Navigation menu

Versions Compared

Old Version 8

changes.mady.by.user th

Saved on

compared with

New Version 9

changes.mady.by.user th

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

All E2ee related user settings are found in the Security section of their Personal Settings.

Key Storage

Note

When more than one Key Storage was provided by the administrator, all ownCloud users must select their preferred storage first. This step is neither needed nor available when there is provided only a single storage.

 

Image RemovedAt first login a wizard will open which guides through the creation of a key pair for encrypting and decrypting files. Tis pair comes with a private (secret) key and a public (not secret) key.

  • The public key will be used to encrypt files
  • The private key will be used to decrypt files

While the public key will be saved in the server's database ("anybody may encrypt files for me"), the private key must be kept secret ("only I may decrypt files").

Image Added

After the welcome screen you choose the key storage, where your keys will be saved.

The select box provides all available key storages, as they were set up by the administrator.

 

Image Added

Depending on the system settings you can choose if and where the private key is saved and how you want the decryption to be performed. This depends on your security requirements and possibilities:

 DescriptionUsabilitySecurity
Your Computer/DeviceThe private key is stored in the browser local storage (similar to a cookie)(star)(star)(star)(thumbs up)
External Key/Smartcard

The private key is available through an external process running on the client machine. Then the browser can only request decryption.
You have to install an extra Key Server on your machine, which is able to both recognize provided key files or Smart Cards (currently Windows only).
The key is never saved in the browser.

Info

The Key Server supports reading the key from a storage location (.pem file) or from a pkcs#11 compatible hardware device.

(star)(star)(thumbs up)(thumbs up)(thumbs up)
Manual input for each downloadWhen downloading an E2EE file, the private key has to be copy/pasted into a browser form. The key is never saved in the browser.(star)(thumbs up)(thumbs up)
Local decryptionThe E2EE file is downloaded locally and a secondary tool is required to decrypt (E2EE Reader).
The E2EE Reader supports both file and Smart Card decryption (currently Windows only).
The key is never saved in the browser.		(star)/(star)(star)(thumbs up)(thumbs up)(thumbs up)

...

Key

...

For the Your Computer/Device key storage, ownCloud users must generate their own private key.

 

Image Removed

Note

After generation you should copy or download the private key to a secure location. A backup of the private key is strongly recommended. In case the system crashes or a user is deleted by accident you cannot read the shared files anymore. The private key is NEVER sent to the server. The private key can never be recovered.

Info

A user can have multiple private keys assigned to his account i.e. for multiple devices. Files uploaded into one os his encrpyted folders will automatically be encrypted for ALL his private keys.

 

Once the private key is generated the public key is uploaded on the fly. From then on, a user can create encrypted folders.

Storages

External Key/Smartcard Configuration

For the External Key/Smartcard key storage, a key server URL has to be provided. In most cases this will be the default value http://localhost:9080.

By clicking the Test Connection button you will receive a message whether the key server was found or not. You will be asked to register your Smartcard when it had been found.

An additional button Connection Info will show up which either opens the key server's status information or a browser error page, in case the key server did not respond.

All other storages

Except of the variant External Key/Smartcard, where the key is retrieved from the hardware, in any other keys a new key pair will be generated.

The public key will be uploaded to the server's database, the private key is show in the next step.

 

Image Added

From now on you are able to create or read end-to-end encrypted files.

Note

Be sure to save the private key and store it at a secure location (e.g. in a safe). Make a backup of this key. Without the private key you cannot open any files, e.g. when the web browser was reinstalled.

The private key is never sent to the server. The private key cannot be restored.

In case this key is lost, you have to create a new one. However, you only can access files encrypted for your old key when

  • You re-upload the files
  • Another user who shared an encrypted folder with you re-encrypts it for your new key.
Info

After you are done with the wizard, the key management is always available in your Personal Settings - section Security

Image Added

Click Yes, take me there to find the section Security in your Personal Settings.

Info

User can have multiple private keys assigned to their accounts i.e. for multiple devices. Files uploaded into one of their encrpyted folders will automatically be encrypted for ALL of their private keys.

Decrypting Files

Key Storages Manual input for each download and Local decryption

Both storage options require, that your public key is available on the server. It will be used for encrypting files.

...

  • you at least once have generated a public key in the Personal Settings
  • you at least registered once with the Key Server (file key or Smart Card)
  • the administrator added your key on the server (occ command)

Manual input for each download

Every time you want to open an encrypted file the browser opens a modal window where you have to provide your private key.

...

The file is decrypted in the browser only, the private key is never sent to the server.

Local decryption

The raw E2EE file will be downloaded. You need the E2EE Reader to be able to decrypt those files.