Encrypt the home storage

I’ve been enabling encryption against home storage as a matter of default recently, though I just stumbled across this:

Encryption keys are stored only on the Nextcloud server, eliminating exposure of your data to third-party storage providers. The encryption app does not protect your data if your Nextcloud server is compromised, and it does not prevent Nextcloud administrators from reading user’s files. This would require client-side encryption, which this app does not provide. If your Nextcloud server is not connected to any external storage services then it is better to use other encryption tools, such as file-level or whole-disk encryption.

Indeed I noticed I can SSH into the server and see the files in each user directory with no issue.

I’d pictured encryption being done through some process involving keys and the database to chunk uploaded files into useless, undeterminable blobs on disk (that is to say NC does the encryption on the application layer before spitting the result onto disk).

So what is the purpose of home storage encryption if it doesn’t obscure uploads on disk as they’re added please?

when your data encrypted by nextcloud and stored on an external provider like google-drive (for example) they would have to crack the encryption to read it.

That accounts for the server side encryption, but not the home directory encryption @sackla

Seeing files is one thing. Being able to read the content is another one. The file names are not encrypted. Test case: put a new text file into your Nextcloud, then try to read the content via shell access.

I can read the contents of the file perfectly fine :slight_frown:

Also on new files?
There are little benefits of using encryption on the home storage. if you want to encrypt data, rather use hard disk encryption. Some providers use it to pretend that they don’t read their user’s data. The problem is that they can do it anyway (or being forced to do it).

That was a new file @tflidd on a user I created after enabling encryption.

That’s what I’m figuring; if disk encryption is essentially the same (better) than this, what does this offer? Inability to read userdata is exactly what I’m looking to achieve, though in order for that to be the case the onus is on the user to encrypt on the client side, which requires 3rd party software as it’s not possible with the desktop client today.

Hrmph :slight_frown:


I have the encryption turned on my server and i created a new user and placed a file and i was not able to see anything when i opened the file, it looks as it’s encrypted.

@AndyXheli do you have both home and server-side enabled? I’m only using home.

Well that isn’t overly clear.

Thanks Grouch :slight_smile:

I have both enabled.

Default encryption module: Enabled
Server-side encryption: Enabled
Encrypt the home storage: Enabled


maybe I am blind, but I don’t know of any other built-in encryption features?
please specify “home directory encryption” or point to the documentation or admin setting you are talking about.

– message sent mobile –

---- Jason Bayton schrieb ----

[https://help.nextcloud.com/user_avatar/help.nextcloud.com/jasonbayton/45/297_1.png] JasonBaytonhttps://help.nextcloud.com/users/jasonbayton
January 5

That accounts for the server side encryption, but not the home directory encryption @sacklahttps://help.nextcloud.com/users/sackla

Feel free to take a look at the screenshots I’ve supplied above.

@Guillaume I reverted your edit because it poses an interesting question -
I hadn’t thought about external storage up to this point, but it would appear it’s mandatory then in order to encrypt home storage.

I really only wanted home storage.

Additionally, would federated shares be affected?

I do not understand the difference in “enable server side encryption” and “encrypt home storage”, and how can you have home storage encryption without enabling server side encryption?
I enabled both of these when I setup my Nextcloud server and everything has been working fine. However I just tried migrating photos from Google and cannot open them. The log file says “bad signature”.