A statement from ownCloud said this would ensure that the master key for decrypting files would always remain on the module and during the exchange only the sender and recipient could access the file in question.
Additionally, the integration of hardware security modules meant that even sysadmins could be excluded from being able to decrypt files at rest. This could be achieved by storing the master on a hardware device, with special algorithms ensuring that the key could not be accessed.
The company said that organisations looking for secure storage should take into account the possibility that a malicious sysadmin could gain access to their data.
Decrypted file keys were transmitted back to the ownCloud application server and a process inside the ownCloud application decrypted the actual files by using the corresponding decrypted file keys and then provided the decrypted files to users.
There would be no way for a sysadmin to read any content as long as the ownCloud application server's integrity was intact.
"Usually, encryption at rest solutions have a distinct disadvantage in regards of performance: any encryption operation normally needs cycles and makes ownCloud slower," the company said.
"For example, if you share 20,000 files with another user, a lot of keys must be added to the system and decryption and encryption of file keys must happen. For each file, a call to the hardware security module is needed."
It said this problem had been overcome through development of an enterprise-grade hardware security module solution by Securosys. "With their transaction throughput, load-balancing, and high-availability capabilities, the hardware security modules keep up with the demand of big organisations."