FDE vs FLE and implementation

Only just realizing now that the file encryption in Nextcloud is more useful for external storage, I’m looking for an alternative. Did anyone apply FDE or FLE on their system?

Quoted from Nextcloud docs.

Warning

Encryption keys are stored only on the Nextcloud server, eliminating exposure of your data to third-party storage providers. The encryption app does not protect your data if your Nextcloud server is compromised, and it does not prevent Nextcloud administrators from reading users’ files. This would require client-side encryption, which this app does not provide. If your Nextcloud server is not connected to any external storage services then it is better to use other encryption tools, such as file-level or whole-disk encryption.

Note also that SSL terminates at or before Apache on the Nextcloud server, and all files will exist in an unencrypted state between the SSL connection termination and the Nextcloud code that encrypts and decrypts files. This is also potentially exploitable by anyone with administrator access to your server. Read How Nextcloud uses encryption to protect your data for more information.

I started to look into this subject when my Collabora setup did not work with default Nextcloud encryption enabled and did when disabled.

Also, how would this work, granting www-data access to the /data dir? And what about decrypting it on a VPS, when you have no physical access to the machine? And the SQL user’s access to the DB?
This is just a brain fart; still reading up on the subject as we speak. I thought it might be useful for some users to look into the subject.

Here is an article about FDE and FLE


You can use full disk encryption or file level encryption on your server together with Nextcloud. It’s more an issue about how to set it up on your operating system. But like all server-side encryption, there is no protection when Nextcloud is running because Nextcloud will send an unencrypted version of the file. If someone steals the hard drive or gets their hands on the old disks, they can’t recover the files. Advantage of the FDE and FLE over owncloud encryption app is that they are much better tested and don’t have to deal with some specific problems (e.g. no user-specific encryption which is a challenge for sharing; on FDE/FLE everything is encrypted by the OS).

To defeat a malicious admin, you will need client-side encryption.
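A defender’s check for the OS-level setup described above, added here as an example that is not from this thread or from the Nextcloud project: it parses `lsblk --json` output (a constructed sample is embedded) and reports whether a dm-crypt layer sits under the block device backing the Nextcloud data directory. File-level encryption (eCryptfs, fscrypt) lives inside the filesystem and does not appear as a `crypt` device, so this only detects FDE; the data directory path is an assumption.

```python
import json
import subprocess

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output (not captured from a real
# host): root is LVM on top of a LUKS container, /srv/ncdata is a plain unencrypted partition.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "vda", "type": "disk", "mountpoint": None, "children": [
        {"name": "vda1", "type": "part", "mountpoint": "/boot"},
        {"name": "vda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptlvm", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]}]},
    {"name": "vdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "vdb1", "type": "part", "mountpoint": "/srv/ncdata"}]},
]})


def _chains(nodes, parents=()):
    """Yield every (ancestor..., node) chain in the lsblk device tree."""
    for node in nodes:
        chain = parents + (node,)
        yield chain
        yield from _chains(node.get("children", []), chain)


def encryption_status(lsblk_json, data_dir):
    """Find the mount backing data_dir and report whether a dm-crypt layer sits under it."""
    best = None  # (mountpoint, chain) for the longest mountpoint that is a prefix of data_dir
    for chain in _chains(json.loads(lsblk_json)["blockdevices"]):
        mp = chain[-1].get("mountpoint")
        if not mp:
            continue
        if data_dir == mp or data_dir.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, chain)
    if best is None:
        return {"mountpoint": None, "device": None, "encrypted": False}
    mp, chain = best
    return {
        "mountpoint": mp,
        "device": chain[-1]["name"],
        # any ancestor of type "crypt" means the data sits on a dm-crypt (e.g. LUKS) device
        "encrypted": any(node["type"] == "crypt" for node in chain),
    }


def live_status(data_dir="/var/www/nextcloud/data"):
    """Run lsblk on this host and check the real data directory (path is an assumption)."""
    out = subprocess.check_output(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"], text=True)
    return encryption_status(out, data_dir)
```

On the sample, `/var/www/nextcloud/data` resolves to `/` and is reported encrypted, while `/srv/ncdata/files` resolves to the unencrypted `vdb1`; `live_status()` runs the same check against the host you are on.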

Well, indeed every system has a specific use case. In my case I run a VPS and IMO FDE is out of the question; well, no one is going to run away with my .VMDK, it’s also located in a data center…

So I’m aiming at somewhat of a mix of FLE and client side, but I guess client side is hard to implement together with Nextcloud… Right?

There are efforts to implement it but as you said it is not so easy: https://github.com/owncloud/client/issues/4327. If you don’t need sharing you can use cryptomator.org or encrypted containers (VeraCrypt).

If your hoster retires old hard disks and sells them, someone could try and restore files.

You gave me some stuff to think about, good points. Will post my findings on implementing.

Todo:

  • Remote decrypt (VPS, FDE)

Use SSD drives which support FDE and use Intel’s AMT to manage them remotely. That requires using an enterprise motherboard and a processor which supports vPro.


Wow Oliver, thanks for the reply. But it’s a VPS hosted by a company, so no control over that. For home solutions that would do it if you have a small jar of gold, I guess 😜

Edit: at home I also use AMD…

Just checked the specs: the VPS contains Intel Xeon processors, so it might work… Going to read up on it, thanks again.

Ah, yes, if you only have access to a slice, then I think it’s pretty much game over with any server-side encryption since you don’t control the host, but it may be worth reading about the security mechanisms put in place by the hypervisor used, since there may be ways to segregate and protect all VPS resources…


True, but I did read an article about Ubuntu 14.04 with decryption over SSH, sounds hard I know. I’ll dig it up just a sec.

Edit: Can’t find it anymore but I found this, although I don’t know if this is really what I’m looking for.