I see that in my config.php, there is a parameter called secret='blablabla..'. I have enabled server side encryption. Is the secret in my config.php the key to decrypt all data? stored in paintext? If so, I don’t understand the point of enabling server side encryption. My VPS provider (I know they won’t be interested) can get root access and see the secret in my config file and get all the data.
Also, as mentioned in Documentation about Encryption, the admin can decrypt any user’s data using the master key. How to disable this? Is there an encryption scheme that nextcloud supports which encrypts the data using user’s own keys?
The purpose of the server side encryption module has been to protect data stored on untrusted storage. A long time ago, that would be places like the google drive or dropbox apps, but it is also useful if an S3 bucket is used.
There is support for end-to-end crypto coming. It was announced quite some time ago, but it was a preview not recommended for use. There seems to be more work put into it again, but I am not sure when the do not use on production data disclaimer will dissapear. Please do note that using this comes with quite a few caveats.
I think it is all more complicated. Nextcloud is a file sharing software. There is a big problem with per-user-encryption if you want to share files with other persons. Other software ( e.g. https://www.dracoon.com ) uses javascript encryption but this is a security risk, too because you must trust the from the provider programmed and/or hosted javascript programs for clientside encryption and decryption.
server-side-encryption is a nice feature for third-party-filesystems (e.g. S3). Because i use a server my provider stores the data i do not use server-side-encryption. But i pay for my provider and i trust him. Also real private data i do not store there or i use zip-files with passwords.
Here a solution from a nextcloud provider.
Because client-side-encryption is not stable the provider recommends “duplicati”.
It uses WebDAV with Nextcloud and i think it works with all nextcloud servers.
You can use it only for your secret folders.
Watch the short movie.