Hi, I’m new to linux systems etc. I managed to install and run nextcloud on ubuntu server. But I have some concerns about security. I don’t know how this is working on linux machine, but in Windows you just encrypt whole drive, enter password to decrypt and it’s done. I have latest version of linux, and nextcloud. Server is installed in raid1. I tried to just enable encryption on server side in nextcloud administration settings and checked encrypt main catalog, becouse netxtcloud and storage is on the same hdd. But when I have this enable I can make a folder, but I can’t upload any files to it. I’m getting an error: “encryption is not ready: multi key encryption failed nextcloud”. When I disable root catalog encryption, everything is working fine again. So maybe whole disk encryption? Like:
As I said, Linux is not mine primary system, I’m just starting. So if I go with the instructions in this article do I lose access to my files, or it will format the drive? How I could be using my nextcloud on another pc when my drive would be encrypted?
What I’m trying to achieve:
I have my PC with server and nextcloud installed in my home. And lets say, someone steals my PC, than he will have access to my files, and I don’t want that
In Windows if I have hdd ecnrypted, no one can get to my files if he stole my pc and dosn’t know the password, and if he steals the drive it will be also useless to him. I’m trying to just secure my data
With LUKS you can encrypt the whole drive, similar to what Bitlocker does on Windows. But I would say, support on LUKS is kind of beyond the scope of this forum, because that’s a Linux thing and has nothing to do with Nextcloud. Nextcloud doesn’t even know whether your drive is encrypted or not.
Note: Server-Side Encryption doesn’t provide the same level of protection as LUKS, in case someone gets physical access to your server. In order to, get a full, or near “Zero-Knowledge” setup you would have to use Client Side End-to-End encryption. Read here for details on the differences between the two encryption types and the thread models they can protect you from:
I’m not a security expert, but It should give you a similar level of protection as Bitlocker on Windows. So yes if someone gains physical access to your server, he or she can’t access the data on the encrypted partitons, without entering the password.
Nextcloud keeps the files in its dafolder. So it depends on how you installed / configured Nextcloud, respectively where your data folder is located. If the data folder is located on an encrypted disk or partition, then yes, your data is protected from physical access.
Nextcloud server side encryption is not really useful because an attacker can easily copy all encrypted files and decrypt them because the key is also on the server. Nextcloud server side encryption is more useful if you host the data on another server e.g. S3 storage at an different provider. https://en.wikipedia.org/wiki/Zero-knowledge_proof (e.g. Amazon S3 only sees encrypted data)
You can use linux e.g. luks mechanism for encryption. But if the server is running the data in not encrypted. But if the server is stolen, it makes sense.
It is a risk to encrypt the data. Especially for beginners. You can lost all data. Make a backup of all data without encryption or with another encryption. You better buy a safe for the not encrypted backup.
Search the internet for full but also partition encryption with luks. Maybe it is enough if you only encrypt the partitions with the Nextcloud data and the Nextcloud database.
For purely private use and unimportant files, I would perhaps do without it. You can encrypt very important data end-to-end with Nextcloud. However, this only works with the Nextcloud apps and not with the browser. This is not the server side encryption you posted in your first post.
You can also zip files encrypted first and then upload them to your Nextcloud. That I use with always the same and quite simple password. Also you can use tools e.g. Cryptomator.
I was under the impression you already did that…?
You have answered your own question with this post: Yes it’s possible! But I’m not going to watch the video in order to answer you whether the instructions in the video are correct… If you want to use it, make yourself familiar with how LUKS works, and try it on a test system first.
In general I think that LUKS is unproblematic, and it’s definitely less problematic or risky than Nextcloud’s built-in encryption methods. The only downside is, that you have to enter your password every time you reboot your server.
Other than that make sure you have a recent backup of your files before you start, like @devnull already said. This should actually go without saying, because something can always go wrong, and you always should have backups of all your important data.