NextBox: Encryption!

NexBox comes with transport encryption by default. The files itself, though, are not encrypted.

  1. Nextcloud’s built-in server-side encryption seems to only encrypt the files itself, not the meta data (e.g., folder names/structure etc), is this correct? Also, on the kickstarter page, it is stated that enabling this could impact performance; is this only meant as in it takes longer to access your files since there is additional en-/decrypting involved, or are there other performance caveates?

  2. If one would opt for using the DynDNS method to access the NextBox via internet, full E2E encryption is available. Is this any different than Nextcloud’s built-in server-side encryption?

  3. In any case, I was wondering where the key to decrypt the data is stored; is it stored alongside the encrypted data on the server (which would kind of defeat the purpose, I think)? Does every client get its own key pair?

  4. Also, can one use client software or the web interface to access (and decrypt) one’s data, or do any of these options not work anymore if using any kind of encryption?

After writing up this post I think these questions are probably not so much about the NexBox than about Nexcloud, but maybe someone does know some answers or has some pointers for me! :slight_smile:

Thanks!

Hi @Tencel !

I am sorry for the delay. I will ask my colleague to reply (this and your other questions; should happen until Tuesday).

cc @daringer

Dear @szszszsz,

no worries, I did not expect immediate answers. :slight_smile:
I really hope that none of my posts’ wording is out of place. Some contain more or less critical questions, but I don’t mean them to come across offensive - I am just interested (and technically not deeply educated).

Generally, please consider my answers as possibly wrong/incomplete, because we cannot do full NextCloud support. Means, we do our best, but please consider the best source for these (very NextCloud specific) questions to be Nextcloud.

From what I know meta-data is kept inside the database (mysql/mariadb in our case) thus not encrypted. We generally do not test with full encryption activated as the Raspberry PI does not provide any hardware-enc/decryption. Means any de/encryption operation will be software bound. The impact will differ from use-case to use case but clearly be not comparable with recent x86 CPUs.

Yes it is. E2E encryption will take care that nobody can read your data during the transport. Whilst the Nextcloud encryption will mainly encrypt the data in rest (on your hard-drive) but might based on the implementation also imply the former (see other thread).

Please check: https://nextcloud.com/blog/encryption-in-nextcloud/ this addresses your questions in great details, the tl:dr; is: both is possible in general.

As far as I know there are no restrictions in usage for Nextcloud for encryption, but keep the performance impact in mind.

Tried our best, but I would really recommend the link above and also the official Nextcloud documentation: https://docs.nextcloud.com/

cheers

1 Like