How do I block myself (server admin) from accessing my users' folders on my server?

I want to share my Nextcloud with friends, but understandably they need me to be unable to access their data, even though I wouldn’t do it. I can easily navigate into their user folders on my Linux server, where Nextcloud data is stored. Is there a way I, or they, can prevent me from seeing what’s inside their folders? If not block access directly, since I’m still the admin of the system, maybe somehow hide or encrypt the contents of the folders?

That’s the solution… encryption.
But, well, even this comes with some problems. Others could tell you more about it.

Anyway, that’s a general problem that does not only occur with NC. It’s valid for all online storage.

Or they could store password-protected zip-files.

As JimmyKater already pointed out, it is possible to encrypt the files, but then you lose all the “Cloud” functionality like sharing, online editing, etc., and your shiny cloud application becomes dumb storage. If you don’t encrypt content, there is no way to prevent access by the system admin. This statement applies to every solution (M365 and GSuite as well); the question is whether or not you trust the admin.

1 Like

Just tell them that they are responsible for encrypting their own files and folders. You just provide the storage.

If data encryption is important, it will always be up to them, because you will need access to their data in order to host it. :wink:

You must differentiate between different encryption types.

Server-side encryption
This encryption feature does not solve your problem. The admin on the Nextcloud server can still decrypt and access the data. It is more useful for External Storage (e.g. S3) if you do not trust the external cloud provider. I think most use this feature with the wrong ideas about security. Please do not use it.

The right encryption is End to End. This only works in the Nextcloud apps, but your users lose a lot of Nextcloud features (video).

The last right encryption type is the users themselves encrypting the data on their own, e.g. with encrypted ZIP files or other additional software.

I think the best thing is to use a Managed Nextcloud. I use different kinds of Nextclouds. On one Managed Nextcloud I am admin, but I have no access to other users or the filesystem. But then the app Impersonate is also a risk for the other users. Do not install the app.

The hoster has access to all data. But he will probably be even less interested in the data than you are.

2 Likes
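
The "users encrypt the data themselves" option from the replies above, as an added example that is not part of the thread or of Nextcloud: a file is encrypted on the user's machine with a passphrase-derived key before it is placed in the synced folder, so the server's data directory only ever holds ciphertext. It assumes the third-party `cryptography` package; the `CSE1` file layout, the function names and the folder name are made up for this illustration.

```python
import os
from pathlib import Path
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"CSE1"               # constructed format tag for this example
SALT_LEN, NONCE_LEN = 16, 12
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN

def _key(passphrase: str, salt: bytes) -> bytes:
    # scrypt makes offline guessing of the passphrase expensive
    return Scrypt(salt=salt, length=32, n=2**15, r=8, p=1).derive(passphrase.encode())

def encrypt_bytes(plaintext: bytes, passphrase: str) -> bytes:
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    # The header is bound as associated data, so it cannot be altered unnoticed.
    return header + AESGCM(_key(passphrase, salt)).encrypt(nonce, plaintext, header)

def decrypt_bytes(blob: bytes, passphrase: str) -> bytes:
    header = blob[:HEADER_LEN]
    if len(header) < HEADER_LEN or header[:len(MAGIC)] != MAGIC:
        raise ValueError("not a file produced by this example")
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    try:
        return AESGCM(_key(passphrase, salt)).decrypt(nonce, blob[HEADER_LEN:], header)
    except InvalidTag:
        raise ValueError("wrong passphrase or file was modified") from None

def encrypt_into_sync_folder(src: Path, sync_dir: Path, passphrase: str) -> Path:
    # A random name replaces the original one: file names, sizes and timestamps
    # remain visible to anyone who can read the server's data directory.
    out = sync_dir / (os.urandom(8).hex() + ".enc")
    out.write_bytes(encrypt_bytes(src.read_bytes(), passphrase))
    return out

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "notes.txt"          # constructed sample file
        src.write_bytes(b"private notes")
        sync = Path(tmp) / "Nextcloud"         # hypothetical local sync folder
        sync.mkdir()
        stored = encrypt_into_sync_folder(src, sync, "correct horse battery staple")
        print(stored.name, len(stored.read_bytes()), "bytes of ciphertext")
```

The passphrase never leaves the user's machine, which is also why a lost passphrase cannot be recovered by the server admin.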