Welcome to ownCloud.com

When you create a profile on owncloud.com, you can access premium content and receive product announcements. We promise to never sell or share your information without your permission and you can edit your profile and preferences at any time. Privacy Policy

Already have an account?   Login here

ownCloud Login


by Frank Karlitschek

posted on Tuesday, January 15th, 2013

posted in General

We were having some debates internally here a few months back over when you could call something secure. Is it ok to call something secure, for instance, if it lacks encryption?

My answer to this is actually a (qualified) yes.

Having server side encryption is great – and ultimately is a very important check-box” feature but I would argue it is ultimately the control you have over your data that is more important to its security.

What we do at ownCloud is give customers as much openness and control as possible over their data – through integration with their monitoring, firewall policies as well as their own storage (or even third-party storage they choose).

Availability as security -- If you own your data it can't be lost because someone is shutting the cloud service down, or if AWS/Dropbox goes down.
Integration as security -- ownCloud can be integrated in existing firewalls and auditing tools.
Openness as security -- ownCloud can run on top of encrypted file systems to have full encryption. It is open source so you or someone else
can review the code and make sure that no backdoors exist.

•Control as security -- ownCloud runs in an environment you control. So you can be sure that the most secure server environment is used. You can use a hardened and certified infrastructure.
Firewall as security -- It can be used completely internally in an organization behind a strong firewall or in an intranet.

As I said, encryption is (ultimately) a very important “checkbox” feature, but all the encryption in the world won’t make you secure without control.

24 Comments on this post:

  1. febs

    Indeed. But I have my data on a hosted owncloud setup, so I don’t have neither control nor cryptography !

    • Frank

      True. For this scenario encryption is an important feature and we are working on it. You can expect something cool really soon.

  2. Genscher

    Actually, it is the way around:
    “All the control won’t make you secure without encryption”.
    Because at the end of the day: Whoever admin got access to the server also has access to the data and the user is left with no control over his data at all.

    • Frank

      I think it all depends on the scenario that you have. At the end of the day it’s always a question who you trust.
      And just to make this clear. We are working on a new and hugely improved encryption system.

  3. Mark

    Any ETA on this?

  4. Lautrivta

    Encryption before interception is all we need. Afterwards we are free to trust everybody.

  5. Pit

    Secure to me means that the person how uses owncloud can be sure

    – data is not lost (on the harddrive)
    – data is not intercepted or copied (on the way trough the internet to the device)
    – data is not accessed by other than access granted (on the server)

    and of course you are controlling your own data.

    I feel encryption can help building trust, in addition to a really “Easy” setup

  6. Max

    That’s an incredibly simple question with an automatic answer for anyone even slightly interested in security: nobody in the world but myself, and for certain things I don’t even trust myself (like never leaving “keep me logged in” stuff checked etc.). Of course, as long as the server machine is under my direct control (and going with the assumption that it is physically secure) encryption can be a lesser issue.

  7. Sevil Natas

    Client side encryption please! With the key being stored on the server you run the risk of having the same controversy Dropbox went through a year or so ago. Your application ends up being very similar to Dropbox when it is hosted on a third party hosting service. I would prefer a something more like Wuala’s encryption solution.

  8. Titus

    Hi there, I was wondering how soon soon is 🙂 Given this post is now 3 months old… Server-side encryption would be make me sleep better at night, I do have to admit. Nevertheless good post up above and very true..


    Any progress on file encription fron client?

    • Holger

      We are currently working on the new server side encryption feature which will ship in Q2 2013. End to End encryption is on the roadmap for later and depends on the requests by our subscription customers.

  10. 0ctatron

    Hi Frank,

    Any idea on how to switch on server side encryption when installed on third party hosting?

    I can still see my data files through ftp 🙁

    Or is client side + server side out now?



  11. Bruno Jesus

    Will every file be encrypted? What about the mp3 player? WIll it have to decrypt every file before playing? If yes, where will it store the file temporarily?

  12. Unencrypted Customer

    It’s nearly June and I see the most recent update (5.x) fixed a LOT of security issues, but how’s the encryption coming? Still on track for a Q2 release?

    • Holger

      Yes, still on track for Q2 … as you can see from the 5.x releases there is work going and we continue to work on ownCloud Enterprise Edition 5.

  13. John

    yes please….

  14. Steven Schauer

    Any idea when this software will offer client-side encryption? I don’t care if it means I have to sacrifice the website access and can only access via desktop, phone, etc. Thanks!!! I would be more than happy to pay money for this feature and software that has very robust end-to-end security features.

    • Holger

      It depends on demand from our Enterprise Edition subscription customers. For end users there are tools available who encrypt user specific content, or they run their ownCloud at home and therefor don’t need encryption on the client side.

  15. My Clear Text Data

    How is going the client-side encryption project? Is it still planned? Are there folks working on this actually ? I would be really happy to hear about it!

  16. Zdenko

    Client-side encryption should at least be an option. Consider how far Tresorit have come in 2 years simply by offering a Dropbox alternative that has client-side encryption (zero-knowledge). They don’t even have access via a website because it’s less secure than using a client. SpiderOak, another zero-knowledge service, have both website and client access but strongly advise against the website access because it’s less secure. Very many people/businesses use Tresority and SpiderOak.

    Please, for the love of security, develop client-side encryption for ownCloud.

Leave a Reply

Your email address will not be published. Required fields are marked *