Make your cloud truly zero-knowledge
Your ShadowNode cloud is already encrypted at rest. With end-to-end encryption (E2EE) you go one step further: your files are locked on your own device, and nobody — not even us — can read them. Here's how.
The two layers of encryption
ShadowNode storage protects your data in two ways — it helps to know the difference:
- Encryption at rest (always on). Every file is stored AES-256 encrypted on our disks. This protects your data if hardware is ever lost or stolen. We don't scan or read your files — but technically, for the service to run, the server holds these keys.
- End-to-end encryption (you turn it on). Your files are encrypted on your device with a key only you have. The server only ever sees scrambled data. This is real zero-knowledge — and the rest of this guide is about enabling it.
Why NOT to enable it in the browser
When you use the web interface, the encryption code is delivered by the server every time you load the page. If the server were ever compromised, it could serve modified code designed to steal the key that protects your files — Nextcloud even warns you about this.
Step by step (desktop app)
- Install the app. Get the Nextcloud desktop client from nextcloud.com/install (Windows, macOS, Linux).
- Log in. Server address: cloud.shadownodehosting.duckdns.org. Use the username and password from your ShadowNode console.
- Open Settings → End-to-End Encryption and click Enable encryption.
- Save your 12-word key (see the warning below). This appears only once.
- Create a new, empty folder at the top level of your synced Nextcloud folder.
- Right-click it → Encrypt. A lock icon appears.
- Drop your files in. They're encrypted on your device before they ever leave it.
On your phone
Install the Nextcloud app (iOS App Store / Google Play), log in to the same server, then enable end-to-end encryption in the app settings. You'll enter the same 12-word key you created on desktop — that's how your devices share access without the server ever seeing it.
Your 12-word key — read this
- Write the 12 words down and store them offline (paper, password manager).
- Never share them, never type them into a website.
- If you lose the key, your encrypted files are gone forever. Because it's zero-knowledge, we cannot reset it or recover your data — by design.
How to check it actually worked
Open your cloud in the browser and look at the encrypted folder. It will show as locked / not readable — you can't preview the files there. That's exactly right: if the web interface can't read them, neither can we.
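The same check can be scripted against the WebDAV interface. This is an added example, not part of the original guide or ShadowNode's own tooling: it reads Nextcloud's `nc:is-encrypted` WebDAV property from a folder listing and reports which top-level folders are end-to-end encrypted. The user `alice`, the folder names and the XML response are constructed sample input.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"d": "DAV:", "nc": "http://nextcloud.org/ns"}

# Input: the multistatus body returned by a "Depth: 1" PROPFIND on
# /remote.php/dav/files/<user>/ that requests d:resourcetype and nc:is-encrypted.
# Constructed sample response (user "alice" and all names are made up):
SAMPLE = """<d:multistatus xmlns:d="DAV:" xmlns:nc="http://nextcloud.org/ns">
<d:response><d:href>/remote.php/dav/files/alice/</d:href><d:propstat><d:prop>
 <d:resourcetype><d:collection/></d:resourcetype><nc:is-encrypted>0</nc:is-encrypted>
 </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
<d:response><d:href>/remote.php/dav/files/alice/Private/</d:href><d:propstat><d:prop>
 <d:resourcetype><d:collection/></d:resourcetype><nc:is-encrypted>1</nc:is-encrypted>
 </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
<d:response><d:href>/remote.php/dav/files/alice/Holiday%20Photos/</d:href><d:propstat><d:prop>
 <d:resourcetype><d:collection/></d:resourcetype><nc:is-encrypted>0</nc:is-encrypted>
 </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
<d:response><d:href>/remote.php/dav/files/alice/notes.txt</d:href>
 <d:propstat><d:prop><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat>
 <d:propstat><d:prop><nc:is-encrypted/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat>
</d:response></d:multistatus>"""

def folder_status(multistatus_xml, root_href):
    """Map each top-level folder to True (E2EE) or False (at-rest encryption only)."""
    status = {}
    for resp in ET.fromstring(multistatus_xml).findall("d:response", NS):
        href = unquote(resp.findtext("d:href", "", NS))
        if href == root_href:
            continue  # the listing includes the root collection itself
        is_dir = encrypted = False
        for ps in resp.findall("d:propstat", NS):
            prop = ps.find("d:prop", NS)
            if prop is None or " 200 " not in ps.findtext("d:status", "", NS):
                continue  # skip properties the server did not return (e.g. 404)
            if prop.find("d:resourcetype/d:collection", NS) is not None:
                is_dir = True
            if prop.findtext("nc:is-encrypted", "", NS).strip() == "1":
                encrypted = True
        if is_dir:  # plain files at the top level are ignored
            status[href[len(root_href):].strip("/")] = encrypted
    return status

if __name__ == "__main__":
    for name, e2ee in folder_status(SAMPLE, "/remote.php/dav/files/alice/").items():
        print(f"{name}: {'end-to-end encrypted' if e2ee else 'at rest only'}")
```

The property is what the server reports about each folder, so treat the output as a quick inventory of which folders are zero-knowledge and which rely on at-rest encryption only.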
Good to know
- Only empty, top-level folders can be encrypted — not subfolders, and not folders that already contain files.
- Encrypted folders are managed through the apps; the web interface intentionally can't open them.
- Files outside an encrypted folder are still safe at rest (AES-256), just not zero-knowledge.