
Misconceptions of ownCloud Encryption

Our organisation aykit is developing ownCloud notes applications for mobile devices. aykit is a non-profit organisation and we invest our spare time to develop those applications. Over the last couple of weeks we spent some time trying to figure out what exactly ownCloud encryption is doing. As it turns out, there is a big misconception about the real purpose of the ownCloud encryption app.

ownCloud encryption has been designed to encrypt data on external storage devices. This distinction is crucial: it does not secure data on internal storage.

Or, as ownCloud developers put it:

The encryption app does not protect your data if your ownCloud server is compromised. This would require client side encryption, which this app does not provide.

In fact, ownCloud stores your “private key” (the key input by the user when connecting to ownCloud) on the hard disk. I repeat, the key is stored on the hard disk, not even in RAM. This makes it easy for anyone with server access to decrypt the data, and it has been confirmed during a chat session with our team member ramsch.

Don’t get me wrong: This is ok for the purpose of this app, as it was never meant to encrypt files on internal storage.

All this led to the conclusion that we will not support encryption within My Own Notes. Understanding encryption techniques and implementations takes a lot of work. It just does not feel right to put that much effort into an encryption technique with so few use cases.

For everyone who wants to encrypt ownCloud content we suggest using eCryptfs (originally EncFS; see comments below) or the very mature dm-crypt via LUKS. Those two techniques come with implications as well. However, they are very stable, very mature and are not known to break easily. Or, even better, use open source client-side encryption software like CryptSync to keep your cloud data secure. Please be aware that this way, people won’t be able to access your data using the ownCloud web interface.
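The difference between a key stored on the server's disk and a key that never leaves the client can be modelled in a few lines. This is an added example, not ownCloud's or CryptSync's code: the file names are hypothetical (not ownCloud's real layout), the note is constructed, and the HMAC-based cipher is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, os

NOTE = "files/note.txt"  # hypothetical path, not ownCloud's real layout

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode keystream: stdlib-only stand-in for a real AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def client_key(passphrase, salt):
    # Derived on the client only; the salt is not secret and may be stored anywhere.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def server_side_disk(note):
    # Server-side model: the key lives on the same disk as the ciphertext.
    key = os.urandom(32)
    return {"keys/user.key": key, NOTE: seal(key, note)}

def client_side_disk(note, passphrase):
    # Client-side model: the server stores ciphertext and salt, never the key.
    salt = os.urandom(16)
    return {NOTE + ".salt": salt, NOTE: seal(client_key(passphrase, salt), note)}

def readable_from_disk_copy(disk):
    # Threat model: what a copy of the server disk alone reveals.
    for name, value in disk.items():
        if name == NOTE:
            continue
        try:
            return unseal(value, disk[NOTE])  # try each stored blob as the key
        except ValueError:
            pass
    return None
```

In the client-side model the note is still only as strong as the passphrase, since a disk copy allows offline guessing against the salt and ciphertext.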

I hope we have been able to shed some light on the ownCloud encryption app. Please consult the ownCloud article and documentation for further information and read our statement on GitHub for the big why’s of not supporting encryption within My Own Notes.

  1. Yes, you have shed good light on this issue. But why should people care about web interfaces, when what most users of cloud storage services really want is only a backup and synchronization system? I have never shared my personal notes with anybody. When I wanted to share some text I would send it by email or IM. So, I don’t think your decision is as good as you believe, honestly.

    Anyway let me make a suggestion, well, two: text format and images. Take a look at TagSpaces. Well, it’s much more than a note taking app, but it’s what most users want: a sort of Evernote, open sourced, and installable on ownCloud and other WebDAV compatible servers.

    Cheers, and thanks for your work.

    • Due to the results of a security audit of EncFS in Feb 2014, you might want to refrain from describing EncFS as “very stable, very mature and are not known to break easily”.

      • I was referring to LUKS being very mature. However, you are right. At the moment I would suggest using eCryptfs instead. I changed the article accordingly.