Support for encrypted USB drives (LUKS) #1372

Open
wants to merge 2 commits into
base: master

thomasheller
Contributor

@thomasheller thomasheller commented Oct 31, 2021

This feature allows formatting an external USB drive using cryptsetup for LUKS encryption, to store the Nextcloud data directory and Nextcloud database securely.

Workflow:

  • Format attached USB drive using nc-luks-format (if it's not already a LUKS-encrypted drive)
  • Open the encrypted container using nc-luks-open (password not stored for security reasons)
  • Enable nc-automount to mount the LUKS partition
  • Move Nextcloud data directory to USB drive using nc-datadir
  • Move Nextcloud database to USB drive using nc-database (optional)
  • Optionally, if you need to detach the USB drive without shutting down the system, use nc-luks-close

Limitations:

  • nc-luks-close cannot unmount the LUKS partition automatically if the Nextcloud database is stored there (You need to move the database back to the original unencrypted location or stop the database server manually)
  • nc-luks-format is not included in the setup wizard

Notes:

  • After rebooting, you need to run nc-luks-open again, because the password is not stored for security reasons. (Until then, you will see the following error message in the Nextcloud frontend: "Error Your data directory is invalid Ensure there is a file called .ocdata in the root of the data directory." or "Internal Server Error" if you also moved the database to the encrypted drive)

If you have any suggestions for improving this PR, feel free to comment. 🙂
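
The workflow and the reboot note in the comment above imply two checks: whether a drive already carries a LUKS header before formatting it, and whether the data directory is usable after a reboot. The following is an added example, not code from this PR or from NextCloudPi; the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: pre-format and post-reboot checks for the workflow above.
# Function names are hypothetical, not NextCloudPi commands.

# Print the LUKS on-disk version (1 or 2) if the device or image starts with
# a LUKS header; return 1 otherwise. The header begins with the 6-byte magic
# "LUKS" 0xBA 0xBE followed by a big-endian 16-bit version.
luks_version() {
  hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$hdr" in
    4c554b53babe0001) echo 1 ;;
    4c554b53babe0002) echo 2 ;;
    *) return 1 ;;
  esac
}

# Refuse to format something that already holds a LUKS container.
safe_to_format() {
  if v=$(luks_version "$1"); then
    echo "refusing: $1 already has a LUKS$v header" >&2
    return 1
  fi
  return 0
}

# After a reboot the data directory is only valid once the container has
# been opened and mounted; Nextcloud looks for the .ocdata marker in its root.
datadir_state() {
  if [ -f "$1/.ocdata" ]; then
    echo ready
  else
    echo locked-or-missing
  fi
}

# Constructed sample: a temp file carrying only a LUKS2 magic and version.
img=$(mktemp)
printf 'LUKS\272\276\000\002' > "$img"
safe_to_format "$img" || echo "format skipped for $img"
rm -f "$img"
```
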

@nachoparker
Member

nachoparker commented Nov 1, 2021

Awesome, I really appreciate this, as this is something I have long wanted to implement.

I also considered LUKS, but then decided on folder-only encryption. See the first implementation here 550ade9. I am adding more complete support now (for nc-datadir, and btrfs snapshot support, and eventually also database).

I decided that I don't think it's necessary to encrypt the whole disk, since it brings some complications. When you reboot an nc-encrypt'ed instance, you will be prompted for a password to unlock.


Given all that, I am not sure if there's still a case for LUKS or if there will be too much overlap and it won't be worth maintaining both approaches.

It is much easier to use the directory encryption approach (vs full disk encryption) for instances like VMs or docker or anything where the data is in the same logical disk as the OS, since unlocking a root partition with LUKS is awkward and doesn't lend itself to being used in containers.

@kojid0

kojid0 commented Dec 6, 2021

Using Docker, I prefer the approach of @nachoparker because I see more hurdles having full disk encryption.
