From DLNET.ORG Cloud Documentation

Encryption is the foundation of data security. It lets you store data so that it can be read only by yourself (or by whoever holds the private key) and not by others who can access the storage, and it lets you communicate with others so that only the conversation partners can read what is said, not the servers that forward the messages.

Encryption is also used by servers to communicate securely with clients (such as your phone and PC) and with other servers, using the TLS protocol (the successor of SSL; combined with HTTP it is widely known as HTTPS). This transport encryption effectively prevents eavesdropping on the network path, but it protects data only while it is in transit. Once the data reaches the server it is decrypted, so it offers no protection against the server operator, against attackers who compromise the server, or against governments that compel the operator to hand data over.

This page discusses ways in which you can implement client-side encryption and end-to-end encryption, which protect your data even from the server and are therefore stronger than the transport encryption described above.

Email encryption

The best way to implement end-to-end encryption for email is OpenPGP, commonly called Pretty Good Privacy (PGP). PGP works only if both you and your email partner have installed the required software and have exchanged public keys; each of you encrypts to the other's public key and decrypts with your own private key, which never leaves your device. Various email applications implement PGP. Thunderbird has built-in OpenPGP support since version 78; older versions used the Enigmail plugin. For Outlook, you can use Gpg4win (its GpgOL component integrates with Outlook).

PGP is also supported by the Roundcube webmail client. For this to work you first need to install the Mailvelope browser extension and import your PGP keys into Mailvelope (or create new keys there). Mailvelope keeps the private key inside the browser extension, so the webmail server never sees it. See this page for some configuration instructions.
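The steps above (create a key pair, hand your public key to your correspondent, import theirs, encrypt and decrypt) are the same whatever client you use. The following is an added example, not part of the original page or of the Mailvelope or Roundcube projects: it walks through the whole exchange on the command line with GnuPG, using two separate keyrings to stand in for the two mail users. The names, addresses and message text are constructed for the demonstration; the empty passphrases exist only so the script runs unattended and should not be copied into real use. It also shows the two checks a practitioner cares about: that the fingerprint of the imported key matches the one your partner sees, and that a party holding only the ciphertext (the mail server, for instance) cannot decrypt it.

```shell
#!/bin/sh
# Added example: an OpenPGP key exchange and encrypted message between two
# constructed users, Alice and Bob, done with GnuPG 2.1+ on the command line.
set -eu

WORK="$(mktemp -d)"
ALICE="$WORK/alice"   # Alice's keyring: her private key lives only here
BOB="$WORK/bob"       # Bob's keyring: his private key lives only here
SERVER="$WORK/server" # the relaying mail server: holds no private key at all
mkdir -p "$ALICE" "$BOB" "$SERVER"
chmod 700 "$ALICE" "$BOB" "$SERVER"

# Generate a key pair in the given keyring with GnuPG's default algorithm.
# The empty passphrase is for unattended demonstration only.
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}

# Export an ASCII-armoured public key: the file you hand to a correspondent.
export_pub() {
    GNUPGHOME="$1" gpg --batch --quiet --armor --export "$2"
}

# Import a correspondent's public key (read from stdin) into your keyring.
import_pub() {
    GNUPGHOME="$1" gpg --batch --quiet --import
}

# Primary-key fingerprint of a key in a keyring, for out-of-band comparison.
fingerprint_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# Sign as $2 and encrypt stdin to $3. --trust-model always skips the
# web-of-trust check; in real use compare fingerprints before trusting a key.
encrypt_to() {
    GNUPGHOME="$1" gpg --batch --quiet --armor --trust-model always \
        --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --sign --encrypt --recipient "$3"
}

# Decrypt stdin with whatever private keys the keyring holds.
decrypt_in() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt
}

# Returns 0 if the given keyring can decrypt the ciphertext, 1 otherwise.
can_read() {
    printf '%s\n' "$2" | decrypt_in "$1" >/dev/null 2>&1
}

gen_key "$ALICE" "Alice Example <alice@example.org>"
gen_key "$BOB"   "Bob Example <bob@example.org>"

# Key exchange: each side imports only the other's public key.
export_pub "$ALICE" alice@example.org | import_pub "$BOB"
export_pub "$BOB"   bob@example.org   | import_pub "$ALICE"

# Bob verifies that the key he imported is really Alice's by comparing the
# fingerprint she reads him over the phone with the one in his keyring.
ALICE_FPR_AT_ALICE="$(fingerprint_of "$ALICE" alice@example.org)"
ALICE_FPR_AT_BOB="$(fingerprint_of "$BOB" alice@example.org)"

MESSAGE="meeting moved to 15:00"   # constructed sample message
CIPHERTEXT="$(printf '%s' "$MESSAGE" | encrypt_to "$ALICE" alice@example.org bob@example.org)"
PLAINTEXT_AT_BOB="$(printf '%s\n' "$CIPHERTEXT" | decrypt_in "$BOB")"

# What the mail server stores and forwards is only the armoured ciphertext.
printf 'server sees: %s ...\n' "$(printf '%s\n' "$CIPHERTEXT" | head -n 1)"
printf 'bob reads:   %s\n' "$PLAINTEXT_AT_BOB"
```

Run it as a plain `sh` script with GnuPG installed. The `can_read` helper is what makes the end-to-end property concrete: `can_read "$BOB" "$CIPHERTEXT"` succeeds, while `can_read "$SERVER" "$CIPHERTEXT"` fails with "No secret key", because the server keyring never held anything but public keys. Mailvelope and the Thunderbird OpenPGP integration do the same operations behind their dialogs; the fingerprint comparison is the step users most often skip.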

To read encrypted mail, you may need to change a setting in Roundcube. Go to Settings -> Preferences -> Encryption. Then turn on "Enable message decryption".

Roundcube also has a built-in PGP system (the Enigma plugin), but we recommend against using it: your private key is stored on the server and decryption runs on the server, so the server operator can read your mail and it is not true end-to-end encryption. The only benefit of the built-in system is that you don't need to install the Mailvelope extension to use PGP features.

Client-side storage encryption

Encryption of stored emails with the user's key on the server (as notably offered by ProtonMail, which encrypts incoming mail to your public key when it arrives) is not currently supported. However, the benefits of such encryption are largely illusory: the plaintext still passes through the server before it is encrypted, so a malicious entity with access to the server could change the server's internals to keep a non-encrypted copy of all emails elsewhere. The only way to avoid this is true end-to-end encryption, where the sender encrypts before the message ever reaches the server (see PGP above).

Criticism of PGP and the limitations of email

PGP has been heavily criticized because it is cumbersome to use, and as a result has seen very little adoption, and because it does not provide forward secrecy: every message to you is encrypted to the same long-term key, so anyone who later obtains that private key can decrypt all past messages they have recorded. These limitations are inherent to email, which is built on protocols from the 1980s that were never designed with encryption in mind. It is unlikely that email will ever become a truly secure medium of communication. Those who need strong cryptographic security combined with usability should opt for messaging apps like Signal, which use ephemeral keys and so do provide forward secrecy.

File encryption

ownCloud does not currently support client-side encryption. However, you can encrypt your own files locally on your PC before they are synchronised. An easy way to do this is Cryptomator, which encrypts the contents of a folder (file names included) so that only ciphertext is uploaded to the cloud; the vault password never leaves your device. A downside is that you won't be able to read the encrypted files in the ownCloud app for mobile devices. You can, however, use the Cryptomator mobile app and configure it with WebDAV to connect to ownCloud and open the vault there.