Hi !
I’m using nextcloud on an old server at home since several years with no encryption.
I want to migrate it on a new server in a datacenter with encryption.
With encryption, is there a mean to rsync directories and after that encrypt the datas on the new server ? Or have i to synchronise datas with the client ?
Thank you for the answer.
Hi,
I’m not sure I fully understand your question. Are you asking whether you can still run rsync on the encrypted directories to backup them somewhere? Then the answer is yes.
That said - I’m not sure why you would switch on encryption. You want to run your server on the Datacenter’s machines so the encryption key still ahead be present there anyway (otherwise your server wouldn’t work). The server-side encryption in my view only makes sense for externally mounted storage (like Dropbox) where the data and your server run in different machines and you don’t trust the data storage server.
/S
In details :
My actual situation :
I have 2 nextcloud servers : one at home for my personnal datas and one on a server in a datacenter for my work public datas (I am a math teacher, so it contains lessons, exercices…). All critical datas are on my home server.
New situation :
I bought a new server in my datacenter and I want to migrate both the 2 old servers on this new one.
But : i don’t want my personnal and critical datas to be readable on this server so :
My problem :
I could just install 2 nextcloud instances on the new server with encryption enabled and sync my directories using nextcloud client with these new instances but… my connexion is very slow and it could take a mounth or more time… and my work datas are on the same datacenter so it would be so much faster to copy them directly from one server to the other.
I could directly copy datas from old servers to the new one and sync database but : data copied that way won’t be encrypted, only new datas would be.
What i am looking for :
A command line to copy file and encrypt then with Nextcloud users keys and sync database.
That way, i could copy datas directly from old servers to the new one without using the nextcloud client and i would save a lot of time.
Am i more understandable ? (sorry for my english, i’m french)
I think you speak only about server-side-encryption and not client side end-to-end-encryption. I think a server-side-encryption is better than no encryption. But you must trust your provider a little bit. Also there is a difference between hosted nextclouds and hosted VPS. Some nextcloud hosters use server-side encryption. Test ist for free on https://nc.nl.tab.digital .
A client end-to-end-encryption is not really useful. You can it e.g. not use with a web browser.
https://nextcloud.com/blog/encryption-in-nextcloud/
Copy user data / nextcloud data:
Perhaps you can use nextcloud federation and copy the data from one nextcloud (old nextcloud in the internet) to another nextcloud (new nextcloud in the internet). In this case the data is only transferred between the server with WebDAV and there is no up- and download to your home.
Disk encryption protect me from an attempt to read the disk when the server is down but not when it’s running and after i entered the passphrase to decrypt it.
My need is to protect datas against malicious admin on my provider site who could access my server when it’s running. Your second link gave me interesting informations : now i understand that server side encryption, with ou without per user keys, is not strong enougth because malicious admin could get the key during client connexion. And directory structure is readable.
I will use instead end-to-end-encryption for my critical datas (bank accounts, keepass files, personnal documents…). These datas won’t be accessible through the web interface and i won’t be able to share then : not a problem with this kind of data.
I have to read more documentation before beginning and do some tests with some directories on the new server.
And federation will be usefull for transfert. Again i have to read doc.
Thank you for your help.
Really? I do not know. I think not because the user must use keys and they are combined with the login i think.
The problem is that perhaps an admin knows the user password and then access. Perhaps you must also use in addition to server-side-encryption a 2FA authentication.
Can you tell something about your new host? Do you use a VPS, root-server, …?
It’s in the link you gave me : https://nextcloud.com/blog/encryption-in-nextcloud/
Per-user keys only offer additional protection over a server-wide key in the case of physical theft of the Nextcloud server and storage or a security breach of the sever provided the user(s) do NOT log in for the duration of the breach . A full, undetected Nextcloud server breach by skilled attackers or malicious server administrator still risks exposing user data.
My new host is standart private server, not virtual. Why ?
Per-user keys.
Ok. All admins can sniff at the https-requests (end of tls-connection)
eg.:
https://cloud.domain.tld/login
post-parameter:
user: username in cleartext
password: password in cleartext
Perhaps you can use 2fa or otp.
No. My question was more do you have a nextcloud hoster? But i now think you install nextcloud on your own on a private root-server. Thanks.
rclone.org → access nextcloud through webdav. so all uploaded files will be encrypted and get a database entry. (or you mount the webdav folder of the “cloud nextcloud” to your “internal nextcloud” and copy all files with cp.
but it’s not nextcloud ↔ nextcloud. it would be linux-fs ↔ nextcloud. and need all user passwords because it would per user.
second way i could thing about is backup/restore/occ encrypt:all but between the second and third step all file would unencrypted.
For end-to-end-encryption you can also use “Duplicati”. Not tested.
https://operationtulip.com/enable-end-to-end-encryption-in-nextcloud/
https://en.wikipedia.org/wiki/Duplicati