# end_to_end_encryption **Repository Path**: mirrors_nextcloud/end_to_end_encryption ## Basic Information - **Project Name**: end_to_end_encryption - **Description**: :closed_lock_with_key: Server API to support End-to-End Encryption - **Primary Language**: Unknown - **License**: AGPL-3.0 - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2023-11-08 - **Last Updated**: 2026-01-11 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # End-to-End Encryption App [![REUSE status](https://api.reuse.software/badge/github.com/nextcloud/end_to_end_encryption)](https://api.reuse.software/info/github.com/nextcloud/end_to_end_encryption) This app provides all the necessary APIs to implement End-to-End encryption on the client side and in the browser. ## Table of contents - [Screenshots](#screenshots) - [Nextcloud Web](#nextcloud-web) - [Nextcloud Android App](#nextcloud-android-app) - [Additional Screenshots](#additional-screenshots) - [Documentation](#documentation) - [Client API](#client-api) - [Specification (RFC)](#specification-rfc) - [Installing](#installing) - [Configuring](#configuring) - [Using](#using) - [Establishing a folder to encrypt](#establishing-a-folder-to-encrypt) - [Troubleshooting](#troubleshooting) - [General](#general) - [Data not being encrypted](#data-not-being-encrypted) - [User agent configuration](#user-agent-configuration) - [Recovery](#recovery) - [Development](#development) - [Building the app](#building-the-app) - [Contributing](#contributing) - [Contribution guidelines](#contribution-guidelines) ## Screenshots ### Nextcloud Web Found under *Personal settings -> Security*: ![image](https://github.com/nextcloud/end_to_end_encryption/assets/1731941/339017ab-79eb-43f7-ac9c-8c1990e107ef) ### Nextcloud Android App When the E2EE server app has been successfully enabled and the client app awaits initial setup: ![image](https://github.com/nextcloud/end_to_end_encryption/assets/1731941/42618c90-a5e6-40ad-b99d-cce86c20b018) ### Additional Screenshots #### Nextcloud Web *Personal -> Security* ![image](https://github.com/nextcloud/end_to_end_encryption/assets/1731941/7d55571f-5da6-40e0-aa69-141590378f84) #### Nextcloud Web *Admininistration settings -> Security* ![image](https://github.com/nextcloud/end_to_end_encryption/assets/1731941/bca6dec4-66fd-4ffa-a869-d7ef01f4a096) #### Nextcloud Desktop Client ![image](https://github.com/nextcloud/end_to_end_encryption/assets/1731941/95f31620-084d-47a6-a227-6a8bedf5da47) ## Documentation ### Client API Here you can find the [API documentation](https://github.com/nextcloud/end_to_end_encryption/blob/master/doc/api.md). Also some [typical client operations and how to use the API to perform them](https://github.com/nextcloud/end_to_end_encryption/blob/master/doc/api-usage.md) are documented too. ### Specification (RFC) The end-to-end encryption implemented by the Nextcloud sync and mobile clients, as well as the functionality provided by this app to faciliate it, is based on the approach documented in the [RFC repository](https://github.com/nextcloud/end_to_end_encryption_rfc/). ### Installing 1. Make sure the Server-Side Encryption app is disabled (or uninstalled) 2. Install then enable the End-to-End Encryption app on your server. No configuration is required on the server other than this. ### Configuring 1. Trigger the "Setup end-to-end encryption" under settings within your favorite client app (all official clients support E2EE). 2. *Carefully* note your mnemonic (encryption passphrase) generated by your first client. The mnemonic is needed to: recover access to your data (i.e. if your device is lost or you need to reinstall the app) as well as to setup additional clients. > [!CAUTION] > The mnenomnic is *not* recoverable by a server administrator. If you lose your mnemonic you *will* lose access to your encrypted data. > [!CAUTION] > When the web interface is used for end-to-end encryption then chunked uploads have to be disabled! ### Using #### Establishing a folder to encrypt Encryption must be actively enabled for folders. This can be done in any of the officially supported client apps (desktop, Android, iOS). In the desktop client, the option to encrypt can be found in the context menu (right click) of subfolders of a folder synchronization. Please note that it's neither possible to encrypt the root folder of a folder synchronization, nor to encrypt a subfolder with existing content. #### Troubleshooting ##### General - Since all encryption is handled by the clients, it is important that all client versions in-use be kept relatively aligned (in terms of release version/period) to maintain end-to-end compatibility. - Since most operations are performed by the clients, in most cases potential bugs will need to be addressed in the clients (though sometimes in coordination with development occurring here with the server app). - Be careful not to configure different mnemonics across your devices. They must all share the same mnemonic (created on the first device you provision E2EE on) or undefined behavior will occur. - Keep in mind that using end-to-end encryption has trade-offs. Some functions will never be supported because they are inherently incompatible with the threat model of E2EE. In other cases, functionality may not yet be implemented in your favorite client (in this case you're encouraged to visit the Issues of your respective client and upvote the existing enhancement idea and/or submit your own where one does not already exist). - E2EE files can currently only be read (using the viewer app) and downloaded from the Nextcloud Web UI (client). ##### Data not being encrypted - E2EE focuses on protecting your file-based data, but not other application data (e.g. calendars). ##### User agent configuration The default user agent configuration is reasonable for all current official stable client releases, but sometimes needs to be adjusted when running custom or development client builds. ```php // config/config.php ..., // Allow to configure which client are supported (e.g. custom clients) 'end_to_end_encryption.supported-user-agents' => [ '/^Mozilla\/5\.0 \(Android\) Nextcloud\-android\/(?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.13.0', '/^Mozilla\/5\.0 \([A-Za-z ]+\) (mirall|csyncoC)\/(?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.0.0', '/^Mozilla\/5\.0 \(iOS\) Nextcloud\-iOS\/(?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)).*$/' => '3.0.5', ] ``` ##### Recovery There are various recovery scenarios where it may be useful to access (decrypt) your files independent of your Nextcloud installation. A separate set of tools called the [`encryption-recovery-tools`](https://github.com/nextcloud/encryption-recovery-tools) can be used for this. ## Development There are many ways to contribute, of which development is only one! Find out [how to get involved](https://nextcloud.com/contribute/), including as a translator, designer, tester, helping others, and much more! 😍 Specific to this app we summarize the basic steps how to get involved below. ### Building the app This is is built using PHP on the backend side as well as Typescript and Vue.js on the frontend side. For building the frontend you need to install the currently active Node.js version (see `engines` in the `package.json`). To built the app from a fresh checkout of the repository run: 1. `npm ci` to install the frontend dependencies 2. `npm run build` to build the frontend When developing there are some more commands which might be useful for you: - `npm run dev` to build the frontend in development mode enabling support for the Vue devtools. - `npm run watch` similar to `dev` but rebuilds as soon as there are code changes in the sources. - `npm run lint` to check for linting issues (e.g. code style). Always check this before contributing code. - `npm run stylelint` similar as `lint` but for the `