Let’s start with an explanation of what Nextcloud is. It's a fully open source storage and productivity platform that keeps you in control. It's a monster when it comes to features, and you can seriously look at making it your full-blown Android/Google, desktop and iCloud replacement!

Think of Dropbox, Slack and Trello having a child that also connects to your cellphone, all in your own cloud setup, privacy focused and fully encrypted!

Nextcloud can be self-hosted (which we strongly recommend) or you can choose from any number of free or paid providers. We will go the self-hosting path, and at the end of this chapter of the Privacy Cookbook I will guide you on how to make the magic happen in as little as 5 minutes.

Additionally, Nextcloud is a fork of ownCloud, which still releases its own versions, but Nextcloud seems to have outgrown the original.

Once you have set up Nextcloud you have hundreds of apps from which to choose, which can make your Nextcloud setup an absolute powerhouse.

  • Free and open source
  • Self-hosted or hosted
  • End-to-end encryption (testing phase only)
  • File versioning
  • Easily share files
  • Collaboration
  • Stream media files
  • Calendar, contacts, notes, and tasks
  • Auto-upload photos from mobile devices
  • Two-factor authentication (via backup codes, TOTP authenticator app, Yubikey and more)
  • Hundreds of apps for advanced functionality
  • Cross platform
  • GDPR and HIPAA compliant

As I mentioned, so many apps, but let's dig into the really cool stuff.

File versioning

'Version Control' provides simple file versioning for Nextcloud users. In the Files window, click on the 'Modified' date and open the Versions tab to see any past versions of the file. How often versions are saved and how long they are kept is set by the Nextcloud administrator.

Easily share files

Individual files or folders can be shared across Nextcloud accounts or with a URL link with the sender having full control over the process. They can set an expiry date for the link, require a password to open the file, attach a note, whatever.

Circles

The Circles app allows sharing among custom groups.

Calendar, contacts, notes and tasks

The web interface features calendar, tasks, contacts and notes apps. Calendars can be synced with all mobile devices using the WebCAL framework.

Tasks, calendars, and contacts can be synced with Android devices using the DAVdroid app and notes can be synced to Android using the Nextcloud Notes app.

iOS

The stock iOS apps sync tasks and contacts with Nextcloud perfectly, no issues.

For the calendar, in theory the normal app should also work well, but I personally use Fantastical, which picked up everything in no time!

NB: If you use 2FA to secure your Nextcloud, you will need to create an app specific password! This is easy and works well.

Collaboration

In addition to the sharing features above, Nextcloud users can also collaborate using Collabora Online. This is a LibreOffice-based online office suite that supports all main document, spreadsheet, and presentation file formats.

Streaming

Nextcloud works incredibly well as an online streaming server, streaming video and music without issue regardless of your OS, whether desktop, Android or iOS.

Mobile Phone syncs

Now this is where the magic really kicks in! You can literally replace everything you have, from automatic picture upload from your gallery app to calendar entries, tasks, contacts and email!

Technical security

Nextcloud offers various layers of encryption to keep your data secure.

Encryption during transit

Nextcloud secures data in transit using TLS, the encryption protocol behind HTTPS. Although TLS is configured in the web server, Nextcloud warns admins if it is not enabled for any reason. Hosted solutions using HTTPS to secure the domain will (should) have this enabled automatically.

Encryption at rest

Data at rest can be secured using the AES-256 server-side encryption app, but this has significant limitations. Principal amongst these is that the encryption key is stored alongside the data in the Nextcloud instance. This is further compounded when the key is held in the server’s RAM, where it could be accessed by hackers or by the hosting provider's staff.

All the above is exacerbated by the fact that Nextcloud’s 30-second desktop synchronisation schedule is predictable and thus provides an attack surface for bad actors. Nextcloud’s server-side encryption is best employed to secure external storage accounts linked to your Nextcloud instance, e.g. Google Drive and Dropbox.

NB: only the contents of files are encrypted, not their names or the folder structure.

If you don’t store data on remote storage services, it is best to apply per-file encryption manually prior to uploading to Nextcloud and/or use full disk encryption on the server drives (e.g. with dm-crypt or EncFS).

Full disk encryption can be implemented on self-hosted or self-managed cloud instances. With a fully hosted account this is outwith your control, although it is something your provider may do, so ask them!

End-to-end encryption

For increased privacy and security, Nextcloud can offer end-to-end encryption (E2EE). This allows you to encrypt your files locally prior to uploading to the cloud. They can then only be decrypted inside those apps for which you have a key.

E2EE can be enabled on a per-folder basis and synced over. In addition to the actual content, file names and folder structure in E2EE folders are hidden.

Nextcloud uses:

  • X.509 certificates to verify public keys
  • AES-128-GCM (NoPadding) cipher to encrypt private keys
  • PBKDF2 with HMAC-SHA1 for key derivation
  • A BIP39 mnemonic as the password

Full details are available in the white paper.

While files and folders can be shared with other Nextcloud users, it doesn’t offer browser-based E2EE cryptography. This is actually good for security, since browser-based cryptography remains vulnerable to malicious code being pushed from the server.

It does mean that you cannot share E2EE-encrypted files or folders with non-Nextcloud users. Neither can you access E2EE files and folders via the web interface.

For most users, being able to move files between E2EE and regular folders mitigates any of the inconvenience this may cause.

The main issue here is that Nextcloud’s E2EE implementation is in alpha, i.e. test mode. A warning is issued stating “don't use this in production and only with test data!”

Hopefully, you can see the potential that Nextcloud has, and I believe that it is a great tool that really makes Dropbox, Google Drive and iCloud look like amateurs! It also allows you to coordinate, chat, video call and work closely with business partners, work colleagues, family and friends. I personally moved everything across to Nextcloud recently and it seems to be working out ok.

We could go on about the hundreds of great apps, but I'll leave you to find them and decide which you use and why!


Let's dig into installing this beast!

Firstly, you need a cloud server! I have personally installed Nextcloud on two servers and both worked perfectly within minutes.


Hetzner, located in Germany, is a cheap yet powerful option! You can choose between a cloud location in Finland or two locations in Germany. (ID is required but will be verified within minutes and destroyed afterwards; this step is handled via PGP encryption.)


DigitalOcean is one of the best known and most trusted cloud servers around with hubs in Germany, the USA (San Francisco and New York), Singapore, London, Toronto and Bangalore.

I personally recommend having a server closer to your physical location in order to get maximum speed!

We install Nextcloud via the snap package.

To download the Nextcloud snap package and install it on the system, type:

sudo snap install nextcloud


To configure Nextcloud with a new administrator account, use the nextcloud.manual-install command.

You have to set a username and a password as arguments:

sudo nextcloud.manual-install adminusername password

Replace adminusername and password with your own choice of admin username and password.

You should receive the following message now:

Nextcloud is not installed - only a limited number of commands are available
Nextcloud was successfully installed

Now verify the installation and adjust the trusted domains:

sudo nextcloud.occ config:system:get trusted_domains
Output
localhost

Only localhost is listed as a trusted domain, so add your own domain:

sudo nextcloud.occ config:system:set trusted_domains 1 --value=example.com

Replace example.com with your domain, verify again:

sudo nextcloud.occ config:system:get trusted_domains
Output
localhost
example.com

Let's also install an SSL certificate for your domain.

First, make sure your firewall allows these connections:

sudo ufw allow 80,443/tcp

Next, request a Let’s Encrypt certificate by typing:

sudo nextcloud.enable-https lets-encrypt
Output
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n)

Type y

Output
Please enter an email address (for urgent notices or key recovery): your_email@domain.com

Now, enter the domain name for your Nextcloud server:

Please enter your domain name(s) (space-separated): example.com
Output
Attempting to obtain certificates... done
Restarting apache... done

Congrats! You are now the proud owner of a Nextcloud server!

Click on apps, make it your own and don't forget to enable End-to-End Encryption which is under Disabled Apps!

Enjoy