Lock out admin from user folders?

Nextcloud version: 12.0.4.3
Operating system and version: Debian 9 Stretch
Apache or nginx version: Apache 2.4.25
PHP version: 7.0

Hello,

I hope I am using the right topic.
As the title suggests I am the admin for the Nextcloud Server running on my Raspberry Pi 3.
My exact setup is as follows:

  1. Raspberry Pi 3 with local MariaDB database
  2. Nextcloud data directory located on my NAS (WDMCEX4100) mounted in the home directory of the Pi
  3. data directory is owned by www-data:www-data and is ‘chmod 0770’

I have full root access to the Pi running the NC server.

I want my family and friends to use the cloud if they so desire but understandably they will only use it if I can assure them that I have no possibility of accessing their stuff. Is it then possible to lock out the admin for the NC server, RPi and the NAS from the user’s shares? E.g. that something like “sudo mount //NAS/user1dir/” would not be possible on the Pi.

Thank you very much

Steve

You could do this with the user encryption. But: If people forget the password they will be doomed.
Security always has downsides. You can also test the End-To-End Encryption which was announced but I have not yet seen it working.

There is absolutely no way to configure any storage to not be “readable” by someone who is in control of the hardware (barring things that are specifically built to protect data, like a smart card). Someone with root access is God basically. This might be a good thing to keep in mind however. Any cloud provider can also read your data. They maybe don’t do it, but they can if they want to. Sure, it might be encrypted on the servers, but the provider still holds the keys.

What can be done to work around this is to make the data useless to the server admin, and that is by using encryption and only having the keys accessible to the user (note: the server-side encryption app does not solve your problem). End-to-end encryption is coming in Nextcloud 13, and can be activated on folder level by the user. Data stored within that folder is completely unreadable to the server admin, but if the user forgets the password, it is gone(?). There are also third-party solutions to achieve this. I personally use an application called cryptomator, which encrypts everything before passing it to the server. It is quite user friendly and fast, but it also suffers from the forget-password problem. Works with Google Drive etc, and also USB sticks. Nice for those “extra secret” things we all have.

Now, you also need to know two additional things:

  • Stuff in the database is still readable for the admin. That includes things like contact information and a lot of information stored in Nextcloud apps.
  • Using end-to-end encryption will make the files unavailable to apps, and you can’t do anything useful with them in a web browser. Cryptomator will also make the files unusable to the mobile app (cryptomator has its own, for $5) and make sharing useless. With time, this might be improved; it depends on what the developers think is more important when it comes to end-to-end encryption. Security and convenience are always trade-offs of each other.

So to summarize: No, you can’t lock yourself out of user folders; they need to encrypt them if they want to keep it secret, but it comes with costs. You also can’t lock away everything. If this will be enough for your friends depends on what they want to keep secret. If it is just certain files, like financial and medical data, then it can be done. If they want to keep everything away from you but still use the gallery app, then no, it can’t be done. I do however suspect they might be interested in knowing that they would be trusting you just as much as they do Google’s/Microsoft’s/Dropbox’s top IT staff.

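An added illustration of the point made in the post above (not code from the thread, from Nextcloud’s E2E app or from cryptomator): the client encrypts under a key derived from the user’s passphrase, so whoever has root on the Pi or the NAS only ever sees the stored blob, and a wrong or forgotten passphrase yields nothing. The construction is a constructed stdlib-only demonstration (PBKDF2, an HMAC-SHA256 counter-mode keystream, an HMAC tag), assumed here for portability.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demonstration only: PBKDF2 key derivation, an HMAC-SHA256
# counter-mode keystream and an HMAC tag. Not Nextcloud's E2E or cryptomator's
# format; a real client would use a vetted AEAD library instead.
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32

def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    # The passphrase never leaves the client; the server only ever sees the salt.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Keystream blocks are HMAC(key, nonce || counter); they get XORed with the data.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_for_upload(passphrase: str, plaintext: bytes) -> bytes:
    # Client side: this blob is all that lands in the data directory on the NAS.
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt_download(passphrase: str, blob: bytes) -> Optional[bytes]:
    # Client side again. A wrong or forgotten passphrase fails the tag check and
    # returns None: there is no admin-side recovery, which is the cost discussed above.
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    blob = encrypt_for_upload("correct horse battery staple", b"holiday photo bytes")
    print(len(blob), decrypt_download("correct horse battery staple", blob))
    print(decrypt_download("wrong passphrase", blob))  # None
```

Note that the file name and size still show up on the server, which is the metadata point raised in the post.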

This. It never hurts to educate people about the misconception that their data is safe and secure with a third party, just because they are a big name like Dropbox or Google. The bigger the database, the more hands that are in the cookie jar, and the more potential for people reading your data whether or not they admit to doing so.

At least with server side encryption, it’s not as easy for you as the admin to read the data. You would need to go through more steps to get at it than just browsing the filesystem.

Another option for your friends/family is to run their own server if they don’t trust anyone else. :wink:

You can’t just read them but it is not difficult to do so. And you can see the file names, calendar, contact and all other app data. I think with families/friends you have to be frank, you have to say that you could in theory read the files (you have first to trust yourself that you won’t look around their stuff) and if they want to hide it from you, they have to use encrypted containers (VeraCrypt) or use other services.

If you put certain data on public servers, you should systematically store them encrypted. Passwords can be hacked, services are not perfectly secure, …


Hi thank you for your reply.
I am equally eager to see what NC13 brings to the table.
I want to spare my family from having to buy external hard drives for their photos. I just want them to dump their photos on my server. I think they don’t mind if I could possibly read what information they provide to the server that is stored in the database. As long as I can’t see their pictures everything is fine. I mean I wouldn’t do that because I got better things to do but convincing somebody to trust your platform is quite demanding. And with big cloud providers they have the benefit of anonymity.

I think that Nextcloud 13 might not be a suitable option if the idea is to dump them on the server and not have them stored locally. The end-to-end encryption will not be applied on files uploaded with the GUI; they will only be encrypted when uploaded with Nextcloud’s own clients, and the sync client can’t act as a dead “file drop”. I am sure there are ways around it by utilizing WebDAV etc, but that is

  1. Complicated
  2. Slow as hell
  3. Impossible to view pictures without jumping through hoops

I also think you should consider the implications of actually storing relatives’ data completely end-to-end encrypted. You need to make sure that they really, and I mean REALLY, understand that it means “password forgotten = data GONE, completely, and you can’t do anything about it”. I find that people generally don’t have a concept of how hard it actually is to retrieve data if keys are lost. You also really need to have your backups straight!


@Kebba
Thank you for the advice.

They don’t mind having their contact information etc. exposed. I mean I know them. The only goal I am pursuing is to let them have their peace of mind that I can’t just log in to their account via the web GUI and look at their stuff.

I thought E2E-Encryption is enough security. And I don’t think they mind having to use Nextcloud’s desktop clients.
The best possible scenario is to have them download the client, set up a password for encryption, keep it safe and just dump their stuff onto the server.

With E2E-Encryption, they can even decide which folders they like to protect. I’m not really sure how well it works with sharing and what the implications are for the web interface (before actively using it, I’d test it properly). If they don’t want to have data exposed at any price, they shouldn’t put it on a public cloud.