This is a challenging question to answer without knowing far more about your situation.
Before proceeding though, have you read through the recently rewritten Nextcloud Admin Manual’s Encryption chapter? It attempts to give some context for these decisions.
It would mainly be to protect against external attacks.
At the moment, if an attacker gains unauthorized access to the server, they could browse the data directory and potentially access user files, which does not feel very secure. I already have SSL/TLS enabled with HTTPS, but I would also like to encrypt the stored user data.
However, Nextcloud’s built-in server-side encryption is not ideal for my use case, as it introduces performance overhead and causes compatibility issues with certain apps.
As for physical drive theft, I will need to wait until my operating system supports LUKS encryption.
See, if someone breaks into the server and gains root access you’re screwed even if you use SSE. Because the encryption keys are stored on the server. Even if you had them stored somewhere else, given the fact that your attacker has gained root access, what would it stop him to impersonate the application (i.e. Nextcloud) to gain access to the encryption keys?
The only protection as you want it against an external attack is E2E encryption. But you ruled that option out in a previous post.
Regarding security of your setup in General: You’re running a Chinese Linux distribution (with custom kernel patches) and you’re using a Nextcloud Docker image curated by a Youtuber who spews out a massive amount of preconfigured Docker images. If I were you I’d migrate my setup to a more trustworthy environment.
Okay, no problem. Thanks anyway for taking the time to look.
Yes, I plan to migrate to another operating system quickly; I know it’s not optimal at the moment. Do you think it would be a good idea to migrate to OpenMediaVault?
Just to fill in a bit of a background, the server-side encryption is designed when your server uses a storage backend and you cannot or do not want to trust this operator. Then the data is encrypted on your server and stored encrypted in the storage backend. Since your server is handling all the encryption/decryption, someone with access to it can temper with that.
Debian/Ubuntu-based systems support LUKS and other options. Regarding which flavor of it or which kind of system in detail, that depends a lot on you and your preferences.
OpenMediaVault is based on debian but does much more than just Nextcloud. If you are just interested in running Nextcloud, then this is overkill. If you’d like to have a traditional NAS in your home network with Nextcloud on top, then this might be a good idea. Nextcloud announce a long time ago that they are partnering with TrueNAS:
I have no experience myself to tell you which is better integrated.
Okay, thank you very much for the clarification. I installed OMV earlier; all that’s left is to configure Nextcloud so it runs properly.
I’m going to do this with Docker/Portainer on OMV.
I kept my old data, so I just need to reconfigure the paths and create the folders like redis and db (for the db I have my .sql file ready to be imported).
