Client Side encryption with OwnCloud

Paul Greindl
Hi!

A friend and I are planning to start a non-profit project called Molnet.
As the goal with the project is to provide a secure and private cloud
storage for those who are not able to set up their ownCloud we wanted to
implement client side encryption to ensure maximum security.

I'll post some details about how we want to do this if there is any
interest!

For now I just wanted to know if you have any thoughts on how to best
implement such a feature or if there are any plans on doing this in
ownCloud/mirall? If so, how can we contribute?

(our website (with not up-to-date text): http://molnetstorage.com/)

Best regards

Paul

and the Molnet Team (Magnus and me ;-) )
_______________________________________________
Owncloud mailing list
[hidden email]
https://mail.kde.org/mailman/listinfo/owncloud

Re: Client Side encryption with OwnCloud

Chris-3
CONTENTS DELETED
The author has deleted this message.

Re: Client Side encryption with OwnCloud

Bernhard Posselt-3
In reply to this post by Paul Greindl
IIRC, the general opinion was that we focus more on bug fixing than on features that are very likely to come with tons of bugs, are hard and time-intensive to implement, and add little value to the overall user experience.

Chris <[hidden email]> wrote:

>Hi,
>
>there is some discussion about client-side encryption available at the
>bugtrackers:
>
>https://github.com/owncloud/core/issues/106
>https://github.com/owncloud/mirall/issues/275
>
>but I don't know if there are any real plans for client-side encryption at
>the moment.

Re: Client Side encryption with OwnCloud

Paul Greindl
Hi!

That was what I was talking about, we are going to implement it.
Regarding the value, in our project it actually was a quite often
requested feature and I personally find it important, too! As I
mentioned, not all users have the possibility to host their own server.
That's why we decided to focus on encryption. It's all about security!

What we need is the opinion of the ownCloud and sync app developers as I
guess they have been thinking about how they would like such a feature
to be implemented. Also we could check how seafile implemented their
client side encryption.

regards

Paul




Re: Client Side encryption with OwnCloud

Klaas Freitag-3
On 25.10.2013 16:16, Paul Greindl wrote:

> Hi!
>
> That was what I was talking about, we are going to implement it.
> Regarding the value, in our project it actually was a quite often
> requested feature and I personally find it important, too! As I
> mentioned, not all users have the possibility to host their own server.
> That's why we decided to focus on encryption. It's all about security!
>
> What we need is the opinion of the ownCloud and sync app developers as I
> guess they have been thinking about how they would like such a feature
> to be implemented. Also we could check how seafile implemented their
> client side encryption.
Well, you would encrypt every file before you upload it with a local
key. Sounds simple, is probably doable for small files, becomes tricky
for larger files. You must permit uploads through the web interface and
webdav.

I think it does not make too much sense because you lose almost all
features of the ownCloud web interface, such as viewing files, music etc.

Klaas


Re: Client Side encryption with OwnCloud

Paul Greindl
Hi Klaas!

We would try to make client side encryption available for each individual
file, making it possible to encrypt the files you want while preserving
ownCloud's web functionality. Then we of course need to be clear about
how to use it and what the encryption feature encrypts. But I think it's
the best solution for owncloud and leaves the freedom to decide to the
user. I don't think that the lack of web interface support for those
encrypted files would be a problem for those seeking maximum security,
at least if we are clear about it from the beginning.

Thanks for your input!

Paul



Re: Client Side encryption with OwnCloud

Michael Grosser
The simplest solution in my opinion is to add one functionality to the
sync client. Having one encrypted/secure folder, which gets synced
additionally to the usual folders a user wants. All files in the
encrypted/secured folder will be encrypted/decrypted before the sync
client uses them. So compatibility won't change really.

secure/* -> encryption -> owncloud/secure/*-encrypted (your layer of de-/encrypting)
owncloud/* -> sync-client -> server (usual sync-client functionality)

This way you don't interfere with the sync functionality or the
webinterface behaviour.

For the actual encryption I would prefer gpg/pgp like asynchronous
libs (do not try to reinvent encryption).

Cheers
Michael (scalbility-junk)


Re: Client Side encryption with OwnCloud

Cornelius Schumacher
In reply to this post by Klaas Freitag-3
On Friday 25 October 2013 Klaas Freitag wrote:
>
> I think it does not make too much sense because you lose almost all
> features of the ownCloud web interface, such as viewing files, music etc.

To me client-side encryption is the one big missing feature in ownCloud. This
would enable hosting it on a server you don't control, and still have full
ownership and control of your data.

Of course you would lose some convenience and some features, but if it's all
about convenience and features, and not about control of your data, then I can
also go with Google or similar services.

Is it hard to implement such a feature? Hell yes. But that's part of the fun
and the value.

--
Cornelius Schumacher <[hidden email]>

Re: Client Side encryption with OwnCloud

Paul Greindl
In reply to this post by Michael Grosser
Hi Michael!

This is exactly how we thought we'd implement it :)
We'll hopefully start working on this next week!

Cheers



Re: Client Side encryption with OwnCloud

Paul Greindl
In reply to this post by Cornelius Schumacher
Hi again!

@Cornelius For us who will be hosting ownCloud for other people to use
this is likewise important as I can't expect anyone to fully trust our
project...

I'm also wondering if there is any chance to get a feature like this
merged with the main owncloud sync client? Otherwise it will mean much
wasted resources if we need to patch each and every new release of the
client. Hope to hear from one of the core developers :)

regards

Paul



Re: Client Side encryption with OwnCloud

Klaas Freitag-3
In reply to this post by Cornelius Schumacher
On 25.10.2013 18:34, Cornelius Schumacher wrote:
> On Friday 25 October 2013 Klaas Freitag wrote:
>>
Hi Cornelius,

>> I think it does not make too much sense because you lose almost all
>> features of the ownCloud web interface, such as viewing files, music etc.
>
> To me client-side encryption is the one big missing feature in ownCloud. This
> would enable hosting it on a server you don't control, and still have full
> ownership and control of your data.
Well, you own the data on the server, but it's useless there for you. So
what is the use case of the entire ownCloud (filemanagement) then? Just
a hub to synchronize from one device to the other?

Actually yes, that's a feature. But I think we were hoping to make more
out of ownCloud. And that made the idea slip further down the
priority list I think.
>
> Of course you would lose some convenience and some features, but if it's all
> about convenience and features, and not about control of your data, then I can
> also go with Google or similar services.
I think both points are valid.

> Is it hard to implement such a feature? Hell yes. But that's part of the fun
> and the value.
Does that mean you're in? Great! :-D

regards,
Klaas


Re: Client Side encryption with OwnCloud

Klaas Freitag-3
In reply to this post by Paul Greindl
On 25.10.2013 18:47, Paul Greindl wrote:

Hey,
>
> @Cornelius For us who will be hosting ownCloud for other people to use
> this is likewise important as I can't expect anyone to fully trust our
> project...
What kind of project is it?
>
> I'm also wondering if there is any chance to get a feature like this
> merged with the main owncloud sync client? Otherwise it will mean much
> wasted resources if we need to patch each and every new release of the
> client. Hope to hear from one of the core developers :)
Yes, of course we can work together to merge it :-)
Just find us on IRC if you have questions.

Before you start, please read [1] on how to contribute.

regards,

Klaas

[1] http://owncloud.org/contribute


Re: Client Side encryption with OwnCloud

Paul Greindl
Hi,

On 2013-10-25 21:18, Klaas Freitag wrote:
> On 25.10.2013 18:47, Paul Greindl wrote:
>
> Hey,
>>
>> @Cornelius For us who will be hosting ownCloud for other people to use
>> this is likewise important as I can't expect anyone to fully trust our
>> project...
> What kind of project is it?

A non-profit security and privacy prioritized cloud storage service. As
earlier stated we want to provide secure and flexible storage to all
those people (and they are many) who are not able to host their own
server. See our website (text is currently outdated):
http://molnetstorage.com/

>>
>> I'm also wondering if there is any chance to get a feature like this
>> merged with the main owncloud sync client? Otherwise it will mean much
>> wasted resources if we need to patch each and every new release of the
>> client. Hope to hear from one of the core developers :)
> Yes, of course we can work together to merge it :-)
> Just find us on IRC if you have questions.

I'll drop by sometime the next days, OK?

>
> Before you start, please read [1] on how to contribute.
>
I will!


Re: Client Side encryption with OwnCloud

Cornelius Schumacher
In reply to this post by Klaas Freitag-3
On Friday 25 October 2013 Klaas Freitag wrote:
> On 25.10.2013 18:34, Cornelius Schumacher wrote:
> >
> > To me client-side encryption is the one big missing feature in ownCloud.
> > This would enable hosting it on a server you don't control, and still
> > have full ownership and control of your data.
>
> Well, you own the data on the server, but it's useless there for you.

It's only useless for any server-side processing, and that's the whole point.

> So
> what is the use case of the entire ownCloud (filemanagement) then? Just
> a hub to synchronize from one device to the other?

Yes, accessing the data from multiple clients. And that could well be web
clients as well. But the processing would be on the client, and not on the
server.

Sharing with others becomes tricky, because it would mean some kind of
exchange of keys, but even that might be a solvable problem.

> Actually yes, that's a feature. But I think we were hoping to make more
> out of ownCloud. And that made the idea slip further down the
> priority list I think.

More control, more privacy, more security, that's what I personally expect
from ownCloud. For just writing fancy web applications there are many other
projects which do a good job. Not saying that it's a bad thing to do it ;-)

> > Is it hard to implement such a feature? Hell yes. But that's part of the
> > fun and the value.
>
> Does that mean you're in? Great! :-D

That's a trick question, right? Let me say for now I'm in as a supporter of
the idea ;-)

--
Cornelius Schumacher <[hidden email]>

Re: Client Side encryption with OwnCloud

Michael Grosser
On Fri, Oct 25, 2013 at 10:44 PM, Cornelius Schumacher
<[hidden email]> wrote:

> On Friday 25 October 2013 Klaas Freitag wrote:
>> On 25.10.2013 18:34, Cornelius Schumacher wrote:
>> >
>> > To me client-side encryption is the one big missing feature in ownCloud.
>> > This would enable hosting it on a server you don't control, and still
>> > have full ownership and control of your data.
>>
>> Well, you own the data on the server, but it's useless there for you.
>
> It's only useless for any server-side processing, and that's the whole point.
>
>> So
>> what is the use case of the entire ownCloud (filemanagement) then? Just
>> a hub to synchronize from one device to the other?
>
> Yes, accessing the data from multiple clients. And that could well be web
> clients as well. But the processing would be on the client, and not on the
> server.
Could be done via the client overlay or later on with a browserplugin,
perhaps even a browser on a usb stick with your private key so you can
launch it from a usb, when you need it and semitrust the computer...

>
> Sharing with others becomes tricky, because it would mean some kind of
> exchange of keys, but even that might be a solvable problem.
True, but public keys of other users could be managed by the server
and used for encrypting the shared file and reuploaded for the other
user. A bit more complicated and bandwidth/resource intensive, but as
you said solvable.
>
>> Actually yes, that's a feature. But I think we were hoping to make more
>> out of ownCloud. And that made the idea slip further down the
>> priority list I think.
>
> More control, more privacy, more security, that's what I personally expect
> from ownCloud. For just writing fancy web applications there are many other
> projects which do a good job. Not saying that it's a bad thing to do it ;-)
\o/

>
>> > Is it hard to implement such a feature? Hell yes. But that's part of the
>> > fun and the value.
>>
>> Does that mean you're in? Great! :-D
>
> That's a trick question, right? Let me say for now I'm in as a supporter of
> the idea ;-)
>
> --
> Cornelius Schumacher <[hidden email]>

Re: Client Side encryption with OwnCloud

Arthur Schiwon (Blizzz)
On Sa, 2013-10-26 at 11:37 +0200, Michael Grosser wrote:

> On Fri, Oct 25, 2013 at 10:44 PM, Cornelius Schumacher
> <[hidden email]> wrote:
> > On Friday 25 October 2013 Klaas Freitag wrote:
> >> On 25.10.2013 18:34, Cornelius Schumacher wrote:
> >> >
> >> > To me client-side encryption is the one big missing feature in ownCloud.
> >> > This would enable hosting it on a server you don't control, and still
> >> > have full ownership and control of your data.
> >>
> >> Well, you own the data on the server, but it's useless there for you.
> >
> > It's only useless for any server-side processing, and that's the whole point.
> >
> >> So
> >> what is the use case of the entire ownCloud (filemanagement) then? Just
> >> a hub to synchronize from one device to the other?
> >
> > Yes, accessing the data from multiple clients. And that could well be web
> > clients as well. But the processing would be on the client, and not on the
> > server.
> Could be done via the client overlay or later on with a browser plugin,
> perhaps even a browser on a USB stick with your private key so you can
> launch it from a USB stick, when you need it and semi-trust the computer...

At least something that is signed and can be checked and verified by the
user's computer, JS alone won't do. Easy to compromise, especially if you
can do MITM on SSL.

Cheers
Arthur

>
> >
> > Sharing with others becomes tricky, because it would mean some kind of
> > exchange of keys, but even that might be a solvable problem.
> True, but public keys of other users could be managed by the server
> and used for encrypting the shared file and reuploaded for the other
> user. A bit more complicated and bandwidth/resource intensive, but as
> you said solvable.
> >
> >> Actually yes, that's a feature. But I think we were hoping to make more
> >> out of ownCloud. And that made the idea slip further down the
> >> priority list I think.
> >
> > More control, more privacy, more security, that's what I personally expect
> > from ownCloud. For just writing fancy web applications there are many other
> > projects which do a good job. Not saying that it's a bad thing to do it ;-)
> \o/
> >
> >> > Is it hard to implement such a feature? Hell yes. But that's part of the
> >> > fun and the value.
> >>
> >> Does that mean you're in? Great! :-D
> >
> > That's a trick question, right? Let me say for now I'm in as a supporter of
> > the idea ;-)
> >
> > --
> > Cornelius Schumacher <[hidden email]>

Re: Client Side encryption with OwnCloud

Michael Grosser
On Sat, Oct 26, 2013 at 12:40 PM, Arthur Schiwon <[hidden email]> wrote:

> On Sa, 2013-10-26 at 11:37 +0200, Michael Grosser wrote:
>> On Fri, Oct 25, 2013 at 10:44 PM, Cornelius Schumacher
>> <[hidden email]> wrote:
>> > On Friday 25 October 2013 Klaas Freitag wrote:
>> >> On 25.10.2013 18:34, Cornelius Schumacher wrote:
>> >> >
>> >> > To me client-side encryption is the one big missing feature in ownCloud.
>> >> > This would enable hosting it on a server you don't control, and still
>> >> > have full ownership and control of your data.
>> >>
>> >> Well, you own the data on the server, but it's useless there for you.
>> >
>> > It's only useless for any server-side processing, and that's the whole point.
>> >
>> >> So
>> >> what is the use case of the entire ownCloud (filemanagement) then? Just
>> >> a hub to synchronize from one device to the other?
>> >
>> > Yes, accessing the data from multiple clients. And that could well be web
>> > clients as well. But the processing would be on the client, and not on the
>> > server.
>> Could be done via the client overlay or later on with a browser plugin,
>> perhaps even a browser on a USB stick with your private key so you can
>> launch it from a USB stick, when you need it and semi-trust the computer...
>
> At least something that is signed and can be checked and verified by the
> user's computer, JS alone won't do. Easy to compromise, especially if you
> can do MITM on SSL.
Yeah, that's where the plugin comes in, checkable download, with
delivery of local JS.

>
> Cheers
> Arthur
>
>>
>> >
>> > Sharing with others becomes tricky, because it would mean some kind of
>> > exchange of keys, but even that might be a solvable problem.
>> True, but public keys of other users could be managed by the server
>> and used for encrypting the shared file and reuploaded for the other
>> user. A bit more complicated and bandwidth/resource intensive, but as
>> you said solvable.
>> >
>> >> Actually yes, that's a feature. But I think we were hoping to make more
>> >> out of ownCloud. And that made the idea slip further down the
>> >> priority list I think.
>> >
>> > More control, more privacy, more security, that's what I personally expect
>> > from ownCloud. For just writing fancy web applications there are many other
>> > projects which do a good job. Not saying that it's a bad thing to do it ;-)
>> \o/
>> >
>> >> > Is it hard to implement such a feature? Hell yes. But that's part of the
>> >> > fun and the value.
>> >>
>> >> Does that mean you're in? Great! :-D
>> >
>> > That's a trick question, right? Let me say for now I'm in as a supporter of
>> > the idea ;-)
>> >
>> > --
>> > Cornelius Schumacher <[hidden email]>

Re: Client Side encryption with OwnCloud

Bjoern Schiessle
In reply to this post by Paul Greindl
Hi Paul,

On Fri, 25 Oct 2013 15:11:54 +0200 Paul Greindl wrote:
> For now I just wanted to know if you have any thoughts on how to best
> implement such a feature or if there are any plans on doing this in
> ownCloud/mirall? If so, how can we contribute?

While implementing server-side encryption we thought about how it could
be extended to client-side encryption.

Let me explain the idea:

At the moment every user has a private and a public key. Additionally,
there are file-keys and share-keys. See [1] for some more details.

For server side encryption the public-key password is the same as the
user's log-in password. The basic idea for client-side encryption was
that we change the private-key password to something other than the
log-in password. The client can upload/download the keys and then
encrypt/decrypt the files on the client side. This would also make it
possible to switch easily between client and server side encryption.
The only difference would be a flag in the db which tells ownCloud
which encryption mode is used and the private key password.

On the server side we would need to implement the OCS API to get/set
the keys and the interface to switch between server and client
encryption.

[1] http://blog.schiessle.org/2013/05/28/introduction-to-the-new-owncloud-encryption-app/

cheers,
Björn

--
Björn Schießle <[hidden email]>
Software Developer
ownCloud GmbH - www.owncloud.com

Your Data, Your Cloud, Your Way!

ownCloud GmbH, GF: Markus Rex, Holger Dyroff
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
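
The key layout described in the message above (a key pair per user, a key per file, a private-key password that differs from the log-in password) together with the sharing idea raised earlier in the thread (the server hands out other users' public keys), as an added Node.js sketch that is not ownCloud code. It wraps the file key directly under each recipient's public key, which simplifies the file-key/share-key scheme; all function names and sample values are hypothetical.

```javascript
// Added illustration, not ownCloud code. All names are hypothetical.
const crypto = require('node:crypto');

// Each user has an RSA key pair. The private key is exported already
// encrypted under a key passphrase, so the server can store it but not use it.
function newUser(keyPassphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem',
                          cipher: 'aes-256-cbc', passphrase: keyPassphrase },
  });
}

// Client side: encrypt with a fresh file key (AES-256-GCM), then wrap that
// key once per recipient with the public key the server handed out.
function encryptForUpload(plaintext, recipients) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKeys = {};
  for (const [name, publicKey] of Object.entries(recipients)) {
    wrappedKeys[name] = crypto.publicEncrypt(
      { key: publicKey, oaepHash: 'sha256' }, fileKey);
  }
  // Everything returned here is safe to store on the server.
  return { iv, data, tag: cipher.getAuthTag(), wrappedKeys };
}

// Client side: unlock the private key with the key passphrase, unwrap the
// file key, decrypt. GCM makes final() throw if the server altered the data.
function decryptDownload(blob, name, encryptedPrivateKey, keyPassphrase) {
  const fileKey = crypto.privateDecrypt(
    { key: encryptedPrivateKey, passphrase: keyPassphrase, oaepHash: 'sha256' },
    blob.wrappedKeys[name]);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.data), decipher.final()]);
}

// A server that knows only the log-in password cannot unlock the private key.
function serverCanRead(blob, name, encryptedPrivateKey, loginPassword) {
  try {
    decryptDownload(blob, name, encryptedPrivateKey, loginPassword);
    return true;
  } catch {
    return false;
  }
}
```

The server ends up holding only `data`, `iv`, `tag`, the wrapped keys and the passphrase-encrypted private keys, so whether it can read a file depends only on whether it ever learns a key passphrase.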