nextcloud end-to-end encryption techpreview, we’d like to invite you to scrutinize our source code and cryptographic approach in this whitepaper.

Server-side encryption

Server-side encryption with flexible key handling

Nextcloud supports pluggable encryption key handling. If you have an external key server or Hardware Security Module, these can be made to work with Nextcloud.

Our default encryption key handling enables administrators to set a system wide recovery key for encrypted files,. This ensures that, even when users lose their password, files can always be decrypted. Encrypted files can be shared but after changing encryption settings, shares will have to be re-shared. Using our command line tools, data can be encrypted, decrypted or re-encrypted when needed.

If you face a regulatory or compliance need to encrypt data at rest but do not need to actually secure this data, locally encrypting data using our built in key management may satisfy compliance requirements.

Need the best security?

Nextcloud Enterprise provides early access to security warnings, updates and mitigations. Nextcloud enables you to focus on your work, taking care that your data stays private
and completely under your control!