How secure is Nextcloud encryption?

If the server has been hacked and root access has been gained, does normal encryption with the standard module provide protection? Are only the masterkey file and the file to be decrypted needed for decryption?

The meaning of the documentation of the stable branch is not clear to me then:
docs.nextcloud.com/server/stable/admin_manual/configuration_files/encryption_details.html
It is said that there are four key types:

• master key
• public sharing key
• recovery key
• user key

Since these four types exist (or may only have existed in previous versions), this would imply that the decryption of a file requires both the key files and the input of a password. The documentation says:

The advantage of the master key encryption is that the encryption is transparent to the users but has the disadvantage that the server administrator is able to decrypt user files without knowing any user password.

The user keys are protected by the user passwords. The advantage is that the server administrator is not able to decrypt user files without knowing any user password […]

These two statements contradict each other. The former implies that no additional password entry is required for decryption, but the latter implies that a password entry is necessary, since the administrator naturally has access to the user key files. However, if both statements are correct, it would mean that using user keys would be safer in the event of an attack.
1. Does decryption always require the key file and his corresponding password? Is it also true in regard to the master key?

So even if our Nextcloud server was hacked, when using user key files, an attacker shouldn’t be able to decrypt the files unless they know the corresponding passwords. He would only have access to the publicly shared files, as the password for those is empty. He would also gain access to files that are encrypted with a master key, as the corresponding password ist written in the config.php.

Currently, it seems to be impossible to activate user keys on a fresh install of nextcloud 18.0.4.

occ $ encryption:status
  - enabled: true  - defaultModule: OC_DEFAULT_MODULE
occ $ encryption:disable-master-key
aborted.
occ $ encryption:enable-master-key
Master key already enabled

Disabling the master key and thereby enabling the user keys is aborted.

2. Has the activation of user keys and recovery keys been completely deactivated for performance reasons?

3. If a file is uploaded by a user, is it encrypted with the master key, the master key password from the config.php and his password? So it could be decrypted with the master key file and either the master key or the user password?

4. As soon as this user shares this file with another user, is this file also encrypted with his password?

Using the master key seems insecure, as the password for decryption is derived from the config.php and can be viewed as plain text.
5. Is there no way to change the master key?

Thank you for your help!

You are speaking of the server-side encryption. This is done on the server and once someone has root access, this can’t protect anything, they can intercept files after being encrypted, log passwords, …

The different options you have is just if you are able that you can reset new passwords. If that is enabled, a admin user can always recover files (and also check out user data).

The whole thing was designed to have protection on external storage, e.g. you Nextcloud communicates with your user and the data are stored at some storage provider. This storage provider would then only see encrypted data. If everything is under your control, there is no good protection and you increase the complexity of code. There have been a few users with problems and if there are problems and you need files quickly, you want to rely on tested backup recovery procedures.

I haven’t used the server-side encryption for some time to answer the other questions.

I’m exactly in the same thoughts at this time. I’m trying to use Group Folders together with encryption, and these two just don’t like each other. Best option is to turn off encryption, then Group Folders works, but it kind of makes you feel vulnerable.

I think part of Nextclophi’s question, is how well encryption can protect the contents of the Nextcloud installation if an intruder finds an unknown exploit or vulnerability. (unless I got it wrong)

Because, if an intruder has gotten his hands on user or admin credentials and password – and Nextcloud’s file encryption seems connected to login passwords – then we’re screwed. Nothing can stop him from getting to the files - but perhaps two factor logins?

So encryption wouldn’t help if someone logs in normally. Encryption would only potentially help if someone tried to … ‘dig themselves in from another direction than the front door’. And if so, which encryption would be the best option there. That’s my take on the question. However I hope I’m not hijacking the thread now.

You can create a user called “group1” an share it’s files with a group called “group1”. You can then have encryption for those files. There is no need for the group folders addon.

There are further questions regarding the passwords. If user or administrator passwords are stored unencrypted in the Nextcloud database, these security gaps should generally be closed quickly.

We have to distinguish between a temporary server break-in and a permanent one. In the event of a temporary break-in, it would be possible for a hacker to copy all the data. The question is whether the passwords of the users are exposed in the data, or whether the hacker would have to read the content of the connections between the Apache server and Nextcloud or the content of the internal memory to get the passwords. A much greater effort and a permanent breach would be required for the latter.

Most answers can be found in this document: https://www.infosecurityeurope.com/__novadocuments/590535?v=636929218648130000

1. Does decryption always require the key file and his corresponding password? Is it also true in regard to the master key?
Yes, decryption does require a password, which is stored in the php-session of a user. In a default nextcloud installation, all files can be decrypted with following two components:

1. the master key file and
2. a) the master key password, which is stored in plain text on config.php
   b) the user password of the file owner
   c) the user password of users with whom the file was shared
   –> Once your server was breached, your data is exposed when using the master key encryption instead of user key encryption.

2. Has the activation of user keys and recovery keys been completely deactivated for performance reasons?
The performance for shared files is slower when using the user key file encryption method. Nevertheless, when activating a recovery key, the performance issue is resolved, as the files will be encrypted with a recovery key. If I understand it correctly, however, the functionality differs from a master key. The recovery key is probably not stored on the server in clear text. Only the associated public recovery key is stored on the server. The recovery password must only be used when a user has forgotten his password.
Each encrypted file can be decrypted with any user password, of users whom those file is shared with. In case of a server breach, very versatile hackers might be able to log the passwords of currently logged in users and can decrypt all files, to which the user has access too. But they won’t get access to files of other users, unless they log their password as well.
The intruders have to use one of these options:

• Modification of the Nextcloud program code to intercept the user password or the private key.
• Memory dump at runtime to extract sensitive data such as keys.
• Record traffic
  Still, when using a regular master key, an intruder wouldn’t need to make those efforts.
  https://knowledgebase.hkn.de/knowledgebase/nextcloud-serverseitige-verschluesselung/

3. If a file is uploaded by a user, is it encrypted with the master key, the master key password from the config.php and his password? So it could be decrypted with the master key file and either the master key or the user password?
The file is encrypted with the public master key. It can be decrypted with either the master key password from the config.php oder with the user password.

4. As soon as this user shares this file with another user, is this file also encrypted with his password?
Yes.

5. Is there no way to change the master key?
This question is still open.

No, it does not.

From documentation:

https://docs.nextcloud.com/server/18/admin_manual/configuration_files/encryption_configuration.html

Warning

Encryption keys are stored only on the Nextcloud server, eliminating exposure of your data to third-party storage providers. The encryption app does not protect your data if your Nextcloud server is compromised, and it does not prevent Nextcloud administrators from reading user’s files. This would require client-side encryption, which this app does not provide. If your Nextcloud server is not connected to any external storage services then it is better to use other encryption tools, such as file-level or whole-disk encryption.

Note also that SSL terminates at or before Apache on the Nextcloud server, and all files will exist in an unencrypted state between the SSL connection termination and the Nextcloud code that encrypts and decrypts files. This is also potentially exploitable by anyone with administrator access to your server. Read How Nextcloud uses encryption to protect your data for more information.

Encrypting your data on the server does not prevent hackers from accessing files because the server needs to be able to decrypt the data for usage. The means of decryption is accessible on the system, therefore it is also recoverable by a hacker.

You can do full disk encryption to guard against physical theft of the server, and encryption of files to secure data on external storage. And of course you can use TLS to encrypt data in transit.

Beyond that, you have to take steps to secure the server against hacking. As with any other system, once the attacker has gained root access, that’s checkmate. At that point you’re done.

Hello Karl,
thank you for your answer!

However, it is only true in regard to the standard encryption with the master key. See my previous post.

Of course E2E-Encryption is always more secure, but not possible to realise for a multi-user Nextcloud without losing most of nextclouds functionality.

It’s true for the encryption options available with Nextcloud, both included and external.

If you want your data to be unavailable to the server hosting it, then the data must be unreadable to that server, which means no software on that server can read it either, e.g. running iSCSI over SSH and doing full disk encryption from the client side.

If you were to do client-side per-file encryption at the client, the files would sync, but there would be no way to use them through the web interface.

I’m reading hours through the net and come now to this nearly a year old article where the same questions are asked as I have but not fully answered:

If i disable Masterkey (enable userencryption) and disable recovery too the only way files can get exposed is:?

1. A hacker knows what he’s doing and he seddles between apache and nextcloud-code or read the user passwords from memory
2. A file is public shared

am I right?

Is this a stable setup?
We just wan’t to use standard file sync and share functionality, no 3rd party apps.

Thanks for your answers!

The really question is: Do you use external storage from an untrusted source?
Then and only then server side encryption is useful for security reason.

No we’re using lokal storage. But why is the documentation then saying if users loose their password the files wouldn’t be recoverable, just because its not in GUI?

The questions above are still active as I want to know it, even if there’s lokally always a way to look for passwords in memory or such things…

No, there are at least these two ways.

you just add one line of code and extract all the passwords over time. It’s not that difficult!

Either you can trust the server or not. If not there is no real protection with server side encryption, but you get all the disadvantages of this solution (more complex code, more difficult backup and restore, …). Use end to end encryption on not trusted server, or split the data with more sensitive one only on a trusted server.

OK so if sombody knows what to do its not rocketsience to get to the passwords when on the system… OK. But I have the same situation with external storage too - the external storage is safe but not if somebody has access to my system.

So customers have to trust their hoster and there’s no way to prevent Admins or hackers acessing this data then using E2E-Encryption with loss of funktionality.

Now its clear, thanks!

E2E is the only option if data privacy actually matters to you more than convenience. Loss of functionality is treated as a feature… that is what stops the hackers and admins. Good luck in your search.