Nextcloud generates a public and private key pair the first time a user enables end-to-end encryption in their client. The server creates a ‘certificate’ to verify the user's identity (our Cryptographic Identity Protection feature) and stores it on the server. This allows other users to encrypt files that they wish to share with you. The private key is encrypted with a very secure and very long (12 word!) passcode, which the app generates locally and displays to the user. The encrypted key is then stored on the server as well.
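
The enrollment flow described above, as an added Node.js example that is not Nextcloud's own code. RSA-2048, PBKDF2-SHA256, AES-256-GCM, the iteration count, the function names and the constructed 16-word list are all assumptions; the certificate step is omitted.

```javascript
// Added illustration, not Nextcloud client code. KDF, cipher and parameters are assumptions.
const crypto = require('node:crypto');

// Constructed 16-word stand-in list; a real client needs a far larger list for enough entropy.
const WORDS = ['amber', 'birch', 'cedar', 'delta', 'ember', 'flint', 'grove', 'harbor',
  'iris', 'jade', 'kelp', 'lumen', 'maple', 'north', 'opal', 'pine'];

// Pick 12 words with a CSPRNG; this is the passcode displayed to the user.
function generateMnemonic() {
  return Array.from({ length: 12 }, () => WORDS[crypto.randomInt(WORDS.length)]).join(' ');
}

// Stretch the passcode into a 256-bit key (PBKDF2-SHA256, assumed iteration count).
function deriveKey(mnemonic, salt) {
  return crypto.pbkdf2Sync(mnemonic.normalize('NFKD'), salt, 200000, 32, 'sha256');
}

// Client side: encrypt the private key before it leaves the device.
function wrapPrivateKey(privateKeyPem, mnemonic) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(mnemonic, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ct }; // the only form the server stores
}

// Second device: fetch the blob, ask the user for the 12 words, decrypt locally.
function unwrapPrivateKey(blob, mnemonic) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(mnemonic, blob.salt), blob.iv);
  d.setAuthTag(blob.tag);
  // final() throws if the words are wrong or the blob was modified
  return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8');
}

// First-time setup as the paragraph describes it (certificate issuance omitted).
function enrollDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const mnemonic = generateMnemonic();
  return { publicKey, privateKey, mnemonic, serverBlob: wrapPrivateKey(privateKey, mnemonic) };
}
```

Because the wrapping key exists only on devices where the 12 words are entered, the strength of the server-side blob against offline guessing depends on the word list size and the KDF cost.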