Nextcloud Self-hosted Cloud Storage Review
Nextcloud is open source cloud storage software that allows you to back up and store files to the cloud from anywhere. Think Dropbox, Google Drive, or iCloud, except that you have complete control over where and how your files are stored.
The Nextcloud software essentially comes in two parts:
- Server software which provides the backend infrastructure needed to store your files in the cloud. This can be installed on your own computer in your own home (self-hosted) or on a remote server operated and maintained by someone else (hosted).
- Client software which is used to upload and access your files on a day-to-day basis. Client apps are available for Windows, macOS, Linux (many distros), iOS, and Android.
Nextcloud is a fork of Owncloud, but it has grown so rapidly over the last year that many consider it the successor to Owncloud despite the fact that Owncloud is still very much up and running.
If you set up your own Nextcloud instance, either self-hosted or on your personal web space (see later), then you have full access to all Nextcloud’s features. We list some popular core features below, but you can choose from over a hundred apps which hugely expand Nextcloud’s functionality.
If you take the easy route and allow a Nextcloud partner to set up a fully-hosted cloud for you, then it controls which features are available to your account.
Free fully-hosted accounts typically restrict access to features such as file versioning and end-to-end encryption, while premium accounts usually provide full administrator access which allows you to install apps and otherwise tinker to your heart’s content.
- Free and open source (although hosted server space may cost money)
- Self-hosted or hosted
- End-to-end encryption (testing phase only)
- File versioning
- Easily share files
- Stream media files
- Calendar, contacts, notes, and tasks
- Auto-upload photos from mobile devices
- Two-factor authentication (via backup codes, TOTP authenticator app, Yubikey and more)
- Hundreds of apps for advanced functionality
- Cross platform
- GDPR and HIPAA compliant
As noted, the actual feature set is highly customizable. Highlights include:
Version Control provides simple file versioning for Nextcloud users. In the Files window simply click on the last Modified date -> Versions tab to see past versions of the file. How regularly these are saved and how long they are kept is defined by the Nextcloud administrator.
We’ve noticed that with many fully-hosted accounts, file versioning is not available to free users.
Easily share files
Individual files or folders can be shared with selected individuals across Nextcloud accounts, or with anyone via a simple URL link, with the sender having a great deal of control over the process. They can, for example, set an expiry date for the link, require a password to open the sent file, attach a note, and so on.
The Circles app allows fine-grained sharing among custom groups.
Calendar, contacts, notes, and tasks
The web interface offers calendar, contacts, notes, and task apps. Calendars can be easily synced with all mobile devices using the WebCAL framework.
In theory, iOS apps can use WebDAV to sync calendars and tasks, and CardDAV to sync contacts, but in practice, this is a frustrating experience. Notes are, however, saved as .txt files in the regular upload by default and are therefore readily accessible from all devices.
In addition to the sharing features mentioned above, Nextcloud users can collaborate on files using Collabora Online. This is a LibreOffice-based online office suite which supports all major document, spreadsheet, and presentation file formats.
Stream media files
Nextcloud works very well as an online media streaming server. It comes with a built-in music player, and the web interface and iOS apps happily played every video file we threw at them.
All videos previewed fine in Android, but in our tests the Android app was a little fussier with what media files it would play in full-screen mode. Curiously, we also encountered occasional problems in Android even when streaming content using an external player such as VLC.
Auto-upload photos from mobile devices
This very handy feature auto-uploads photos taken on your Android device or iPhone. Unlike other cloud storage apps we have tested, it allows fine-grained control over which folders are monitored, as well as allowing you to specify that uploads only occur over WiFi and suchlike. This means that it won’t try to upload your entire video collection to the cloud!
Nextcloud client apps are available for Windows, macOS, Android, iOS, and just about every Linux distro out there. And because Nextcloud uses WebDAV to synchronize files, you can use any WebDAV client or app with your Nextcloud instance.
The full functionality of Nextcloud, however, is accessed and managed through its web interface via any modern browser on any platform.
If you want to self-host Nextcloud then it can be installed on any Linux computer. It can also be installed in Windows and macOS systems using a Virtual Machine.
A popular option is to use a Raspberry Pi as a low-cost Nextcloud server. We do have concerns about whether these machines have the oomph needed for the job, although this may be addressed by the much more capable new Raspberry Pi 4 (especially models with 4GB of RAM).
Given the low cost of physical storage these days, plus the fact that it costs nothing in terms of subscription fees, self-hosting Nextcloud is a very economical approach to cloud storage. It is also inherently very secure, as you have total physical control over the server. End-to-end encryption should ensure hosted solutions which use it are secure too, although this is still in the testing stage.
Dedicated Nextcloud devices
Setting up Nextcloud on a self-hosted Linux box is not a job for the casual user, so why not let the professionals do it for you? A variety of very reasonably priced devices are available which ship with Nextcloud pre-installed for you.
For the true offsite cloud storage experience, you will need to rent server space from a third-party provider. Here you have two options – you can install the server software yourself on server space that you have independently rented, or you can let a Nextcloud partner set up and manage an account for you.
Hosted server space
Installing Nextcloud on independently rented server space gives you complete control over your cloud server, much as you would have over a self-hosted server. The main benefits over self-hosting are that your data is safe in the event of a fire or burglary at home and that you don’t need to have a computer running at home all the time.
Installing Nextcloud on rented web space is fairly easy. Not as easy as a fully hosted solution (see below), but much easier than installing on a self-hosted Linux box.
The main concern is that files will not be encrypted by default at rest on the server. The server provider might encrypt its drives, but it will have the encryption keys and so can itself access data stored on them.
You can, however, implement additional encryption measures as discussed later in this review.
Letting a cloud provider set up and manage your Nextcloud account is an insanely easy option, as the process is pretty much entirely automated.
Most fully-hosted Nextcloud accounts come in at least two kinds: a “personal” account with a limited feature set, and an advanced account which gives you full administrator access, including the ability to add features via Nextcloud apps.
Free accounts are invariably of the first kind, although storage for both kinds of account can usually be expanded for a fee. Some providers also offer various “enterprise” tiers, but these are not the focus of this review.
Providers who offer fully-hosted Nextcloud accounts usually boast much better privacy credentials than Google, Dropbox, and the like. It is important to understand, however, that the provider has full administrator access to your account, and can, therefore, access files and other data stored in it (such as calendars and notes).
Accounts with administrator access can enable end-to-end encryption of files to mitigate against this problem (albeit in “testing stage” form at present), but at the end of the day, you do not have total control over your account.
Privacy and security
Nextcloud is developed by Nextcloud GmbH, a German company started by ownCloud inventor Frank Karlitschek. As open source software that can be self-hosted or remote-hosted anywhere, however, where Nextcloud GmbH is based is largely irrelevant.
What is relevant is the jurisdiction under which the data is stored. In most countries, police have the right to seize personal computer equipment suspected of being involved in a crime, and data centers will always operate in accordance with local data retention and surveillance laws.
If you intend to use Nextcloud to store sensitive data then it is advisable to familiarize yourself with different countries’ privacy and surveillance landscapes. Performing your own encryption (see below), though, can heavily mitigate against any dangers presented by the jurisdiction your data is stored in.
Nextcloud GmbH collects some anonymous website usage statistics, but its apps send no information to the company.
It is worth noting, though, that third-party apps abide by their own privacy policies, for which Nextcloud GmbH is not responsible.
With the Google Play Store version of the app, push notifications which include a header and subject are sent to Google, but if you don’t like this then you can download the apk directly or obtain the app from F-Droid.
Hosted solution data centers and providers will each have their own privacy policies, although the use of end-to-end encryption will ensure that they can have no access to your data.
Nextcloud offers various layers of encryption to keep your data secure.
Encryption during transit
Nextcloud secures data in transit using TLS, the encryption protocol used by HTTPS. This is configured in the webserver, but Nextcloud will issue administrators with a warning if TLS is not enabled for any reason. Hosted solutions which use HTTPS to secure the domain should have this enabled automatically.
Encryption at rest
Data at rest can be secured using the AES-256 server-side Encryption app, but this has severe limitations. The main problem is that the encryption key is stored alongside the data in the Nextcloud instance, a problem compounded by the fact that when used it is stored in the server’s RAM where it can be accessed by hackers or a hosted server’s operators.
This problem is not helped by the fact that Nextcloud’s 30-second desktop synchronization schedule is very predictable and therefore provides an easy attack surface for malicious actors. As such, Nextcloud’s server-side encryption is best used to secure external storage accounts which are linked to your Nextcloud instance – such as Google Drive and Dropbox accounts.
An additional problem is that only the contents of files are encrypted, not their name or folder structure.
If you don’t store data on remote storage services, then it is much better to deploy per-file encryption manually before uploading to Nextcloud and/or use full disk encryption on the server drives (for example using dm-crypt or EncFS).
Full disk encryption is fairly easy to implement with self-hosted cloud or self-managed cloud instances. If you have a fully-hosted account then this is out of your control, although it is something your provider may do anyway (so ask).
For ultimate privacy and security, Nextcloud offers end-to-end encryption (e2ee). This means you encrypt your own files locally before uploading them to the cloud. They can then only be decrypted inside apps for which you have the key.
E2ee can be enabled on a per-folder basis and synced across devices. In addition to the actual content, file names and folder structure in e2ee folders are hidden from the server.
Nextcloud uses X.509 certificates to verify public keys, an AES-128-GCM (NoPadding) cipher to encrypt private keys, PBKDF2 with HMAC SHA1 authentication for key derivation, and a BIP39 mnemonic as a password. Full details are available in a white paper.
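The key-wrapping chain described above, as an added Node.js example that is not Nextcloud's code or part of the original review: a mnemonic is stretched with PBKDF2-HMAC-SHA1 into a 128-bit key, which then encrypts the private key with AES-128-GCM. The iteration count, salt length, blob layout, mnemonic normalisation, sample inputs and all function names are assumptions made for this example.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed parameters: the review names the primitives, not these values.
const ITERATIONS = 100000; // assumption
const SALT_LEN = 16;       // assumption, bytes
const IV_LEN = 12;         // usual GCM nonce size, bytes
const TAG_LEN = 16;        // GCM authentication tag, bytes

// Constructed sample inputs (not a real mnemonic or key).
const SAMPLE_MNEMONIC = 'abandon ability able about above absent';
const SAMPLE_KEY = '-----BEGIN PRIVATE KEY-----\nconstructed-placeholder\n-----END PRIVATE KEY-----\n';

// Example choice: collapse whitespace and case so typing slips do not change the key.
function normaliseMnemonic(mnemonic) {
  return mnemonic.trim().toLowerCase().split(/\s+/).join(' ');
}

// PBKDF2 with HMAC-SHA1, 16-byte output = AES-128 key.
function deriveKey(mnemonic, salt) {
  return nodeCrypto.pbkdf2Sync(normaliseMnemonic(mnemonic), salt, ITERATIONS, 16, 'sha1');
}

// Returns base64(salt || iv || tag || ciphertext); fresh salt and IV per call.
function wrapPrivateKey(privateKeyPem, mnemonic) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', deriveKey(mnemonic, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws when the mnemonic is wrong or the blob was altered (GCM tag check fails).
function unwrapPrivateKey(blobB64, mnemonic) {
  const blob = Buffer.from(blobB64, 'base64');
  const ivStart = SALT_LEN, tagStart = ivStart + IV_LEN, ctStart = tagStart + TAG_LEN;
  const key = deriveKey(mnemonic, blob.subarray(0, ivStart));
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', key, blob.subarray(ivStart, tagStart));
  decipher.setAuthTag(blob.subarray(tagStart, ctStart));
  return Buffer.concat([decipher.update(blob.subarray(ctStart)), decipher.final()]).toString('utf8');
}

const wrapped = wrapPrivateKey(SAMPLE_KEY, SAMPLE_MNEMONIC);
console.log('round trip ok:', unwrapPrivateKey(wrapped, SAMPLE_MNEMONIC) === SAMPLE_KEY);
```

Because GCM is authenticated, a wrong mnemonic or a modified blob makes the unwrap throw rather than return garbage, so the server storing the blob cannot silently swap or corrupt the wrapped key.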
Files and folders can be shared with other Nextcloud users. What Nextcloud doesn’t offer is browser-based e2ee cryptography. This is good for security because, despite the development of various mitigations over the last few years, browser-based cryptography remains vulnerable to the possibility of malicious code being pushed from the server.
It does mean, however, that you can’t share files or folders that have been e2ee encrypted with non-Nextcloud users, and you can’t access e2ee files and folders via the web interface. For most people, the fact that you can readily move files between e2ee and regular folders should mitigate against any inconvenience this might cause.
The main problem is that Nextcloud’s e2ee implementation is still in “alpha” or “testing” phase, with a clear warning which says “don’t use this in production and only with test data!”
Given that use of e2ee is freely recommended throughout the site for those wanting maximum security and privacy, we suspect that implementation is more robust than this warning suggests. The Edward Snowdens of this world, however, should probably look elsewhere for now.
Ease of Use
How easy it is to set up a Nextcloud instance depends very much on how you want to host it, ranging from something your mother could do to really quite advanced. Once set up, however, Nextcloud is a breeze to use…
The desktop app
The desktop app for Windows, macOS and Linux creates a Nextcloud folder which syncs all files placed in it across all devices configured to use your Nextcloud account. You can choose which folders get synced and ask for confirmation before uploading files over a specified size.
In Windows (but not macOS and Linux) you can right-click on files in the Nextcloud folder to share them.
Other than that, the desktop app is very similar on all platforms.
The web portal
Nextcloud’s more advanced features are available via the web interface. The exact features which are available very much depend on which apps you (or whoever has admin access for your account) have installed.
If you have administrator access, then you can choose from a huge list of apps to install…
The mobile apps
Mobile apps are available for Android and iOS. As already noted, the Android app is available outside the Play Store for the more Google-phobic of you out there.
Unlike with the desktop apps, files are not synced to local storage by default. But you can choose to download files, upload files (accepting iOS’ usual built-in restrictions on this front), or sync any folders you like.
Nextcloud is an insanely fully-featured cloud backup solution which works beautifully across multiple devices and platforms. Indeed, its potential feature set, easily expanded by administrators through a one-click app installation, puts the likes of Dropbox, Google Drive, and iCloud to shame.
The biggest pull, of course, is that Nextcloud provides you with total control over how and where your files are stored. This is a big privacy win, although the fact that end-to-end encryption remains at the “trial” stage does introduce privacy concerns when using third-party (hosted) storage space.
We get the strong impression that e2ee is in reality considered fairly robust even at this stage, but until a stable version is released, it is not possible to recommend for sensitive data. That said, encrypting the entire instance with something like EncFS should provide more than enough security for most users.
Setting up a fully hosted Nextcloud account is so easy that your mother could do it, and is certainly a privacy improvement over using a big name cloud service. It does, though, miss out on the real privacy benefits of running your own Nextcloud instance as it requires trusting a third-party provider to manage it for you.
Setting up a self-hosted Nextcloud Linux box is not for the casual Dropbox user, although techies should not find it too hard and there are plenty of guides and help available. Or you can just buy one!
A half-way house is setting up a Nextcloud server on hosted web space.