Is there a way to stop mobile app from uploading encryption password to server?

I was testing out Seafile’s E2EE feature and was surprise to find that on at least the Android mobile app it seems to upload the encryption password to the server.

Now according to the Seafile user manual under ‘Security and Encryption’ using the Desktop app to sync it won’t upload the password to the server.

But is there a way to achieve similar behavior when using Android app(iOS app? if it shares the same behavior)?

1 Like

This is not possible at the moment. Currently the mobile app use the same logic as the Web UI, that is the password is sent to the server and let the server encrypt/decrypt the files.

We may improve it in the future, when we have more resource for the mobile clients.

What about this setting in the Android app? When activated, it states that data is decrypted locally. :thinking:

Is there anyway to change the password cache duration, eg. something like modifying seafile.conf or similar?

This feature can work on 2.x version. But we have removed the feature in the coming version 3.0, as it is not very easy to maintain.

This is not possible yet. The current duration is 30 minutes.

Are you sure? The documentation seems to suggest 1 hour and the seafile server code seems to corroborate that. ie. seafile server passwd-mgr.c has this:

#define REAP_THRESHOLD 3600

Then it is 1 hour. I mixed it with other features that hold for 30 minutes.

The screenshot is from v3.0.2-pre. :grin:

I will give it a check.

This is interesting. I just tested it but doesn’t seem like it’s fully working. The password doesn’t get sent to the server so that’s good. However it doesn’t appear like it’s doing any local decryption, viewing any file in an encrypted library would just show

Repo is encrypted. Please provide password to view it.

I’m guessing this is still a work in progress?

It’s working for me in both states in v3.0.2-pre. But I see “set password API calls” also in both states, so I guess the switch is ignored and it’s always server-side decryption.