Learn how you can enable the new Nextcloud end-to-end encryption.
The developers of the Nextcloud open source on-premise cloud solution have created a really amazing encryption setup between their latest desktop client (version 3.x) and the newest release of their server solution (version 19).
This end-to-end encryption method makes it such that encrypted files are only available to the Nextcloud desktop and mobile applications and are not accessible via the server. In other words, you encrypt a file (that exists on the server) from the client app. Once you’ve encrypted the file, it will no longer be accessible on the server, but will remain available (all the while encrypted) on any client application you have connected to your account on the server.
The thing about the new end-to-end encryption is that the setup isn’t quite intuitive. After some stumbling around, I did manage to put the pieces together, so I can show you how it’s done.
What you’ll need
How to enable encryption on Nextcloud
The first thing you must do is enable encryption on your Nextcloud instance. To do that, log in to Nextcloud with an admin account and then click your profile icon at the top-right of the window. From the popup menu, click Settings. In the resulting window, click Security from the menu in the left sidebar.
From the Security Settings window, click the checkbox for Enable Server-Side Encryption (Figure A).
How to install the encryption app in Nextcloud
The next step is to install the end-to-end encryption app. To do that, click the profile icon again and click Apps. In the Apps window, type encryption in the search bar. When the End-to-End Encryption entry appears (Figure B), click Download And Enable.
Next, you need to enable a default encryption module. To do that, go back to Apps and search for encryption a second time. You should see an entry for Default Encryption Module. Click Enable to enable this module.
How to enable HTTPS
Okay, this is the tricky part, because it depends on a number of things. First, is this installation WAN- or LAN-facing? Second, do you need true HTTPS, or do you just need to be able to point a browser to a secure HTTP address. For example, in my LAN-facing, non-domain using instance, I don’t need to work with an SSL certificate, I only need the client to think it’s using HTTPS. If you’re accessing your Nextcloud instance via IP address, and don’t have a domain for the cloud server, you’ll want to use the same method I use.
If, on the other hand, you do use a domain for your Nextcloud instance, and your server is accessible via both WAN and LAN, you’ll need to go the full-on, certificate-enabled HTTPS route.
I’m going to show you how to use the “tricky” method, just to get you up and running with end-to-end encryption. If you need to go the true HTTPS route, make sure you have your certificate and that your Apache or NGINX configuration file points to the proper keys.
Otherwise, log in to your Nextcloud server, via SSH, and issue the following commands:
sudo a2enmod ssl sudo a2ensite default-ssl.conf sudo systemctl restart apache2
At this point, you should be able to access your Nextcloud instance using https.
How to enable encryption on the client
Open your Nextcloud client on your desktop. You should now see a new button, labeled Enable Encryption (Figure C).
Click that button and encryption will then be enabled between the client and the server.
How to encrypt a folder
With everything in place, you can now encrypt a folder from within the Nextcloud app by right-clicking a folder and select Encrypt (Figure D).
At this point, the folder will appear in the Nextcloud web interface with a lock. You can see the folder, but you don’t have permission to upload or create files in that encrypted directory. The only way you can do that is via the desktop or mobile app. If you navigate into that folder, the file will be listed as a random string of characters (Figure E).
Congratulations, you now have end-to-end file encryption enabled between your Nextcloud 19 server and the desktop/mobile application.