Do NextCloud exports contain encrypted data?

Hi,

I am currently backing up my Nextcloud instance using the nextcloud.export Linux command and I was wondering if the export contains the encrypted data of my users and, if so, could the data be decrypted if the exported data got into the wrong hands? I.e. are the private keys also contained in the export?

If the private keys are not in the export then how exactly does the nextcloud.import command work?

Thank you for your time :slight_smile:

Because of “nextcloud.export” I think you use “snap”. I do not use a snap installation.

Which kind of encryption do you use? Do you use server-side encryption or client-side encryption?

If you use server-side encryption then I think you will find the encryption/decryption key in config/config.php. Server-side encryption is more a feature to encrypt data in another space (e.g. primary or external storage on S3). If you host the key and the data on the same Nextcloud server, the provider and the owner of the backup can (and must) decrypt the data.

If you use client-side encryption then there is no key on the Nextcloud. The data could not be decrypted with the backup containing config.php and data.

For both kinds of encryption:
Please develop a backup and restore concept. Please test it.

I’m not exactly sure what you mean by client-side encryption. Do you mean if I encrypt my files locally on my PC and then those files are synchronized to NextCloud?

I run my own NextCloud server at home, there’s no external synchronization to AWS or anywhere else.

Primarily what I’m concerned about is data theft. If my backups were stolen could they be decrypted?

OK. Please explain which encryption you use. Where and how have you configured it?
If you have no encryption you can ZIP your backup and use a password for it (use 7-Zip).

I have the “Default encryption module” app installed and the “Server side encryption” and “Encrypt the home storage” options enabled.

I can’t use 7zip because password protecting it means putting a password in plain text in the backup script.

OK, this is server-side encryption. Please test your backup and restore.

Yes. But on the server the encrypted data can also be decrypted. So you can use a plaintext password on the server and not copy it to the client side, e.g. external HDDs/SSDs or cloud storage like Dropbox.
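
As an added example (not part of the thread and not Nextcloud's own tooling): a Python check that walks a backup tree and reports whether encrypted files, key material and config.php are stored together, which is the situation the replies describe for server-side encryption. The `HBEGIN:` file header, the `files_encryption` directory name and the `'secret'` config entry are assumptions about the backup layout; the sample tree is constructed.

```python
import os
import re
import tempfile

HEADER = b"HBEGIN:"            # assumed: prefix of files written by the encryption module
KEY_DIR = "files_encryption"   # assumed: directory name that holds server-side key material
SECRET_RE = re.compile(r"['\"]secret['\"]\s*=>")  # assumed: 'secret' entry in config.php

def audit_backup(root):
    """Report whether ciphertext, keys and config.php sit in the same backup."""
    report = {"encrypted": 0, "plaintext": 0, "key_dirs": [], "config_secret": False}
    for dirpath, dirnames, filenames in os.walk(root):
        if KEY_DIR in dirnames:
            found = os.path.join(dirpath, KEY_DIR)
            report["key_dirs"].append(os.path.relpath(found, root))
            dirnames.remove(KEY_DIR)  # do not descend: key files are not user data
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "config.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report["config_secret"] |= bool(SECRET_RE.search(fh.read()))
                continue
            with open(path, "rb") as fh:
                kind = "encrypted" if fh.read(len(HEADER)) == HEADER else "plaintext"
            report[kind] += 1
    # True when a stolen copy would carry the keys next to the data they protect.
    report["keys_with_data"] = bool(
        report["encrypted"] and report["key_dirs"] and report["config_secret"])
    return report

def build_sample(root, include_keys=True):
    """Constructed sample tree; every name and value here is made up."""
    files = {
        "config/config.php": b"<?php $CONFIG = array('secret' => 'CONSTRUCTED');",
        "data/alice/files/notes.txt": HEADER + b"constructed-ciphertext",
        "database/dump.sql": b"-- constructed dump, not encrypted",
    }
    if include_keys:
        files["data/files_encryption/master.privateKey"] = b"constructed"
        files["data/alice/files_encryption/keys/fileKey"] = b"constructed"
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_backup(tmp))
```

A `plaintext` count above zero shows files in the backup that carry no encryption header at all, such as the database dump in the sample.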