The ownCloud comprehensive file encryption architecture is designed to offer up to three levels of file encryption to ensure that your sensitive data is protected and secure at all times.
File encryption in transit:
In-transit file encryption is active by default and design with the use of HTTPS connections and the latest TLS protocol. As a user of ownCloud comprehensive file encryption application, you can encrypt your files server-wide and/or end-to-end. In fact, in-transit encryption is mandatory to comply to General Data Protection Regulation (GDPR).
File encryption in rest:
Encryption at rest refers to the process to encrypt files saved from the ownCloud application server prior to saving them on the actual storage. In this setup, ownCloud uses a single master key encryption method, allowing only the administrator holding the key to decrypt the files, ensuring a high level of protection against data breach even in the instance of stolen hard disk.
For added security, the keys can be stored in a hardware security module (HSM).
End-to-End Encryption Plugin:
ownCloud provides an End-to-End (E2EE) file encryption plugin that is strongly recommended for highly valuable and sensitive data. This plugin enables users and authorized guest users to share fully-encrypted files across all modern browsers, as well as via email.
How comprehensive file encryption works:
As soon as the app is enabled by your ownCloud administrator, all of your ownCloud data files are automatically encrypted.
File Encryption is server-wide. So, once enabled, keeping your files unencrypted is not possible. You can use your ownCloud login credentials as the password for your unique private encryption key.
Certain resources, including but not limited to file names, image thumbnails, existing files in the trash bin, file previews, the search index from the full text search app, third party app data and existing files in Versions, are not encrypted.