Whitepaper

Data Protection
and Data Secrecy
in ownCloud
WHITEPAPER

Introduction which require internal corporate data to be

handled in a stringent manner.

Data Protection is more important than

Data Protection, as regulated by the GDPR
ever. The GDPR regulation in the European
in the European Union, can be achieved
Union, which is effective since May 2018,
by combining physical protection and
with similar principles being adopted by
organizational protection. Physical
other governments worldwide, have led
protection is to make sure that nobody can
to a prominent focus on data protection.
enter your data center and get manual access
The regulation and subsequent national
to the servers and organizational protection
laws require all data processors to apply
is to make sure your admi-nistrators are
state-of-the-art technology to data of all
informed and all actions are logged and
users containing personally identifiable
auditable. In many cases, these two layers
information. Personal data should be
of protection are enough to comply with the
protected against leakage to the public,
GDPR.
failing which the organization may face legal,
monetary or reputational implications.
Data Secrecy is different. Generally all data is
Data Secrecy, in contrast, means to protect
segregated between users inside ownCloud
any type of data which is important to an
itself. If files are not shared with another
organization or to specific people. It can also
user, the other user cannot, under any
be important to other organizations that
circumstance, access such files.There are
certain data is kept private as obligated by
policies available which prevent
contracts such as non-disclosure agreements

2
sharing or accessing certain files in certain
ways through the ownCloud File Firewall
or the ownCloud Document Classification
extensions. Such policies, however, still allow
the system administrator to read all the data
accessible by ownCloud. Therefore such data
must be encrypted in order to prevent access
by the system administrator.
Three Layers of Encryption
ownCloud comes equipped with various
mechanisms to ensure data protection and
secrecy within an organization. Both data
protection and data secrecy can benefit from
encryption. This paper discusses the different
options of encryption available in ownCloud
and how these options can help you
implement data protection and data secrecy
in your ownCloud content collaboration
platform.
For both data protection and data secrecy,
encryption can be an absolute duty, a helpful
utility or a cumbersome practice to work
with. Data can be encrypted at three different
levels in an ownCloud setup – in transit, at
rest and at the endpoint. The last option is
also called end-to-end encryption.
1. Encryption in Transit
Encryption in transit is available in ownCloud
by design and by default. This is assured
by using HTTPS leveraging the newest TLS
protocols in all supported browsers and
clients. The same is true for all connections to
storage, directory and authentication servers
or the supported collaborative editing
services. Encryption in transit is mandatory
under GDPR for data protection and already
considered state-of-the-art by several court
rulings. It is equally mandatory for ensuring
3
data secrecy.
2a. Encryption at Rest
Encryption at rest means to encrypt all files
saved from the ownCloud application server
prior to saving them on the actual storage.
ownCloud uses a master key encryption
method for this which is supported on all file
systems. For S3 object storage, the native
S3 encryption mechanism is recommended.
Master key encryption prevents files to be
read from the storage. They are encrypted
with a file key that is encrypted with the
master key. As the master key is located on
the storage, the system administrator can
combine both, the file and the master key
to decrypt files. This form of encryption is
sufficient to prevent data secrecy issues
related to physical access to the storage
including stolen hard disks.
2b. Encryption at Rest with Master
Key in Hardware Security Module
(HSM)
In order to exclude the system administrator
from the ability to decrypt files, ownCloud
makes it possible to put the master key into
a HSM. This means that the file key is sent to
the HSM and decrypted there from a process
inside the ownCloud application. As long as
the integrity of the ownCloud application
server is intact there is no way for the system
administrator to read the content.
For practical reasons file names cannot
be encrypted, so they should not contain
secrets, which is a preferred practice. This
ensures data secrecy is taken care of as
long as you have proper organizational
mechanisms in place to prevent and detect
malicious behaviour.
A HSM or a hardware security module,
which secures the master key reacts only
on the request of the ownCloud application.
Today HSMs are also available as software,
appliance solutions or small hardware
dongles, which fit into an USB port.
ownCloud supports certified HSMs via PKCS
11.
The above encryption at rest solutions
have a distinct disadvantage in regards of
performance: any encryption operation
needs cycles and makes ownCloud slower. If
you share 20,000 files with another user, a lot
of keys must be added to the system and
decryption and encryption of file keys
must happen. For each file, a call to the
HSM is needed. In this case either a second
ownCloud instance can be installed which
holds all the data with additional protection
needs or an end-to-end encryption solution
is recommended.
3. End-to-End Encryption
In order to truly assure that neither the
system administrators nor anybody else in
your organization is able to access encrypted
data only end-to-end encryption is a viable
solution. This is the highest level of data
secrecy combined with the highest level of
data protection. Disadvantages are that the
user needs to think about the secrecy or
data protection requirements of files in each
folder, the performance overhead on the
client side and the system administrator can’t
recover any data for the user. If the private
key is lost, the data cannot be decrypted in
any other manner.
ownCloud provides an End-to-End
Encryption plugin in addition to the
ownCloud Enterprise Edition subscription.
4
The plugin subscription pricing starts at 1000
EUR/ year for up to 50 users. When the plugin
is enabled for a user, such a user can encrypt
any empty folder. Through sharing additional
users can be invited.
For every file uploaded, the uploader can
see to how many people and to whom this
file has been sent. Before uploading to the
server the file is encrypted inside the browser
leveraging a JavaScript plugin delivered to
the user’s browser securely. The files are
encrypted with public keys fetched from the
server. The decryption mechanism happens
inside the browser as well. This requires the
presence of the private key in the browser.
For maximum security ownCloud provides
an additional key service. The key service
assures that the private key can be kept
outside of the browser, even in the form
of a smart key, a piece of hardware which
prevents that the private key of the user is
ever known on the end user, living exclusively
on the hardware device.
With end-to-end encryption enabled, it is
not possible to leverage collaborative editing
or any server-side function including virus
scanning. However, as the solution is inside
the web browser it is very convenient, easy to
use and needs no additional software to be
installed.
 Bob Alice

Smar t Share
Smar t
Key Key
Encr ypted
Decr ypted
File
Decr yptedF ile File
Decr ypt
Encrypted File
Smart Ke y /
Hardware T oken

End-to-end encryption with a key service fulfills the highest needs for data secrecy and data protection.

The Role of the Outlook Plugin in
Encryption
Email is still the number one file sharing
utility, even though it is usually non-
encrypted. ownCloud provides the Outlook
Plugin which helps your users to deal
with email attachments. Any attachment
is automatically put into ownCloud and
replaced with a link, where such a link can be
password protected.
Exception: Medical data according to
article 9 sentence 2.h in conjunnection
with sentence 3
Together with the ownCloud End-to-End
encryption plugin all such attachments are
encrypted using the receiver public key.
If your organization deals with medical data
you will need to apply either the master key
in HSM or the end-to-end encryption method
or assure that your system administrators are
legally obligated to secrecy.
Summary
ownCloud has a solution for any challenges
in regards to data protection or data secrecy.
Discuss your needs with us, including the
attack vectors you would like to be protected
against. A proper ownCloud setup with
the proper add-ons will deliver the highest
security needs even for the most sensitive
data, no matter the size of the organization.

5
 Whitepaper Data Protection & Secrecy EN 202103
About ownCloud

ownCloud develops and provides open-source software for content collaboration, allowing teams to easily
share and work on files seamlessly regardless of device or location. More than 100 million users worldwide
already use ownCloud as an alternative to public clouds – and thereby opt for more digital sovereignty,
security and data protection.

For further information, please visit owncloud.com or find @ownCloud on Twitter.

ownCloud GmbH Contact:

Rathsbergstr. 17 owncloud.com/contact twitter @ownCloud
90411 Nürnberg Phone: +49 911 14888690 facebook facebook.com/owncloud
Germany owncloud.com linkedin linkedin.com/company/owncloud

Copyright 2021 ownCloud. All Rights Reserved. ownCloud and the ownCloud logo are
registered trademarks of ownCloud in the United States and/or other countries.