NextCloud End-to-End on Android

Open Source File Share Nextcloud to Add End-to-End Encryption

Full encryption is on the way to the open source host-it-yourself client/server software. Feature will be baked into Nextcloud by year's end.

There's another reason for taking a second look at Nextcloud as a replacement for Dropbox -- or even for Google's office apps or Microsoft's Office 365. Full encryption is on the way to the open source host-it-yourself client/server software.

A year-and-a-half ago when Nextcloud was first forked from ownCloud, it was basically for syncing, storing and sharing files.

"The elevator pitch," Nextcloud's founder and managing director told me a few months back, "was that we were a Dropbox replacement."

"Replacement" might not be exactly the right choice of words. It might be more precise to say that it supplied Dropbox functionality, but on the user's own server. Dropbox is SaaS, and its use is on the service's servers. That can be problematic for regulated industries such as finance and health care that might be required to store sensitive data on premises. It's also a deal breaker for companies that prefer to keep their secrets on their own metal.

And because the software is open source, it's free, with support contracts available but optional. Being open source also means that companies can use their in-house DevOps teams to modify the code to suit specific requirements. That's usually not necessary, however. It has a modular design, meaning it's usually customizable enough through plugins.

It's also in rapid development. Since the fork that gave it birth, Nextcloud has evolved beyond being merely a Dropbox drop-in.

"In a way, it's like the first true Office 365 killer," is how Karlitschek put it.

That assessment isn't far off the mark. These days, in addition to allowing the simple sharing of files, Nextcloud can be used for video conferencing, can connect to mobile devices by way of Android and iPhone apps, can allow the creation and editing of LibreOffice spreadsheets and documents, and more. It's grown into something of a one-stop-shop for meeting collaboration needs.

All this and encryption too.

On Wednesday Jos Poortvliet, Nextcloud's marketing and communications manager, revealed that wall-to-wall encryption is on the way, and can even be sampled a bit as something of a not-ready-for-prime-time tech preview.

"[The preview] isn't super usable," Poortvliet told IT Pro. "It works for the Android client, the desktop client is close and the server part has implemented at least everything we currently have in our design. I'm not sure how far iOS is, I've seen them test it a bit with the Android client.

"We need a lot of testing and strongly recommend people to not let this anywhere near their production data."

But it's there for potential users to take for a test drive, in all of its incomplete glory.

Poortvliet indicated that Nextcloud's developers have decided to not take the easy way out with a one-size-fits-all cookie cutter approach to encryption.

"Our end-to-end works on a per-folder level and features an easy to use, server-assisted but fully secure key management with Cryptographic Identity Protection, our method of securely signing and handling user certificates," he said.

"Users can easily access their data on any of their devices using their client (not via the web interface) and share with other users, securely. On top of that, our design is unique in delivering on enterprise demands like a complete audit log, an optional offline administrator recovery key and support for a secure HSM (hardware security module) to be able to issue new identities to users."

They also seem dedicated to maintaining best security practices in their design -- because nothing spells bad PR like having a new security feature fail out of the gate.

"The Nextcloud end-to-end encryption is designed to never let the server get anywhere near unencrypted keys or data. We use standard, battle-tested encryption algorithms, tools and protocols to avoid the risks of rolling our own."

So, with a tech preview that's not yet even alpha quality, and with much work remaining to be done, why is Nextcloud making the announcement now? Isn't that jumping the gun?

"We publish this following the 'release early, release often' rule of open source to get feedback on both the design and implementation," Poortvliet explained. "We expect some harsh criticism, but we look forward to the constructive feedback which will enable us to improve and fine tune our design and implementation."

Encryption is expected to be ready in time for the release of Nextcloud 13 later this year. In the meantime, the company has posted a blog on all of the planned features, as well as a whitepaper with technical details of the project.
