I was testing out Seafile’s E2EE feature and was surprised to find that on at least the Android mobile app it seems to upload the encryption password to the server.
Now according to the Seafile user manual under ‘Security and Encryption’ using the Desktop app to sync it won’t upload the password to the server.
But is there a way to achieve similar behavior when using the Android app (iOS app? if it shares the same behavior)?
This is not possible at the moment. Currently the mobile app uses the same logic as the Web UI, that is, the password is sent to the server and lets the server encrypt/decrypt the files.
We may improve it in the future, when we have more resources for the mobile clients.
Are you sure? The documentation seems to suggest 1 hour and the seafile server code seems to corroborate that, i.e. seafile server passwd-mgr.c has this:
This is interesting. I just tested it but it doesn’t seem like it’s fully working. The password doesn’t get sent to the server so that’s good. However, it doesn’t appear like it’s doing any local decryption; viewing any file in an encrypted library would just show:
Repo is encrypted. Please provide password to view it.
It’s working for me in both states in v3.0.2-pre. But I see “set password API calls” also in both states, so I guess the switch is ignored and it’s always server-side decryption.