Posting this here as it applies to everything on your Cloudron, not just Nextcloud.
I love Nextcloud and struggled to find a solution that keeps my data at rest and secure specifically for the app. The easy option is to just encrypt the whole installation medium of your Cloudron, not just Nextcloud.
On bare metal or virtual machines in your home server, this is easy as pie while you install a fresh machine. In the cloud that can often prove a challenge.
I found a super easy way I wanted to share with you using Hetzner's Install Image tool:
- Create a fresh cloud server
- Reboot it into the rescue system (be sure to note or reset a root password)
- Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)
https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption
- When you log in, you log in to a temporary SSH session that allows you to decrypt the medium. That can be done via your terminal app of choice or the Hetzner KVM virtual console. Enter
cryptroot-unlock
and your password.
You will need to do this every time your box restarts! If it automatically reboots after updates or due to an error, you should set up a remote alert (e.g. an uptime monitor).
- Once you have unlocked the drive, your box will automatically carry on and close your SSH session. So don't be surprised that you have to log in again.
I hope you found this nugget of info useful and I'd love to hear how you roll your own Cloudron.
PS: You will not need to install any encryption-related apps in Nextcloud. Your data is already safe at rest now.
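One way to build the remote alert mentioned in the unlock step, as an added example that is not part of the original post: a probe, run from a second machine, that reads the SSH greeting to tell "waiting for `cryptroot-unlock`" apart from "booted" and "down". It assumes the temporary unlock session is served by Dropbear and the installed system by OpenSSH; the script name, function names and exit codes are made up for this example.

```python
#!/usr/bin/env python3
"""Classify a host as locked / unlocked / down from its SSH banner."""
import socket
import sys


def classify_banner(banner: str) -> str:
    """Map an SSH identification string (RFC 4253, section 4.2) to a state."""
    parts = banner.strip().split("-", 2)  # SSH-<proto>-<software> [comments]
    if len(parts) != 3 or parts[0] != "SSH":
        return "unknown"
    software = parts[2].lower()
    if software.startswith("dropbear"):
        return "locked"    # assumption: Dropbear runs only in the initramfs
    if software.startswith("openssh"):
        return "unlocked"  # assumption: the installed system runs OpenSSH
    return "unknown"


def probe(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect, read the server's greeting and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(512)
    except OSError:  # refused, unreachable or timed out
        return "down"
    # A server may send other lines before the identification string.
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("SSH-"):
            return classify_banner(line)
    return "unknown"


EXIT_CODES = {"unlocked": 0, "locked": 1, "down": 2, "unknown": 3}

if __name__ == "__main__":
    # Usage: check_unlock.py HOST [PORT]; run it from a second machine via cron
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    state = probe(host, port)
    print(f"{host}:{port} is {state}")
    sys.exit(EXIT_CODES[state])
```

A non-zero exit code can drive whatever notification your monitoring already sends; exit code 1 specifically means the box has rebooted and is waiting for the passphrase.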