Server only encryption


I’m familiar with the existing encryption features of nextcloud so far, but am looking for a middle ground between users having encrypted files server-side and having a master key that can help users recover their files.

Specifically, I’d like to have a single key that encrypts files at rest. This is because while I’m fine with users trusting the server, I don’t want to trust third party storage.

My use case is that I’m planning on using S3 or off-prem Swift object storage as the primary backend, and while I want data encrypted at rest, I also don’t want to have to assist users who are changing their passwords and so on.

Is this likely to become a feature? (Or, if I’ve missed it, is it already a feature?)


This sounds like you are looking for the master-key setup. This way server-side encryption doesn’t use a key for each user but only one master key for all users. This way people can be easily added to groups and have immediately access to the shared files and also password lose is no longer a problem.

You must enable the master key directly after you have enabled server-side encryption in the admin settings and the “default encryption module” from the apps menu.

To do so, you have to execute following command:

occ encryption:enable-master-key

Once people started to encrypt files there is no way to disable or enable the master key again otherwise you risk data lose!

I hope this is what you are looking for.

That sounds like exactly what I need, thanks! I’ll give it a go.