Let’s start with an explanation of what Nextcloud is. It's a fully open source storage and productivity platform that keeps you in control. It's a monster when it comes to features, and you can seriously look at making it your full-blown Android/Google, desktop and iCloud replacement!
Think about Dropbox, Slack and Trello having a child, one that in turn lets you connect your cellphone to your own cloud setup, all privacy focused and fully encrypted!
Nextcloud can be self-hosted (which we strongly recommend) or you can choose from any number of free or paid providers. We will go the self-hosting path and at the end of this Chapter of the Privacy Cookbook, I will guide you on how to make the magic happen in as little as 5 minutes.
Additionally, Nextcloud is a fork of OwnCloud, which is still kicking out its own versions, but Nextcloud seems to have outgrown the originating version.
Once you have set up Nextcloud you have hundreds of apps from which to choose, which can potentially make your Nextcloud setup an absolute powerhouse.
- Free and open source
- Self-hosted or hosted
- End-to-end encryption (testing phase only)
- File versioning
- Easily share files
- Collaboration
- Stream media files
- Calendar, contacts, notes, and tasks
- Auto-upload photos from mobile devices
- Two-factor authentication (via backup codes, TOTP authenticator app, Yubikey and more)
- Hundreds of apps for advanced functionality
- Cross platform
- GDPR and HIPAA compliant
As I mentioned, so many apps, but let's dig into the really cool stuff.
'Version Control' provides simple file versioning for Nextcloud users. In the Files window, click on the last 'Modified' date -> Versions tab to see any past versions of the file. How regularly these are saved and how long they are kept needs to be set in the Nextcloud administrator.
Easily share files
Individual files or folders can be shared across Nextcloud accounts or with a URL link with the sender having full control over the process. They can set an expiry date for the link, require a password to open the file, attach a note, whatever.
The Circles app allows sharing among custom groups.
Calendar, contacts, notes and tasks
The web interface features calendar, tasks, contacts and notes apps. Calendars can be synced with all mobile devices using the WebCAL framework.
Tasks, calendars, and contacts can be synced with Android devices using the DAVdroid app and notes can be synced to Android using the Nextcloud Notes app.
Apps sync perfectly with Nextcloud, tasks and contacts, no issues.
For the calendar, in theory the normal app should also work well, but I personally use Fantastical, which picked up everything in no time!
NB: If you use 2FA to secure your Nextcloud, you will need to create an app specific password! This is easy and works well.
In addition to the sharing features above, Nextcloud users can also collaborate using Collabora Online. This is a LibreOffice-based online office suite that supports all main document, spreadsheet, and presentation file formats.
Nextcloud works incredibly well as an online streaming server with video and music streaming without issue, regardless of your OS, Desktop, Android or iOS.
Mobile Phone syncs
Now this is where the magic really kicks in! You can literally replace everything you have, from automatic picture upload from your gallery app to calendar entries, tasks, contacts and email!
Nextcloud offers various layers of encryption to keep your data secure.
Encryption during transit
Nextcloud secures data in transit using TLS, the encryption protocol from HTTPS. Although TLS is configured in the web server, Nextcloud issues admins with a warning if it is not enabled for any reason. Hosted solutions, using HTTPS to secure the domain, will (should) have this enabled automatically.
Encryption at rest
Data at rest can be secured by using the AES-256 server-side Encryption app, but this has significant limitations. Principal amongst these is that the encryption key is stored alongside the data in the Nextcloud instance. This issue can be further compounded when the key is held within the server’s RAM, where it could be accessed by hackers or host server staff.
All of the above is exacerbated by the fact that Nextcloud’s '30 second desktop synchronization schedule' is predictable and thus provides an attack surface for bad actors. Nextcloud’s server-side encryption is best employed to secure external storage accounts linked to your Nextcloud instance – e.g. Google Drive and Dropbox.
NB: only the contents of files are encrypted but not their name or folder structure.
If you don’t store data on remote storage services, it is best to apply 'per-file' encryption manually prior to uploading to Nextcloud and/or use full disk encryption on the server drives (e.g. with dm-crypt or EncFS).
Full disk encryption can be implemented with self-hosted cloud or self-managed cloud instances. With a fully hosted account this is outwith your control, although it is something your provider may do, so ask them!
For increased privacy and security, Nextcloud can offer end-to-end encryption (E2EE). This allows you to encrypt your files locally prior to uploading to the cloud. These can then only be decrypted inside those apps for which you have a key.
E2EE can be enabled on a 'per-folder' basis and synced over. In addition to the actual content, file names and folder structure in E2EE folders are hidden.
- X.509 certificates to verify public keys
- AES-128-GCM (NoPadding) cipher to encrypt private keys
- PBKDF2 with HMAC SHA1 authentication for key derivation
- BIP39 mnemonic as a password
Full details are available in the white paper.
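The key-wrapping step named in the list above (BIP39 mnemonic as the password, PBKDF2 with HMAC-SHA1 for key derivation, AES-128-GCM around the private key), shown as an added example that is not Nextcloud's own code. The iteration count, salt and nonce sizes, blob layout and sample inputs are assumptions made for the illustration.

```javascript
const crypto = require("crypto");

// Assumed parameters for this illustration (not taken from Nextcloud's specification).
const ITERATIONS = 100000; // PBKDF2 work factor
const SALT_LEN = 16; // bytes
const NONCE_LEN = 12; // bytes, the usual GCM nonce size

// Constructed sample inputs, not real secrets.
const SAMPLE_MNEMONIC =
  "legal winner thank year wave sausage worth useful legal winner thank yellow";
const SAMPLE_KEY =
  "-----BEGIN PRIVATE KEY-----\nconstructed-sample\n-----END PRIVATE KEY-----";

// PBKDF2 with HMAC-SHA1 stretches the mnemonic into a 128-bit AES key.
function deriveKey(mnemonic, salt) {
  return crypto.pbkdf2Sync(mnemonic.normalize("NFKD"), salt, ITERATIONS, 16, "sha1");
}

// AES-128-GCM encrypts and authenticates the private key on the client.
// GCM works as a stream mode, which is why no padding is involved.
function wrapPrivateKey(privateKeyPem, mnemonic) {
  const salt = crypto.randomBytes(SALT_LEN);
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv("aes-128-gcm", deriveKey(mnemonic, salt), nonce);
  const ct = Buffer.concat([cipher.update(privateKeyPem, "utf8"), cipher.final()]);
  // Salt, nonce, tag and ciphertext can sit on the server; the mnemonic never leaves the client.
  return [salt, nonce, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join("|");
}

// Returns the private key, or null when the mnemonic is wrong or the blob was altered.
function unwrapPrivateKey(blob, mnemonic) {
  const [salt, nonce, tag, ct] = blob.split("|").map((s) => Buffer.from(s, "base64"));
  if (!ct || nonce.length !== NONCE_LEN || tag.length !== 16) return null;
  const decipher = crypto.createDecipheriv("aes-128-gcm", deriveKey(mnemonic, salt), nonce);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication tag did not verify
  }
}
```

Because GCM authenticates the ciphertext, a server that modifies the stored blob gets a failed unwrap rather than a silently corrupted key.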
While files and folders can be shared with other Nextcloud users, it doesn’t offer browser based E2EE cryptography. This is actually good for security since browser based cryptography remains vulnerable to the pushing of malicious code across from the server.
It does mean that you cannot share files or folders that have been E2EE encrypted with non-Nextcloud users. Neither can you access E2EE files and folders via the web interface.
For most users, being able to move files between E2EE and regular folders mitigates any of the inconvenience this may cause.
The main issue here is that Nextcloud’s E2EE implementation is in alpha, i.e. test mode. A warning is issued stating “don't use this in production and only with test data!”
Hopefully, you can see the potential that Nextcloud has and I believe that it is a great tool that really makes Dropbox, Google Drive and iCloud look like amateurs! It also allows you to coordinate, chat, video, call and work closely with business partners, work colleagues, family and friends. I personally moved everything across to Nextcloud recently and it seems to be working out ok.
We could go on about the hundreds of great apps, but I'll leave you to find them and decide which you use and why!
Let's dig into installing this beast!
Firstly, you need a cloud server! I have personally installed Nextcloud on two servers and both worked perfectly within minutes.
Hetzner, which is located in Germany, is a cheap yet powerful setup! You can choose between a cloud in Finland or two locations in Germany. (ID is required but will be verified within minutes and destroyed afterwards). This option is via PGP encryption.
DigitalOcean is one of the best known and most trusted cloud servers around with hubs in Germany, the USA (San Francisco and New York), Singapore, London, Toronto and Bangalore.
I personally recommend having a server closer to your physical location in order to get maximum speed!
We install Nextcloud via the snappy package. To download the Nextcloud snap package and install it on the system, type:
sudo snap install nextcloud
To configure Nextcloud with a new administrator account, use the nextcloud.manual-install command. You have to set a username and a password as arguments:
sudo nextcloud.manual-install adminusername password
Replace adminusername and password with your choice of an admin username and password.
You should receive the following message now:
Nextcloud is not installed - only a limited number of commands are available
Nextcloud was successfully installed
Now verify the installation and adjust the trusted domains. Type:
sudo nextcloud.occ config:system:get trusted_domains
As you can verify, only localhost is listed as a trusted domain. Add your own domain:
sudo nextcloud.occ config:system:set trusted_domains 1 --value=example.com
Replace example.com with your domain, then verify again:
sudo nextcloud.occ config:system:get trusted_domains
Output
localhost
example.com
Let's also install an SSL certificate for your domain.
First make sure your firewall allows these connections:
sudo ufw allow 80,443/tcp
Next, request a Let’s Encrypt certificate by typing:
sudo nextcloud.enable-https lets-encrypt
Output
In order for Let's Encrypt to verify that you actually own the domain(s) for which you're requesting a certificate, there are a number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must agree to the currently-in-effect Subscriber Agreement located here: https://letsencrypt.org/repository/ By continuing to use this tool you agree to these terms. Please cancel now if otherwise.
2. You must have the domain name(s) for which you want certificates pointing at the external IP address of this machine.
3. Both ports 80 and 443 on the external IP address of this machine must point to this machine (e.g. port forwarding might need to be setup on your router).

Have you met these requirements? (y/n)
Output
Please enter an email address (for urgent notices or key recovery): firstname.lastname@example.org
Now, enter the domain name for your Nextcloud server:
Please enter your domain name(s) (space-separated): example.com
Output
Attempting to obtain certificates... done
Restarting apache... done
Congrats! You are now the proud owner of a Nextcloud server!
Click on apps, make it your own and don't forget to enable End-to-End Encryption which is under Disabled Apps!