Nextcloud on hosted server: does server side encryption exclude even host company from reading?

I’d like to install nextcloud on a hosted server, just for sharing some calendars and small files with friends & family. But that makes no sense if the hoster can read the files, even if I use server side encryption. If this were the case, I’d simply use the icloud.

As far as I understand the docs, see here: https://docs.nextcloud.com/server/15/admin_manual/configuration_files/encryption_configuration.html the encryption keys are stored in data/<user>/files_encryption.

Aren’t the keys then on the hosted server and the hoster could use them to decrypt my files, the calendars and whatever?

Hey, I guess what you are looking for is end-to-end encryption since server-side encryption is not able to protect your files if you don’t trust the server, as you already discovered yourself :+1:

Ok, thank you. But what’s the use of server side encryption then? If the server is stolen, it doesn’t help much. If the server is compromised, neither. So why have it at all?

Because it makes sense to use if you want to store some files on a not-trusted 3rd party service like e.g. Google drive. (Of course you still need to trust your own server for that)

You would then mount google drive storage in Nextcloud and encrypt all files via Nextcloud that get uploaded to google drive

1 Like

If you don’t trust any server-hoster and don’t want to use end-to-end encryption, than I’d recommend to spin up your own server at your home.

I’ve no reservation against e-2-e encryption.

I installed a »nextcloudpi« at home and like it very much. Cheap, fast enough. But I hesitate to give any access from the internet. I don’t have the knowledge to provide a sufficient level of security.

I can understand your security concerns but I am confident that the Nextcloudpi project has made sure that the standard config for accessing your Nextcloudpi from outside your home is already as secure as possible (so no further knowledge is needed)