I am considering using a managed Nextcloud solution (whole instance, not single user). However I am concerned that they will have access to my data as they control the physical device. I am planning on using server-side encryption but also understand that this key is stored on the server. My question is: without my Nextcloud admin password, can someone with physical access to my machine, view my data unencrypted?
It is not really useful to use server-side encryption on a server if the software and data are on the same server. Normally server-side encryption is useful if you use a Nextcloud server and the data is hosted on external storage, e.g. as object storage at Amazon, Google, Microsoft, etc. Then Amazon, Google, Microsoft, etc. have no access, because the data is encrypted on the Nextcloud server and the key is never transported to the external hosting provider.
But a Managed Nextcloud is no problem.
You only have to trust your Nextcloud hosting provider for normal data.
And for really secure data you can use https://nextcloud.com/endtoend (video)
But the provider must support it and you can only use it on Nextcloud clients and not with the web client.
Perhaps not directly. But this is not really a security feature. The admin can perhaps copy the encrypted data and key to a local system and decrypt it there.
Thanks for your reply. So it seems that a managed dedicated Nextcloud instance is insecure by default and vulnerable to scanning. Too bad, I don’t have time to manage my own…
I know about e2e but choose not to use it for the majority of my files because it significantly reduces functionality.
This is not the case. Security, as I understand it, is always a multi-layer topic.
But having your hard drive encrypted during the server setup with something like LUKS is pretty secure. Its security will depend on the password you choose for the encryption. So no, the decryption key is not necessarily saved on the hard drive.
I do it like this with my vservers/root-servers.
On the other hand, one server I host has only an unencrypted VNC console where I type my strong password… so how safe is that?
But with most hosting providers you should also be fine regarding the connection over which you type your password.
My view, best
LUKS or HDD encryption is very nice. But while services are running the HDD must be decrypted. This is not a good feature for an HDD at a hosting provider. It is a good feature for portable laptops.
@devnull How do you think LUKS works?
There surely might be some side attacks (RAM issues? CPU issues? etc.). But the disk isn’t fully decrypted, i.e. rewritten, on boot, as far as I understood the concept. And so the keys are not easily accessible.
And it surely protects, as with your stolen laptop, from exploits through “physical access”.
But for a remote attacker who uses Nextcloud or SSH it is no extra security feature. It may be useful if someone breaks into the data center and steals the hard drive.
You are totally right! But that was not the question as I understood it.
And you are also right in implying that the most probable attack, for most users, is still a remote one.
@lebernd I think we are both right.
But I think a bad admin of a Managed Nextcloud would also copy the data rather than steal the physical device out of the data center. That is much too conspicuous. Someone could find out during an inventory, or when the software does not work anymore.
I think so too.
That is interesting though! Because I would consider LUKS safe in this regard. Maybe it depends a lot on the underlying VM technology too. Because: how would a copy process be carried out by a bad data center admin? You can of course copy the virtual disk in the data center, but can you decrypt it?
No. Perhaps “HDD admins” cannot access it. But “Nextcloud admins” have or need access.
Use of LUKS:
(s)cp /path/to/the/nextcloud/data /path/to/destination
Use of server-side encryption:
Copy the data and the database and use this video to disable server-side encryption on the “personal” copy (not tested).