File versioning app delete question (ransomeware protection)

According to the docs, old (deleted, versioned) files are purged when the storage reaches 50% of the user’s currently available free space. Depending on the versions_retention_obligation setting, various options can be set depending on aging.

But how exactly are files purged? Is purging done by calculating age of all old versions per file och is purging done by calculating age of all old versions for all files? The latter case can mean that files which have old timestamps can have no old versions at all?

The source for this question is to have a protection again ransomeware. If a client is infected, the storage on the server is starting to be populated with new (ransomware encrypted) version of all files. It sure would be nice if nextcloud at least cuold retain one old (not ransomeware encrypted) version of each file.
Of course, this also depends on the quota settings, but what next cloud setting shall I use to minimize file loss if ransomeware strikes?

From reading the docs, I understand that once reaching the quota, the oldest versions (more than 2 weeks old) of all files will be deleted (newer versions will be kept). For the ransomware problem, this should be ok, because the ransomware created a new version recently.
The absolute minimum quota would be 3 times the size of your total amount of data (the half of the remaining free space (2/3 of quota) would be 1/3 of the quota).

Please keep in mind, this can be useful for a customer to recover quickly some files but it has a few problems:

  • you completely rely on the versioning code
  • encryption could increase the file size
  • ransomware might figure out such kind of protection and circumvents it (creating random data, writing several times, …).
  • ransomware can have bugs encrypting several times, you can get more than one ransomware
  • …

only a real backup is really secure. Best is to have some offline backups as well. If people have important data, they can also do a manual copy on a usb stick from time to time.

Never rely on one strategy alone, allow failure (of a disk, of a software, of a person, …).

There are some more explanations for the setting in the config.php:

    /**
     * If the versions app is enabled (default), this setting defines the policy
     * for when versions will be permanently deleted.
     * The app allows for two settings, a minimum time for version retention,
     * and a maximum time for version retention.
     * Minimum time is the number of days a version will be kept, after which it
     * may be deleted. Maximum time is the number of days at which it is guaranteed
     * to be deleted.
     * Both minimum and maximum times can be set together to explicitly define
     * version deletion. For migration purposes, this setting is installed
     * initially set to "auto", which is equivalent to the default setting in
     * Nextcloud.
     *
     * Available values:
     *
     * * ``auto``      
     *     default setting. Automatically expire versions according to expire 
     *     rules. Please refer to :doc:`../configuration_files/file_versioning` for
     *     more information.
     * * ``D, auto``   
     *     keep versions at least for D days, apply expire rules to all versions 
     *     that are older than D days
     * * ``auto, D``   
     *     delete all versions that are older than D days automatically, delete 
     *     other versions according to expire rules
     * * ``D1, D2``    
     *     keep versions for at least D1 days and delete when exceeds D2 days
     * * ``disabled``  
     *     versions auto clean disabled, versions will be kept forever
     */
    'versions_retention_obligation' => 'auto',

Unless the actual storage size not reaches above 50% of my quota, there is still room for at least one old version of each file (encryption size not considered). How did you come to the conclusion that minimum quota would be 3 times the size of your total amount of data?

Besides this, I cannot stop thinking of the purge mechanism. Wouldn’t it be nice to have a setting which saves a minimum (configurable) old versions for each file when the actual storage size reaches above 50% of the quota?

Example: V2, auto
Keeps two old versions for each file, Automatically start expiring from version three and above, beginning at the file which have most number of old versions until storage quota is met.

V3, D10
Keeps at least three old versions for each file, Automatically expire all old versions which are older than 10 days, beginning at the oldest file version until storage quota is met.

And of course I cannot only rely on the server for my ransomeware protection. But it is a good start. :slight_smile:

It says that it “never uses more that 50% of the user’s currently available
free space” (https://docs.nextcloud.com/server/10/admin_manual/configuration_files/file_versioning.html).

So if you use 1/3 of the total quota, the available free space is 2/3 and half of it 1/3.

If you use 50% of the quota, you can only use 25% for versions (not all files).