Having Encryption issues with Object Storage

First of all, let me just say that documentation surrounding deploying Nextcloud and setting up Object Storage is lacking to a comical degree. I have had to learn how to use snap and reference commands from outside sources and obscure documentation pages outside the install. Furthermore, the article on setting up Object Storage is of virtually no use.

The problem I am having is with accessing the encryption keys. Normally these would be available in the /var/snap/nextcloud/common/data folder, for master-key deployments. However, this is not the case for deployments that wish to use Object Storage. One nuance of deploying Object Storage is that you must enable it before you can enable encryption - enabling the default encryption module requires that you log in, and logging in before setting up Object Storage in the config file breaks Nextcloud and disables any future possibility of using Object Storage.

So the problem is, how do we make copies of the encryption keys? It's impossible with Object Storage, because the keys themselves are stored in (in my case) S3, and because of the nature of Object Storage it's impossible to retrieve or use them. And because you can't enable Object Storage in Nextcloud after you've logged in to enable encryption, this poses a problem. It literally means that you have to pick between using Object Storage or double encryption.

This normally wouldn't be a problem. I could just as easily set up external storage mounts with S3 using the server encryption keys and S3 encryption and call it a day.

But in a HIPAA environment, this is not acceptable for two reasons. First, it would require employees without technical knowledge to reliably upload patient data to the correct folders, and failing to do so would leave patient files vulnerable as they would be left on the server, stored next to their own encryption keys. Secondly, S3 does not encrypt metadata, meaning that filenames containing patient information would theoretically be vulnerable to compromise, even if the actual file was not.

We are aiming for a theoretical maximum security instance, but at the same time we cannot have patient data become unavailable in the event hard drives fail and are unrecoverable. Having the encryption keys stored alongside objects in S3 is unacceptable, as it leaves data recovery to chance, even if regular database backups are maintained.

So I suppose the question is, how do I get a copy of the encryption keys used to encrypt data when Object Storage is being used as the primary file system?

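For readers following the ordering problem the post describes (primary Object Storage must be configured in the config file before the first login, because the first login initialises the data directory and the encryption module), this is what a primary S3 object store entry in Nextcloud's config.php looks like. It is an added example, not taken from the post or from the Nextcloud project's own files; the bucket name, endpoint, region and credential values are placeholders, and the snap config path named in the comment is an assumption based on the snap layout mentioned in the post.

```php
<?php
// Added example: primary object storage block for Nextcloud's config.php.
// Assumed location for the snap install: /var/snap/nextcloud/current/nextcloud/config/config.php
// Order matters, as the post notes: add this block BEFORE the first admin login.
// Once a user has logged in, the instance has initialised local storage and
// primary object storage can no longer be switched on.
$CONFIG = array (
  'objectstore' => [
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => [
      'bucket'         => 'nextcloud-primary',      // placeholder bucket name
      'autocreate'     => false,                    // create the bucket out of band with the policy you want
      'key'            => 'PLACEHOLDER_ACCESS_KEY', // placeholder, use a least-privilege IAM key scoped to this bucket
      'secret'         => 'PLACEHOLDER_SECRET_KEY', // placeholder
      'hostname'       => 's3.example.invalid',     // placeholder endpoint
      'port'           => 443,
      'use_ssl'        => true,
      'region'         => 'us-east-1',              // placeholder region
      'use_path_style' => true,                     // needed for many non-Amazon S3 implementations
    ],
  ],
);
```

With primary object storage enabled, every file, and as the post observes the encryption keys written by the server-side encryption app, is stored as an object in this bucket rather than under the data directory. That is why a file-level copy of /var/snap/nextcloud/common/data will not contain the keys in this configuration; any key backup strategy has to account for the bucket itself. Keep config.php readable only by the web server user, since the S3 secret in it is what protects the bucket contents.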