Data security / Passwords

CGG · August 17, 2022, 10:15am

Hello!

is there any option to ASK password each time (official Nextcloud Apps) (win-mac) just like mobile app (face-id on each load or PIN) on every system start as well as on each “sleep mode” return and so on… meant need to secure folders with user authorization

and is there any option to hide folders data as well if user are logged out?

upd: AWS @ LEMP - Nextcloud latest, for personal use

Thanks.

bb77 · August 17, 2022, 11:01am

Hi @CGG

I’m nort sure if there is such an option. But I don’t think it would make much sense if you had to login to the Desktop Client everytime you login to your system. The hole point of a synchronisation client ist to automatically sychronize the files on your Nextcloud to your computer. If you don’t want those files to be permantly available on your computer, you could use either the WebUI, where you obviously can log out after you are finished using it, or you could map your Nextcloud as a WebDAV drive and don’t save the password, so you have to enter it again, when you re-connect the drive.

No. And again, that doesn’t make much sense imho. If you don’t want the files on the computer, don’t sync them.

But maybe you could explain in more detail why you would need such features, respectively what the threat vector is from which you are trying to protect you. Most likely, there are better methodes or workflows to protect yourself against those threats, than the ones you are proposing.

CGG · August 17, 2022, 11:11am

Hi, Thanks for fast reply!

got the idea, it seems i just need use WebDAV as an option, avoiding using official Desktop client

idea is to hide personal data from unauthorized use nothing special, that aint meant i need some strong protection with encryption and that, just in case of loosing laptop and that, cloud is a cloud, and once app not logged = no data on it.

bb77 · August 17, 2022, 11:20am

Yeah that’s an option for sure. And I forgot to say that you can logout from the Desktop Client too. But the files that are already synchronized, will of course remain on the hard drive of your computer.

The best way to achieve that is to encrypt the local drive of your laptop, maybe in combination with Secure Boot. Newer Windows Laptops are using this by default. If you are using Linux you have to fidle arround with things a little bit, especially if you want to integrate it with Secure Boot. However most distributions provide a drive encryption option in the installer nowdays, which automatically encrypts the drive with a password, which you then have to enter in order to boot the OS. For common threats, this method is safe enough, in my opinion.

devnull · August 17, 2022, 11:29am

@CGG and @bb77
To not download files to the client additional to WebDAV maybe you can use the Nextcloud client (with your problems above) and the option virtual files.

bb77 · August 17, 2022, 11:31am

Good point. I forgot about that.

@CGG
But you also have to manually uncheck / delete the local copy again after you used it, otherwise the files you used with VirtualDrive will remain on the local drive, at least for some time.

Not something I would do, but maybe there is a way to script the deletion of the local copys created by VirtualDrive… Then you could run this script before every shutdown.

devnull · August 17, 2022, 11:33am

@CGG
Because of temp files and security reason please encrypt your hdd/ssd. If your computer is stolen, parts of your data may be accessed. But if you always unlock your pc then i think you do not need an additional password for your Nextcloud Client.

bb77 · August 17, 2022, 11:36am

This! And then the other things we have discussed are probably not even necessary anymore.

devnull · August 17, 2022, 11:38am

Yes, with an encrypted hard disk you can leave confidential data lying around on the hard disk with a clear conscience, including passwords or keys (without passwords) to remote systems.

CGG · August 17, 2022, 12:26pm

Thanks for your answers, All!

i ll check this option

i have a reason to not encrypt entire partition nor using some containers-drives
that the reason to find way to use Nextcloud infrastructure to private data storage.

but system password (windows) is nothing to secure private data, right?

interesting idea, need to check dev docs, that could be great with scripting on the server back-end
dropping session / wiping files

devnull · August 17, 2022, 12:29pm

Yes. You might as well do without the password altogether.

Seems to me somehow a crutch

And wipe every time seems to me a crutch, too.

Then maybe use only browser with “Private browsing” to access Nextcloud.

bb77 · August 17, 2022, 12:39pm

I cannot think of a good reason…

If your drive is encrypted, it is as secure as your password and you can further enhance security by using MFA. But If your drive is not encryted, anybody can just remove the drive and connect it to another computer, or boot from a usb drive and access the data that way. Ok the latter can maybe be prevented or at least made more difficult with appropriate BIOS settings and a BIOS password. Nevertheless, there are imho no good reasons to omit the encryption. Except maybe on really old hardware.

CGG · August 17, 2022, 1:40pm

jeje

well, absolutely right
so that the answer why i still looking to make secured cloud, and avoid using entire partition encryption