Separate Encryption keys and Data

I am attempting to find the best way of doing this. I am currently transferring my nextcloud server to new hardware. I have all my folders on primary storage encrypted. The problem I am having is that, to make my server more flexible, I have split my storage into encrypted and non-encrypted, with most of the OS being behind the encrypted part. What I would like to do is easily separate the encryption keys from my current folders and symlink or otherwise move my files to the non-encrypted space and keep just the keys on the encrypted section. I saw the local external storage, but that would have me move all my files one by one to an “external” folder and re-set up all of my shared links.

Is there an easier way of doing this?

Honestly I would start with decrypting the whole system, then move things around and encrypt the pieces again you want to encrypt. Encrypted data must be handled with great care!


Encrypted data must be handled with great care!

Exactly. If you mess up with the keys for example you are pretty much screwed and you better have a backup of the (unencrypted) files. Better to use occ encryption:decrypt-all before moving anything.
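A defender-side check that goes with the advice above (this is an added example, not code from the thread or from Nextcloud itself): before moving a data directory around, verify that `occ encryption:decrypt-all` actually left no server-side-encrypted files behind. It relies on the fact that Nextcloud server-side encrypted files begin with a `HBEGIN:` header; the `files_encryption` key-directory layout in the comments and the helper names are assumptions of this example, and the sample data directory is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Nextcloud or the thread).
#
# Suggested order from the thread, for reference (occ commands are real):
#   occ maintenance:mode --on
#   occ encryption:decrypt-all
#   <run count_encrypted_files on the data dir; expect 0>
#   then move/copy files, keys and database
#
# Assumed layout: per-user files under <data>/<user>/files/, per-user keys
# under <data>/<user>/files_encryption/, system keys under <data>/files_encryption/.

# Count files under user "files" trees that still carry the server-side
# encryption header ("HBEGIN:"), i.e. files decrypt-all did not process.
# -exec acts as a filter: only files whose first 7 bytes match get printed.
count_encrypted_files() {
  find "$1" -type f -path '*/files/*' \
    -exec sh -c '[ "$(head -c 7 "$1" 2>/dev/null)" = "HBEGIN:" ]' _ {} \; \
    -print | wc -l | tr -d ' '
}

# List key directories that would have to stay on the encrypted volume.
list_key_dirs() {
  find "$1" -type d -name files_encryption | sort
}

# Build a constructed sample data directory with one still-encrypted file,
# one decrypted file and a user key directory. Prints the directory path.
make_sample_datadir() {
  d=$(mktemp -d)
  mkdir -p "$d/alice/files" "$d/alice/files_encryption/keys" "$d/files_encryption"
  # Constructed header; real files pad the header block and carry ciphertext after it.
  printf 'HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES_256_CTR:HEND' \
    > "$d/alice/files/still-encrypted.txt"
  printf 'plain text, already decrypted\n' > "$d/alice/files/decrypted.txt"
  echo "$d"
}

# Stand-alone run: report on the constructed sample directory.
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_datadir)
  echo "encrypted files remaining: $(count_encrypted_files "$sample")"
  echo "key directories:"
  list_key_dirs "$sample"
  rm -rf "$sample"
fi
```

Run it with `--demo` to see the sample output; against a real installation, call `count_encrypted_files /path/to/nextcloud/data` after `decrypt-all` and only proceed with the move when it reports 0.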

I mean, I am not sure that solves my problem. I have a functioning backup and can do anything to this test version before finishing the transfer. But I cannot think of a good way of splitting the encryption keys and the data itself. I cannot just move the data folder, as the encryption keys would stay with it, and even if I set up an external local folder I cannot easily move all the files to it.

You can do a few tests. I am not sure that it will work because it’s not only the file and the key, there is also a signing process using data from the database. I can’t tell you what fields are actually used but it could get quite complicated to move stuff around.
It could work with a couple of tricks (copying files + keys + database) but there is no guarantee and potential problems could show up much later.

With the OS behind encryption, there is no good reason to use server-side encryption. NC 13 was announced with a new client-side encryption.