🔐 Server API to support End-to-End Encryption
Перейти к файлу
Nextcloud bot dd0ddcab70
Fix(l10n): Update translations from Transifex
Signed-off-by: Nextcloud bot <bot@nextcloud.com>
2024-11-17 00:43:11 +00:00
.github
.tx
LICENSES
appinfo
build-js
doc
img
js
l10n Fix(l10n): Update translations from Transifex 2024-11-17 00:43:11 +00:00
lib
screenshots
src
templates
tests
.eslintrc.js
.gitattributes
.gitignore
.l10nignore
.nextcloudignore
.php-cs-fixer.dist.php
AUTHORS.md
CHANGELOG.md
LICENSE
README.md
REUSE.toml
SECURITY.md
babel.config.js
composer.json
composer.lock
krankerl.toml
package-lock.json Chore(deps-dev): Bump elliptic from 6.5.7 to 6.6.0 2024-10-31 02:19:02 +00:00
package.json
psalm.xml
stylelint.config.js
webpack.js

README.md

End-to-End Encryption App

REUSE status

This app provides all the necessary APIs to implement End-to-End encryption on the client side. Additionally it makes sure that End-to-End encrypted files are not accessible with the web interface and other WebDAV clients.

Screenshots

Nextcloud Web

Found under Personal settings -> Security:

image

Nextcloud Android App

When the E2EE server app has been successfully enabled and the client app awaits initial setup:

image

Documentation

Client API

Here you can find the API documentation. Also some typical client operations and how to use the API to perform them are documented too.

Specification (RFC)

The end-to-end encryption implemented by the Nextcloud sync and mobile clients, as well as the functionality provided by this app to faciliate it, is based on the approach documented in the RFC repository.

Server-side Encryption

[!WARNING]
E2EE is currently not compatible with server-side encryption and thus should not be used with the server-side encryption app enabled

Installing

  1. Make sure the Server-Side Encryption app is disabled (or uninstalled)
  2. Install then enable the End-to-End Encryption app on your server. No configuration is required on the server other than this.

Configuring

  1. Trigger the "Setup end-to-end encryption" under settings within your favorite client app (all official clients support E2EE).
  2. Carefully note your mnemonic (encryption passphrase) generated by your first client. The mnemonic is needed to: recover access to your data (i.e. if your device is lost or you need to reinstall the app) as well as to setup additional clients.

[!CAUTION]
The mnenomnic is not recoverable by a server administrator. If you lose your mnemonic you will lose access to your encrypted data.

Using

Establishing a folder to encrypt

  1. Within your favorite client app, create a dedicated folder - or folders - that you wish to have be encrypted.
  2. Place the data (including other folders which will be encrypted)

Troubleshooting

General
  • Since all encryption is handled by the clients, it is important that all client versions in-use be kept relatively aligned (in terms of release version/period) to maintain end-to-end compatibility.
  • Since most operations are performed by the clients, in most cases potential bugs will need to be addressed in the clients (though sometimes in coordination with development occurring here with the server app).
  • Be careful not to configure different mnemonics across your devices. They must all share the same mnemonic (created on the first device you provision E2EE on) or undefined behavior will occur.
  • Keep in mind that using end-to-end encryption has trade-offs. Some functions will never be supported because they are inherently incompatible with the threat model of E2EE. In other cases, functionality may not yet be implemented in your favorite client (in this case you're encouraged to visit the Issues of your respective client and upvote the existing enhancement idea and/or submit your own where one does not already exist).
  • E2EE files are inaccessible (by design) from the Nextcloud Web UI (client) in order to minimize needing to trust the server.
Data not being encrypted
  • E2EE focuses on protecting your file-based data, but not other application data (e.g. calendars).
User agent configuraiton

The default user agent configuration is reasonable for all current official stable client releases, but sometimes needs to be adjusted when running custom or development client builds.

// config/config.php

    ...,
    // Allow to configure which client are supported (e.g. custom clients)
    'end_to_end_encryption.supported-user-agents' => [
        '/^Mozilla\/5\.0 \(Android\) Nextcloud\-android\/(?<version>(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.13.0',
        '/^Mozilla\/5\.0 \([A-Za-z ]+\) (mirall|csyncoC)\/(?<version>(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.0.0',
        '/^Mozilla\/5\.0 \(iOS\) Nextcloud\-iOS\/(?<version>(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.0.5',
    ]
Recovery

There are various recovery scenarios where it may be useful to access (decrypt) your files independent of your Nextcloud installation. A separate set of tools called the encryption-recovery-tools can be used for this.

Additional Screenshots

Nextcloud Web

Personal -> Security

image

Nextcloud Web

Admininistration settings -> Security

image

Nextcloud Desktop Client

image