Providing optimal security for your data and communication
To protect your data, Nextcloud is designed with military-grade encryption and a
large number of advanced security protections for the highest degree of privacy and security. To support the admin, automated checks warn of security problems.
Nextcloud employs industry-standard TLS to encrypt data in transfer. Usage of Object Storage like Amazon S3 or other external storage systems can be secured through Server Side Encryption.
Server Side Encryption can also be used on local storage. However, inherent to the concept of server side encryption, encryption keys will be present in memory of the Nextcloud server during the time a user is logged in and could be retrieved by a determined attacker. We take care to ensure keys are not stored unencrypted on permanent storage and at rest keys are encrypted using a strong cipher.
End-to-end Encryption client-side is available from Nextcloud desktop client 3.0 and newer as a folder-level option to keep extremely sensitive data fully secure even in case of a full server breach. The server facilitates key exchange for syncing between devices and sharing but has Zero Knowledge, that is, never has access to any of the data or keys in unencrypted form.
There is a number of important decisons to be made about encryption in Nextcloud. The various solutions come with advantages and downsides. Read our blog linked below to find out more about the properties of each solution.
Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are never readable by the server.
This solution is easy to use yet extremely secure thanks to its Zero-Knowledge server design and Cryptographic Identity Protection. It does not compromise security by using a browser to encrypt or decrypt files with code coming from the server and is not an all-or-nothing affair: any number of folders can be end-to-end encrypted. Sharing is secure without a need to exchange passwords and files don’t need to be re-encrypted and re-uploaded when access rights for other users are changed.
Our solution is enterprise ready with access to a full audit log and optionally allowing administrators to create an offline master recovery key. Contact us if you are interested in additional capabilities like support for a Hardware Security Module for issuing certificates
Before, after picking a folder for end-to-end encryption, users could work in this folder and access it from all their clients, mobile and desktop, but not share it. It is now possible for the HR team to share their folders with confidential dossiers with each other!
File Drop now includes the option to upload files to End-to-End Encrypted folders for increased security in your organization.
Receive confidential files in a secure, trustworthy way without worrying about breaches. It’s simple, secure and a no fuss file exchange.
Going back to the HR department – the team can now send job applicants a link where they can securely upload their resume’s directly in an end-to-end encrypted folder, shared in the HR team.
Nextcloud features server-side encryption to encrypt data at rest. It is particularly powerful when used with external storage as it ensures keys never leave the Nextcloud server.
With the announcement of the Nextcloud end-to-end encryption techpreview, we’d like to invite you to scrutinize our source code and cryptographic approach in this whitepaper.
Nextcloud supports pluggable encryption key handling. If you have an external key server or Hardware Security Module, these can be made to work with Nextcloud.
Our default encryption key handling enables administrators to set a system wide recovery key for encrypted files,. This ensures that, even when users lose their password, files can always be decrypted. Encrypted files can be shared but after changing encryption settings, shares will have to be re-shared. Using our command line tools, data can be encrypted, decrypted or re-encrypted when needed.
If you face a regulatory or compliance need to encrypt data at rest but do not need to actually secure this data, locally encrypting data using our built in key management may satisfy compliance requirements.
Nextcloud Enterprise provides early access to security warnings, updates and mitigations. Nextcloud enables you to focus on your work, taking care that your data stays private
and completely under your control!