Nextcloud version 19.0.0
I’m using a docker-image on my VPS.
Here is the system report:
Link: http://87.118.120.187:5000/s/EgLcQFqp3ZTSKKk
Password: /QlVOXnOWa8i70xYegj+
I’m an amature sysadmin and quite new to NextCloud.
My issue:
Any rootprivileged user on my VPS can access the personal files of the users of my NextCloud-instance.
I found so far, that I should enable users to use end-to-end encryption.
I’ve looked through the manuals but seem to find only instructions on server-side encryption.
I also found this: https://nextcloud.com/endtoend/ but can’t really make sense of it.
Browsing these forums, I’ve found this: how-to-use-e2e-encryption/25487 (doesn’t help me) and this: Where can I find the clients that do e2e? which is mentioning a pre-release client.
The pre-release client does seem to be the right thing, but I have two questions, and my issue remains:
-
Since the introduction of e2e with NC 13, this feature is still a work in progress? It seems totally unreasonable to me that a sysadmin has easy and unlimited access to user-file content, to me it seems that protecting, or at least hiding data from unknown far-away sysadmins would be a core feature in any cloud storage system. Am I missing something here?
-
Why is it so hard to find sufficient and updated instructions on this? I’m an amature sysadmin, and had to spend several hours to first chew my way through the instructions on server-side encryption until finding that there actually IS an end-to-end feature, and then the search began for instructions on that. I could not find an app for it (at first) The above mentioned page https://nextcloud.com/endtoend/ has a nice graphic on how it works, but not on how it is done. I can’t find information on that page on how old the content is, until I download the whitepaper and realize that it is three years old! The forumthreads mention an app, so I searched for it by text and found it. Why does it not show in the tools or security categories? The appinformation (also on github) does not mention the need to download a special client, nor does it provide a link to one.
However, using the client (on Win 10), I still can do this on the backend:
´´´
root@myVPS:/opt/nextcloud/data/data/myNCuser/files# cat Documents/testing.txt
This should not be readable.
´´´
There doesn’t seem to be a readme anywhere with the link to the client, and it seems to be built in 2018.
My issue remains, I do not want to be able to read my users’ files in an easy way, and I can’t find instructions on how to achieve some kind of barrier (doesn’t need to be unbreakable, but I should not be tempted right away by seeing usernames and cataloguetrees without some extrasteps).
I’d be grateful if anyone could shed any light on this, and sorry if I’ve missed some fundamental sysadmin knowledge (I guess in /home/someUser, a user can easily set up some kind of encryption by themselves, but a nextcloud user can’t access the nextcloud backend, and even if they were also users on my VPS and granted access to their catalogue in the nextcloud backend, they wouldn’t be able to put in encryption there and use it from the frontend).
Thanks!
Update
As suggested in https://www.techrepublic.com/article/how-to-use-end-to-end-encryption-in-the-upcoming-nextcloud-desktop-client/
I’ve installed both the End to end encryption app and the Default encryption module app, I’ve logged out and in, I’ve rightcklicked and enabled encryption in the client on two of my folders, I’ve kicked out the non-e2e-client from my desktop, I’ve tried to fix the “invalid private key for encryption app”-message that bugs me in the webinterface, but I don’t seem to understand how (Profile -> Security asks about my old login and my new login and mousepointer hover-behaviour suggests links that however do nothing, but anyway I tried to change login password to nextcloud (and updated the client) so that I HAVE an old login…), I don’t understand the “add an app password” button in connection with the list of clients. And, I’m sort of out of ideas now. root can still read.