end_to_end_encryption
end_to_end_encryption copied to clipboard
nextcloud
Status and Roadmap for e-2-e?
End to End Encryption appears to be in an alpha state at the moment.
It appears that updates since 2020 have been largely version bumps to allow installation on newer NC versions (up to v22) but have not resolved issues with the functionality/stability.
It would be good to get an update from devs on the plans for this app, even if the status is "abandoned".
Moving forward, if we can identify the main needs to make it functional (i.e. alpha -> beta needs), then a fork may be warranted to get this working.
Yes, a status update would be very welcome. In the meanwhile, I have to assume that the project is abandoned since we’re getting close to Nextcloud 24 and the app is still incompatible with Nextcloud 23. The roadmap is also not updated. :-(
Just starting a little list, feel free to amend and we can gather together as we go...
End-2-End Encryption Features:
Tested on Server v22.2.5 (Linux)
Working (show tested version):
- [x] create e2e folder
- [x] enter e2e mnemonic
- [x] files encrypted on server
- [x] sync with Linux client v3.4.1
- [x] sync with OS X client v3.2.1
Not Working
- [ ] share encrypted folder - not allowed from web interface or desktop clients
- [ ] admin recovery key
End to End Encryption appears to be in an alpha state at the moment.
It appears that updates since 2020 have been largely version bumps to allow installation on newer NC versions (up to v22) but have not resolved issues with the functionality/stability.
It would be good to get an update from devs on the plans for this app, even if the status is "abandoned".
Moving forward, if we can identify the main needs to make it functional (i.e. alpha -> beta needs), then a fork may be warranted to get this working.
Since they do not even do an official response, (from member to dev) it mean it's already abandoned.
I don't understand why this is abandoned. Isn't E2EE a key feature?
in my case i have started to moveout to seafile, i do not use all their shiny (who really heavily on "password app") dav function, and seafile their built in client side encryption do work.
So the lack of answer mean we can safely say it's totally abandoned from nextcloud and stop recommend them altogether ??
@BirdInFire I think it is safe to assume, as you say, that e2e has been abandoned.
However, the point of this issue is to review a path forward, it is open-source after all!
The basic e2e implementation is, thankfully, working. I think the path forward will be to fork the e2e module and then look at implementing the required features to make it more useful. In my use-case, I'd be happy even if we just managed to get sharing of e2e folders working.
Very keen to hear from any crypto-nerds as to suggestions on next steps. If there's a clear path, I think we could find some funding to help push this forward too.
p.s. nice to see that Seafile now supports document editing with collabora. Although I am curious how that can work with encryption, I don't think that's possible while the server is zero-knowledge.
[edit for details]
Looks like server caches password for 1hr:
https://help.seafile.com/security_and_encryption/use_encrypted_libraries/
If you use web app, you have to input the password to the server. The server will cache the password in encrypted format for 1 hour. It won't store the password on disk.
That certainly could lead to compromise of encrypted files if the server was compromised.
p.s. nice to see that Seafile now supports document editing with collabora. Although I am curious how that can work with encryption, I don't think that's possible while the server is zero-knowledge.
[edit for details]
Looks like server caches password for 1hr:
https://help.seafile.com/security_and_encryption/use_encrypted_libraries/
If you use web app, you have to input the password to the server. The server will cache the password in encrypted format for 1 hour. It won't store the password on disk.
That certainly could lead to compromise of encrypted files if the server was compromised.
yeah it's why i do not use the server, after all i have ditched nextcloud because of that. i only want a sync service, and use native app on my device to do the job.
OK, best to get back on topic. Seafile encryption is interesting, but doesn't seem to solve the main missing feature described above, which is sharing of encrypted folders/libraries.
edit.
I may be wrong about that (Seafile docs are unclear). This forum post suggests that encrypted libraries can be shared: https://forum.seafile.com/t/folder-in-encrypted-library-cannot-be-shared/10366
Anyway, best to get back to Nextcloud e2e discussion.
@BirdInFire I think it is safe to assume, as you say, that e2e has been abandoned.
However, the point of this issue is to review a path forward, it is open-source after all!
The basic e2e implementation is, thankfully, working. I think the path forward will be to fork the e2e module and then look at implementing the required features to make it more useful. In my use-case, I'd be happy even if we just managed to get sharing of e2e folders working.
Very keen to hear from any crypto-nerds as to suggestions on next steps. If there's a clear path, I think we could find some funding to help push this forward too.
I believe much of the functionality required for end to end encryption is present within this add on. The majority of the end to end encryption logic that would require changing is in the nextcloud clients.
Adding shared folders to nextcloud's end to end encryption would require modifying the clients code (and the metadata format) so that it encrypts the metadata key using the public keys of all recipient users. The metadata format currently used by nextcloud cannot support shared folders. The client would also need to be modified to store the list of users and their public keys locally. This would then need to be exposed in the UI (although you can probably do this just using the normal folder sharing UI for the nextcloud client, just need to remove the check that prevents it from showing for encrypted folders).
Thanks @purdieb that's some good pointers, I guess filing an issue in the client repo would also be a good idea.
Thanks @purdieb that's some good pointers, I guess filing an issue in the client repo would also be a good idea.
since they do not even respond here to the core E2E (even a "we are aware of the issue yada yada yada") do not push your hope to much :(
Thanks @purdieb that's some good pointers, I guess filing an issue in the client repo would also be a good idea.
since they do not even respond here to the core E2E (even a "we are aware of the issue yada yada yada") do not push your hope to much :(
As this is open source software we do not need "them" to respond, just to find a solution!
Thanks @purdieb that's some good pointers, I guess filing an issue in the client repo would also be a good idea.
since they do not even respond here to the core E2E (even a "we are aware of the issue yada yada yada") do not push your hope to much :(
As this is open source software we do not need "them" to respond, just to find a solution!
True but i will not help on this one, don't want to really help the people who doesn't have the respect to tell the community if it's on hold or abandoned, nor even respond on this for so much time.
Sorry for the wait while this has been raised elsewhere and also answered elsewhere, see https://github.com/nextcloud/end_to_end_encryption/issues/273#issuecomment-1091648311 -
I'm afraid we are 100% transparent: there has never been a decision to NOT work on the E2E app, or to drop it. So there is nothing to announce. It's been on todo lists to update the app forever. But every week we have to pick the tasks to work on for the week, other things were more urgent, be it customer problems and features they pay for or the thousands of other issues people ask about in the community.
I maintain the website and I'd also prefer the site to be in line with what is the state of things is - but I know as much as you do. So my heuristic is usually "if an app is not available for a release that gets updated, it's time to remove the feature from the website". This app is available for Nextcloud 22 from what I can see in the app store, so I haven't thought about removing it yet.
As Joas said, somebody was assigned the task to work on it, but if they get sick or if other higher priority things come up - it might not happen. In the end, it's like in any other open source project: either somebody volunteers or somebody gets paid to do something. Everyone here in the chat is welcome to step up in either of those ways!
It has been made available for 23 by @CarlSchwan and is currently being worked on to be available for 24 as well. New features haven't yet been implemented since there also haven't been any customer requests for that and like @jospoortvliet stated in the cited statement above we continuously need to decide on priorities. So yes we would love to push this forward but currently have a different focus, the project definitely isn't abandoned but alive while more in a maintenance way than pushing forward the feature set.
@AndyScherzinger Thank you very much for the clarification. You might want to update the official web page and roadmap. In case customers are reading it, they might think the information describes the project’s current status rather than where it was supposed to be.
”Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are not readable by the server.”
so cc @jospoortvliet for https://github.com/nextcloud/end_to_end_encryption/issues/285#issuecomment-1123345416 thanks for pointing that out @karlemilnikka 🙏
@DanScharon looking forward to it 👍
Also just as a side-note or reminder because like mentioned by some of you before this is OSS and this repo is here so anybody is free and very welcome to contribute. So if anybody is up for it, please go for it, we support you implementing it as good as we can with being there for the solution discussions/design as well as reviews and answering potential question one might come up with.
Also just as a side-note or reminder because like mentioned by some of you before this is OSS and this repo is here so anybody is free and very welcome to contribute. So if anybody is up for it, please go for it, we support you implementing it as good as we can with being there for the solution discussions/design as well as reviews and answering potential question one might come up with.
Thanks for the clarification, would be interesting to see the roadmap changed evey update (with a message) because when (like me) go to the roadmap, see it not updated, go to the github no answer on the feature, you can understand why we think it's abandonned (since on git we rarely go see if a closed post do answser if the feature is abandonned or not).
hope to see the feature soon in the meanwhile i will continue with seafile because my threat model (VPS and so on) force me to have a client side encryption (to the minimum).
@AndyScherzinger Thank you very much for the clarification. You might want to update the official web page and roadmap. In case customers are reading it, they might think the information describes the project’s current status rather than where it was supposed to be.
”Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are not readable by the server.”
The top of the page states: "In particular, as of May 2022, offline recovery, sharing and HSM features are on the roadmap." (date was Jan 2021, I updated it to May 2022)
Will suffice, I hope.
@AndyScherzinger Thank you very much for the clarification. You might want to update the official web page and roadmap. In case customers are reading it, they might think the information describes the project’s current status rather than where it was supposed to be. ”Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are not readable by the server.”
The top of the page states: "In particular, as of May 2022, offline recovery, sharing and HSM features are on the roadmap." (date was Jan 2021, I updated it to May 2022)
Will suffice, I hope.
and expain in witch case (not) enabling it. because many user have brocking bugs with it.
and one month later dead again, and the full lie on the website "Note: our end-to-end encryption solution is under constant development.", the only guy who pass here to commit is the bot....
and one month later dead again, and the full lie on the website "Note: our end-to-end encryption solution is under constant development.", the only guy who pass here to commit is the bot....
Yes. Since the project is just maintained to keep the existing functionality, and no work on the roadmap features will be done for the foreseeable future, it would be better to just be up front with it on the website. Remove everything regarding offline recovery, sharing, HSM and "enterprise grade/production ready", and promote the existing functionality instead. Even though the existing functionality is far from what’s currently promoted, it’s better than competing mainstream solutions like Onedrive or Google Drive that don’t offer E2EE at all.
and one month later dead again, and the full lie on the website "Note: our end-to-end encryption solution is under constant development.", the only guy who pass here to commit is the bot....
E2EE is more than just the server-side app, looking at recent Android PRs, i.e.
- https://github.com/nextcloud/android/pull/10390
- https://github.com/nextcloud/android/pull/10388
- https://github.com/nextcloud/android/pull/10323
- https://github.com/nextcloud/android/pull/10322
on the website. Remove everything regarding offline recovery, sharing, HSM and "enterprise grade/production ready", and promote the existing functionality instead.
Just to be clear, this is the tracker for the server-side app for e2ee (the project) and has no relation to the website which is purely operated by Nextcloud (as a company).
Trying to catch up with this thread after seing the half star review on the store... @AndyScherzinger is there still a dedicated person for this? / A kanban to follow progress?
Thanks
is there still a dedicated person for this? / A kanban to follow progress?
There is a dedicated person for this in cases where we decide to add enhancements to e2ee, yes. There is no kanban to follow progress and it is also not planned to have a dedicated one. We currently work on getting a "server/files"-related kanban board up again - used the quotation marks since that board would cover anything files or server related.
Thanks for the update, @AndyScherzinger. Do you think the development of any of the features listed as coming in 2021 or 2022 (on the official E2EE roadmap) will be continued this year?