Hi,
if I use server-side encryption but the main Nextcloud datadir is fully on the external storage, does it help anything? I guess not, because the keys are then also on the external storage, right?
There is the primary external storage where it might be different. It works with object storage, other storage types probably as well, but there is not a lot of documentation. I think there were some examples shared here in the forum for older versions.
If you just mount external storage on your local machine and use this as the data folder, everything (including the keys) will be saved there. If you use the normal main storage and put only some project data on some external storage, then you can use server-side encryption and the encrypted files will be on the external storage while the key files remain on your server.
My understanding is that the stored keys are encrypted (generally by the user password).
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_details.html
As an aside, another approach, if using S3 Object Storage as Primary Storage, is SSE-C:
Yes, keeping the data and the keys together might not be ideal because the passwords might not be very good, and if users recycle passwords, you might get the information from elsewhere. So it's probably better to keep the encryption keys on your server (and the encrypted data on the external server).
It is also the reason why using server-side encryption on the main server storage is less secure, since someone with access to the server might be able to intercept the passwords as well.
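To make the two situations discussed in this thread concrete (the data folder itself on a network mount versus a local data folder with S3 primary storage and SSE-C), here are two config.php variants. This is an added illustration, not a configuration posted by anyone in the thread or shipped by Nextcloud; the paths, bucket name, endpoint and credentials are placeholders, and the `sse_c_key` option is assumed to be present in the Nextcloud release in use (check the config.sample.php of your version).

```php
<?php
// Added example, not from the thread. Paths, bucket, endpoint and
// credentials are placeholders; 'sse_c_key' is assumed to be supported
// by the installed Nextcloud release (see its config.sample.php).

// Variant A: the whole data directory lives on a network mount.
// Server-side encryption keeps its key material inside that same tree
// (<datadirectory>/files_encryption and <datadirectory>/<user>/files_encryption),
// so whoever controls the mount holds both the ciphertext and the
// password-wrapped keys. Encryption adds little here.
$CONFIG_A = [
    'datadirectory' => '/mnt/nas-share/nextcloud-data', // placeholder mount path
];

// Variant B: key files stay on the Nextcloud host, bulk data goes to S3.
// A local datadirectory is still required; it holds key files, app data
// and logs, while file contents are written to the bucket. With SSE-C the
// bucket provider encrypts each object using a key sent per request from
// config.php, so the provider stores ciphertext but never the key.
$CONFIG_B = [
    'datadirectory' => '/var/www/nextcloud-data', // local disk on the app server
    'objectstore' => [
        'class' => '\\OC\\Files\\ObjectStore\\S3',
        'arguments' => [
            'bucket'         => 'nextcloud-primary',      // placeholder
            'hostname'       => 's3.example.invalid',     // placeholder endpoint
            'port'           => 443,
            'use_ssl'        => true,
            'use_path_style' => true,                     // needed by many non-AWS S3 servers
            'region'         => 'eu-central-1',           // placeholder
            'key'            => 'ACCESS_KEY_PLACEHOLDER',
            'secret'         => 'SECRET_KEY_PLACEHOLDER',
            // Customer-provided key for SSE-C: base64 of 32 random bytes,
            // e.g. from `openssl rand -base64 32`. Back it up separately
            // from the bucket; without it the objects cannot be read.
            'sse_c_key'      => 'BASE64_32_BYTE_KEY_PLACEHOLDER',
        ],
    ],
];

// Nextcloud reads $CONFIG; pick the variant that matches your deployment.
$CONFIG = $CONFIG_B;
```

In variant B the S3 credentials and the SSE-C key both sit in config.php on the application server, which is exactly the "keys on your server, encrypted data on the external server" split described above; it does not protect against someone who already has access to that server.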