How to make data inaccessible for the admin and still be able to use the web browser?

Hi all!

I am a longtime NextCloud user and admin and I am planning to upgrade my family-cloud from a Raspberry Pi 4 to a Pi 5 including a completely fresh install.
I am the administrator and my users have the valid argument that I can access all their data on the Raspberry Pi via SSH or so.

I saw that the E2EE (end to end encryption) feature would resolve that problem. But I (and all others) definitely want to access the data via a web browser on foreign computers like the working laptop or the like. Is there a way to make that possible like in that approach?

Is there a(nother) possibility that the NextCloud data files cannot be accessed from the Raspberry Pi by an administrator but can be accessed via a web browser?

Thank you for any help in advance!

Not really, no. Sorry, but that is the truth of it. You COULD use server-side encryption; however, you have access to the key, so that is empty insurance.

The only other way is external storage. However that pretty much defeats the purpose.

For now, there is no way to avoid that admins with access to the host system will be able to access the data.

Thanks for your answer!

That’s sad to hear… Is E2EE with browser access or something similar planned, do you know that?
How could external storage solve the issue?

Well, there is a paradox in E2EE and the browser, as the browser can leak the encrypted data simply because you would either have to enter a passphrase to decrypt it, or store the client certificate somewhere. The thing is that each browser is an independent client, hence every time you access with a “new” client, you need to go through the entire trust chain again. I am not that much into the details, but allowing it through the browser in the current design is an enormous effort.

External storage - or at least enabling that each user can mount their own external storage like a Google Drive, USB drive, network folder/FTP/Samba/whatever or similar - provides the freedom for each independent user to choose where files are located, which is NOT on the Nextcloud instance's own infrastructure. The NC admin cannot access those storage areas as they are not actually part of the file system. Rather, they mount as a folder for the personal user only. It is a less desired solution, as it is ugly.

The point is, though, that the Nextcloud server needs to be able to see and access the file to do file caching, indexing and enable search, as well as being able to create previews of photos and files if the user chooses to use the grid view. For this reason, no matter what solution you choose, you can always get the access needed if you have administrative rights to the config.php, as you will then be able to get the password for the database and to sudo as the account that runs the PHP code. It is inevitable.

Isn’t that a slight contradiction? :wink:

I mean, they want to open up sensitive data that not even you as a family member should be able to see on a foreign computer, in a foreign network infrastructure like a company network, where there is often SSL inspection in place, i.e. a MITM proxy that breaks the SSL connection, and thus the company’s network admins could theoretically read everything in clear text.

And even if the company doesn’t do SSL inspection, there could still be monitoring tools installed on the company client devices, in which case not even E2EE would help because the data has to be decrypted on the client to be used, so theoretically it could still be read by company admins.

Btw. E2EE can be used selectively. Users can encrypt individual folders containing very sensitive data and leave folders with less sensitive data unencrypted, which then would still be accessible via a browser, of course with the previously mentioned risks if done on a foreign device on a foreign network infrastructure.