Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Are host providers able to see my nextcloud files?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Are host providers able to see my nextcloud files?

Yes I enabled the server-side encryption in the Nexcloud settings but don't providers see my encryption keys? Or don't they just find out my login and password? I think they can easily find it out, especially if it's VPS, not dedicated. I do not host anything bad, I'm just turned on privacy things.

If they can decrypt and see my files, maybe it's better to download veracrypt containers on my VPS? They barely can open these containers.

Comments

  • MikeAMikeA Member, Patron Provider

    Enable encryption during OS installation.

    Thanked by 2timelapse webcraft
  • @Broscience said:
    Yes I enabled the server-side encryption in the Nexcloud settings but don't providers see my encryption keys? Or don't they just find out my login and password? I think they can easily find it out, especially if it's VPS, not dedicated. I do not host anything bad, I'm just turned on privacy things.

    If they can decrypt and see my files, maybe it's better to download veracrypt containers on my VPS? They barely can open these containers.

    Get a kvm vps, encrypt disk, enjoy.

    Thanked by 2timelapse o_be_one
  • gol3mgol3m Member

    Server-side encryption in Nextcloud means you probably enabled the use of a master key. That means all files can be decrypted over command line at any moment in time. It is only useful if you don't want any external storage provider (gdrive or whatever) to be able to see your files.

    Nextcloud also has per-user encryption, where the key is protected by the user password. But no one uses it and Nextcloud wants to see it replaced by end-to-end encryption. It's not "safe" because an admin can wait for you to enter the password. But it's a pretty big deterrent for casual snooping and ensures that none of your files ends up unencrypted/easily decryptable in backups.

    Thanked by 1MikeA
  • RedSoxRedSox Member
    edited April 2020

    Your hoster suspends your VPS, dumps the RAM memory (in which all the keys and passwords are located) and makes a copy of the disk, then restores work, it will take 10 seconds, there will be no reboot, you won’t even notice. In some systems such as Amazon, everything is automated there, they can deploy your working VPS on another hardware directly to the hot one, so don’t console yourself, the hoster sees everything. There is no anonymity in 2020, you leave a digital footprint everywhere. Сorrect me if I'm wrong in any judgment.

  • i agree with redsox any true privacy enthusiast knows that all encryption and key generation/storage and etc should be done on a always offline and trusted machine.

    But.. assess your threat model and make dissension off that.. most people dont need NSA level paranoia

    Thanked by 1RedSox
  • @RedSox said:
    Your hoster suspends your VPS, dumps the RAM memory (in which all the keys and passwords are located) and makes a copy of the disk, then restores work, it will take 10 seconds, there will be no reboot, you won’t even notice. In some systems such as Amazon, everything is automated there, they can deploy your working VPS on another hardware directly to the hot one, so don’t console yourself, the hoster sees everything. There is no anonymity in 2020, you leave a digital footprint everywhere. Сorrect me if I'm wrong in any judgment.

    Yeah, this is why I stopped using disk encryption on VMs. It's easy enough to defeat so it's not worth the small performance hit IMO. The only time disk encryption makes sense to use is with dedi. Granted, there are ways around that too but it's significantly harder.

    Thanked by 1RedSox
  • FAT32FAT32 Administrator, Deal Compiler Extraordinaire
    edited April 2020

    The only thing that can trust is your own device* so end-to-end encryption is a must. You can consider running gocryptfs or Cryptomator over network.

    (* Again, it depends on how hard you secure your device from spywares)

  • GromGrom Member
    edited April 2020

    Yes, your provider can absolutely access your server, but I don't see it as an issue.

    I think it's really important to pick a provider you trust.

    Personally, I picked BuyVM, not because they're the cheapest around, but because they're trustworthy and honest (imo).

    Thanked by 2RedSox allen314
  • Agreed with above, if you don't trust a provider then don't use them, really that simple. Encryption etc like others have mentioned is all good

  • You can host your nextcloud at home.

  • If you don't trust your host with your files( aka to not look to your files), you must change of provider.

  • Assume they could, trust that they don't. Simple as that, really.

  • I agree with redso

    Thanked by 1RedSox
  • Life is so hard

  • @Autizmo said:

    @RedSox said:
    Your hoster suspends your VPS, dumps the RAM memory (in which all the keys and passwords are located) and makes a copy of the disk, then restores work, it will take 10 seconds, there will be no reboot, you won’t even notice. In some systems such as Amazon, everything is automated there, they can deploy your working VPS on another hardware directly to the hot one, so don’t console yourself, the hoster sees everything. There is no anonymity in 2020, you leave a digital footprint everywhere. Сorrect me if I'm wrong in any judgment.

    Yeah, this is why I stopped using disk encryption on VMs. It's easy enough to defeat so it's not worth the small performance hit IMO. The only time disk encryption makes sense to use is with dedi. Granted, there are ways around that too but it's significantly harder.

    So with kvm there is no real sense of security huh... even LUKS fde is a waste on vms? Is it possible to even make vms secure? (Serious)...
    Thnx

    Thanked by 1RedSox
  • pbxpbx Member

    Encryption works well with a dedi, and even then how can you be sure you trust the hardware? But well, for most cases it's more than enough. It can't hurt on a VPS but you can't count on it if the files matters a lot to you as it will be easy for the provider to watch your files if they want to.

    As other have said: trust is key. Go with a provider you trust and be done with it.

    You also have to keep in mind that as long as your stuff is publicly available on the internet, even if the storage is encrypted it has to be decrypted for you to be able to read it. If there is a vulnerability in some of the software you run on that box, people can access your files.

    An option would be to run a minimal setup with only what's needed to run owncloud, but probably better to keep very private files offline or on the local network, behind a firewall. In this scenario syncthing (https://syncthing.net/) can be a better option than Nextcloud, if what you need is just having files stored & synced on different machines.

    Thanked by 1RedSox
  • The solution is simple. Only store files that have been encrypted elsewhere and never decrypt on the server. Problem solved.

    Thanked by 2RedSox TimRoo
  • jlayjlay Member

    @james50a said:
    The solution is simple. Only store files that have been encrypted elsewhere and never decrypt on the server. Problem solved.

    Or put decryption keys there so that someone else could do it for you :smile: Keep those away from the data generally

  • Hey, I too have plans to start a file sharing website. But the problem is some people upload illegal stuff. How to handle this problem & what are the risks involved & how to play safe?

  • AutizmoAutizmo Member

    @plumberg said:

    @Autizmo said:

    @RedSox said:
    Your hoster suspends your VPS, dumps the RAM memory (in which all the keys and passwords are located) and makes a copy of the disk, then restores work, it will take 10 seconds, there will be no reboot, you won’t even notice. In some systems such as Amazon, everything is automated there, they can deploy your working VPS on another hardware directly to the hot one, so don’t console yourself, the hoster sees everything. There is no anonymity in 2020, you leave a digital footprint everywhere. Сorrect me if I'm wrong in any judgment.

    Yeah, this is why I stopped using disk encryption on VMs. It's easy enough to defeat so it's not worth the small performance hit IMO. The only time disk encryption makes sense to use is with dedi. Granted, there are ways around that too but it's significantly harder.

    So with kvm there is no real sense of security huh... even LUKS fde is a waste on vms? Is it possible to even make vms secure? (Serious)...
    Thnx

    Eh, kind of. Epyc (I think those are the ones) CPUs can encrypt RAM and the key is stored in the VM. However, researchers were able to get a copy by moving around the encrypted RAM and making requests to a web server running on the encrypted VM so it'd return what it thought was the right thing but different memory had been moved to that location so it returned that, unencrypted, instead. From what I remember, it's pretty much a trial and error attack and you're more likely to crash the machine than get the keys but it is possible with enough time and persistence. Although, since if the machine crashes someone would have to input the decryption key to restart it, it'd be much easier to just crash the VM and then grab the key when the user puts it in over VNC or whatever to restart the machine.

  • @Autizmo said:

    @plumberg said:

    @Autizmo said:

    @RedSox said:
    Your hoster suspends your VPS, dumps the RAM memory (in which all the keys and passwords are located) and makes a copy of the disk, then restores work, it will take 10 seconds, there will be no reboot, you won’t even notice. In some systems such as Amazon, everything is automated there, they can deploy your working VPS on another hardware directly to the hot one, so don’t console yourself, the hoster sees everything. There is no anonymity in 2020, you leave a digital footprint everywhere. Сorrect me if I'm wrong in any judgment.

    Yeah, this is why I stopped using disk encryption on VMs. It's easy enough to defeat so it's not worth the small performance hit IMO. The only time disk encryption makes sense to use is with dedi. Granted, there are ways around that too but it's significantly harder.

    So with kvm there is no real sense of security huh... even LUKS fde is a waste on vms? Is it possible to even make vms secure? (Serious)...
    Thnx

    Eh, kind of. Epyc (I think those are the ones) CPUs can encrypt RAM and the key is stored in the VM. However, researchers were able to get a copy by moving around the encrypted RAM and making requests to a web server running on the encrypted VM so it'd return what it thought was the right thing but different memory had been moved to that location so it returned that, unencrypted, instead. From what I remember, it's pretty much a trial and error attack and you're more likely to crash the machine than get the keys but it is possible with enough time and persistence. Although, since if the machine crashes someone would have to input the decryption key to restart it, it'd be much easier to just crash the VM and then grab the key when the user puts it in over VNC or whatever to restart the machine.

    If you really comme to the point that your data is important so much, keep them in you basement with a dog in front of the rack.

  • TimRooTimRoo Member

    Sounds like the bottom line is just like any cloud provider, whether on a VPS with NextCloud or not - if you don't want anyone seeing your files, encrypt before uploading.

Sign In or Register to comment.