ownCloud Advanced Security

Comprehensive Encryption

Safeguard data through state-of-the-art cryptographic measures. With its modular and flexible encryption architecture, ownCloud enables custom setups for every threat level and regulatory requirement.

Community Edition
Standard Edition
Enterprise Edition


ownCloud helps organizations keep their data safe. The comprehensive encryption architecture has three levels of encryption: in transit, at rest and end-to-end.

In-transit encryption is active by default and by design using HTTPS connections and the latest TLS protocol. Files can be encrypted either server-wide or on a per-user basis.

At rest, files can be encrypted either with a master key or with user-specific keys. When encrypting with a master key, all files are encrypted using just one key pair. This prevents data from being read from storage. For added security, the keys can be stored in a hardware security module.

When encrypting with user keys, files are encrypted using keys based on the users’ passwords. To share files, they are encrypted with the public keys of the recipients. User key encryption brings a significant amount of safety, but also requires users to trust their ownCloud admins.

For the highest level of data secrecy, ownCloud provides an End-to-End-Encryption Plugin as an additional subscription to the Enterprise edition. Users can then encrypt any empty folder. Files are encrypted and decrypted in the browser using a JavaScript Plugin, optionally using a hardware smart key.

Please consider that stronger encryption also brings some inconveniences. Depending on the encryption level, features that are not available when using strong encryption can include collaborative editing, virus scanning, impersonation, OAuth2, Elasticsearch and Office integrations.

Illustration of End-to-End-Encryption as part of ownCloud's Comprehensive Encryption

