[💡 Guide] How to move Nextcloud to an encrypted volume

3246

Hi folks, I am playing with Nextcloud some more and wanted to move an app to an encrypted volume without the root volume being encrypted. Please see my other post on how to encrypt the entire Cloudron. I'm sharing this with you in case you find it useful and look forward to your comments.

*** This guide comes without warranties and is not supported by Cloudron - Caveat emptor! ***

Step 1: Install cryFS

See https://www.cryfs.org/tutorial for more details on this awesome Open Source project. I have chosen it because of how easy and lightweight it is. Let me know which other ways you have tried or can recommend.

sudo apt update && sudo apt install cryfs

Step 2: Create a folder and mount it

In this example, I am creating the place where the data is actually stored in /root/baseDir and mount it to /mnt/nextcloud

You can choose what ever suits your needs and if the baseDir folder is not already in existence it will prompt you to have it created.

sudo cryfs /root/baseDir /mnt/nextcloud -o allow_other

Step 3: Create a sub-folder to store your data in

The reason for this is because we cannot set permissions the way we need to on the mount's root folder.

sudo mkdir /mnt/nextcloud/data && sudo chown -R yellowtent:yellowtent /mnt/nextcloud/data

Step 4: Add the volume to Cloudron

https://your.cloudron.cloud/#/volumes

Then add your volume using the 'Filesystem' mount type and full path to /mnt/nextcloud/data

Step 5: Move your Nextcloud app's data directory

Go to Settings, then Storage for your app and select the volume we created from the dropdown. Hit move and get yourself a cup of tea

Notes:

• Content will be included in your backups
• You will manually need to mount this volume using the same command as in Step 2 when you restart your Cloudron!
• This will not protect you from anyone who has root access to your server or to your Nextcloud app. It just encrypts data at rest.
• Make sure to stop the Nextcloud app before you reboot and disable automatic reboots

Let me know what you think about this approach and how you keep your Nextcloud secure

robi

@3246 said in [ Guide] How to move Nextcloud to an encrypted volume:

You will manually need to mount this volume using the same command as in Step 2 when you restart your Cloudron!

Perhaps improve Step 2 with fstab automounting

3246

@robi that's an idea, although I think it is somewhat insecure to automatically mount the encrypted volume

robi

@3246 does it ask for a key/passphrase?

3246

@robi yup. I need to paste in a password to decrypt.

robi

@3246 right, then it's more about key management than convenience, and what you're actually preventing.

If the idea is to protect from offline data theft and disk imaging, then it's less relevant if it's (auto)mounted or not.

As long as it's online & mounted, it's readable.

Thanks for the great guide!

3246

@robi you are welcome, glad you found it useful and thanks for your feedback.

I want to prevent unauthorised access to the volume when the server is offline as well as somebody who might take the server out of its rack and boot it. If the volume automatically mounts, they have full access to the data if they can circumnavigate the login cough recovery mode cough

That's covering for physical access to the machine, in what likely would be a read-only, forensic access scenario by a 'bad' actor. In my case, it's a virtualised server, so not as likely to matter, unless they move the VM to a dedicated slice to get busy with it.

Granted, this is somewhat unlikely but being paranoid is better than being sorry

I am in the UK and storing professional data abroad (in nasty Europe no less - just kidding!) means encryption can cover the requirements nicely (as far as I know - I am not an expert in that field, so somebody please correct me if I'm wrong).