diff -r b321a3be0a38 -r c743721d566f docs/html/encryption.html
--- a/docs/html/encryption.html	Thu Aug 03 14:32:36 2017 +0200
+++ b/docs/html/encryption.html	Thu Aug 03 18:29:00 2017 +0200
@@ -43,14 +43,55 @@
 	<div class="nav">
 		<h3>dav-sync</h3>
 			<ul>
-				<li><a href=".">.</a></li>
+				<li><a href="introduction.html">Introduction</a></li>
+				<li><a href="sync-commands.html">Commands</a></li>
+					<ul>
+						<li><a href="pull.html">pull</a></li>
+						<li><a href="push.html">push</a></li>
+						<li><a href="resolve-conflicts.html">resolve-conflicts</a></li>
+						<li><a href="delete-conflicts.html">delete-conflicts</a></li>
+						<li><a href="trash-info.html">trash-info</a></li>
+						<li><a href="empty-trash.html">empty-trash</a></li>
+						<li><a href="add-directory.html">add-directory</a></li>
+						<li><a href="list-directories.html">list-directories</a></li>
+						<li><a href="sync-check-config.html">check-config</a></li>
+						<li><a href="check-repositories.html">check-repositories</a></li>
+					</ul>
+				<li><a href="sync-configuration.html">Configuration</a></li>
 			</ul>
 	</div>
 </div>
 
 <!-- begin content -->
 <div class="content">
-
+<h1 id="encryption">Encryption</h1>
+<p>The davutils programs have an integrated client-side encryption feature, that allows you to encrypt and decrypt on the fly with AES256 or AES128. To use this feature, the server <strong>must</strong> support WebDAV dead properties.</p>
+<p>The tools support both, encryption of the resource content and encryption of the resource name. Each resource is encrypted separately. With activated name encryption, the actual resource name is random but the name used by the client is stored encrypted in WebDAV properties. This means, an attacker can see the directory structure and the file length, but can't see which files have the same name.</p>
+<p>To enable encryption a key must be configured in <code>$HOME/.dav/config.xml</code>. A key must have an unique name. To access encrypted resources, all clients must configure the same key with the same name. Currently a key can only be loaded from a file and not generated from a password.</p>
+<p>A configuration for a key looks like:</p>
+<pre><code>&lt;key&gt;
+    &lt;name&gt;mykey1&lt;/name&gt;
+    &lt;file&gt;keys/mykey1&lt;/file&gt;
+&lt;/key&gt; </code></pre>
+<p>The file path must be relative to <code>$HOME/.dav/</code>. In this example the file <code>$HOME/.dav/keys/mykey1</code> is loaded.</p>
+<p>To generate a key use <strong><code>dd</code></strong> on unix like systems.</p>
+<pre><code>dd if=/dev/random of=mykey1 bs=32 count=1</code></pre>
+<p>After a key is configured, you can enable encryption/decryption in two ways. You can use the dav option <strong><code>-c</code></strong> to enable encryption and specify your key with the <strong><code>-k</code></strong> option. The alternative is to enable encryption by default for a repository in the config.xml file.</p>
+<pre><code>&lt;repository&gt;
+    &lt;name&gt;myrepo&lt;/name&gt;
+    &lt;url&gt;http://example.com/webdav/&lt;/url&gt;
+    
+    &lt;default-key&gt;mykey1&lt;/default-key&gt;
+    &lt;full-encryption&gt;true&lt;/full-encryption&gt;
+&lt;/repository&gt;</code></pre>
+<p>See <a href="./configuration.html">Configuration</a> for details.</p>
+<h2 id="internals">Internals</h2>
+<p>When a resource is encrypted, some crypto properties (namespace: http://davutils.org/) are set for the resource.</p>
+<ul>
+<li>crypto-key: Contains the name of the key used for encryption. The presence of this property indicates that the resource is encrypted</li>
+<li>crypto-hash: A Hash of the cleartext, encrypted and base64 encoded</li>
+<li>crypto-name: The name of the resource, encrypted and base64 encoded. This property is not used if name encryption is disabled.</li>
+</ul>
 </div>
 <!-- end content -->
 </body>