Dear Community
I did run a AIO installation on a old laptop in my flat. Unfortunately that laptop did die and im now looking into new solutions. I have currently 5 users which store varius stuff there. The biggest part is probably photos.
Currently im exploring the possibility to install my Nextcloud AIO on a VPS hoster. But I feel a bit uncomfortable that all my data would be unencrypted sit on a cluster.
I had the idea to mount a separate storage to my instance and move the data dir there.
To my understanding the key for the server side encryption is stored in the config.php file.
In a Docker AIO installation, where is the config.php file located? My Idea is, if that file (with the encryption key) is not located in the data that is stored in NEXTCLOUD_DATADIR, i would have a somehow encryptet data, without loosing to much functionality.
Server side encryption stores the keys in the data dir that would be on the same host. It will not protect you in the way you intend.
From the manual:
“If your Nextcloud server is not connected to any remote storage services, then it is better to use some other form of encryption such as file-level or whole disk encryption. Because the keys are kept on your Nextcloud server, it is possible for your Nextcloud admin to snoop in your files, and if the server is compromised the intruder may get access to your files.”
Perhaps a little additional information. Server side encryption only makes sense if you integrate external storage from a third-party provider. That is not the case with you.
If you run your Nextcloud at your VPS hoster you must trust him. For really critical data you can first crypt the data on your local system. You can e.g. crypt with external client tools e.g. ZIP-crypt or use Nextcloud End-to-End ecnryption.
My thinking about encryption comes not from lack of trust into a VPS provider. But things happen, mistakes are made.
Maybe this could be something that could be a way in the future. If we had the key and user data seperated and a diffrent storage is mounted for the user data, we would have a separation between the key and the data that is stored.