How ownCloud uses encryption to protect your data

Because ownCloud is all about protecting your privacy, we often get questions about encryption of data. In this blog post we explain how and where ownCloud uses encryption and how it helps you keep your data safe.

What is encryption?

Encryption is the ‘mashing up’ (encoding) of data in a way that makes it nearly impossible for somebody else to read (decrypt) it without a specific piece of knowledge: the encryption key. A simple example would be to move each character in the text one further in the alphabet, so an A becomes a B, a K becomes an L and so on. This makes the text unreadable, unless you know the trick: just move them all back one character!

Of course, modern encryption techniques are far more complicated, using advanced mathematics to make it virtually impossible to recover the data without the key. You can read more in the Wikipedia entry.
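The one-step shift described above, implemented as an added example (my own code, not code from this post or from ownCloud). The names `Encrypt`, `Decrypt` and `AllCandidates` are my own; the last one makes the point of the following paragraph concrete: a shift has only 26 possible keys, so a reader who does not know the key can simply try all of them and pick the one that reads as text, which is why real encryption needs far more than a simple trick.

```go
package main

import (
	"fmt"
	"strings"
)

// shiftLetters moves every ASCII letter k positions forward in the alphabet,
// wrapping around from Z to A; digits, spaces and punctuation are left as they are.
func shiftLetters(text string, k int) string {
	k = ((k % 26) + 26) % 26 // normalise so that negative shifts (decryption) work too
	var b strings.Builder
	for _, r := range text {
		switch {
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(k))%26)
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(k))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Encrypt is the post's example: with key 1 every A becomes a B, every K an L, and so on.
func Encrypt(plain string, key int) string { return shiftLetters(plain, key) }

// Decrypt is "the trick": move every letter back by the same amount.
func Decrypt(cipher string, key int) string { return shiftLetters(cipher, -key) }

// AllCandidates shows why a shift is no real protection: the key space has only
// 26 values, so every possible plaintext can be listed without knowing the key.
func AllCandidates(cipher string) []string {
	out := make([]string, 26)
	for k := 0; k < 26; k++ {
		out[k] = Decrypt(cipher, k)
	}
	return out
}

func main() {
	c := Encrypt("Hello ownCloud", 1) // constructed sample text
	fmt.Println(c)                    // Ifmmp pxoDmpve
	fmt.Println(Decrypt(c, 1))        // Hello ownCloud
	for k, p := range AllCandidates(Encrypt("Hello ownCloud", 7)) {
		fmt.Printf("key %2d: %s\n", k, p) // the readable line is the right key
	}
}
```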

How does ownCloud use encryption?

ownCloud uses encryption in two major ways: when transferring data to and from the server, and when storing data on an external storage server. The first requires the use of TLS, a secure communication protocol for the internet. The ownCloud installation manual contains instructions for enabling TLS encryption, and it is highly recommended that you do this.

For storing data encrypted on ownCloud, you need to have the ownCloud Encryption app enabled. It will then encrypt all your data with a strong, randomly generated key, which is then protected with your log-in password. You can find documentation here. As the manual states:

“Encryption and decryption always occurs on the server side. This enables you to continue to use all other apps to view and edit data. However, this method of encryption also means that the server administrator can intercept your data.”

What this means is that you, or rather your ownCloud server, keep the key needed to decrypt your data. This makes it possible to access your files over the web interface and to share files with others. To run safely on a non-trusted server, data would have to be encrypted by the client (your computer, phone or other devices) before being sent to the non-trusted ownCloud server, and you would lose web interface access.
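To make the scheme in the two paragraphs above concrete, here is an added example of the same pattern in Go. It is my own code, not ownCloud's implementation (which is written in PHP and differs in detail): a strong random file key encrypts the data, and that file key is in turn wrapped with a key derived from the login password, so what the server stores is the wrapped key plus a salt, and at login the password is needed to unwrap it. PBKDF2 is written out with `crypto/hmac` so the block needs only the standard library; the iteration count, the function names and the sample password and document are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIterations = 100000 // assumed value for this example; tune to your hardware

// pbkdf2SHA256 returns the first 32-byte PBKDF2-HMAC-SHA256 block (enough for an
// AES-256 key) derived from password and salt: U1 = HMAC(P, salt||1), Ui = HMAC(P, Ui-1), xor all.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates plaintext with a fresh random nonce, which is
// prepended to the returned blob so that openGCM can find it again.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key is wrong or the blob was tampered with.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// UserKeys is what the server keeps on disk for one account: the KDF salt and the
// file key in wrapped (encrypted) form. The clear file key is never written to disk.
type UserKeys struct {
	Salt       []byte
	WrappedKey []byte
}

// NewUserKeys generates the random file key and locks it with the login password.
// The clear file key is returned only for use during this session.
func NewUserKeys(password string) (UserKeys, []byte, error) {
	buf := make([]byte, 48)
	if _, err := rand.Read(buf); err != nil {
		return UserKeys{}, nil, err
	}
	fileKey, salt := buf[:32], buf[32:]
	kek := pbkdf2SHA256([]byte(password), salt, kdfIterations)
	wrapped, err := sealGCM(kek, fileKey, []byte("file-key"))
	if err != nil {
		return UserKeys{}, nil, err
	}
	return UserKeys{Salt: salt, WrappedKey: wrapped}, fileKey, nil
}

// UnlockFileKey is the login step: the password re-derives the wrapping key and opens
// the stored blob. A wrong password fails GCM authentication instead of yielding garbage.
func UnlockFileKey(uk UserKeys, password string) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(password), uk.Salt, kdfIterations)
	return openGCM(kek, uk.WrappedKey, []byte("file-key"))
}

// EncryptFile and DecryptFile are what the server does for every file that goes to,
// or comes back from, external storage. Only the content is protected, not the name.
func EncryptFile(fileKey, content []byte) ([]byte, error) { return sealGCM(fileKey, content, nil) }
func DecryptFile(fileKey, sealed []byte) ([]byte, error)  { return openGCM(fileKey, sealed, nil) }

func main() {
	uk, fileKey, err := NewUserKeys("correct horse battery staple") // constructed password
	if err != nil {
		panic(err)
	}
	blob, _ := EncryptFile(fileKey, []byte("constructed sample document"))
	fmt.Printf("on disk: wrapped key %x\n         file      %x\n", uk.WrappedKey, blob)
	k, err := UnlockFileKey(uk, "correct horse battery staple") // the login step
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptFile(k, blob)
	fmt.Printf("served to user: %s\n", pt)
}
```

The design shows both sides of the quoted manual text: because the server performs the unwrap, it can serve plaintext to the web interface and to people you share with, but anyone who controls the server while a user is logged in (or who can read the password as it arrives) can decrypt just as the server does. A copy of the disk alone yields only salts, wrapped keys and ciphertext.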

The Encryption app

The goal of the Encryption app is to protect data on external storage. All files sent there will be encrypted by the ownCloud server, and upon retrieval, decrypted before serving them to you (or those you shared them with). The key to decrypt the data never leaves the ownCloud server. This makes the ownCloud Encryption app a great tool to benefit from cloud storage offered by services like Dropbox or Google Drive while ensuring security and privacy of your data!


Using the Encryption app is very simple. Just enable the app, and the first time you log in again it will start to encrypt your data. If you later decide to disable the Encryption app, it will provide the option to decrypt your files in your personal settings. Please note that you should be very careful not to lose your login password, as you would lose access to your files. As admin you can set a recovery password. See the documentation for more details.

Keep in mind that the Encryption app only encrypts the content of your files. Filename and folder structures are not protected. You can read more technical details on the Encryption app in this blog post.

Other technologies to protect your data

Application-specific encryption like the ownCloud Encryption app makes little sense when no external storage is involved, since you can just encrypt the whole hard drive instead. Several technologies exist which can encrypt your hard drive or create an encrypted, protected file in which you can securely store data. We would recommend dm-crypt on Linux, as well as eCryptfs and EncFS for individual file and folder encryption. Windows users could use BitLocker and Mac users could try FileVault. Note that full-disk encryption does not require physical access at boot time: with dropbear and busybox you can set up a system that you unlock via SSH.

On the server, hard drive encryption at the operating system level would protect your data from somebody who gets physical access to the machine and steals the disks. Note that this only secures your data while the system is turned off, not while it is running! Full-disk encryption not only gives better security than application-level encryption, it also performs far better (especially on CPUs with extensions like AES-NI).

Implications for security

ownCloud uses encryption to protect your data while it is in transit and while it sits on external storage, that is, when it is on neither the ownCloud client nor the server. However, it does not encrypt data on your computer, and it does not protect you if access to your ownCloud server itself is compromised! There are other widely available technologies which protect your data against those different risks.

The ownCloud Encryption app provides a great way to secure your data on untrusted cloud storage services. It is easy to enable and works entirely unnoticed by the user.

UPDATE: Encryption 2.0, introduced in ownCloud 8.1, makes encryption more flexible and modular.

62 Responses to “How ownCloud uses encryption to protect your data”

  1. António

I will write in Portuguese; I don't know English well enough to explain the problem.

I installed ownCloud 8.0.2. I was running tests and everything seemed to be going well until I could not create any more users. I did not understand what had happened, and since I had to review the folder tree and the user permissions, I decided to create everything from scratch.

As for the data folder that was in the root of my server, I simply renamed it and later copied everything to the correct folder.

In theory everything would work. But I had encrypted the files, without having realised that they belonged to the old users. I thought the data stayed in the folder unchanged. I was wrong!!
The worst part is that I deleted everything from the previous installation except that data folder. The encryption keys went into the trash too.
What now?
Can anyone tell me how I can recover the data?
I have a backup but it is no use, because it does not contain what I need.
Is there any way to fix this?

Thank you

  2. Henk

    For Windows I used the open source tool CryptSync for a while to encrypt the data that I stored on Google Drive.
    CryptSync syncs to 7-Zip AES-256 password protected files that can be synced again by ownCloud.
    Normally CryptSync should be used for the decryption at the other clients, but 7-Zip can also be used to open single files anywhere if the password is known.
    7-Zip also compresses the files, so it saves some space in the cloud.

The additional software and locally organizing the encrypted and non-encrypted folders is a disadvantage.
And there is no key exchange, so afterwards changing the password(s) means syncing all files again and distributing the new password(s).
Nice is that each folder pair can have its own password. That could be used to differentiate the read access rights.

    It’s a solution for the end to end encryption, but it’s not an attractive one.

    • Jos Poortvliet

      Yes, it is not ideal. However, there is at least one person working on client-side encryption for ownCloud and I know several are interested in the subject – so perhaps there will be better solutions in the future. Your help would of course be welcome 😉

  3. nately

    So, if using encryption and I disable\delete a users account, will they still have access to any of the files on the client? Sorry for the noob Q.

    • Jos Poortvliet

      If the files are locally synced and you remove the user on the server, the client will not be able to sync to the server anymore and not do anything (preserving the data locally).

      Server side encryption has no role in this, by the way.

  4. Julio Rodriguez

    Doesn’t BitCasa’s implementation of OwnCloud code, solve a lot of these issues? Simply using a block level de-duplicating file system, and convergent encryption where the hash of the file itself is used as one of the keys; therefore, the encrypted data is identical? Isn’t this client side encryption, how they allow the flow-through to the web & app access to happen? Didn’t anyone notice they were using your GUI and code; however, I could well be completely off base – smelled like your code to me. They seem to be undergoing some major turmoil at the moment (undoubtedly huge Amazon server bills – they should have bought a few Usenet providers and de-duped that resource), perhaps if they chapter 11 – their codebase will be magically available, and not lost forever.


    • sonia arora

Please suggest how I can use two-factor authentication with a one-time password for ownCloud 7.0. I need to add more security on my ownCloud. So please help: how can I get a one-time password on cell phones, and how can the admin set up this authentication?

      • Jos Poortvliet

You’ll have to use an external authentication mechanism, I suppose – something like LDAP, and then have two-factor authentication there. But this isn’t really my area of expertise, perhaps this is something to ask on IRC… There is no built-in two-factor authentication in ownCloud at the moment but some efforts are being put into this so it will come in a future release.

    • Jos Poortvliet

      Hey Julio,

I had a look at their site but didn’t notice an obvious ownCloud UI. Could you provide screenshots? If they took ownCloud code, their code should be open source: we use the AGPL and that requires them to open the code if they give any third party access to it.

      • Julio Rodriguez

        Sure Jos, I’d be happy to. However, currently I’m under the BitCasa transfer deadline of Nov 15th; after which I’ll have to uninstall the current version and re-install their new desktop version (required of their new backend infrastructure) anyways. In between, I will install one of their early versions, which has said GUI; however, obviously I can’t screenshot their old web UI – I don’t think I ever happened to (perhaps an old support forum post from 2012 would show something – I’ll check.)


  5. YR

    If you would like to use client side encryption alongside owncloud, you might want to take a look at:

What you could do is put your encrypted directory (e.g. “.Private”) on your ownCloud, and mount this directory locally using ecryptfs-mount-private.
    The advantage is that you can customize it to your own needs because you can define which data you want to encrypt and which not.

    BTW I haven’t tested it myself yet.

  6. AOua

    You talked about the security of data between the client side and the server side. What about secure transfer of data between servers?
Having a shared folder between two servers seems to be vulnerable to attacks.


    • Jos

      The connection between ownCloud servers (with server-to-server sharing) is also protected by TLS.

  7. Unak

    What happens if my server crashes, but my encrypted data on external drives is fine? How do I recover it?
    It seems that if I lose the keys on the server I may not be able to recover my data even if I have my password,
    so my data is as durable as my server is?

    • Jos Poortvliet

Yes, that is correct: if you lose access to your ownCloud server, you lose access to the encrypted data on external storage. I recommend backing up your ownCloud server!

      • Unak

        You may want to point this out in bold in the documentation, since many people spend significant time, effort and money on the data space durability, while the weak link is in fact their system drive. Plus a procedure to back up and restore the keys would be immensely helpful, along with a standalone tool to recover and extract the encrypted data in case the system fails. This is probably the weakest point in the entire encryption scheme in owncloud. The whole paradigm of the cloud is to be durable and not relying on another chain of events. Now it can be compared to locking your valuables in a heavily guarded bank vault and entrusting the keys to your kids. Correct me if I am wrong of course. Not trying to give a life lecture.

  8. Renan Felipe

I was wondering whether, if I make a doc file available to a user (with me as administrator), I could leave it visible only to them while blocking them from downloading it. Is that possible? I need the answer as soon as possible, because I am doing a TCC and I’m defending this application in my project, wanting to demonstrate in practice how to perform this function.

    • Jos

      No, if somebody can VIEW something, they can download it. That is not an ownCloud thing – that is how computers work, sorry.

  9. Renan Felipe

I wanted to know whether, if I made a doc file available to a user (with me as administrator), I could leave it visible only to them while blocking them from downloading it. Is this possible? I need the answer as soon as possible, because I am doing a TCC and I am defending this application in my project, wanting to demonstrate in practice how to perform this function.

  10. Enrico

I enabled the encryption, but if I go to the folder using an ssh terminal, I’m able to see all the files under /var/www/owncloud/data/Admin/files.
This could be normal, but the thing that I don’t understand is that the files are not encrypted … if I try to edit a plain text file, I can do it.

    Am I doing something wrong?



    • Jos

      Encryption takes time and starts after you log in for the first time as that user.

  11. Pascal KOTTÉ

Hi, encryption is nice but effortless if authentication is weak. Do you integrate two-factor authentication?

    • Jos

      Some of the authentication systems we use have front-ends which can do it, but we’d like to have it in standard ownCloud, too. Help is welcome!

  12. Praf

Hi there, I would like to see how ownCloud works but the demo does not appear to be working. Is it going to be enabled? If so, when?

    • Jos Poortvliet

      It does break occasionally (users can do anything with it, so…) but it should be back up a little while later, it gets reset every hour or so.

  13. Ryan Nix

ownCloud needs to change its encryption scheme. In its current form, files encrypted in ownCloud take up 34% more space than files not encrypted. As cheap as storage is these days, that’s still an insanely high increase in file size.

  14. Ramiro

Hi, I activated the encryption app and logged in again on my server, but the redirect returns a 404 Not Found error:

    Not Found

    The requested URL /owncloud//owncloud/index.php/apps/files/ was not found on this server.

    Apache/2.2.16 (Debian) Server at Port 80

Can I solve this problem without a reinstall?



    • Jos

      Best to look in the documentation or file a bug, this isn’t really the best place to get help, sorry!

  15. Olivier

What would be great is if ownCloud could let us upload encrypted folders inside a standard ownCloud installation.
    That way we would benefit from the editing and sharing features while also being able to backup more sensitive information.

    When adding a “secure” folder to owncloud, we would simply be asked to provide a password and that would be used to encrypt data before sending it. Files and folders names would be encrypted as well.

    • Jos Poortvliet

      Yes, that is client-side encryption, but that means you can’t get at your files via the web interface nor share it. We would accept patches if somebody writes them for this, but it isn’t a high priority thing.

      • bevie

        lack of client side encryption option is a major weakness of owncloud in my humble opinion. it seems reasonable to guess that many people would like to store their data in public clouds and would be happy to use apps not browser to do so.

        • Jos Poortvliet

          Sure, but plenty of tools offer this functionality – it is simply not what ownCloud is about. We want to offer a rich web interface and web apps – if you don’t want that, use something else, that is perfectly OK. We can’t do everything 😉

          Of course we’d be happy to include this technology if it can work within a browser, it just needs somebody to do the work. And if you’re interested in looking into this/building such functionality you’d be very much welcome to do so.

          • bevie

Actually there are no open source client side encryption apps that are easy to use on the 4 or 5 main platforms, otherwise I would use them. Pity ownCloud doesn’t support it since many people want it.

          • Jos

            Well, if there really is demand – it is something that could be done, of course. Somebody has to step up and develop it… Perhaps bountysource could help.

  16. Steve

To solve the problem being debated, use Tresorit: client side encryption, and therefore all transfers and storage are encrypted, even when shared, as the shared party needs to install the client app to access the shared data.

    • Jos

      Well, that will break all ownCloud apps and the entire web interface – so it is hardly a good solution… With the current state of technology the choice is either having the web interface and apps and having to trust the server, or having it all client-side encrypted and not having to trust the server.

      • bevie

Client side encryption means you can store your data securely on any cloud storage without need for trust. This is a massive leap forward conceptually in the post-Snowden era. However, web browsers aren’t fully up to encryption/decryption yet, so you have to use apps for client side encryption. Not a big problem really.

        • Jos Poortvliet

          Sure, but plenty of tools offer this functionality – it is simply not what ownCloud is about. We want to offer a rich web interface and web apps – if you don’t want that, use something else, that is perfectly OK. We can’t do everything 😉

  17. Alex

    Is it possible to use ownCloud with client-side encryption?
    I want to use ownCloud to sync my devices but don’t have access to a server I trust.

    • Jos

      Theoretically, yes, in practice, we simply have not developed this feature. It is low priority as it would make it impossible to use the nice web interface of ownCloud. We welcome work on this feature but most of our developers simply have different priorities. Perhaps another solution is a better fit for your needs, unless you want to help implement this feature of course.

      Another option is to encrypt the files locally before they are shared by ownCloud but this is probably not very convenient.

    • Sean

      Might be worth looking into Seafile which supports client side encryption. Read about it here:

      • Jos

        Yes, but this means no apps and no web interface (and if they offer that with client side encryption, the ‘client side encryption’ is either fake or broken). As said before – with the current state of technology, you have the choice: either have client side encryption (there are loads of solutions for that) or have a web UI.

        For ownCloud, our web UI and the apps are very important so we choose not to offer client-side encryption. That does not mean we won’t accept code and patches which make it possible, provided it is secure and whoever sends the patches commits to maintaining it. But that will break the web UI and thus most of us are not terribly interested in it.

        • Anonymous Coward

          That’s not true. It is possible to have a web interface and to use client side encryption. However, it means the encryption and decryption must be done in the browser, in JavaScript. It is true that this may not be too convenient, but it is possible with the current state of technology and it is done by websites like and, which offer a web interface and do all the cryptography directly in the browser, without any password, data or key ever being sent to the server unencrypted.

          Understandably decrypting the files in the browser before displaying them would not be too convenient for the developers. However, it is possible, and if it is the cost of having only the user ever able to access his files, I think it is worth it. However, that doesn’t mean it should be a priority.

          • Jos

Hmmm, you then still get the encryption code from the server. How do you prevent code that shares your private key with the NSA from being sent to your computer? Remember, client-side encryption makes sense ONLY if you don’t trust the server. So you can’t trust the code the server sends, either. Maybe it has been compromised. Maybe it will send specific code to specific people to intercept their data.

            It doesn’t solve the problem, I think. Browser plugins would work but then you can’t so easily share your ownCloud files as the recipient has to install a browser plugin first.

            You’re right that this isn’t ultra-high priority. Projects like the ones you mention are trying to solve these issues and they are making progress, but last time I checked, our security people weren’t convinced. They first need to be convinced this technology really works. Second, it needs to NOT make things harder on the ownCloud users – creating barriers to ownCloud use is just not acceptable, we want to let more people use ownCloud. Not less. Third, somebody needs to do the work. I’m not worried about that last point: as soon as a good solution to this issue has been found and developed by the international open source community, it will spread like wildfire to various open source web services, including ownCloud.

            So please don’t mistake my skepticism for not WANTING client-side encryption, I and other ownCloud developers want this. But it has to be a real solution, not “snake oil” (and that is quoting one of the ownCloud security people when talking about this subject). When the ownCloud security people tell me there is no decent, truly safe solution, I can only trust their expertise – I personally just don’t know enough about it.

            That does not mean we would oppose efforts to build a solution like this into ownCloud. It probably wouldn’t become part of the standard ownCloud package, but as an app or something it might be useful as an extra layer of, albeit imperfect, security. I would personally probably use it, too, and it would be good to get this working and work out the issues it causes so we’re ready when a really good solution comes by…

          • Aaron

            I agree with your statements, however even if I trust a server, I want to protect the data from some hacker that gets into the server. With server-side encryption, if he gets in and copies the contents of the server, he can acquire everything he needs, and even take his time to decrypt. If instead, it is encrypted client-side, where the key is never sent to the server, then if he copies the server contents he has nothing. In order to get the key, he has to write some code that is served to my client (web, something) that TRICKS it into surrendering the encryption key. This adds a fairly significant obstacle, as he must accomplish this while having access to the server, intelligently edit files on the server instead of just copying, and must maintain the access until he has the key, likely meaning waiting until I log in through the specific interface point he has compromised. Numerous controls could be implemented to make this even more difficult.

            If you want an example, Wuala does this today. But I dislike the program for other reasons.

            Data protection is about making it more expensive to attack than the data is worth. There is no 100% solution.

          • Jos

            Fair enough. If you look at it that way, then yes, ownCloud’s server side encryption does help a bit in some situations.

    • Nadine

      Hi, I use the Secure Data Space Demo version, it includes client side encryption as well as apps and web interface….

    • Thamiris

By 9 March 2012 – 00:17 Yes, I can say the same from my first visit! The talks at the Heise booth are always worth seeing too! The live hacking at 12:00 is always so packed that it may have to be cut short. Apart from that, bloggers also have the opportunity to report on getDigital (a voucher is offered as thanks) and to take a gadget along to blog about, see . From my point of view the open source booths (apart from the books) are always only moderately interesting, but not bad. Good for getting up to date in a personal conversation. Anyone working in this field will certainly also want to drop by the Heise crypto campaign () or CAcert (). There was also a blogger hut at the Intel booth, with free snacks and drinks, as well as the opportunity to meet other bloggers (like Cashy or me). Always very nice! I would even plan three days: one day for orientation, and two more to look at interesting topics in detail or to listen to talks. Otherwise you rarely get that for free. Regards, Ben

  18. Eric

Encryption is awesome, but it makes external storage sharing useless (e.g. shared folders on Dropbox or others), because it encrypts that data and others won’t be able to access it.

    • Brian Bartlett

Eric, it just makes you work a bit harder when you understand the process. To share anything with someone via an external device, you need to first use your private key to encrypt the file and then use the recipient’s public key to encrypt it again. The recipient reverses the encryption using her private key and your public key. That’s the serious, almost always safe way (so far I’ve been able to keep track). Naturally, you have to do this with every target in a shared folder/file and it’s a total PITA. Either you are serious about privacy/security and learn this stuff or you’ll end up roadkill on the Internet Super-Highway. Anyway, I hope this helps. I’m new here so this is a major consideration as I don’t know the feature set.

      • Eric

Hi Brian, the problem is that I share some files with people that don’t have any private/public key and are not even able to do something like you describe. They just share files with me and that’s it. It works for them, but I cannot access them from my ownCloud, otherwise when I change them they get encrypted and I cannot access them anymore. There is also a bug about this and I’m in the same situation as that guy; it would be much more useful for me to completely disable the encryption on external storages in order to use their sharing feature. Those are files I’m not so concerned about regarding privacy and cloud matters. All my files are on my ownCloud and encrypted. From the point of view of the user, the current external storage with encryption is broken when files are shared with others.

        • Jos

          Eric, Brian,

          I’m afraid that this is simply not how the encryption was meant to work and ever could work. Encryption is only meant to encrypt data on external storage to make sure that external storage provider does not have access to what you do.

Encrypting data on your own ownCloud server does nothing to protect your privacy as the key to the encryption is stored on the server as well.

          Not encrypting data on the external storage is an option, of course, by just not enabling the encryption app. But instead of using the sharing features of these external storage services (like Dropbox or Google Drive), to protect your privacy, you should share the files only through ownCloud – and use the encryption app to ensure the third party storage provider never sees your data.

          EDIT: Note that Encryption 2.0, which was part of ownCloud 8.1, deals with this: you can have a backend which works with external encryption algorithms and key management systems.

          • Eric

            Hi Jos, I didn’t know this. I always thought that the encryption was useful also on your own server, with the user’s password used to decrypt files and not directly stored on the server.. that’s bad

          • Marcelo Carlos

I am not sure if I agree with the statement “Encrypting data on your own ownCloud server does nothing to protect your privacy as the key to the encryption is stored on the server as well.” Assuming that the encryption key is encrypted with another key derived from the user password, and the user password is strong, confidentiality can also be achieved when the data is stored locally. If an attacker manages to access the filesystem of the ownCloud server, he would be able to see the encrypted files and the encrypted key only (and of course, any decrypted content in the server memory). Obviously, the attacker could copy the files and encrypted keys and try to brute force them, but assuming strong passwords, the chances of him succeeding would be very limited.

I see your point that having this detachment between the frontend (and keys) and the storage improves security, but in my opinion, local encryption significantly improves security as well.

          • Jos Poortvliet

            Well, it does help a little – but it only makes things a bit harder for an attacker so I just can’t call it ‘secure’. If an attacker has access to the server, especially when it is running, they can get at your data and that is what counts. Security is a bit of a black-and-white thing: either something is secure (“it would take an attacker on average 5 million years to brute-force the key and there is no other way to get the data”) or not (“anything else”).

    • Jos

      The idea is that you simply share the data on external storage like Dropbox via your ownCloud server. It will decrypt the data when it offers it to whoever you share with – the fact that it is stored on dropbox will not be noticed.

  19. Sven


Is it possible to enable the encryption only for one or two users?
Or does the app encrypt the files of all users?


    • Jos

      Encryption is currently an ownCloud-wide setting so it encrypts the files of all users. Encryption starts the first time they log in.

      EDIT: in ownCloud 8.1, you can enable and disable encryption per external storage mount. You could, in theory, also develop an encryption backend which does not encrypt certain files.
