🔒 Vault: E2EE for Spaces

[tbsbdr]

Description

Value

• Zero trust, E2EE: even the sysadmins can not access files in a vault
• Strong access control: MFA can be enabled for vaults (step up authentication)

Release Note

Vault: End-to-End encryption for Spaces

Vaults are Spaces with maximum confidentiality. You can turn a Space into a Vault by enablinig the Vault option for any Space. Files in Vaults are end-to-end encrypted which means, that even sysdamins can not read these files. You can also enforce strong authentication (MFA) for Vaults. Vaults are only accessible via the Web Interface to ensure that sensitive data leave no trance on your device. Vaults come with some limitations: No search or co editing. No Public links (options?) or sharing. No virus scanning.

[tbsbdr]

see also opencloud-eu/web-extensions#381

[suse-coder]

Many companies are looking for true client-side end-to-end encryption for spaces (“encrypted spaces”). It would be highly valuable if OpenCloud supported this.

A good approach would be to follow the model used by Element and the Matrix Protocol: each space is protected by keys generated and managed on the client. Encryption relies on Megolm for group messaging, where session keys are securely shared between user devices.

A space admin should be able to add new users by verifying their devices and securely sharing the required keys (e.g., the current group session key) via E2EE. Optionally, a passphrase-based mechanism can be used for secure key backup, cross-device access, and recovery directly through the OpenCloud app—similar to how it is handled in Element X.

This results in a secure and user-friendly system with true end-to-end encryption, where the server has no access to the data.