How to properly enable server-side encryption on existing multi-user install?

Nextcloud version : 24.08 (Will soon be upgraded to 25.03)
Operating system and version : Unknown, likely Debian 11.6
Apache or nginx version : unknown, likely Apache
PHP version : 8.1

The issue you are facing:

This isn’t really an issue, rather a “good practice” question.

I want to increase security on a production NC install with about 25-30 active users, and containing sensitive files. All users have the NC desktop client synced. Additionally, most files are edited in-cloud with Collabora.

Since it has so many active users, what would be the proper way to enable server-side encryption for all user accounts, with the least amount of downtime / disruption and without leaving unencrypted crumbs behind?

As a second step, I want to enable 2FA to all users.
What will users need to do to prepare for this transition? What will happen to disabled user accounts? The documentation page doesn’t specify much, except that 2FA is compatible with existing authenticator apps. Where will users find their unique “seed” to turn on TOTP generation?

The last thing I want to see is users requesting a 2FA or password reset.

Do you use external storage? For that purpose the server-side encryption was designed. If you don’t use it, the benefits are very little and you potentially add a lot of complexity.

There were a few problems with Collabora (most of them resolved): Collabora not working with encryption - #36 by just
Also I’d look into how the master-keys are working in case someone forgets their password, and how to restore data from backups. There are a few topics here on the forum and github.

No, there’s no external storage, however the data on the server is sufficiently sensitive to request server-side encryption. In other words, the hosting company shouldn’t be able to read the data, even if they’re trustworthy.

Of course, Collabora must work even with encrypted data.

Also I’d look into how the master-keys are working in case someone forgets their password, and how to restore data from backups?

How would I do that? the hosting company does hold redundant backups in differents datacenters.

Then you need client-side encryption. Everything server-side, you can’t really protect from the hosting company.

The thing is that the whole backup strategy with server-side encryption gets more complicated, meaning they restore encrypted data and that doesn’t mean that you can use them, e.g. the server-side encryption signs the encrypted file with data from data base. If the backup of database and data are not done at the same time, that restore won’t work (however there are ways around to ignore the signing status, this way you will lose the information if someone tempered your data).

You’ll find a few topics here and on github, just a short random selection: