Hi, I’m new to Linux systems etc. I managed to install and run Nextcloud on Ubuntu Server. But I have some concerns about security. I don’t know how this works on a Linux machine, but in Windows you just encrypt the whole drive, enter the password to decrypt and it’s done. I have the latest version of Linux and Nextcloud. The server is installed in RAID1. I tried to just enable encryption on the server side in the Nextcloud administration settings and checked encrypt main catalog, because Nextcloud and the storage are on the same HDD. But when I have this enabled I can make a folder, but I can’t upload any files to it. I’m getting an error: “encryption is not ready: multi key encryption failed nextcloud”. When I disable root catalog encryption, everything works fine again. So maybe whole disk encryption? Like:
Disk Encryption in a Linux Environment (oracle.com)
As I said, Linux is not my primary system, I’m just starting. So if I go with the instructions in this article, will I lose access to my files, or will it format the drive? How could I use my Nextcloud on another PC if my drive were encrypted?
What I’m trying to achieve:
I have my PC with the server and Nextcloud installed in my home. And let’s say someone steals my PC, then he will have access to my files, and I don’t want that.
In Windows, if I have the HDD encrypted, no one can get to my files if he steals my PC and doesn’t know the password, and if he steals the drive it will also be useless to him. I’m trying to just secure my data.
This will be a question for Ubuntu server if your goal is:
LUKS / Full disk encryption is done when installing Ubuntu. See their documentation or search around for setup details.
But that doesn’t answer my question: What can I do to secure my files?
So I encrypted my home folder using that tutorial:
Ubuntu 20.04 Tutorial: Encrypt Ubuntu After Installation (Home Folder & Swap Space) - YouTube
So the question is, are my Nextcloud files even stored in my home folder? Has this encryption secured my files?
With LUKS you can encrypt the whole drive, similar to what Bitlocker does on Windows. But I would say, support on LUKS is kind of beyond the scope of this forum, because that’s a Linux thing and has nothing to do with Nextcloud. Nextcloud doesn’t even know whether your drive is encrypted or not.
Other Options provided by Nextcloud:
Nextcloud Server Side Encryption: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html
Note: Server-Side Encryption doesn’t provide the same level of protection as LUKS, in case someone gets physical access to your server. In order to get a full, or near “Zero-Knowledge” setup you would have to use Client Side End-to-End encryption. Read here for details on the differences between the two encryption types and the threat models they can protect you from:
I’m not a security expert, but it should give you a similar level of protection as Bitlocker on Windows. So yes, if someone gains physical access to your server, he or she can’t access the data on the encrypted partitions without entering the password.
But does nextcloud keep my files in my home directory, or somewhere else where is not encrypted?
Nextcloud keeps the files in its data folder. So it depends on how you installed / configured Nextcloud, respectively where your data folder is located. If the data folder is located on an encrypted disk or partition, then yes, your data is protected from physical access.
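The check described in this reply, as an added example that is not part of the original thread: the script reads `datadirectory` from Nextcloud's `config.php` and tests whether the block device under that path has a dm-crypt (LUKS) layer. The config contents and device chains below are constructed samples, and `check_live` and the helper names are illustrative.

```shell
#!/bin/sh
# Added example: is Nextcloud's data folder on a LUKS (dm-crypt) volume?

# Print the 'datadirectory' value from a Nextcloud config.php read on stdin.
nc_datadir() {
  sed -n "s/^[[:space:]]*'datadirectory'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" | head -n 1
}

# Succeed if a device-type chain on stdin (one TYPE per line, as printed by
# `lsblk -s -n -o TYPE <device>`) contains a dm-crypt layer.
chain_has_crypt() {
  grep -qw 'crypt'
}

# Live check on a real server; needs read access to config.php.
check_live() {
  _dir=$(nc_datadir < "$1") || return 2
  [ -n "$_dir" ] || { echo "no datadirectory in $1" >&2; return 2; }
  # Device backing the filesystem that holds the data folder.
  _src=$(findmnt -n -o SOURCE --target "$_dir") || return 2
  # -s walks from that device down to the physical disks (LVM, RAID, LUKS).
  if lsblk -s -n -o TYPE "$_src" | chain_has_crypt; then
    echo "$_dir is on $_src: encrypted at rest (dm-crypt/LUKS)"
  else
    echo "$_dir is on $_src: NOT on an encrypted block device"
    return 1
  fi
}

# Constructed samples so the parsing can be tried offline.
sample_config() {
  printf '%s\n' "<?php" "\$CONFIG = array (" \
    "  'datadirectory' => '/srv/nextcloud/data'," ");"
}
sample_chain_luks()  { printf '%s\n' crypt raid1 part disk; }  # LUKS on RAID1
sample_chain_plain() { printf '%s\n' raid1 part disk; }         # no LUKS layer

echo "data folder in sample config: $(sample_config | nc_datadir)"
sample_chain_luks  | chain_has_crypt && echo "sample LUKS chain: encrypted"
sample_chain_plain | chain_has_crypt || echo "sample plain chain: not encrypted"
```

On a real server, call `check_live` with the path to your own `config/config.php`, as a user who can read that file. The database may live on a different partition and needs the same check.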
Nextcloud server side encryption is not really useful because an attacker can easily copy all encrypted files and decrypt them because the key is also on the server. Nextcloud server side encryption is more useful if you host the data on another server e.g. S3 storage at a different provider. https://en.wikipedia.org/wiki/Zero-knowledge_proof (e.g. Amazon S3 only sees encrypted data)
You can use Linux, e.g. the LUKS mechanism, for encryption. But if the server is running, the data is not encrypted. But if the server is stolen, it makes sense.
Can I do that on existing linux server installation?
luks encryption or what?
Is it really useful?
Post something about your environment, location, goal, data, …
Yes, LUKS. I just like to have all my files encrypted. So if someone steals my drives or server, he cannot access the files.
It is a risk to encrypt the data. Especially for beginners. You can lose all data. Make a backup of all data without encryption or with another encryption. You better buy a safe for the not encrypted backup.
Search the internet for full but also partition encryption with luks. Maybe it is enough if you only encrypt the partitions with the Nextcloud data and the Nextcloud database.
For purely private use and unimportant files, I would perhaps do without it. You can encrypt very important data end-to-end with Nextcloud. However, this only works with the Nextcloud apps and not with the browser. This is not the server side encryption you posted in your first post.
You can also zip files encrypted first and then upload them to your Nextcloud. I do that, always with the same and quite simple password. You can also use tools, e.g. Cryptomator.
I was under the impression you already did that…?
You have answered your own question with this post: Yes it’s possible! But I’m not going to watch the video in order to answer you whether the instructions in the video are correct… If you want to use it, make yourself familiar with how LUKS works, and try it on a test system first.
In general I think that LUKS is unproblematic, and it’s definitely less problematic or risky than Nextcloud’s built-in encryption methods. The only downside is that you have to enter your password every time you reboot your server.
Other than that make sure you have a recent backup of your files before you start, like @devnull already said. This should actually go without saying, because something can always go wrong, and you always should have backups of all your important data.
This vague question is outside of Nextcloud in how it is written.
Closing this thread for now since Ubuntu and Linux questions can be asked elsewhere.