System Configuration
As Admin user you will find the E2EE settings in the Encryption section of the Admin Settings.
License Installation
Copy/paste your license key and click on Change License to install a new one or update it.
You will see until when your license is active and for how many users.
Key Storage Options
Select, which key storages will be available for your users. You may provide different settings for ownCloud and guest users.
If you provide more than one key storage options, users must set up their key storage in their personal settings prior to being able to read and save encrypted files. This must be communicated in advance to avoid any confusion.
The handling of the private key is - from a security perspective - the most important part. The private key must be kept safe but still be used when you want to decrypt data.
There is a clear trade-off between security and usability, depending on which option you want:
| Description | Usability | |
|---|---|---|
| User's Computer/Device | The private key is stored in the browser local storage (similar to a cookie) |  |
| External Key/Smartcard | The private key is available through an external process running on the client machine. Then the browser can only request decryption. You have to install an extra Key Server on your machine, which is able to both recognize provided key files or Smart Cards (currently Windows only). The key is never saved in the browser. | |
| Manual Input for each download | When downloading an E2EE file, the private key has to be copy/pasted into a browser form. The key is never saved in the browser. | |
| Local decryption, download only | The E2EE file is downloaded locally and a secondary tool is required to decrypt (E2EE Reader). The E2EE Reader supports both file and Smart Card decryption (currently Windows only). The key is never saved in the browser. | / |
General remarks about security:
- Even with access to a server backup no data can be decrypted (you need a private key)
- Access to a private key only allows to decrypt that users data
- When a private key is removed, all decryptable information is purged from the server (i.e. even if recovered, it cannot be used to decrypt data any more)
Access Restrictions
By default all users are enabled to use the E2ee app. If you want to restrict usage to specific groups only, you may set them in the Authorized Groups section. If you provide one or more groups here, only members of those groups may set a folder as E2ee encrypted. Click the apply button, when you are done.
The authorized groups will be applied when a user logs in for the first time.
To see exactly how many users are enabled to use the E2EE app, you may click the Apply E2ee Groups. After a reload the Summary section shows the number of currently enabled users.
Multiple Keys
Users can only have one public key assigned to them by default. This is a security feature. If you want users to have multiple keys (i.e. one for each of their device or for backup purposes) you may enable this option.
Status Report
You can generate a status report of your E2EE installation by clicking the button in the Summary section: The report will be mailed to the logged in administrator's email address. It includes the current license information such as the number of enabled users.
occ Commands
As an administrator you might want to perform certain operations by using scripts. The following commands are available:
e2eeshare:list-keys
Show all public keys for the provided user
Syntax
sudo -u www-data php occ e2eeshare:list-keys <user>
e2eeshare:add-key
Add a new public key to provided user
Syntax
sudo -u www-data php occ e2eeshare:add-key <user> <path>
e2eeshare:delete-key
Delete a public key from provided user
Syntax
sudo -u www-data php occ e2eeshare:delete-key <user> <key id>