github-actions[bot] f5f1dcffce
Merge pull request #1161 from nextcloud/automated/noid/master-update-nextcloud-ocp
[master] Update nextcloud/ocp dependency
2025-10-26 02:56:51 +00:00
.github chore: update workflows from organization 2025-10-22 19:34:59 +02:00
.tx [tx-robot] Update transifex configuration 2022-10-01 02:24:50 +00:00
__tests__ refactor(code-style): adjust import order 2025-10-20 23:34:47 +02:00
appinfo chore: master branch is now Nextcloud 33 2025-10-09 16:18:16 +02:00
doc doc: Remove old API documentation and link to OpenAPI specification 2025-05-15 14:18:49 +02:00
img docs: Add SPDX header 2024-09-30 22:59:48 +02:00
js chore(assets): Recompile assets 2025-10-23 10:59:56 +00:00
l10n fix(l10n): Update translations from Transifex 2025-10-26 00:30:32 +00:00
lib perf(keystorage): Split verifyFolderStructure in two 2025-08-19 10:02:27 +02:00
LICENSES chore: Fix reuse licences 2024-12-17 17:13:08 +01:00
screenshots docs: Add SPDX header 2024-09-30 22:59:48 +02:00
src refactor: make components consistent by using script-setup 2025-10-23 12:30:43 +02:00
templates docs: Add SPDX header 2024-09-30 22:59:48 +02:00
tests chore: adjust code usage 2025-10-20 23:18:01 +02:00
vendor-bin chore: Nextcloud 33 dropped support for PHP 8.1 2025-10-09 16:18:16 +02:00
.gitattributes docs: Add SPDX header 2024-09-30 22:59:48 +02:00
.gitignore docs: Add SPDX header 2024-09-30 22:59:48 +02:00
.l10nignore docs: Add SPDX header 2024-09-30 22:59:48 +02:00
.nextcloudignore docs: Add SPDX header 2024-09-30 22:59:48 +02:00
.php-cs-fixer.dist.php build: Move cs-fixer, phpunit and psalm to vendor-bin 2025-05-15 10:36:55 +02:00
AUTHORS.md docs: Add SPDX header 2024-09-30 22:59:48 +02:00
CHANGELOG.md docs: add changelog to inform admins about changes within app store 2025-10-14 15:50:18 +02:00
composer.json chore: adjust package-json for consistent order 2025-10-20 23:34:47 +02:00
composer.lock chore(dev-deps): Bump nextcloud/ocp package 2025-10-26 02:38:32 +00:00
eslint.config.js refactor: migrate to Vue 3 and Vue 3 based dependencies 2025-10-21 01:27:23 +02:00
krankerl.toml docs: Add SPDX header 2024-09-30 22:59:48 +02:00
LICENSE
openapi.json build: Add openapi-extractor 2025-05-15 14:18:49 +02:00
package-lock.json refactor: make components consistent by using script-setup 2025-10-23 12:30:43 +02:00
package.json refactor: make components consistent by using script-setup 2025-10-23 12:30:43 +02:00
psalm.xml chore: master branch is now Nextcloud 33 2025-10-09 16:18:16 +02:00
README.md docs: add documentation on how to build or contribute 2025-10-22 13:34:16 +02:00
REUSE.toml build: Add openapi-extractor 2025-05-15 14:18:49 +02:00
SECURITY.md docs: Add SPDX header 2024-09-30 22:59:48 +02:00
stylelint.config.cjs chore: Switch to vite to build frontend 2024-12-17 16:49:33 +01:00
tsconfig.json refactor: make components consistent by using script-setup 2025-10-23 12:30:43 +02:00
vite.config.ts chore: create licenses for .map files fixing REUSE 2025-10-22 13:56:10 +02:00

End-to-End Encryption App

This app provides all the necessary APIs to implement End-to-End encryption on the client side and in the browser.

Screenshots

Nextcloud Web

Found under Personal settings -> Security:

image

Nextcloud Android App

When the E2EE server app has been successfully enabled and the client app awaits initial setup:

image

Additional Screenshots

Nextcloud Web

Personal -> Security

image

Nextcloud Web

Administration settings -> Security

image

Nextcloud Desktop Client

image

Documentation

Client API

See the API documentation, which also covers some typical client operations and how to use the API to perform them.

Specification (RFC)

The end-to-end encryption implemented by the Nextcloud sync and mobile clients, as well as the functionality provided by this app to facilitate it, is based on the approach documented in the RFC repository.

Installing

  1. Make sure the Server-Side Encryption app is disabled (or uninstalled)
  2. Install then enable the End-to-End Encryption app on your server. No configuration is required on the server other than this.

Configuring

  1. Trigger "Setup end-to-end encryption" under settings within your favorite client app (all official clients support E2EE).
  2. Carefully note the mnemonic (encryption passphrase) generated by your first client. The mnemonic is needed to recover access to your data (for example, if your device is lost or you need to reinstall the app) and to set up additional clients.

Caution

The mnemonic is not recoverable by a server administrator. If you lose your mnemonic you will lose access to your encrypted data.

Using

Establishing a folder to encrypt

Encryption must be actively enabled for folders. This can be done in any of the officially supported client apps (desktop, Android, iOS).

In the desktop client, the option to encrypt can be found in the context menu (right click) of subfolders of a folder synchronization. Please note that it's neither possible to encrypt the root folder of a folder synchronization, nor to encrypt a subfolder with existing content.

Troubleshooting

General

  • Since all encryption is handled by the clients, it is important that all client versions in use be kept relatively aligned (in terms of release version/period) to maintain end-to-end compatibility.
  • Since most operations are performed by the clients, in most cases potential bugs will need to be addressed in the clients (though sometimes in coordination with development occurring here with the server app).
  • Be careful not to configure different mnemonics across your devices. They must all share the same mnemonic (created on the first device you provision E2EE on) or undefined behavior will occur.
  • Keep in mind that using end-to-end encryption has trade-offs. Some functions will never be supported because they are inherently incompatible with the threat model of E2EE. In other cases, functionality may not yet be implemented in your favorite client (in this case you're encouraged to visit the Issues of your respective client and upvote the existing enhancement idea and/or submit your own where one does not already exist).
  • E2EE files are inaccessible (by design) from the Nextcloud Web UI (client) in order to minimize needing to trust the server.

Data not being encrypted

  • E2EE focuses on protecting your file-based data, but not other application data (e.g. calendars).

User agent configuration

The default user agent configuration is reasonable for all current official stable client releases, but sometimes needs to be adjusted when running custom or development client builds.

    // config/config.php
    ...,
    // Configure which clients are supported (e.g. custom clients)
    'end_to_end_encryption.supported-user-agents' => [
        '/^Mozilla\/5\.0 \(Android\) Nextcloud\-android\/(?<version>(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.13.0',
        '/^Mozilla\/5\.0 \([A-Za-z ]+\) (mirall|csyncoC)\/(?<version>(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.0.0',
        '/^Mozilla\/5\.0 \(iOS\) Nextcloud\-iOS\/(?<version>(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.0.5',
    ],

Recovery

There are various recovery scenarios where it may be useful to access (decrypt) your files independent of your Nextcloud installation. A separate set of tools called the encryption-recovery-tools can be used for this.

Development

There are many ways to contribute, of which development is only one! Find out how to get involved, including as a translator, designer, tester, helping others, and much more! 😍

Below we summarize the basic steps for getting involved with this app specifically.

Building the app

This app is built using PHP on the backend side as well as TypeScript and Vue.js on the frontend side. For building the frontend you need to install the currently active Node.js version (see engines in the package.json). To build the app from a fresh checkout of the repository run:

  1. npm ci to install the frontend dependencies
  2. npm run build to build the frontend

When developing there are some more commands which might be useful for you:

  • npm run dev to build the frontend in development mode enabling support for the Vue devtools.
  • npm run watch similar to dev but rebuilds as soon as there are code changes in the sources.
  • npm run lint to check for linting issues (e.g. code style). Always check this before contributing code.
  • npm run stylelint similar to lint but for the <style> section of our Vue files.
  • npm run test to run our frontend unit tests.

Contributing

Contribution guidelines

All contributions to this repository are considered to be licensed under the AGPLv3 or any later version.

Nextcloud doesn't require a CLA (Contributor License Agreement). The copyright belongs to all the individual contributors. Therefore we recommend that every contributor adds the following line to the AUTHORS file if they made substantial changes to the code:

- <your name> <your email address>

We can only accept contributions from authors that agree to the Developer Certificate of Origin! For this please make sure to sign-off your commits if you want to contribute code (git commit -s).

Please read the Code of Conduct. This document offers some guidance to ensure Nextcloud participants can cooperate effectively in a positive and inspiring atmosphere and to explain how together we can strengthen and support each other.