I need to evaluate Nextcloud’s encryption options, and I’m using Nextcloud installed at a host provider. Could use some help with that.
The latest Nextcloud manual says: “If your Nextcloud server is not connected to any external storage services, then the encryption app does not protect your data if your Nextcloud server is compromised”.
I’m not entirely sure about the reasoning here. Are they referring to the fact that the encryption keys are stored within the server software, and that a potential intruder would be able to find those keys and understand how to implement them?
And if so, does this apply regardless of whether “Encrypt home storage” is enabled or not?
The manual continues: “If your Nextcloud server is not connected to any external storage services, then it is better to use other encryption tools, such as file-level, per-user keys, or whole-disk encryption”.
I can’t really find any information on how to implement and test ‘per user keys’ encryption on my server, and I can’t see any settings that seem related to it. How does this work, and is it dependent on server-side encryption?
Same thing with “Whole-disk encryption”? What is it and how does one implement it to test it? By the name it sounds like something one might do if Nextcloud is installed on a local disk in a local computer, and you encrypt that whole disk? The whole installation, everything. Or do I misunderstand it?
There is a setting in the admin Settings panel, under Personal Privacy. It says “Encryption: Your files are not protected by encryption”. And if I click it, the text changes to a checkbox setting option, labelled “This server is using full-disk-encryption”. I can then choose to check the checkbox or not. But it is not clear to me what this does to the server. Does this actually enable “whole disk encryption” on the host server disk? And if not, what does this checkbox do?
Thank you for any comments or help.