Few questions about encryption app

doc_answered
encryption
help

#1

Hi. we are thinking of turning on the encryption app to encrypt the date. I have a few questions I cant work out by reading the docs or googeling. .

Firstly does it use a lot of CPU, twice as mutch, four times?...

Secondly if we turn on the encryption app on does it encrypt new date only or everything existing. If it only encrypts new data is there a way to encrypt existing date.

Thirdly am I correct if thinking the forgot password feature/reminder does not work as I read if the user looses there password they cant access there date?

Lastly reeding between the lines it seems the encription app needs enabeling on a per user basis, is this correct. Is it set to disables by default.

Regards,
Ben


#2

Hi Ben,

you may consult the documents about encryption at https://doc.owncloud.org/server/9.1/admin_manual/configuration_files/encryption_configuration.html.

I'm not using ownClouds encryption at the moment. To get started with it you should set up a test system to try out your use case.

Regards
Timm


#3

It is not possible to answer this. You need to set up a test system as advised by @timm2k which is matching your live system and test the difference.

This is answered in the linked encryption documentation (Hint: occ encryption:encrypt-all)

This is answered in the linked encryption documentation (Hint: Enabling Users File Recovery Keys)

This is wrong. Encryption is enabled globally for all users but can be enabled only for specific external storages.


#4

Some general thoughts:
When you consider encryption I recommend that you start with thinking why you want it. From which attack vector do you want to protect yourself? There is the user based encryption with password as key, there is the global encryption key and if you want you could also use an already existing encryption key mechanism which you have in your organization.
Alternatives are file system level encryption - or various end-to-end encryption tools which can be used for selected data and come with their own challenges.
In any case the disadvantage of handling forgotten passwords (with enabled master key, otherwise only with an additional retention backup) needs to be balanced with the risk of the attack vector for your data.

Always like to learn about the attack vectors people see and like to use encryption for, so if you post that - I would welcome it.


#5

We are a small voluntary organisation. We are trying to work out if we need to by a new server. We just trying to get a general idea as too how mutch extra CPU encryption would take, just a very rough idea. If we were a large company we would get a second machine and spend time doing exhaustive performance tests but we are not. Buying a second computer just to get a rough answer to the question is not really an option. I had to fight to get thew budget for the one we have.


#6

Hi,

sorry its just not even possible to give "rough" numbers. That depends on so many factors where where answering the question is just not possible.


#7

Btw. before enabling encryption or planning to enable encryption please read AND understand the following:

Encryption keys are stored only on the ownCloud server, eliminating exposure of your data to third-party storage providers. The encryption app does not protect your data if your ownCloud server is compromised, and it
does not prevent ownCloud administrators from reading user’s files. This would require client-side encryption, which this app does not provide. If your ownCloud server is not connected to any external storage services then
it is better to use other encryption tools, such as file-level or whole-disk encryption.
https://doc.owncloud.org/server/9.1/admin_manual/configuration_files/encryption_configuration.html

If you don't use external storages like Dropbox or Google Drive you even don't need to think about enabling encyrption.


#8

Interesting, so how does it help security?


#9

Hi,

this is again explained at the linked documentation:

The primary purpose of the ownCloud server-side encryption is to protect users’ files on remote storage, such as Dropbox and Google Drive, and to do it easily and seamlessly from within ownCloud.

To sum-up:

The encryption app is protecting your files if you're using external storages from the external storage provider but won't protect it from a local administrator.


#10

Thanks, mutch apreciated.


#11

See also this shiny new FAQ concerning the encryption topic:


#12

Hi,

i'm actually runinng OC 8.2.5 on ubuntu server needs to deny administrator to look into user data (/var/www/html/owncloud/data) from server.So any suggestions??

Thanks in advance,
Walter


#13

Use client-side encryption as explained in https://doc.owncloud.org/server/9.1/admin_manual/configuration_files/encryption_configuration.html


#14

Hi,

Sorry i didn't find much data on client side encryption in the provided link.. Any other info plzz

Thanks,
Walter


#15

I'm closing here as the questions of the OP are answered.


#16