Encrypted Storage · 4 min read

Make your cloud truly zero-knowledge

Your ShadowNode cloud is already encrypted at rest. With end-to-end encryption (E2EE) you go one step further: your files are locked on your own device, and nobody — not even us — can read them. Here's how.

Contents
  1. The two layers of encryption
  2. Why NOT to enable it in the browser
  3. Step by step (desktop app)
  4. On your phone
  5. Your 12-word key — read this
  6. How to check it actually worked
  7. Good to know

The two layers of encryption

ShadowNode storage protects your data in two ways — it helps to know the difference:

Why NOT to enable it in the browser

When you use the web interface, the encryption code is delivered by the server every time you load the page. If the server were ever compromised, it could serve modified code designed to steal the key that protects your files — Nextcloud even warns you about this.

⚠ Use the desktop or mobile app — not the browser.
The apps are installed once on your device, so the server can't swap out their code. That's what keeps your key truly private. For zero-knowledge, always set up E2EE in an app.

Step by step (desktop app)

  1. Install the app. Get the Nextcloud desktop client from nextcloud.com/install (Windows, macOS, Linux).
  2. Log in. Server address: cloud.shadownodehosting.duckdns.org. Use the username and password from your ShadowNode console.
  3. Set up encryption. In the client, open Settings → your account → End-to-End Encryption and click Set up encryption. (Just installed the app? Fully quit and restart the client first so it sees the feature.)
  4. Save your 12-word key. The client shows a 12-word recovery passphrase — write it down and store it offline (see the warning below).
  5. Create a new, empty folder at the top level of your synced Nextcloud folder (not inside another folder).
  6. Wait for it to sync. A new folder first shows a cloud icon (not uploaded yet). Wait until it turns into a green check — on Windows you may need to right-click it → “Always keep on this device” to force the sync.
  7. Encrypt it. Right-click the green, empty folder → choose Encrypt. On Windows 11 the entry is hidden under “Show more options” (or press Shift+F10) → Nextcloud → Encrypt. A lock icon appears.
  8. Drop your files in. Anything you put into this folder is encrypted on your device before it ever leaves it.

That's it — there's nothing else to switch on. Note: encryption applies to this folder, not your whole account. Files outside it stay encrypted at rest, but not zero-knowledge.

💡 Folders stuck on a cloud icon? Turn off “Virtual Files”.
A cloud icon means the folder is online-only and not downloaded yet — you can't encrypt it until it's synced (green check). Easiest fix: in the desktop client, open the account menu () → Disable virtual file support. Everything then stays on your device automatically (always green), no more cloud icons. Or, per folder: right-click → “Always keep on this device.”

On your phone

Install the Nextcloudapp (iOS App Store / Google Play), log in to the same server, then enable end-to-end encryption in the app settings. You'll enter the same 12-word key you created on desktop — that's how your devices share access without the server ever seeing it.

Your 12-word key — read this

This is the whole point — and the whole risk.
  • Write the 12 words down and store them offline (paper, password manager).
  • Never share them, never type them into a website.
  • If you lose the key, your encrypted files are gone forever. Because it's zero-knowledge, we cannot reset it or recover your data — by design.

How to check it actually worked

Open your cloud in the browser and look at the encrypted folder. It will show as locked / not readable— you can't preview the files there. That's exactly right: if the web interface can't read them, neither can we.

Good to know

Advertisement
Get encrypted storage →Ask a question