Admin without Data/Password Access

Hello,

I’m thinking about setting up an ownCloud server on my Raspberry Pi. The cloud shall be used to store data from an association I’m part of.

Now there is one problem: Is it possible to ensure that the admin (my person) has no access to the stored data of other users?
E.g. data from the association’s board that I’m not allowed to see?

I’m not planning to read any data which is not for my eyes, but the board needs a solution which ensures a high level of data security.

Thanks in advance for any answers.

Hello,

Well, it depends on how you use ownCloud.

With masterkey encryption an admin (having access to the key) could access the data since only one key encrypts all the data of all the users.

With user key encryption I guess an admin could manage to get access, but I’m less knowledgeable on this encryption type.

I’d suggest you read this documentation about ownCloud’s encryption. I remember the documentation of ownCloud was pushing more to choose the masterkey encryption back then. To me it’s actually the easiest one, mostly for the customer support (losing a password becomes a hell).

Last but not least, if you want to be sure that you can’t read the data of your users, they should use client-side encryption (for example PGP). There is an app in ownCloud but it’s not free. You can do it on your own, but sharing and stuff like that would be complicated.

Choose wisely before setting up encryption, and which encryption suits your needs.

Cheers.

2 Likes

If you want to be absolutely sure that the admin can’t read a user’s files, the user will have to set up their own encryption on the client side. I’ve set up a cryfs vault for my data on the client and only sync the encrypted data to the server. Please use your own common sense while evaluating this solution (I think cryfs hasn’t been audited yet), and support for your OS might not be available.

2 Likes

Alternatively, you could use ownCloud as a proxy of an external storage. You can set up an external storage SFTP with password saved in session. Proper access to the external storage is ensured by the storage itself, so as long as you use different accounts it should work.

Note that some parts of ownCloud may not work properly because ownCloud might not be able to access the other user’s account password (sharing won’t work properly in the external storage for this reason).

That’s the free alternative. For enterprises (paid) you can use the Windows Network Drive app, which comes with more authentication options for the external storages, aiming to solve the problem above.

3 Likes