I'm familiar with the existing encryption features of nextcloud so far, but am looking for a middle ground between users having encrypted files server-side and having a master key that can help users recover their files.
Specifically, I'd like to have a single key that encrypts files at rest. This is because while I'm fine with users trusting the server, I don't want to trust third party storage.
My use case is that I'm planning on using S3 or off-prem Swift object storage as the primary backend, and while I want data encrypted at rest, I also don't want to have to assist users who are changing their passwords and so on.
Is this likely to become a feature? (Or, if I've missed it, is it already a feature?)
This sounds like you are looking for the master-key setup. This way server-side encryption doesn't use a key for each user but only one master key for all users. This way people can be easily added to groups and have immediate access to the shared files, and also password loss is no longer a problem.
You must enable the master key directly after you have enabled server-side encryption in the admin settings and the 'default encryption module' from the apps menu.
To do so, you have to execute the following command:
occ encryption:enable-master-key
Once people have started to encrypt files there is no way to disable or enable the master key again, otherwise you risk data loss!
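The steps in the answer above as one reviewable runbook. This is an added example, not code from the forum post or from the Nextcloud project: it assumes the occ commands that correspond to the admin-settings and apps-menu steps (app:enable encryption, encryption:enable, encryption:enable-master-key, encryption:status), an OCC path and web-server user that you will need to adjust, and a dry-run mode that only prints the plan so the irreversible master-key step is never executed by accident.

```sh
#!/bin/sh
# Hypothetical runbook for switching a fresh Nextcloud install to the master-key setup.
# OCC and WEBUSER are assumptions about the install; override them via the environment.
OCC="${OCC:-php /var/www/nextcloud/occ}"
WEBUSER="${WEBUSER:-www-data}"
DRY_RUN="${DRY_RUN:-}"

# occ_cmd: in dry-run mode print the occ command that would run; otherwise run it
# as the web-server user so the keys end up owned by the right account.
occ_cmd() {
    if [ -n "$DRY_RUN" ]; then
        printf 'occ %s\n' "$*"
    else
        sudo -u "$WEBUSER" $OCC "$@"
    fi
}

# enable_master_key_setup: the ordered steps from the answer above, expressed with occ.
# encryption:enable-master-key asks for confirmation because it cannot be undone
# once any file has been encrypted, so run this only on an instance with no encrypted data.
enable_master_key_setup() {
    occ_cmd app:enable encryption          # the "default encryption module" app
    occ_cmd encryption:enable              # server-side encryption (admin settings)
    occ_cmd encryption:enable-master-key   # one master key for all users; irreversible
    occ_cmd encryption:status              # confirm the module and state afterwards
}

# master_key_setup_plan: print the commands without touching the instance,
# so the plan can be reviewed before the one-way step is taken.
master_key_setup_plan() {
    ( DRY_RUN=1; enable_master_key_setup )
}

# Default to printing the plan; pass --apply to actually run it.
if [ "${1:-}" = "--apply" ]; then
    enable_master_key_setup
else
    master_key_setup_plan
fi
```

Run it once without arguments to see the four commands in order, then with --apply on a fresh instance only; if encryption:status already reports files encrypted under per-user keys, do not apply it.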