About Encryption

Hello, I need some advice about the security of my Nextcloud instance, which I use privately as a replacement for my Google account.

I run a Nextcloud instance on local hardware at home, which is physically accessible.

I have multiple encrypted backups (borg), at home and remote, so I am sure to never lose anything, in case of robbery or fire or remote attack.

At first I didn’t think my data was worth encrypting, but I realize now that anyone stealing my hard drive can have access to all my emails, IDs, insurance contracts etc.

I never store plain-text passwords, but I’m afraid I’m exposed to identity theft, and some kind of trouble if anyone with bad intentions steals my hard drive.

What would be a simple way to protect my data from this kind of attack? If I understand correctly, server-side encryption is useless here, since the keys are stored on the server itself. The only thing I can think of is full disk encryption, which I think is way overkill since I only need to encrypt some sensitive folders of my Nextcloud and not all my photos, movies etc.

Any help will do :)

What you need is the End-to-End Encryption app (end_to_end_encryption):

occ app:install end_to_end_encryption

You have to set up the encryption on your mobile device. Then you can enable it on your desktop client. Files are stored on the server fully encrypted and cannot be decrypted on the server, not even by you or an admin.

You get a mnemonic of 12 dictionary words when you create the encryption. That is the only thing you have to note down somewhere. Only with those twelve words are you able to decrypt the encrypted folder(s).
After you have created those encrypted folders, you can disable End-to-End Encryption on your device / client, so nobody can see the content of those folders, even if someone steals your mobile device or laptop with the client. You can enable End-to-End Encryption again at any time on the client of your choice by entering the mnemonic of twelve words.

I would recommend reading all the manuals about it thoroughly. I use it myself and am fully convinced of it. It’s industry-standard encryption and privacy.

Two possible solutions:

1: As @ernolf writes: use the E2EE app and feature. It brings some limitations, though.

2: As your concern is what happens if your HDD is removed (stolen), I suggest using whatever native whole-drive encryption is delivered with the OS you are running, or a built-for-purpose tool like VeraCrypt.

That is needed because the server must handle the data. Server-side encryption is only useful if you use external storage at a different hosting provider.

Nowadays it is normal to encrypt laptops, since they are also moved. Distinguishing between important and unimportant data is the wrong approach here. Everything is simply encrypted.

Whether it is likely that someone will break into your home and steal the hard drive of your Nextcloud is something you have to evaluate. Technically, hard disk encryption is not difficult. You just have to be more careful with backups.

Thank you for these insights. I don’t consider E2E a solution, since files aren’t readable from the web client, which is my main interface for accessing my files.

So I’m right to assume that I’d need to dig deeper into full disk encryption. Unfortunately, it’s not convenient at all once you have everything set up in production. I will take a look at VeraCrypt; it does seem interesting.

I’m answering myself in case anyone finds this thread useful.

Yes, I had to move to full disk encryption, using LUKS on Ubuntu, for both my OS SSD and my data HDD.
I had to buy a second-hand HDD to transfer data and backups for the temporary data migration.

I learnt in the process that data recovery is a delicate operation, especially when it comes to Docker containers and databases. You don’t only need to have backups; you also need to be able to restore everything on a brand-new OS with limited downtime.

I built scripts to extract data from backups and restore everything correctly.
For anyone concerned about this: yes, it is possible to remotely unlock (decrypt) the OS partition through SSH using Dropbear SSH, alongside OpenSSH for regular access.
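The setup the last two posts describe (LUKS on the data HDD, header backup, and Dropbear in the initramfs for remote unlock of the root disk) as an added example script. This is not code from the thread or from the Nextcloud project; it assumes Ubuntu 22.04 / Debian 12 paths for dropbear-initramfs (`/etc/dropbear/initramfs/`), a `/etc/default/grub.d/` drop-in for the kernel `ip=` parameter, and placeholder values (`/dev/sdb`, mount point `/srv/nextcloud-data`, port `2222`, `/root/unlock_key.pub`) that you would replace. The disk-touching steps run only when `RUN_LUKS_SETUP=1` is set; the two helpers at the top are side-effect free.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Ubuntu 22.04 / Debian 12
# dropbear-initramfs layout, GRUB drop-in support, placeholder device names.
set -eu

# ---- pure helpers -------------------------------------------------------

# One /etc/crypttab line: <name> UUID=<uuid> <keyfile> <options>
# 'discard' passes TRIM through to the SSD/HDD; it reveals which blocks are
# in use, which is usually acceptable for a home server. Drop it otherwise.
crypttab_entry() {
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$3"
}

# Dropbear options for the initramfs: -I idle timeout (s), -j/-k disable
# port forwarding, -p listen port, -s key-only logins. Rejects bad ports.
dropbear_options() {
    port=$1
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s' "-I 180 -j -k -p $port -s"
}

# ---- privileged steps (root) -------------------------------------------

# Encrypt a data disk with LUKS2, unlocked at boot from a random keyfile that
# lives on the already-encrypted root filesystem, and back up the header.
setup_data_disk() {          # DEV NAME MOUNTPOINT
    dev=$1; name=$2; mnt=$3
    keyfile=/etc/luks/$name.key
    install -d -m 0700 /etc/luks
    dd if=/dev/urandom of="$keyfile" bs=64 count=1 status=none   # 512-bit key
    chmod 0400 "$keyfile"
    cryptsetup luksFormat --type luks2 --batch-mode "$dev" "$keyfile"
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    uuid=$(cryptsetup luksUUID "$dev")
    crypttab_entry "$name" "$uuid" "$keyfile" >> /etc/crypttab
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$name" "$mnt" >> /etc/fstab
    mkdir -p "$mnt" && mount "$mnt"
    # A damaged header makes the disk unrecoverable: keep this file in the
    # (encrypted) borg backups together with the keyfile.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "/etc/luks/$name.header"
}

# Let the root disk be unlocked over SSH before the real OS is up.
setup_remote_unlock() {      # PORT PUBKEY_FILE
    port=$1; pubkey=$2
    apt-get install -y dropbear-initramfs
    conf=/etc/dropbear/initramfs            # older releases: /etc/dropbear-initramfs
    printf 'DROPBEAR_OPTIONS="%s"\n' "$(dropbear_options "$port")" > "$conf/dropbear.conf"
    install -m 0600 "$pubkey" "$conf/authorized_keys"
    # The initramfs needs an address before root exists; DHCP is the simplest.
    printf 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ip=dhcp"\n' \
        > /etc/default/grub.d/99-initramfs-ip.cfg
    update-grub
    update-initramfs -u
}

# Run from another machine after a reboot. The initramfs presents its own
# host key, so keep it in a separate known_hosts file to avoid conflicts with
# the OpenSSH key the server shows once it has booted.
remote_unlock() {            # HOST PORT
    ssh -t -p "$2" -o UserKnownHostsFile="$HOME/.ssh/known_hosts_initramfs" \
        "root@$1" cryptroot-unlock
}

if [ "${RUN_LUKS_SETUP:-0}" = 1 ]; then
    setup_data_disk /dev/sdb data /srv/nextcloud-data
    setup_remote_unlock 2222 /root/unlock_key.pub
fi
```

Two things worth checking after this runs: `cryptsetup luksDump /dev/sdb` should show a single key slot (the keyfile) and `lsinitramfs /boot/initrd.img-$(uname -r) | grep dropbear` should list the Dropbear binary and your authorized_keys. Because the data disk is unlocked from a keyfile on the root filesystem, its security is exactly that of the root disk's passphrase; the Nextcloud/Docker services should also be ordered after the `/srv/nextcloud-data` mount so they never start against an empty mount point.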