[Update] Nextcloud tutorial: Improved encryption architecture with key separation#1347
Conversation
…d files

This update introduces a more secure architecture where Nextcloud encryption keys remain on the local LUKS-encrypted disk while encrypted file content is stored on the Storage Box via per-user bind mounts.

Changes:
- NEXTCLOUD_DATADIR now points to local Docker volume instead of SMB mount
- Per-user bind mounts offload only files/, files_trashbin/, files_versions/, and uploads/ to Storage Box
- Added systemd mount verification service to prevent startup with unmounted dirs
- Fixed systemd mount unit (added DefaultDependencies=no to prevent cycles)
- Updated from Debian 12 Bookworm to Debian 13 Trixie
- Standardized on ext4 filesystem
- Added migration guide for users of previous version

Security improvement: Storage Box compromise no longer exposes encryption keys.
This is a very important security update you did there, thank you for that @JMoVS! 🚀
Can you please add the following comment in this pull request: (Please replace
Once that is added, I will merge your changes.
I'm not sure if you saw my comment above because I forgot to mention you in it. @JMoVS Can you please add the following comment in this pull request: (Please replace
Once that is added, I will merge your changes.
Hi @svenja11, I'm not sure I understand. You linked to the "tutorial-template" - why would you want me to sign the tutorial-template?
Hi @JMoVS, sorry if my wording was a bit confusing. What I meant was not to sign the tutorial template itself, but to add the entire Contributor’s Certificate of Origin block to the description of this pull request (as a comment in the PR description). So basically edit the description of this PR and add the Contributor’s Certificate of Origin block at the top (with your own name and email). Contributor’s Certificate of Origin block:
Hi @svenja11, I updated the description now. Thanks for the clarification!
Perfect, thank you for the update 🙂
@svenja11 One other comment: the published date still shows August last year - is that something that should have been updated?
Thank you for pointing this out. That's fine, I'll update it with the next PR on this tutorial 🙂
Summary
This PR updates the Nextcloud tutorial with a significantly improved security architecture that separates encryption keys from encrypted data.
Problem with the previous approach
The original guide stored the entire Nextcloud data directory on the Storage Box, including the `files_encryption` folder containing encryption keys. This meant anyone with access to the Storage Box had both the encrypted files AND the keys to decrypt them.
New architecture
Changes in this PR
Security improvements
- `NEXTCLOUD_DATADIR` now points to local Docker volume
- `files/`, `files_trashbin/`, `files_versions/`, `uploads/` are offloaded to the Storage Box via per-user bind mounts
- `files_encryption/` and `cache/` folders remain local
Bug fixes
- `DefaultDependencies=no` to prevent ordering cycles
Updates
New sections
Migration path
Existing users can follow the new "Migration from Previous Guide" section to move their encryption keys to the local disk while keeping their files on the Storage Box.
Testing
This architecture has been running in production with 120,000+ files across multiple users, surviving multiple reboots. But it should be tested again whether the new setup and the migration fully work. I have migrated mine and am happily running it like this for now.
I have read and understood the Contributor's Certificate of Origin available at the end of
https://raw.githubusercontent.com/hetzneronline/community-content/master/tutorial-template.md
and I hereby certify that I meet the contribution criteria described in it.
Signed-off-by: Justin Scholz git@justinscholz.de
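The PR's mount verification service exists to stop Nextcloud from starting while a per-user bind mount is absent: with an empty mount point underneath, uploads would silently land on the local disk instead of the Storage Box, and a stray mount on `files_encryption/` would put the keys back on remote storage, which is exactly what the new architecture avoids. The guard below is an added example (not the PR's or the Hetzner tutorial's own script) of the check such a service could run. It assumes a local data directory of `/srv/nextcloud/data` and a user named `alice`; both, and the embedded `findmnt` listings, are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the PR or the Hetzner tutorial: a pre-start guard in the
# spirit of the "systemd mount verification service" described in the PR.
# Assumptions (constructed): Nextcloud data lives in a local volume under
# /srv/nextcloud/data, and for each user only files/, files_trashbin/,
# files_versions/ and uploads/ are bind-mounted from the Storage Box.

DATADIR="${DATADIR:-/srv/nextcloud/data}"

# Print the directories that must be active bind mounts for the given users.
required_mounts() {
  for user in "$@"; do
    for sub in files files_trashbin files_versions uploads; do
      printf '%s/%s/%s\n' "$DATADIR" "$user" "$sub"
    done
  done
}

# check_mounts USER... : reads mounted targets on stdin (one per line, as
# printed by `findmnt -rn -o TARGET`) and verifies that
#   1. every per-user content directory is mounted (otherwise writes would
#      land on the local disk underneath the empty mount point), and
#   2. the key directory files_encryption/ is NOT a mount (keys stay local).
# Returns 0 when all checks pass; reports each violation and returns 1 otherwise.
check_mounts() {
  mounted=$(cat)
  rc=0
  for dir in $(required_mounts "$@"); do
    if ! printf '%s\n' "$mounted" | grep -qxF -- "$dir"; then
      echo "MISSING mount: $dir" >&2
      rc=1
    fi
  done
  if printf '%s\n' "$mounted" | grep -qxF -- "$DATADIR/files_encryption"; then
    echo "UNEXPECTED mount on key directory: $DATADIR/files_encryption" >&2
    rc=1
  fi
  return $rc
}

# Constructed sample of `findmnt -rn -o TARGET` output for a healthy host.
SAMPLE_GOOD="/
/srv/nextcloud/data/alice/files
/srv/nextcloud/data/alice/files_trashbin
/srv/nextcloud/data/alice/files_versions
/srv/nextcloud/data/alice/uploads"

# Constructed sample for a broken host: uploads/ did not mount, and the key
# directory has been mounted from remote storage.
SAMPLE_BAD="/
/srv/nextcloud/data/alice/files
/srv/nextcloud/data/alice/files_trashbin
/srv/nextcloud/data/alice/files_versions
/srv/nextcloud/data/files_encryption"

# Real use, e.g. as ExecStartPre= of a oneshot service that docker.service
# is ordered After= and Requires=:
#   findmnt -rn -o TARGET | check_mounts alice bob || exit 1
```

Run from a systemd unit ordered before the Docker service, a non-zero exit keeps Nextcloud down until the mounts are fixed rather than letting it run with data in the wrong place; the second check is the one that protects the key-separation property the PR introduces.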