Local home storage with encrypted remote storage

Hello,
I am currently planning to rebuild my Nextcloud instance.
My idea is to have a NAS at home with a Nextcloud installation and in a datacenter a Root-Server with an encrypted storage. This is so that the keys are not stored on the remote storage.

The goal is to have a copy of all my data on my local NAS and only a few specific ones on the remote server. This should allow me to be able to distribute large files across the datacenter server.
What is the best way for me to proceed now? On my root server is currently Proxmox with a CT container from Nextcloud AIO and I use Nextcloud’s own encryption technology.

The keys for the encryption are currently on the root server as well. The likelihood of someone breaking into my root server is significantly higher than breaking into my home.

I have thought about setting up an encrypted ZFS volume. However, my current server has too little memory for this (only 64GB). But an upgrade to a bigger server with 256GB is not excluded.
Furthermore, I use the Hetzner storage box as data storage, which is mounted via cifs and encrypted via LUKS2 with Argon2.

My Nextcloud instance will primarily store pictures and videos as well as documents.
Which implementation can you recommend to me?

My hardware looks like this:

  • Hetzner Root-Server (Proxmox) with 64GB Ram, 2x SSD, 2xHDD with Hardware RAID
  • Hetzner Storage-Box 10TB (attached via cifs, LUKS2 with Argon2)
  • TerraMaster T12 (Encrypted via LUKS2 with Argon2 and Yubikey Challenge Response)

Thank you and I kiss your eyes

Translated with DeepL Translate: The world's most accurate translator (free version)

Hi @Avedena

I’d say don’t overcomplicate things, and use Hetzner only for encrypted backups, because local compute power and storage are always cheaper than cloud compute and storage, and you don’t need compute for storing backups, which makes it even cheaper.

Not sure what your actual goal is, but if you need to be able to share files with high bandwidth needs, you could install another Nextcloud instance on a Hetzner VPS and then upload those files to that. Maybe you could make use of Nextcloud’s Federation feature to simplify this process…

EDIT:
Or you could of course do it the other way around, but keeping two separate Nextcloud instances in sync sounds like a lot of headache to me, and is probably not needed. Just make sure you have local backups of all your data on the respective site where it is served from, in addition to the off-site backups, because this shortens downtime in case a server goes down completely and has to be rebuilt and also has the side-effect that you are automatically going to comply with the 3>2>1 backup rule.

Thank you very much for your quick reply.
You have captured it correctly. I want to distribute large files at high speed through my (already existing root server).
With Nextcloud’s Federation technology, where exactly are the encryption keys stored? And is Luks2 encryption the right choice in my setup?
Thanks a lot and I kiss your eyes


LUKS is preferable to Nextcloud’s own Server Side Encryption, imho. However I’m not sure how to unlock the disk in a secure and automated way on a remote server to which you don’t have physical access. But that’s a bit beyond the scope of this forum anyways… :wink:

Honestly I don’t know if Federation even works with Nextcloud’s own encryption enabled. I’d guess it should work with Server-Side-Encryption enabled, because that is somewhat transparent to the application itself, but I’m pretty sure that it won’t work with End-to-End Encryption. However you won’t be able to use the latter anyways, or at least not for files you’re planning to share publicly…

Thank you very much for your quick reply.

The current approach is that after starting Proxmox I mount the encrypted container via a secure shell, which acts as local filesystem storage for the VM.

After the LUKS container is mounted I start the CT virtual computers.
Thanks a lot and I kiss your eyes

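As an added illustration of the unlock step described in the last post (example code, not from the thread's posters or from Proxmox/Nextcloud), here is a script for the Proxmox host that opens the LUKS2 container, mounts it and only then starts the CTs, with the passphrase arriving over the SSH session instead of living on the server. The container path, mapper name, mount point and CT ids are assumed defaults.

```shell
#!/bin/sh
# Unlock the LUKS2 container on the Proxmox host, mount it, then start the CTs
# that keep their data on it. Invoked from home over SSH so the passphrase only
# travels through the SSH session and is never written to the server:
#   printf '%s' "$PASS" | ssh root@HOST 'RUN_UNLOCK=1 sh /root/unlock-storage.sh'
# (hypothetical paths and CT ids below; override them via the environment)
set -eu

CONTAINER="${CONTAINER:-/mnt/storagebox/nextcloud.luks}"  # LUKS2 file on the cifs mount
MAPPER="${MAPPER:-nextcloud-data}"                        # becomes /dev/mapper/$MAPPER
MOUNTPOINT="${MOUNTPOINT:-/mnt/nextcloud-data}"
CTIDS="${CTIDS:-100}"                                     # CTs that depend on the mount

# Reject mapper names that would escape /dev/mapper or break the mount command.
valid_mapper_name() {
    case "$1" in
        ''|*/*|*' '*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the first 8 bytes as hex and check for the LUKS magic ("LUKS" 0xba 0xbe)
# followed by the big-endian version 0x0002. This fails early with a clear
# message, e.g. when the cifs share is not mounted and the path is empty.
is_luks2_header() {
    hdr=$(dd if="$1" bs=1 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$hdr" = "4c554b53babe0002" ]
}

main() {
    valid_mapper_name "$MAPPER" || { echo "invalid mapper name: $MAPPER" >&2; exit 1; }
    is_luks2_header "$CONTAINER" || { echo "$CONTAINER is not a LUKS2 container" >&2; exit 1; }
    if [ ! -e "/dev/mapper/$MAPPER" ]; then
        # --key-file=- reads the passphrase from stdin; feed it without a trailing newline.
        cryptsetup open --type luks2 --key-file=- "$CONTAINER" "$MAPPER"
    fi
    mkdir -p "$MOUNTPOINT"
    mountpoint -q "$MOUNTPOINT" || mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
    for id in $CTIDS; do
        pct status "$id" | grep -q running || pct start "$id"
    done
}

# Only run the privileged steps when explicitly asked; the checks above stay testable.
if [ "${RUN_UNLOCK:-0}" = 1 ]; then
    main
fi
```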