ownCloud Planet

Welcome to ownCloud News, our contributor blog roll. ownCloud contributors should ask to get added!

Opinions are the responsibility of those who express them. See our privacy policy.

If you'd like to stay up to date with ownCloud news you could also subscribe to our newsletter!

ownCloud
Notification: YOU are giving a talk at the ownCloud Conference 2017!
July 17, 2017

Franka Wittek holding a talk at last year's ownCloud Conference

From the 20th to the 23rd of September we are hosting the ownCloud Conference 2017 in Nuremberg. To make this a great experience for everyone, we need your help! We are giving you the platform to hold a talk.

The event is all about you, the ownCloud community! Please feel free to talk about your favourite app, ownCloud installation, best practices or a proposal for future architecture. We are asking for your contribution to a great ownCloud community event.

There will be three different formats in the tracks:

  • 10-minute lightning talks – this format is meant to highlight a new idea, show something cool, or bring up a new topic to discuss later.
  • 45-minute tech talks – this format is designed to explain or investigate a topic which needs more depth in discussion and a broader audience; some interactivity is of course welcome.
  • Workshops of flexible length – this format is for hands-on exercises – to share knowledge, to learn, to try things.

Presentations can address all different areas of ownCloud, however, we first and foremost welcome technical topics around code, as well as contributions about the social aspects of the project, community affairs or just free software in general.

Here are some areas where we would particularly welcome contributions. This list is meant to serve as inspiration but does not limit the possible topics we accept:

  • ownCloud core technologies on server and clients, such as file access, sharing, syncing
  • Aspects of ownCloud as an application platform: best practices, APIs, fancy project ideas
  • Scaling, deployment and updating: How do you grow big with ownCloud?
  • Integrations: ownCloud as a good citizen in other environments, or vice versa
  • Community: How to build a community around ownCloud

You can also give a workshop!

The audience will range from hobby coders through developers, designers and other creatives, to administrators, web activists and free software supporters, interested users, politicians and decision makers.

There will be beginners, as well as professionals in attendance. And even though the ownCloud conference is a community event with no commercial background, we do consider commercial ownCloud users as community members and welcome their experiences stemming from installations within companies, education organisations and at service providers.

 

So if you’re interested, apply for giving a talk here!

Don’t forget to register!

For general information about the conference, see the conference pages.

Thanks!




ownCloud
The marketplace is making some nice progress!
July 11, 2017

The marketplace is the new platform, where ownCloud apps are provided for downloading and upgrading. App developers upload their apps there, so ownCloud admins can automatically install them. The marketplace is currently still in beta, but is making progress!

Our development team worked hard to bring you these new features for the marketplace:

Updated save process of user settings
We standardized all data save dialogs for a better user experience. Changing your settings is now way more intuitive.

 

Updated upload process
If you want to publish an app, you can now double-check how the information you specified in your app's info.xml looks on the marketplace. So you can publish your app the moment you think it’s perfect.

Market app
The market app in ownCloud is responsible for downloading and upgrading the other apps from the marketplace. We improved the integration of this app into the marketplace. The market app now supports bundles and lets users easily install apps contained in a bundle.

Bug fixes
We fixed around 30 bugs, including bugs reported on the official marketplace bug tracker: https://github.com/owncloud/marketplace-issues. If you still find one, please report it there 😉 It will be appreciated.

You can now try out the Enterprise Apps!

Starting now, all ownCloud enterprise apps are available. Like all other apps, the ownCloud enterprise apps are separate from the core to allow modular, parallel and therefore faster development of both the ownCloud core and the extensions. This also enables admins to decide which features they want in their ownCloud.

If you are interested in the ownCloud enterprise features, it is now very easy to start a 30-day-trial. Generate yourself a demo license key in your marketplace account and start testing!

 

We hope that the marketplace is out of beta soon, so we can close down the old https://apps.owncloud.com and focus on new, better technology.

 




ownCloud
The ownCloud beta client is coming to the F-Droid repository for easier testing!
July 10, 2017

Lots of you already installed the ownCloud desktop testing client, and are helping us find the bugs we need to fix.

The same is now coming for the Android client, or rather, to the popular F-Droid repository, where you can easily download open source apps (for free, of course). If you don’t want to rely on the Google Play Store to download your apps and fancy Open Source software, F-Droid is a viable alternative.

So, my thanks to Schabi, who took over maintaining the beta client on F-Droid!

Some issues that are not yet fixed in the stable version are already fixed in the beta client. Problems with Instant Upload, which some people had with Android 6 and Android 7, should be fixed in the beta client. If you are affected by this, you should probably install the beta.

A new feature made it into the beta, too – private links (a.k.a. local links) will soon be supported in the Android client, and are available in the top right corner of the share view. Installing the beta is a good chance to try this out!

Open Source software thrives only with a strong community. Making the source code transparent enables other people to help make software more stable and reliable. That’s why we want to give you our beta client easily, so you can already use the brand-new stuff and our daily improvements, and if you stumble over bugs, errors and security holes, you can report them on https://github.com/owncloud/android/issues, or write a mail to apps@owncloud.com. For this purpose you can view the logs in the client and post them in GitHub issues.

Let’s make ownCloud better for everyone!




ownCloud
Guest Post: Cornelius Kölbel on end to end encryption
July 5, 2017

Guest Post: What End-to-End Encryption in Enterprise Cloud environments needs

Cornelius Kölbel is Managing Director at NetKnights GmbH and has more than 20 years of experience in IT services. Since 2003 he has focused on IT security. His expertise is in the area of content security, encryption and strong authentication.

 

Your data is at risk, and with it your personal life and your company’s assets. By using your own cloud storage like ownCloud you can avoid hackers, trade espionage and rogue governments getting your data. Your data is under your control.

But depending on where your storage is located, some risks still remain. The connection to your ownCloud installation in the hosted datacenter is TLS protected. All data is encrypted in transit to the datacenter. But within the datacenter your data is in plain text.

Are you using ownCloud’s integrated encryption? Do you even have the full disk encrypted using LUKS or similar methods? This is fine, but it only protects you from certain attacks, such as theft of the bare hard disk. If the attacker gains access to the very location where the actual encryption takes place, the encryption is useless, since this location also contains the encryption key! Thus, if the attacker has access to the datacenter or – more likely – is a rogue or bribed employee of the datacenter, the attacker can get physical access to your encryption key and finally to your data.

This is why client side encryption is such a good idea. With client side encryption the data is encrypted on your own client. The key material is only available on your client, not on the ownCloud server. The data is sent to the server already encrypted. Not only is the transport layer encrypted using TLS, but the payload itself inside the TLS connection cannot be read anymore. The ownCloud server and the storage never see any clear text data and never have access to the encryption key. The tool Cryptomator, which was introduced in this previous blog post, works this way.

 

Requirements

But enterprise scenarios come with a longer requirements list than tools like the slick Cryptomator can cover. Even smaller companies have to comply with these requirements if they are suppliers to bigger enterprises. I have run several projects where supplying companies were confronted with requirements for encryption and two factor authentication because they delivered to bigger enterprises, which simply defined those requirements. Let us take a look at the requirements when you run a company or bigger organization.

 

File Encryption

In such scenarios it is important to encrypt individual files. In contrast to full disk encryption and encrypted containers, encrypted files can be moved around without breaking the encryption. Even an encrypting file system does not provide this "sticky" encryption: if the user moves the file to another disk or a USB stick, the file is no longer encrypted, since with full disk encryption and container encryption the encryption is bound to the storage and not to the data. The data should not be decrypted when the file is moved. This is why we require that the files themselves are encrypted and stay encrypted when moved to another location.

 

Client Side Encryption

As mentioned in the beginning, the files should be encrypted and decrypted on the client. This way only encrypted data is transferred over the network. The user can also move the files as in the previous requirement, but most importantly the encryption becomes independent of the storage location.

The administrator can access the file but cannot read the data in the file. This way all backup mechanisms still work, but the data is persistently protected.

 

Groups

When working with data in a company, users are usually working on projects with other colleagues. Thus, several users need access to the encrypted data. The project leader or data owner might need to add other users to the group and grant them access to the encrypted data or withdraw this access again.

It is important to note that usually it is not *the* administrator who grants access to the data. Following the principle of separation of duties, the administrator may be responsible for providing the storage and taking care of the backup, but he might not be allowed to read the data and probably will not be allowed to decide who is allowed to read the data.

This leads us to the requirement for a bit more sophisticated key management.

 

Key Management

If files are encrypted with passwords, then a password based key derivation function (PBKDF) is used to generate the encryption key from the password. A badly implemented encryption scheme would use this derived key directly to encrypt the file.

This results in the problem that – if you change the password – the complete file needs to be decrypted with the old password and re-encrypted with the new password. This might be fine for one small file but totally fails for a complete directory, a hard disk or a huge storage.

When you look at how encryption is done in practice, a multi-step scheme has proven to be sensible. Even in the case of a PGP encrypted email, the email is, for many reasons, not encrypted with the public key of the recipient directly but with a symmetric data encryption key (DEK) which is unique to this email.

Only this DEK is encrypted with the public key of the recipient. The key used to encrypt the DEK is called the Key Encryption Key (KEK).

The other great thing about using a DEK and a KEK is that several users can have access to the same data with different passwords – or different KEKs. This way a user who has access to the data can also be allowed to grant access to the data to a new user: the software decrypts the DEK with the KEK of the existing user and encrypts the DEK of the file with the KEK of the new user.

This way, each file has a list of KEK-encrypted DEKs attached to it. Confused? No need to be. Take a look at the picture:

(Footnote: Actually, this is also the same when sending an encrypted email to a list of recipients.)

Thus, enterprise encryption software needs to allow adding users, via their key encryption keys, to files. Users need to have different roles, such as being allowed to add users to access groups or only being allowed to access the data.

(Of course, you cannot effectively avoid the user breach: a user who has been granted access to the data can go rogue and print the data, take a photograph or make a copy. If you want to tackle this threat you need to think about implementing data leakage prevention.)

 

So, what the heck with the KEK?

You might use the latest and greatest unbreakable symmetric encryption algorithms for actually encrypting the data. But these are of no use if the access to this encryption – usually the password – is weak. An attacker would always target the KEK (i.e. the passwords) and not the DEK (the encryption itself).

Thus, another important requirement is not only to encrypt the data but also to protect the access to this encryption. A good way to do this is not to use a password based access but to use public key cryptography.

As mentioned with the PGP example, the KEK is the public key of the user. The DEK is encrypted with the public key. The user has to provide his private key to decrypt the DEK to access the data.

 

Ideally the private key is located on a smartcard, so that it cannot (easily) be copied or stolen. If the private key was initially generated on the smartcard, you can in addition be sure that it was not stolen or copied before it got there.

Data Read Escalation

As required earlier, the administrator usually cannot read the data and cannot add users to the group of data users who can read the encrypted data.

But in certain cases – when all users have lost their smartcards, forgotten their passwords or have left the company – the company needs to be able to access the encrypted data without any of the original users being available.

In this case the encryption solution needs to provide a process, preferably following the four-eyes principle, to regain access. The four-eyes principle is important to increase trust and to allow full deniability for all participants.

Technically the key management can do this by adding a system-KEK or recovery-KEK to all files.

 

Hardware Security Modules

Besides using smartcards for the users’ KEKs, support for hardware security modules can be a good idea. The HSM can be used to protect the system-KEK or recovery-KEK, or to sign configuration data. Otherwise a user with the right to only read encrypted data could escalate his rights to “assign new users to the encryption group” by flipping some bytes in the database.

 

Reencryption

We already said that reencrypting the data is a bad idea and should be avoided. Nevertheless, it can be necessary, for example if the symmetric encryption algorithm used to encrypt the files is found to have weaknesses. This is especially important if you need to upgrade the encryption algorithm. In a worst-case scenario, the system or backup key could be compromised. Then these keys need to be changed.

The solution should provide the possibility to reencrypt the data.
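The key management described in the sections above (a DEK per file, one KEK-wrapped copy of the DEK per user, access grants by re-wrapping, password changes that leave the file body untouched, a recovery KEK for data read escalation, and full reencryption as the expensive exception) as an added Python example; it is not code from the post or from any product it mentions. It assumes password-derived KEKs via PBKDF2 where the post recommends public keys on smartcards, and uses a toy HMAC-SHA256 keystream-plus-tag cipher (`seal`/`unseal`) in place of AES-GCM so that it runs with the standard library only; user names and passwords are constructed.

```python
import hashlib
import hmac
import secrets

# --- toy authenticated cipher: stand-in for AES-GCM so this runs with the stdlib only ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: keystream XOR plaintext, then an HMAC tag over nonce and ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- key management: one DEK per file, one KEK-wrapped copy of that DEK per user ---
def derive_kek(password: bytes, salt: bytes) -> bytes:
    # PBKDF2 turns a password into the key-encryption key; the KEK never encrypts file bodies.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)

def encrypt_file(plaintext: bytes, user: str, kek: bytes) -> dict:
    dek = secrets.token_bytes(32)  # fresh data-encryption key for this one file
    return {"body": seal(dek, plaintext), "wrapped": {user: seal(kek, dek)}}

def unwrap_dek(f: dict, user: str, kek: bytes) -> bytes:
    return unseal(kek, f["wrapped"][user])

def read_file(f: dict, user: str, kek: bytes) -> bytes:
    return unseal(unwrap_dek(f, user, kek), f["body"])

def grant(f: dict, by_user: str, by_kek: bytes, new_user: str, new_kek: bytes) -> None:
    # A user who already has access (or the recovery-KEK holder) unwraps the DEK
    # and re-wraps it for the new user; the file body is not touched.
    f["wrapped"][new_user] = seal(new_kek, unwrap_dek(f, by_user, by_kek))

def rewrap(f: dict, user: str, old_kek: bytes, new_kek: bytes) -> None:
    # Password change: only this user's wrapped DEK is rewritten, not the file body.
    f["wrapped"][user] = seal(new_kek, unwrap_dek(f, user, old_kek))

def reencrypt(f: dict, user: str, kek: bytes, keks: dict) -> None:
    # The expensive path: new DEK, body re-encrypted, every wrapped copy refreshed.
    # Needed if a DEK or the recovery key is suspected compromised, or to truly revoke
    # a user who already held the DEK (dropping their wrapped copy alone is not enough).
    new_dek = secrets.token_bytes(32)
    f["body"] = seal(new_dek, read_file(f, user, kek))
    f["wrapped"] = {u: seal(k, new_dek) for u, k in keks.items()}

if __name__ == "__main__":
    alice = derive_kek(b"alice-pw", b"salt-alice")    # constructed sample credentials
    bob = derive_kek(b"bob-pw", b"salt-bob")
    recovery = secrets.token_bytes(32)                 # system/recovery KEK, ideally HSM-held
    doc = encrypt_file(b"Q3 roadmap", "alice", alice)
    grant(doc, "alice", alice, "bob", bob)             # project lead grants a colleague access
    grant(doc, "alice", alice, "recovery", recovery)   # data read escalation path
    print(read_file(doc, "recovery", recovery), sorted(doc["wrapped"]))
```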

 

Possible Solutions

There is quite a long list of commercial products which cover those requirements. Some are better and more convenient in smartcard support, some in group management and some in automation.

It is always a good idea to identify your own needs and evaluate the right solution. Most of the tools are products of companies located in Germany and thus comply with the (still) strict data protection laws.

 

Why is there no open source?

Nevertheless, there is no open source tool which is capable of covering the requirements and competing with the commercial tools available. This might be due to the scratch-your-own-itch concept of open source development: individuals start open source projects which provide a solution to their own problem. A perfect example is the tool Cryptomator. It does a great job in file encryption and covers a lot of requirements, but totally lacks the key management and because of this will only work for a single user, not for project groups in a company.

Another reason might be that the customers for such an enterprise file encryption tool in 95% of the cases run Windows on their clients and may thus be used to installing and using closed source software – so why should the software vendor bother with an open source business model?

 

With the growing pressure of undemocratic surveillance requests, even from the German government, the threat through backdoors and unpublished zero days increases dramatically. In a sensitive area like data encryption, where data obviously is to be protected from prying eyes, open source solutions can help to regain trust in such software.

So, I urge all open source companies with data storage centric products to think about enhancing their portfolio with an open source project for a trustworthy, modern, enterprise ready file encryption solution.

In my opinion, this is not only a gap in the market but would also be a great help for a mature and democratic society.




ownCloud
Good bye apps.owncloud.com
July 4, 2017

After so many years it’s time to say good bye to our old appstore. It never really fit the scope of ownCloud app distribution, its UX feels like it is from the last century, and our security engineers are going nuts over its architecture. We have to say thank you and bye-bye to https://apps.owncloud.com.

Welcome marketplace!

All ideas and feature requests we collected over all these years are flowing into the new marketplace. The marketplace is specialized in distributing ownCloud apps to the community and will provide add-on features like services and tools which fit into the ownCloud ecosystem. Going beyond the old appstore, the marketplace will soon allow publishers to distribute paid apps to open up the enterprise side of the ownCloud ecosystem. The marketplace natively integrates with ownCloud X (aka 10.0) via the newly developed market app, which provides the link between the two.

Here is how easy an app installation through the marketplace is with ownCloud 10.0.

So the easiest route is to upgrade your ownCloud to 10.0 – but …..

What about ownCloud 9.0 and 9.1?

We invested some time to implement an integration for ownCloud 9.0 and 9.1 (technically 8.2 will work as well but 8.2 has reached end of life …). Many apps in the marketplace provide compatibility with 9.0 and 9.1 – so if you want to get the latest and freshest apps from marketplace into your 9.0 or 9.1 instance please follow these few simple and easy steps:

  1. insert the following configuration value into config/config.php – this will connect your instance with the marketplace:

    'appstoreurl' => 'https://marketplace.owncloud.com/api/v0',

  2. open up the apps management page and you will find all the categories as they exist in the marketplace and within the categories compatible apps are listed.

 

Clicking the enable buttons just as you are used to do will install the app.

Please note: in case you are sitting behind a firewall and cannot reach the marketplace, or if you just feel like doing it, you can also download the app packages from the marketplace and unpack the tarballs into the apps folder. They will then be listed under disabled apps, where you can enable them with one click.

Where are all the apps?

 

You might notice that there are not yet that many apps available on the marketplace compared to the appstore. It might help to look at this from an evolutionary point of view, but it can be frustrating not to find your beloved app anymore. In case you miss an app, feel free to ping the developers and ask them to publish their apps on https://marketplace.owncloud.com. In case of any questions feel free to ping us on https://central.owncloud.org, which should be a quite decent place to discuss any questions of public interest.

 

App Maintainers: Move your app to the marketplace now!

Make sure your app is widely distributed and runs on productive instances.