Hi folks,
I have what I hope is a quick question looking for some clarification on encryption. While reading up on encryption on the Nextcloud encryption blog post, it mentioned that there are two methods to encrypt your storage… you can either do it with a server-wide key, or with a per-user key.
I recently inherited our Nextcloud environment from one of our employees who left not too long ago. We are set up so that there is an LDAP connection syncing people’s usernames and passwords from Active Directory, and he turned on encryption for the storage. If I understand everything correctly, I believe that employee enabled per-user encryption keys… when a user changes their AD password, they then need to go into the cloud and enter new and old passwords to update their encryption keys.
The problem we’re running into is that some users don’t use or access the cloud very often. So when multiple passwords go by in between logins, those users often don’t remember their password from the last time they used the cloud. If they don’t have password recovery enabled (which we’re finding, many don’t), my research appears to indicate that they may just be up a creek at that point.
So, my questions are…
- Is my assumption correct that per-user encryption keys are enabled on this server? Or is there a command to definitively tell for certain?
- If my assumption is correct, how do I make the switch from per-user encryption keys to server-wide keys? I’ve looked through the instructions related to encryption a couple times, and it looks like the only instructions I could find will result in per-user keys being turned on. Are there instructions floating around to make the switch to just using a server-wide key, or (if I decrypt the storage) enabling JUST a server-wide key?
- Is there any possibility of having the password recovery option enabled by default in the future, or any way to administratively enable it for all your users? If I’m sitting down one-on-one with a user to show them the cloud for the first time, the first thing I always do is make sure they turn that option on. But that doesn’t necessarily help me if I’m showing it to a whole department during a presentation or if some users find out about the cloud from another user.
Thanks for any info you’ll be able to provide!
Tom Londe