Nextcloud is an incredibly flexible cloud storage system. You can configure it in many different ways, and integrate it with over one hundred third-party apps. This is all incredible, but our focus in this series of cloud storage reviews is secure cloud storage. While I will touch on other aspects of the product, my goal here is to talk about whether Nextcloud has the potential to be your next secure cloud storage product.
- End-to-end encryption not fully implemented yet
- Company-authorized, third-party scanning of your system
Nextcloud feature summary
Here is a quick summary of the core features of Nextcloud.
- FOSS that runs on Windows, Mac OS, Linux, Android, iOS, and major browsers
- Multiple data hosting options
- Data in transit protected with TLS
- Optional at rest encryption using AES-256
- Optional end-to-end encryption with AES-128-GCM (not yet fully implemented)
- Optional file versioning
- 2FA support
- File sharing with numerous control options
- Integrated Personal Information Management (calendar, contacts, notes, tasks)
- Media streaming
- Synchronizes across all your devices and browsers
Nextcloud GmbH is the German publisher of the Nextcloud software. Founded in 2016 by developers from ownCloud, Nextcloud is an Open Source fork of that project. Normally, at this point in a cloud storage review, we would be talking about how Germany is a 14 eyes country, and how that affects the privacy and security of your Nextcloud data. But Nextcloud doesn’t actually host any of your data or even sell you the software. This makes our usual concerns about German laws moot.
Note: Things are different if you are interested in Nextcloud Enterprise. I don’t plan on dealing with this version in any detail in this review. If you want to learn more about it, a good starting point would be in the Nextcloud prices section that appears later in this article.
Where does Nextcloud stores user data?
Obviously, your data is stored somewhere when you use Nextcloud. But I can’t tell you where it will be stored. That’s because Nextcloud works through partner hosting companies around the world. They are the ones who store your data, be they located in Germany, Switzerland, Kuala Lumpur, wherever. You can also self-host your data on any server you have access to anywhere in the world.
The Nextcloud approach to data storage is incredibly flexible. But it also puts the burden of deciding where your data should be stored on your shoulders. You’ll want to choose a country for your data based on your threat model, your country of citizenship, and where you are going to be located when you access that data.
Nextcloud Privacy and Legal Policy
Nextcloud publishes a combined Privacy and Legal Policy document. I reviewed this to see what impact it might have on how you use the product. But before I go into the details of that, we need to talk again about Nextcloud partners. Because the partners who do the hosting are independent companies, they have their own Terms of Service and Privacy Policies that you will want to consider.
The short summary of the Nextcloud privacy and legal policies are that they take the minimum amount of data possible, and delete it as fast as they can. For example, if you give them an email address to download a white paper, they delete that email address as soon as they send you the white paper. They do some tracking and marketing of visitors to their website, but promise to delete and anonymize it regularly, without sharing any of it with third parties.
The Nextcloud server and mobile apps are designed not to send any data to the company, although Google and Apple will get some data if you download your mobile client from their app stores. Specifically:
The Play Store version equal to or newer than 1.5.0 for Nextcloud supports push notifications which use the Google servers. However Google does not have access to the actual notification data. Only a header with a subject is sent via Google, but in encrypted form, and the rest of the content is retrieved directly from your Nextcloud server and not sent through Google. The iOS client works in a similar way.
For the utmost in protection against this, you can download an Android Nextcloud client from F-Droid, an app store that only allows Free and Open Source Software (FOSS).
If you would like to verify all this for yourself, you can find the Nextcloud Privacy and Legal Policy here.
Nexcloud security audits & other third-party tests
I wasn’t able to find any third-party security audits or penetration testing being done by Nextcloud. That said, I did find two types of auditing/testing you should be aware of.
Nextcloud Security Scan
The company does offer their own security scanning tool. The Nextcloud Security Scan is a system that, “…analyzes the security of your server and gives you an overview of what to improve.”
While this tool can’t replace an audit by an experienced third party, using it certainly can’t hurt!
Third-party scans of your installation
I did come across one type of third-party Nextcloud testing, and I’m not real happy about it. Nextcloud uses third-party services that scan the Internet looking for Nextcloud installations that they claim have security vulnerabilities. These services then report the “problem” to the German government’s Federal Cyber Security Authority (BSI). The BSI then sends a letter to whoever is hosting your servers, telling them to tell you to update your software. While this all appears to be a legitimate function of the BSI, I am not thrilled with the idea of the German government getting involved in monitoring the configuration of my Nextcloud server.
To dig into this particular issue further, you could check this discussion thread in the Nextcloud help section.
Nextcloud user interfaces
While there are over 100 apps in the Nextcloud app store, we’re just going to concentrate on the core user interfaces here: the desktop app, the web interface and the mobile apps.
Nextcloud desktop app
The desktop app is accessible through the system tray or equivalent area of your operating system.
It creates a Nextcloud folder in your system’s file structure. Anything you place in this folder gets synced to your cloud storage and from there to any other instance of Nextcloud you have installed. The desktop app also gives you direct access to the Nextcloud folder, controls synchronization, and can launch the web interface.
Using the Settings… option, this is also where you can control which folders get synchronized to the local device.
Nextcloud web interface
The fullest range of Nextcloud capabilities appear in the web interface. What those capabilities are (and how secure and private your Nextcloud installation is) will depend on the installed apps.
Even if you are self-hosting your data, a key determinant of the security of your Nextcloud installation is the security of the apps you are using.
Nextcloud mobile apps
The iOS and Android apps give you access to whatever is stored in the cloud. But they do not automatically download everything. This makes sense since you don’t want to burn all your mobile data and the storage space on your device syncing files you are never going to look at.
Here’s the Nextcloud Android client:
Nextcloud hands-on testing
For this review, I installed Nextcloud on a desktop running Ubuntu and also an Android phone. I used one of the Nextcloud partners for free hosting.
I’m not going to talk about self-hosting your data since that is beyond the scope of this Nextcloud review.
Installing Nextcloud when using one of the partner hosting services is pretty easy. Log into the Nextcloud website. Set up your account (username and password required). Choose one of the hosting partners that the site recommends and create an account there. Download and install the desktop apps and mobile apps for each device you want to sync with Nextcloud.
Once the software is installed, launch the desktop app. Open the Nextcloud folder and add files and folders you want synchronized to it. Repeat on each device.
Like installing Nextcloud, configuring it is easy if you are using one of the hosting partners. Once you’ve added the files and folders you want synced into the Nextcloud folder, you should be up and running.
Depending on your circumstances, you do have the option to configure a proxy, and limit the upload and download bandwidth, but in most cases you should be good to go with the defaults.
Basic use of Nextcloud is about what you would expect. Drop files or folders into the Nextcloud folder and after a short wait they will appear on all your devices running the service. A copy will physically appear in the Nextcloud folder of every desktop app, while a download link to the file will appear in each mobile app and the web interface.
Beyond that, everything depends on the additional apps that you have access to. For example, the web interface for the partner hosted installation I used for this article includes the following capabilities:
- Files (the basic sync feature)
Additional Nextcloud features
Nextcloud offers a huge variety of apps that give the product a wide range of features. We’ll take a quick look at the Nextcloud app store, then look at some of the non-app additional features you may have access to.
1. The Nextcloud app store
The huge collection of apps here is a great resource for anyone setting up a Nextcloud environment. However, it is also a (potential) security nightmare. You’ll want to evaluate any apps you are considering using against your threat model. To check out the app store, click here.
Below are some of the useful additional features of Nextcloud. Whether or not they are available to your particular installation will often depend on how you are configured, who is hosting your data, and whether you have a free or paid plan.
2. Nextcloud Hub
The Nextcloud Hub is a recent addition to the enterprise product line. It is designed to give your organization the benefits of online collaboration, without the compliance and security risks of third-party services. Comprised of Nextcloud Files, Nextcloud Talk, and Nextcloud Groupware, it lets you keep everything safe and secure by hosting Nextcloud on your own secure hardware.
3. GDPR Compliance Kit
Achieving GDPR compliance is a project under any circumstances. Doing so with a highly customizable product like Nextcloud has to be an even bigger job. To help with this, the company has created their GDPR Compliance Kit. If GDPR compliance is a concern for your application, you can learn more about the kit here.
4. HIPPA / HITECH support
The enterprise version of Nextcloud is designed to fit into a HIPPA / HITECH environment. The company provides white papers and other support for organizations that need it. You can learn more here.
5. File Versioning
Nextcloud has basic version control built in. The details of how many and how long versions are kept are under control of the Administrator. Some free third-party hosting plans do not include version control at all.
The support Nextcloud provides depends on which version of the product you are using. Nextcloud Enterprise gets the full range of support.
Users of the free version of Nextcloud get access to a complete set of documentation:
- User manual
- Admin manual
- Developer manual
They also get access to:
- Nextcloud forums
- Nextcloud IRC chat channel
- Nextcloud Facebook page
- Nextcloud Twitter feed
These are all users helping users channels of communication.
How secure and private is Nextcloud?
This is a tough question to answer. That’s not because Nextcloud is a bad product, with poor security or crummy privacy policies. It is because this is such a flexible product, with so many different options, that it is hard to give blanket answers. Let’s see what I can tell you about this…
To discuss Nexcloud security, we need to talk about a few different configurations: self-hosted configurations, and configurations where some other organization controls the data. Self-hosted configurations, whether on your own server or on someone else’s server but completely under your control, can be secure. That’s because you can apply strong encryption to the folders or disks where your data is stored. Assuming you hold the encryption keys, your data should be secure.
In cases where some other organization controls the data (Nextcloud hosting partners, for example) your data is not going to be very secure. Even if that other organization applies strong encryption, they will be the ones controlling the keys. That leaves the security of your data up to them.
What about Nextcloud’s end-to-end encryption?
This looks promising, but it isn’t fully implemented yet. Until such time as Nextcloud announces that end-to-end encryption is fully functional and ready for use, we won’t know for sure what to think of it.
As we saw earlier, Nextcloud’s privacy policies are pretty friendly. Where potential problems arise is with the third-party apps you can use with Nextcloud, and with the hosting services that you might use to store your data. Each of these will have their own privacy policies. You’ll have to evaluate each one to understand how private your own Nextcloud configuration actually is.
Nextcloud comes in two forms: FOSS and Enterprise. While I’m interested in the FOSS version, it is useful to know a bit about what Nextcloud Enterprise offers and what it might cost you. As the Nextcloud website says,
Nextcloud Enterprise is pre-configured, optimized and hardened for the special needs of large scale, production-critical enterprise deployments. It is backed by a Nextcloud Subscription which gives you access to our expertise, partner services and more.
The company offers three plans: Basic, Standard, and Premium:
To find out more about what you get with the various Nextcloud Enterprise plans, check out this FAQ.
Nextcloud Review Conclusion
Nextcloud is a powerful, flexible, and free cloud storage solution. Between the core product and the 100+ apps you can add to it, you can create anything from basic cloud storage to a complete environment for home or business use.
It remains an ideal solution for those looking to self-host while also offering lots of flexibility. Once end-to-end encryption is fully deployed, you can build a free (or low cost) cloud storage system with encryption that rivals any other provider. Nonetheless, it remains an excellent solution if you are self-hosting on secure servers.
We also have a guide on the best secure cloud storage. And check out these other cloud storage reviews from Restore Privacy:
- MEGA cloud storage review
- Sync.com review
- Tresorit review
- SpiderOak review
- pCloud review
- iDrive review
- NordLocker review
Last updated on April 11, 2020.