If the server has been hacked and root access has been gained, does normal encryption with the standard module provide protection? Are only the masterkey file and the file to be decrypted needed for decryption?
The meaning of the documentation of the stable branch is not clear to me then:
It is said that there are four key types:
- master key
- public sharing key
- recovery key
- user key
Since these four types exist (or may only have existed in previous versions), this would imply that the decryption of a file requires both the key files and the input of a password. The documentation says:
The advantage of the master key encryption is that the encryption is transparent to the users but has the disadvantage that the server administrator is able to decrypt user files without knowing any user password.
The user keys are protected by the user passwords. The advantage is that the server administrator is not able to decrypt user files without knowing any user password […]
These two statements contradict each other. The former implies that no additional password entry is required for decryption, but the latter implies that a password entry is necessary, since the administrator naturally has access to the user key files. However, if both statements are correct, it would mean that using user keys would be safer in the event of an attack.
1. Does decryption always require the key file and his corresponding password? Is it also true in regard to the master key?
So even if our Nextcloud server was hacked, when using user key files, an attacker shouldn’t be able to decrypt the files unless they know the corresponding passwords. He would only have access to the publicly shared files, as the password for those is empty. He would also gain access to files that are encrypted with a master key, as the corresponding password ist written in the config.php.
Currently, it seems to be impossible to activate user keys on a fresh install of nextcloud 18.0.4.
occ $ encryption:status - enabled: true - defaultModule: OC_DEFAULT_MODULE occ $ encryption:disable-master-key aborted. occ $ encryption:enable-master-key Master key already enabled
Disabling the master key and thereby enabling the user keys is aborted.
2. Has the activation of user keys and recovery keys been completely deactivated for performance reasons?
3. If a file is uploaded by a user, is it encrypted with the master key, the master key password from the config.php and his password? So it could be decrypted with the master key file and either the master key or the user password?
4. As soon as this user shares this file with another user, is this file also encrypted with his password?
Using the master key seems insecure, as the password for decryption is derived from the config.php and can be viewed as plain text.
5. Is there no way to change the master key?
Thank you for your help!