Services

How to check if the services offered by /e/OS are online?

You can check the status of /e/OS services at status.e.foundation and Murena Cloud services at status.murena.io.

Is my data on the /e/OS servers encrypted?

• All Murena Cloud files are encrypted by server-side encryption.
• This means the keys to decrypt the data are only available in the servers hosting the application.
• Only a handful of senior administrators and lead developers have access to those servers to perform maintenance and troubleshooting.
• Decryption is only authorized as part of a disaster recovery procedure, initiated by a user request on helpdesk@murena.com or as part of a legal obligation to answer a binding request coming from legal authorities in the European Union.
• All backups are encrypted with a different key, not stored on the application servers. Only a few administrators have access to the servers hosting the backups.
• True end-to-end encryption for Murena Cloud files, full database encryption, and encryption for mails is in our plans as long-term features.

Can I delete my Murena Cloud ID?

Yes you can. Refer to this document to understand how this can be done.

What can I do if I lost my phone?

If you have access to the credentials and can log into Murena Cloud:

• Revoke all sessions and application passwords except the one you are currently using on Murena.io security settings, Devices and sessions.
• Immediately change your Murena Cloud password and store it in a safe place (typically, a password manager).
• Monitor for a few hours to make sure no other device or application appears in the list of sessions on murena.io.

If you lost your 2FA system, don’t have your credentials at hand or cannot do this on time:

• Request an account deactivation by sending a mail to helpdesk@murena.com. This is reversible and your data will remain safe in our cloud.
• For the request use your Murena Cloud ID or the recovery email you set to recover your password.
• DO NOT delete your account as this will also delete all your data on the Murena Cloud as well.

As you may know Murena Cloud is forked from Nextcloud which offers a “Wipe Device” functionality. This implementation has not been added as yet into /e/OS so unfortunately it cannot be used.

Can the Murena Cloud admin access my data

On any Nextcloud instance, an administrator can see your files and all the information in the database. Not only Nextcloud admins, but also server admins (i.e. root) have this access. In our case this means a handful of trusted administrators and lead developers. The only way to make files inaccessible is by using end-to-end encryption.

Nextcloud has no plans for database encryption as per our understanding. We are planning to provide an additional service down the line, maybe based on EteSync. The team needs to investigate its feasibility and the User Experience to provide a seamless operation between the phone and the web interface.

Our Murena Cloud admins need to make backups, perform upgrades, reset passwords, etc. We have implemented Nextcloud’s server side encryption on our servers. We do not intend to enable end to end encryption (E2EE) plugin from Nextcloud because it is not satisfactory in its current state and can lead to data loss, as shown on the user reviews.

You can also host your own Murena Cloud or a plain Nextcloud (no e-mail server included in that case).

Can the Murena Cloud admin read our emails ?

Only a few team members can read your emails, unless some encryption mechanism is used like PGP. This is the case on any e-mail provider except custom non-standard solutions. Our goal at Murena is also to set up something that works out of the box including key creation, discovery and seamless experience between /e/OS and Murena webmail. This will need specific R&D. For now, you can already configure PGP on /e/OS Mail and on Murena Cloud webmail.

I want to know more about the security on Murena Cloud

Since this is a common query from /e/OS users, we would like to clarify a few points:

• murena.io is a modified version of murena-cloud-selfhosting, which is based upon several open source projects.
• We have implemented Nextcloud’s server side encryption on our servers. As you maybe aware SSE is a requirement for E2EE.
• We have a long-standing relationship with a security expert in charge of hardening and monitoring our systems, including murena.io.
• Nextcloud security scanner’s score doesn’t accurately reflect the security of Murena Cloud
• Read more about it on your Murena Cloud instance

A few of the improvements applied to murena.io in regards to the base murena-cloud-selfhosting instance:

• Performance tuning adapted to the scale of the service (number of users, storage size, etc).
• High availability for all core services: nextcloud, mariadb and redis, behind a HAProxy load balancer.
• We try to always keep the infrastructure and applications in compliance with the best available security hardening guidelines available such as DevSec Hardening Framework and CIS Benchmark for Ubuntu.
• We apply process confinement techniques and mitigation provided by AppArmor and systemd.
• We use Wazuh monitoring for threat detection.

If you think (or can prove) that there is a security vulnerability in murena.io or the murena-cloud-selfhosting project, please contact us directly: security@murena.io. Please do not use this address for any other purpose.

Kindly use the following key to encrypt any sensitive disclosure: https://keys.openpgp.org/vks/v1/by-fingerprint/F242DB4B0F002ED0AB73A5D06E25E121E5939DAF

How can I contact Murena Cloud Data Protection Officer (DPO)?

Please write your inquiry to dpo@murena.com and the person currently performing this role will coordinate the necessary action and reply in the shortest delay. If you have a general question or concern about the services and their implementation, please write to helpdesk@murena.com instead.

Can a custom cloud be configured to connect to /e/OS?

You can configure /e/OS to talk to another Nextcloud instance, though you won’t get all the features like common username for all services including mail etc. You can also selfhost Murena Cloud on your own servers if you want.

Where is Murena Cloud data stored?

The Murena Cloud servers are located in Finland and run on renewable energy. You can read more here.

How are backups handled on Murena Cloud?

Murena Cloud user data is stored in a replicated storage cluster at Hetzner’s data center in Helsinki, Finland (code named - HEL1) with server side encryption provided by Nextcloud server application. Every day, a snapshot (copy) of the data is stored in the same datacenter and every copy is kept for seven days.

Additionally, we create a second copy of these snapshots and synchronize them every day to Hetzner’s data center in Falkenstein, Germany (code named - FSN1). These incremental cold backups are kept for up to three months to serve as a safe off-site backup in case of a disaster at Finland’s data center.