New on LowEndTalk? Please Register and read our Community Rules.
Are host providers able to see my Nextcloud files?
Broscience
Member
in General
Yes, I enabled the server-side encryption in the Nextcloud settings but don't providers see my encryption keys? Or don't they just find out my login and password? I think they can easily find it out, especially if it's VPS, not dedicated. I do not host anything bad, I'm just turned on privacy things.
If they can decrypt and see my files, maybe it's better to download VeraCrypt containers on my VPS? They barely can open these containers.
Comments
Enable encryption during OS installation.
Get a kvm vps, encrypt disk, enjoy.
Server-side encryption in Nextcloud means you probably enabled the use of a master key. That means all files can be decrypted over command line at any moment in time. It is only useful if you don't want any external storage provider (gdrive or whatever) to be able to see your files.
Nextcloud also has per-user encryption, where the key is protected by the user password. But no one uses it and Nextcloud wants to see it replaced by end-to-end encryption. It's not "safe" because an admin can wait for you to enter the password. But it's a pretty big deterrent for casual snooping and ensures that none of your files ends up unencrypted/easily decryptable in backups.
Your hoster suspends your VPS, dumps the RAM memory (in which all the keys and passwords are located) and makes a copy of the disk, then restores work, it will take 10 seconds, there will be no reboot, you won’t even notice. In some systems such as Amazon, everything is automated there, they can deploy your working VPS on another hardware directly to the hot one, so don’t console yourself, the hoster sees everything. There is no anonymity in 2020, you leave a digital footprint everywhere. Correct me if I'm wrong in any judgment.
I agree with redsox; any true privacy enthusiast knows that all encryption and key generation/storage etc. should be done on an always-offline and trusted machine.
But... assess your threat model and make decisions off that... most people don't need NSA level paranoia
Yeah, this is why I stopped using disk encryption on VMs. It's easy enough to defeat so it's not worth the small performance hit IMO. The only time disk encryption makes sense to use is with dedi. Granted, there are ways around that too but it's significantly harder.
The only thing you can trust is your own device* so end-to-end encryption is a must. You can consider running gocryptfs or Cryptomator over network.
(* Again, it depends on how hard you secure your device from spyware)
Yes, your provider can absolutely access your server, but I don't see it as an issue.
I think it's really important to pick a provider you trust.
Personally, I picked BuyVM, not because they're the cheapest around, but because they're trustworthy and honest (imo).
Agreed with above, if you don't trust a provider then don't use them, really that simple. Encryption etc like others have mentioned is all good
You can host your nextcloud at home.
If you don't trust your host with your files (aka to not look at your files), you must change provider.
Assume they could, trust that they don't. Simple as that, really.
I agree with redso
Life is so hard
So with kvm there is no real sense of security huh... even LUKS fde is a waste on vms? Is it possible to even make vms secure? (Serious)...
Thnx
Encryption works well with a dedi, and even then how can you be sure you trust the hardware? But well, for most cases it's more than enough. It can't hurt on a VPS but you can't count on it if the files matter a lot to you as it will be easy for the provider to watch your files if they want to.
As others have said: trust is key. Go with a provider you trust and be done with it.
You also have to keep in mind that as long as your stuff is publicly available on the internet, even if the storage is encrypted it has to be decrypted for you to be able to read it. If there is a vulnerability in some of the software you run on that box, people can access your files.
An option would be to run a minimal setup with only what's needed to run owncloud, but probably better to keep very private files offline or on the local network, behind a firewall. In this scenario syncthing (https://syncthing.net/) can be a better option than Nextcloud, if what you need is just having files stored & synced on different machines.
The solution is simple. Only store files that have been encrypted elsewhere and never decrypt on the server. Problem solved.
Or put decryption keys there so that someone else could do it for you. Keep those away from the data generally.
Hey, I too have plans to start a file sharing website. But the problem is some people upload illegal stuff. How to handle this problem & what are the risks involved & how to play safe?
Eh, kind of. Epyc (I think those are the ones) CPUs can encrypt RAM and the key is stored in the VM. However, researchers were able to get a copy by moving around the encrypted RAM and making requests to a web server running on the encrypted VM so it'd return what it thought was the right thing but different memory had been moved to that location so it returned that, unencrypted, instead. From what I remember, it's pretty much a trial and error attack and you're more likely to crash the machine than get the keys but it is possible with enough time and persistence. Although, since if the machine crashes someone would have to input the decryption key to restart it, it'd be much easier to just crash the VM and then grab the key when the user puts it in over VNC or whatever to restart the machine.
If you really come to the point that your data is important so much, keep them in your basement with a dog in front of the rack.
Sounds like the bottom line is just like any cloud provider, whether on a VPS with NextCloud or not - if you don't want anyone seeing your files, encrypt before uploading.