When people say their files are "encrypted" in Google Drive or OneDrive, they're usually describing something very different from what security professionals mean by end-to-end encryption. Google and Microsoft encrypt your files — that's true. But they hold the encryption keys. This means Google and Microsoft can read your files whenever they choose. They can scan them for policy violations, use them for AI training, hand them over in response to legal requests, or access them if their systems are compromised.

End-to-end encryption (E2EE) is fundamentally different. With E2EE, files are encrypted on your device before they leave it. The encryption keys never touch the server. Not the cloud provider, not the system administrator, not even someone with physical access to the server hardware can read your files. Only you — and the people you explicitly share keys with — can decrypt the content.

Nextcloud offers true end-to-end encrypted file sharing. As of 2026, Google Drive and OneDrive still do not. This isn't a minor feature gap. For organizations handling sensitive legal documents, medical records, financial data, intellectual property, or classified information, E2EE is the difference between "we trust our cloud provider" and "even our cloud provider can't access our data."

This guide explains how encryption works at each level, what Google and Microsoft actually provide, how Nextcloud's E2EE implementation works, and when you should (and shouldn't) use it. It's part of our complete guide to replacing Google and Microsoft with Nextcloud.

Three Levels of File Encryption

Understanding the encryption landscape requires distinguishing between three distinct approaches. They're often conflated, but they provide very different security guarantees.

In-Transit Encryption (TLS/HTTPS)

In-transit encryption protects files while they're being transferred between your device and the server. This is what HTTPS provides. Every major cloud service uses it. When you upload a file to Google Drive, the data is encrypted during the upload. If someone intercepts the network traffic, they see encrypted gibberish.

But once the file arrives at the server, the in-transit encryption ends. The file is decrypted and then stored — potentially re-encrypted, but with the server's keys, not yours.

In-transit encryption protects against network eavesdropping and man-in-the-middle attacks. It does not protect against the cloud provider accessing your data, insider threats at the cloud provider, government subpoenas or legal requests, or server breaches where attackers gain access to stored files.

Server-Side Encryption (At-Rest Encryption)

Server-side encryption means files are encrypted when stored on disk. If someone steals a hard drive from Google's data center, the files are unreadable. Both Google Drive and OneDrive use server-side encryption for all stored files. Google uses AES-256; Microsoft uses BitLocker and per-file encryption.

This sounds reassuring, but there's a critical detail: the cloud provider holds the encryption keys. The encryption protects against physical theft of hardware and certain types of infrastructure compromise. It does not prevent the provider itself from accessing your files. Google can decrypt any file in Google Drive. Microsoft can decrypt any file in OneDrive. They do this routinely for content scanning, legal compliance, and feature functionality (like full-text search and preview generation).

Server-side encryption is a lock on the filing cabinet where the building owner keeps a master key.

End-to-End Encryption (E2EE)

End-to-end encryption means files are encrypted on your device, using keys that only you possess, before they're uploaded to the server. The server stores encrypted blobs that it cannot decrypt. The encryption keys never leave your devices.

Even if the server is completely compromised — root access, database dumps, everything — the attacker gets only encrypted data with no way to decrypt it. Even the server administrator cannot read E2EE-protected files. Even a court order served to the hosting provider cannot produce readable files, because the provider genuinely does not have the ability to decrypt them.

E2EE is the gold standard for protecting sensitive data in the cloud. It's also the most restrictive, as we'll discuss in the limitations section.

What Google Drive and OneDrive Actually Provide

Google Drive Encryption

Google encrypts files at multiple layers. All data in transit uses TLS 1.3. All data at rest uses AES-256. Google also offers client-side encryption (CSE) for Google Workspace Enterprise Plus customers, which allows organizations to use their own encryption keys managed through an external key management service.

However, Google's CSE is not true E2EE. The key management still involves Google's infrastructure during the encryption/decryption process. Google refers to it as "client-side encryption" rather than "end-to-end encryption" for this reason. Additionally, CSE disables Google's ability to process file contents, which means features like search, spell-check, and real-time collaboration are degraded or unavailable for CSE-protected files.

CSE is also only available on the most expensive Workspace tier (Enterprise Plus, approximately $25/user/month). Consumer Google Drive and lower Workspace tiers have no option for customer-managed encryption keys.

OneDrive Encryption

Microsoft encrypts OneDrive files at rest using per-file encryption keys, plus disk-level BitLocker encryption. Transit uses TLS. Microsoft also offers Customer Key for Microsoft 365, which lets organizations provide their own encryption keys via Azure Key Vault.

Like Google's CSE, Microsoft's Customer Key is not true E2EE. Microsoft's services still access the decrypted data during processing. Customer Key provides an additional layer of control and the ability to revoke access by destroying your keys, but during normal operation, Microsoft can still read your files for indexing, compliance scanning, and feature functionality.

Customer Key is available only with Microsoft 365 E5 or the E5 Compliance add-on — premium pricing that starts at approximately $57/user/month.

The Bottom Line for Google and Microsoft

| Feature | Google Drive | OneDrive |
|---|---|---|
| In-transit encryption | Yes (TLS 1.3) | Yes (TLS 1.2/1.3) |
| At-rest encryption | Yes (AES-256) | Yes (AES-256 + BitLocker) |
| Customer-managed keys | CSE (Enterprise Plus only) | Customer Key (E5 only) |
| True end-to-end encryption | No | No |
| Provider can read your files | Yes | Yes |
| Zero-knowledge architecture | No | No |

Neither Google Drive nor OneDrive offers a mode where the provider genuinely cannot access your file contents. Their encryption protects against external threats, not against the provider itself.

How Nextcloud E2EE Works

Architecture Overview

Nextcloud's end-to-end encryption is designed as a true zero-knowledge system. The server stores encrypted files and encrypted metadata, but never has access to the decryption keys. The architecture works as follows:

  1. Key generation: When you enable E2EE, a public/private key pair is generated on your device. The private key is encrypted with a passphrase (your mnemonic) and stored on the server in its encrypted form. The server cannot decrypt it without the mnemonic.
  2. File encryption: When you place a file in an E2EE folder, the Nextcloud client encrypts it locally using AES-256-GCM before uploading. Each file gets a unique encryption key.
  3. Metadata encryption: File names, folder names, and sharing information are also encrypted. The server sees only opaque identifiers.
  4. Sharing: When you share an E2EE folder with another user, the file keys are encrypted with the recipient's public key and stored on the server. Only the recipient's private key can decrypt them.
  5. Device sync: To access E2EE files on a new device, you enter your 12-word mnemonic passphrase. This decrypts your private key, which then decrypts file keys, which decrypt files. The mnemonic never touches the server.
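
The key hierarchy in steps 1 to 5, as an added example using Node.js's built-in crypto module (not Nextcloud's own code or storage format). The scrypt KDF, RSA-OAEP key wrapping, and all function and field names are assumptions chosen for illustration.

```javascript
// Added illustration of the key hierarchy above; not Nextcloud's real format.
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 12-byte nonce; the tag authenticates the ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on a bad key or tag
}

// Step 1: key pair made on the device; the private key is wrapped under a key
// derived from the mnemonic (scrypt is an assumed KDF) before upload.
function enroll(mnemonic) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const salt = crypto.randomBytes(16);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const kek = crypto.scryptSync(mnemonic, salt, 32);
  return { publicKey, salt, wrappedPrivateKey: seal(kek, der) }; // all the server holds
}

// Step 5: a new device rebuilds the private key from the mnemonic alone.
function recoverPrivateKey(mnemonic, { salt, wrappedPrivateKey }) {
  const der = unseal(crypto.scryptSync(mnemonic, salt, 32), wrappedPrivateKey);
  return crypto.createPrivateKey({ key: der, type: 'pkcs8', format: 'der' });
}

// Steps 2 and 4: a unique file key, wrapped once per recipient public key
// (RSA-OAEP is an assumed wrapping scheme).
function encryptFile(plaintext, recipients) {
  const fileKey = crypto.randomBytes(32);
  const wrappedKeys = {};
  for (const [user, { publicKey }] of Object.entries(recipients)) {
    wrappedKeys[user] = crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, fileKey);
  }
  return { blob: seal(fileKey, plaintext), wrappedKeys }; // the stored record
}

function decryptFile(record, user, privateKey) {
  const wrapped = record.wrappedKeys[user];
  const fileKey = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, wrapped);
  return unseal(fileKey, record.blob);
}
```

Everything returned by enroll and encryptFile is what a server could store; neither the mnemonic nor any unwrapped key appears in it.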

Enabling E2EE in Nextcloud

Setting up E2EE requires a few steps:

  1. Install the E2EE app: The server admin installs the "End-to-End Encryption" app from the Nextcloud App Store.
  2. Enable on the client: In the Nextcloud desktop client, go to Settings and enable end-to-end encryption. This generates your key pair and displays a 12-word mnemonic.
  3. Save the mnemonic: Write down the 12-word mnemonic and store it securely. If you lose it and no longer have a device that is already set up, you lose access to all E2EE files permanently. There is no other recovery mechanism, by design.
  4. Mark folders as encrypted: Right-click any folder in the Nextcloud client and select "Encrypt." All contents of that folder will be encrypted from that point forward.

Critical: The 12-word mnemonic is your only recovery mechanism. If you lose it and lose access to all your devices, your E2EE files are permanently unrecoverable. This is not a bug — it's the fundamental guarantee of zero-knowledge encryption. No one, including MassiveGRID or Nextcloud GmbH, can recover your data.

What the Server Sees

When E2EE is enabled on a folder, the Nextcloud server stores encrypted file blobs (unintelligible without the key), encrypted metadata (file names replaced with random identifiers), encrypted sharing records, and public keys for each user. The server admin, looking at the data directory, sees files with names like e2e-3f7a2b1c with contents that are pure encrypted data. No file names, no content previews, no searchable text.

Use Cases for E2EE

Legal Documents

Law firms handling attorney-client privileged documents need absolute confidentiality. E2EE ensures that even if the hosting infrastructure is compromised, privileged documents remain protected. The hosting provider cannot be compelled to produce readable documents because it does not hold the keys needed to decrypt them.

Medical Records

Healthcare organizations storing patient records (PHI under HIPAA, health data under GDPR) can use E2EE to add a layer of protection beyond what server-side encryption provides. Even in a data breach scenario, E2EE-protected medical records are unreadable without the encryption keys.

Financial Data

Financial institutions, accounting firms, and organizations handling sensitive financial records (tax returns, bank statements, audit documents) benefit from E2EE's zero-knowledge guarantee. Regulatory frameworks like FINRA and SOX increasingly expect data-at-rest protections that go beyond basic server-side encryption.

Intellectual Property

Companies developing proprietary technology, trade secrets, or competitive research can use E2EE to protect this information even from their own hosting provider. This is particularly relevant when using third-party hosting infrastructure rather than on-premises servers.

Whistleblower and Journalist Communications

Journalists receiving sensitive documents from sources need guarantees that no third party — including the infrastructure provider — can access those documents. E2EE provides this guarantee architecturally, not just through policy.

Limitations and Trade-offs

E2EE comes with significant trade-offs. Understanding these is essential before enabling it. For a comprehensive treatment of Nextcloud security beyond E2EE, see our Nextcloud security hardening guide.

No Server-Side Search

The server cannot search encrypted file contents because it cannot read them. Full-text search across E2EE files is impossible. The desktop client can search local copies of decrypted files, but Nextcloud's web-based search won't find content within E2EE folders.

No Server-Side Previews

Thumbnails, document previews, and file type-specific rendering require the server to read file contents. E2EE files show generic icons instead of previews in the web interface. You need the desktop or mobile client with your encryption keys to view the actual content.

No Server-Side Processing

Any feature that requires the server to read files won't work with E2EE content: Collabora/Nextcloud Office cannot open E2EE documents for collaborative editing, the Recognize app cannot process E2EE photos for AI tagging, OCR processing cannot extract text from E2EE PDFs, and antivirus scanning cannot scan E2EE files.

Limited Web Interface Functionality

E2EE files have reduced functionality in the web interface. You can see that encrypted folders exist and manage sharing permissions, but viewing or editing the actual content requires a client with the decryption keys. The web interface shows encrypted folders with a lock icon but cannot display their contents.

Key Management Responsibility

With E2EE, you are responsible for key management. Lose the mnemonic and all devices, and your data is gone forever. Organizations need to establish secure key escrow procedures — storing mnemonic phrases in physical safes, splitting them across multiple custodians, or using hardware security modules.

When to Use E2EE vs Server-Side Encryption

Not all files need E2EE. In practice, most organizations use a tiered approach:

| Data Category | Recommended Encryption | Reasoning |
|---|---|---|
| General documents | Server-side encryption | Full functionality (search, preview, collaboration) |
| Team wikis and notes | Server-side encryption | Need full-text search and web access |
| Photos and media | Server-side encryption | Need thumbnails, AI tagging, gallery features |
| Contracts and legal docs | E2EE | Confidentiality outweighs convenience |
| Medical/health records | E2EE | Regulatory requirements, maximum protection |
| Financial statements | E2EE | Sensitive data requiring zero-knowledge |
| Trade secrets / IP | E2EE | Must protect even from hosting provider |
| HR and personnel files | E2EE | Employee privacy, legal sensitivity |

The practical approach is to E2EE-protect specific sensitive folders while keeping the majority of your file system on standard server-side encryption. This gives you full Nextcloud functionality for daily work and maximum protection for sensitive content.

E2EE and GDPR Compliance

For organizations operating under GDPR, E2EE provides an additional compliance layer. GDPR Article 32 requires "appropriate technical and organisational measures" to ensure security, specifically mentioning encryption. E2EE goes beyond the minimum by ensuring that even the data processor (your hosting provider) cannot access personal data. For a complete treatment of GDPR-compliant Nextcloud deployment, see our guide on deploying Nextcloud on GDPR-compliant infrastructure.

GDPR's breach notification requirements (Article 33) also interact favorably with E2EE. If E2EE-protected data is involved in a breach, the encrypted data is unusable to the attacker. While the breach must still be reported to the supervisory authority, the risk to data subjects is dramatically lower, which affects both the required response and potential penalties.

Nextcloud E2EE vs Third-Party Encryption Tools

Some users add E2EE to Google Drive or OneDrive using third-party tools like Cryptomator or Boxcryptor (now part of Dropbox). These tools create encrypted containers or encrypt files before upload, providing E2EE-like protection on top of standard cloud storage.

Nextcloud's built-in E2EE has advantages over this approach: native integration with the sync client (no extra software), integrated sharing (share encrypted files with other Nextcloud users natively), and consistent user experience. Third-party tools require additional software on every device, often have their own subscription fees, and sharing encrypted files requires all recipients to use the same tool.

The disadvantage of Nextcloud's approach is that it's an all-or-nothing per-folder setting. You can't E2EE-protect individual files within a regular folder — you mark entire folders as encrypted, and everything inside is encrypted.

Looking at E2EE and Nextcloud's AI Features

As Nextcloud expands its AI capabilities — including the AI Assistant for text generation, image creation, and document analysis — there's an inherent tension with E2EE. AI features require the server to process file contents, which is impossible with E2EE-protected files. Organizations need to be intentional about which files live in E2EE folders (maximum protection, no AI features) versus regular folders (full AI functionality, server can access contents). For more on Nextcloud's AI capabilities, see our comparison of Nextcloud AI Assistant vs Gemini and Copilot.

End-to-end encryption is Nextcloud's strongest differentiator in the cloud storage market. It's the feature that Google Drive and OneDrive fundamentally cannot offer because their business models depend on being able to process your data. Nextcloud's business model doesn't. That architectural difference translates into a security guarantee that no amount of marketing from Google or Microsoft can match: your encrypted files are yours alone, and no one else — not even the people running your server — can read them.