nextcloud / desktop

💻 Desktop sync client for Nextcloud
https://nextcloud.com/install/#install-clients
GNU General Public License v2.0
3.07k stars 804 forks

Files in subfolders of encrypted folders are not encrypted #774

Closed SonRiab closed 4 years ago

SonRiab commented 6 years ago

Expected behaviour

When adding subfolders to an encrypted folder, these folders should be encrypted as well. The Android app works as expected (version 3.3.1). When creating encrypted subfolders using the Android App they should be decrypted on the desktop client side.

Actual behaviour

After adding several subfolders and files, the client syncs them without encrypting the files in these subfolders. The client also doesn't flag the subfolders as encrypted in the GUI, even if they are encrypted. Encrypted content in subfolders which were created using the Android App is not decrypted. It works with the iOS app, see https://github.com/nextcloud/desktop/issues/816#issuecomment-440694036.

Steps to reproduce

files not encrypted

  1. encrypt a folder using one of the clients
  2. add a subfolder to the encrypted folder
  3. add a non-empty text file to this subfolder
  4. start synchronization using the desktop client
  5. check if the file is encrypted on the server

encrypted files not decrypted

  6. encrypt a folder
  7. add a subfolder using the Android App
  8. upload a file to this subfolder
  9. synchronize these changes using the desktop client
  10. check if the file is decrypted

Client configuration

Client version: 2.5.0rc1 (build 20181026)

Operating system: macOS High Sierra (10.13.6)

OS language: German

Installation path of client: /Applications/Nextcloud.app
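
One way to automate the server-side check from the reproduction steps above, as an added example that is not part of the original report or the Nextcloud code base: it parses a WebDAV PROPFIND response and lists folders that sit below an E2EE-flagged folder without carrying the flag themselves, plus the files inside them. It assumes the server reports the `nc:is-encrypted` property for folders; the account name, paths and response body are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "nc": "http://nextcloud.org/ns"}
BASE = "/remote.php/dav/files/alice/"  # constructed account path


def _response(path, is_dir, flag):
    """Build one <d:response> element for the constructed sample."""
    rtype = "<d:collection/>" if is_dir else ""
    return (f"<d:response><d:href>{BASE}{path}</d:href><d:propstat><d:prop>"
            f"<d:resourcetype>{rtype}</d:resourcetype>"
            f"<nc:is-encrypted>{flag}</nc:is-encrypted></d:prop>"
            "<d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>")


# Constructed PROPFIND multistatus body, not captured from a real server.
SAMPLE = ('<d:multistatus xmlns:d="DAV:" xmlns:nc="http://nextcloud.org/ns">'
          + _response("Secret/", True, 1)
          + _response("Secret/sub/", True, 0)
          + _response("Secret/sub/report.txt", False, 0)
          + _response("Secret/sub/deeper/", True, 0)
          + _response("Secret/fromphone/", True, 1)
          + _response("Plain/", True, 0)
          + _response("Plain/notes.txt", False, 0)
          + "</d:multistatus>")


def audit(multistatus_xml):
    """Return (unflagged folders below an encrypted folder, files inside them)."""
    folders, files = {}, []
    for resp in ET.fromstring(multistatus_xml).findall("d:response", NS):
        href = resp.findtext("d:href", default="", namespaces=NS)
        prop = resp.find("d:propstat/d:prop", NS)
        if prop is None:
            continue
        if prop.find("d:resourcetype/d:collection", NS) is not None:
            flag = prop.findtext("nc:is-encrypted", default="0", namespaces=NS)
            folders[href.rstrip("/") + "/"] = flag.strip() == "1"
        else:
            files.append(href)
    roots = [h for h, enc in folders.items() if enc]
    # A folder is suspect when an ancestor is flagged encrypted but it is not.
    suspect = sorted(h for h, enc in folders.items()
                     if not enc and any(h != r and h.startswith(r) for r in roots))
    exposed = sorted(f for f in files if any(f.startswith(s) for s in suspect))
    return suspect, exposed


if __name__ == "__main__":
    for path in sum(audit(SAMPLE), []):
        print("not covered by E2EE flag:", path)
```
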

ntimo commented 6 years ago

Hello, I am also experiencing this issue. A subfolder in an E2E encrypted folder is not getting encrypted. This is a huge security issue. When I create a new subfolder using the iOS app the subfolder is encrypted.

ntimo commented 6 years ago

I just saw that 2.5.0 has been released and tested the final version. The bug that a subfolder in an E2E encrypted folder is not E2E encrypted still exists. When is this going to be fixed? This is a huge security problem.

e-alfred commented 6 years ago

I also faced this problem and Nextcloud doesn't even show any kind of error message or warning that the user uploaded all their subfolders unencrypted to the server. This means the user gets compromised 100% without even knowing it.

shwebstart commented 6 years ago

Same issue with Version 2.5.0v2.5.0 (build 20181112). Windows 10 - 1803 Build 17134.407 Nextcloud 14.04 server installation

mossy-nw commented 5 years ago

Same issue with Version 2.5.0 (build 20181112) Fedora 29 AppImage.

I agree this is a critical bug -- it would be far better to disable end to end encryption until such behavior is fixed than give users a false sense of security!

IMO the folder-level granularity of end to end encryption (encrypt some folders in a tree, but not others) is a huge mistake in design -- as with encrypted messengers, those that require affirmative steps (e.g. Telegram, WhatsApp) to encrypt are intrinsically dangerous (minor user error allows sensitive data to be sent unencrypted). While others that send only encrypted messages (Signal, Wire, keybase.io) provide no opportunity for user error or confusion.

Could nextcloud client enforce encryption of only lowest-level folders? I.e. no encrypted subfolder of plaintext parent folder allowed? This would at least allow user mental model partition between plaintext and encrypted workspaces.

chrsch commented 5 years ago

This is a critical bug with legal impact if you use Nextcloud with sensitive data that needs end-to-end encryption!

ThomGr commented 5 years ago

I read the "official" information and really hoped e2ee would be the solution to my use case, so reading this report is a big disappointment. Cryptomator is fine but extra hassle, and it seems e2ee in NC is right around the corner - but unfortunately, this issue is a true blocker. I am not involved in NC development at all, so can't help myself, but I am surprised this issue is not picked up by the devs. Any thoughts?

hkiang01 commented 5 years ago

possibly related to #1000

jamiljonna commented 5 years ago

So has there been any movement on this? Virtually all of our files are in subfolders so, effectively, E2E isn't working at all. Yet this issue remains 5 months later.

ncodeyx commented 5 years ago

Also waiting for this to be fixed 5 months later. Such an essential feature, yet takes so long to properly fix.

ncodeyx commented 5 years ago

It's been more than 6 months. @jospoortvliet While I understand that this is marked as an "experimental feature" and that this is an open source project, thus it takes time to implement this stuff, then this feature should be not available in the public version of Nextcloud for several reasons.

You're marketing Nextcloud as being "privacy oriented" and "secure" on Twitter and other social media while this essential feature has been broken for so long. https://twitter.com/Nextclouders/status/1136911932206833665?s=20 https://twitter.com/Nextclouders/status/1126161084891770880?s=20 "Looking for a secure communication channel which doesn't leak the crucial meta-data of who-communicates-with-whom?" https://twitter.com/nextclouders/status/960816208802205697?lang=en and many more.

I have moved my cloud storage to OneDrive and have started using Cryptomator as an open source solution to encrypt my data. This program also works with Nextcloud, to anyone interested. Unlike Nextcloud, they fix privacy and security oriented issues rather quickly.

As @anon471 has stated, this has been going on for too long for Nextcloud to be trustworthy. The Nextcloud team should issue an apology and a warning not to use E2EE until the issue is fixed, especially because many people use the feature and think their data is actually encrypted!

KopfKrieg commented 5 years ago

> While I understand that this is marked as an "experimental feature"

End to end encryption is/was the feature of Nextcloud 13 and it's still not working reliably.

> and that this is an open source project

With a company behind (Nextcloud GmbH).

End-to-End-is-the-way commented 5 years ago

I agree. I'm very happy with Nextcloud in general, but the E2E-feature is still unusable after quite a long period of time. Nextcloud GmbH should be embarrassed for advertising it way too early.

gknoop commented 5 years ago

So initially, I thought it was the case that my files weren't being encrypted, but they are! I was just thrown for a loop because the file names aren't altered.

ghost commented 4 years ago

> I agree. I'm very happy with Nextcloud in general, but the E2E-feature is still unusable after quite a long period of time. Nextcloud GmbH should be embarrassed for advertising it way too early.

Completely dysfunctional E2E and the extremely unreliable and super slow iOS client. Everything else is mint. Development however seems to be concentrated on adding nonsense apps in the web interface (that I only ever touch to upgrade the server software) instead of getting the basics working: fast, reliable, and secure data synchronisation.

Not that any other iOS cloud files service besides the exorbitantly priced Dropbox is any better. Dropbox: works, but cannot afford it. OneDrive: No Unicode in Files.app integration in 2020, prone to failed saves generating phantom files that cannot be deleted or moved, constant 100% CPU in the macOS client. NextCloud: the iOS app is super slow, I guess it always checks the server when opening a directory, frequently does not give access to (offline) files through the iOS Files.app integration, does not sync offline files automatically in the background (OneDrive very much appears to, so it's possible), every update introduces new bugs and unreliability especially in the Files app integration, randomly deletes/forgets entire accounts and gigabytes of offline files, author refuses to even consider E2E through Files.app (I'm sure there are ways at least with offline directories). iCloud Drive: Reasonably priced, but no offline files, so forget about it. Not particularly reliable sync; can sometimes take days. Google Drive: Google is spyware, forget about it.

I'm almost considering hacking a reliable encrypted no-nonsense syncing system based on Borg backup (main re-engineering would involve it not currently efficiently supporting multiple clients due to the way the cache works)… but I refuse to pay Apple $90/year for the basic right of being able to run my own apps on my own device, and distribute them to others. Even more so I refuse to use Google's spyware (Android).

Software is shit. Period.

rugk commented 4 years ago

Yay! https://github.com/nextcloud/desktop/pull/2128 says it fixes that! Thanks, @er-vin. :smiley: :tada:

er-vin commented 4 years ago

Don't go getting the champ bottle out just yet. There are a few more blockers along the way and due to some of the needed changes to make that interoperable with the other clients it's unclear how the move with 2.7 will go for those who have encrypted folders with older desktop clients (and I suspect in some cases we won't be able to do much about it). As usual: make sure you back up your data if you test this PR.

tobiasKaminsky commented 4 years ago

As the whole E2E is currently alpha state with a big warning, it is assumed that users should create a new encrypted dir for 2.7 / stable version. @er-vin so you do not have to spend any time in migration…

1989gironimo commented 4 years ago

> As the whole E2E is currently alpha state with a big warning, it is assumed that users should create a new encrypted dir for 2.7 / stable version. @er-vin so you do not have to spend any time in migration…

Where can I see that warning?

tobiasKaminsky commented 4 years ago

https://apps.nextcloud.com/apps/end_to_end_encryption

> End-to-end encryption is still in alpha state, don't use this in production and only with test data!

Morganlej commented 4 years ago

Yet, it has been very visible in marketing since a year soon...

rugk commented 3 years ago

People claim it works in the latest Windows version:

> Seems to be working for the latest Windows client in 2021.

https://github.com/nextcloud/desktop/issues/816#issuecomment-766484803

rugk commented 3 years ago

> https://apps.nextcloud.com/apps/end_to_end_encryption
>
> End-to-end encryption is still in alpha state, don't use this in production and only with test data!

BTW, @tobiasKaminsky , that sentence is not stated there anymore… Yet, @zylstra still seems to have problems… :thinking: (I may also try it again soon.)

zylstra commented 3 years ago

It's not just subfolders I have an issue with: I cannot share any encrypted file with anyone. It's not just me that has this issue. See my Nextcloud help forum post, https://help.nextcloud.com/t/implement-end-to-end-encryption-on-nextcloud/118281 .

I am willing to work directly with Nextcloud designers and developers if they would like.

FlexW commented 3 years ago

@zylstra Sharing e2ee files is not supported at the moment. See also the discussion here https://github.com/nextcloud/desktop/issues/2490#issuecomment-858499109