Separate Encryption Keys and Data

I am attempting to find the best way of doing this. I am currently transferring my Nextcloud server to new hardware. I have all my folders on primary storage encrypted. The problem I am having is that, to make my server more flexible, I have split my storage into encrypted and non-encrypted, with most of the OS being behind encryption. What I would like to do is easily separate the encryption keys from my current folders and symlink or otherwise move my files to the non-encrypted space, keeping just the keys on the encrypted section. I saw the local external storage, but that would have me move all my files one by one to an “external” folder and set up all of my shared links again.

Is there an easier way of doing this?

Honestly, I would start by decrypting the whole system, then move things around and encrypt again the pieces you want to encrypt. Encrypted data must be handled with great care!

Encrypted data must be handled with great care!

Exactly. If you mess up the keys, for example, you are pretty much screwed, and you had better have a backup of the (unencrypted) files. Better to use occ encryption:decrypt-all before moving anything.

I mean, I am not sure that solves my problem. I have a functioning backup and can do anything to this test version before finishing the transfer. But I cannot think of a good way of splitting the encryption keys and the data itself. I cannot just move the data folder, as the encryption keys would stay with it, and even if I set up an external local folder, I cannot easily move all the files to it.

You can do a few tests. I am not sure that it will work, because it's not only the file and the key; there is also a signing process using data from the database. I can't tell you what fields are actually used, but it could get quite complicated to move stuff around.
It could work with a couple of tricks (copying files + keys + database), but there is no guarantee, and potential problems could show up much later.

With the OS behind encryption, there is no good reason to use server-side encryption. NC 13 was announced with new client-side encryption.
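As an added example (not posted by anyone in this thread and not Nextcloud's own tooling), here is the decrypt-first migration the replies recommend, as a POSIX shell script: strip server-side encryption with occ while the keys are still in place, copy the now-plaintext data directory to the unencrypted volume, point datadirectory at it, verify the copy before removing anything, and only then decide whether to turn server-side encryption back on (with the OS volume already encrypted, the last post argues there is no reason to). The install path, the occ invocation and the source/destination paths are assumptions to adjust; the occ subcommands used (encryption:decrypt-all, encryption:disable, encryption:enable, encryption:encrypt-all, maintenance:mode, config:system:set) are real occ commands. The sample directory layout used in the test is constructed.

```shell
#!/bin/sh
# Added example, not the thread's or Nextcloud's own code: decrypt-first
# migration of a Nextcloud data directory from an encrypted to an unencrypted
# volume. Assumed values (adjust): NC_DIR is the install path, OCC the occ call.
set -eu

NC_DIR="${NC_DIR:-/var/www/nextcloud}"
OCC="${OCC:-sudo -u www-data php $NC_DIR/occ}"

# Step 1: remove server-side encryption from every file while the keys are
# still where Nextcloud expects them. decrypt-all asks for confirmation on the
# terminal, so run this interactively. Encryption stays off until the move
# has been verified; there is nothing to re-key half way through.
decrypt_instance() {
  $OCC encryption:decrypt-all
  $OCC encryption:disable
}

# Step 2: copy the (now plaintext) data directory to the new volume with
# ownership, modes and timestamps preserved, then point Nextcloud at it.
# The source tree is left in place so it can be compared and removed by hand.
move_datadir() {
  src="$1"; dst="$2"
  $OCC maintenance:mode --on
  mkdir -p "$dst"
  cp -a "$src/." "$dst/"
  $OCC config:system:set datadirectory --value="$dst"
  $OCC maintenance:mode --off
}

# Step 3: compare every regular file of both trees by relative path, size and
# CRC. Returns 0 when they match and non-zero otherwise, so the cleanup of
# the old directory can be gated on it.
verify_copy() {
  src="$1"; dst="$2"
  a=$(cd "$src" && find . -type f -exec cksum {} + | LC_ALL=C sort)
  b=$(cd "$dst" && find . -type f -exec cksum {} + | LC_ALL=C sort)
  [ "$a" = "$b" ]
}

# Step 4 (optional): turn server-side encryption back on at the new location.
# encrypt-all also confirms interactively. Skip this if the volume holding
# the data is already protected by OS-level encryption.
reencrypt_instance() {
  $OCC encryption:enable
  $OCC encryption:encrypt-all
}

main() {
  decrypt_instance
  move_datadir "$1" "$2"
  if verify_copy "$1" "$2"; then
    echo "copy verified; old data directory $1 can now be removed"
  else
    echo "copy mismatch; leaving $1 untouched" >&2
    exit 1
  fi
}

# Only act when explicitly asked, e.g.:
#   sh migrate.sh --run /crypt/ncdata /plain/ncdata
if [ "${1:-}" = "--run" ]; then
  main "$2" "$3"
fi
```

Run it with `--run OLD NEW` on a stopped or quiet instance and answer the occ prompts; the old directory is never deleted by the script, so a failed verification costs nothing but disk space. If you later want encryption on only part of the data, that is the point to leave `reencrypt_instance` out and protect the rest at the volume level instead.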