Nextcloud Apps Storing Data As Plaintext

I am running my Nextcloud and Postgres on one of the big cloud providers, and I don’t trust that they won’t peek into my servers. I found out that they have the capability to peek into servers, even if I have full-disk encryption (they can access it when my server is in use). I also found that Postgres data can be accessible as plaintext when it’s in use. Therefore, I am running my apps on untrusted servers and want to use only end-to-end or client encryption instead of server-side encryption.

My Issue:
I was using Nextcloud and enabled some of its apps, such as Contacts, Bookmarks, and Calendar. I realized those apps were storing data in plaintext when I reviewed my database tables. I know I can end-to-end encrypt my files or use encrypted WebDAV servers, but I still want to use some of those apps.

My Questions:

  • Is it possible to make Nextcloud encrypt those app data with my login password or end-to-end encryption so that I can only hold the key?
  • If not, what alternatives would you recommend? Or was Nextcloud never designed to run on an untrusted server and was targeted to run only on the client’s hardware?

Not sure how you want to do it, which clients have such a feature? You then would need specific clients.

Yes, you should run Nextcloud on a trust-worthy server, the server-side encryption was build for the use of external storage backends that you don’t trust.

You could split things a bit, since you can use end-to-end encryption for the data, you could use one setup with all the data, and a second smaller setup where you just manage your calendar, contact and some other apps, and if needed to can interconnect them via federated sharing.