Selectively encrypt files/folders #375

Closed
totalcaos opened this issue Jul 12, 2016 · 12 comments
Labels
0. Needs triage (Pending check for reproducibility or if it fits our roadmap); enhancement; feature: encryption (server-side)

Comments

@totalcaos

From what I know, the server side encryption encrypts all the data on the NC server. I was wondering if there is a way to only encrypt certain folders/files.

Use Case:
The nc instance acts as a general cloud based file share and collaboration tool for my users. Most of the data is internal company documents, not sensitive enough to justify encrypting or the overheads associated with encrypting everything.
However some of the teams/users deal with customer data and hold private information within the documents. I would like these files/folders encrypted as a precaution.

Note: The files are stored on a NAS (external storage).

Is this possible?

@MorrisJobke
Member

Selective encryption is currently only possible based on mount points (of external storage). That means that you could separately encrypt all mount points that are created with files_external app.

@MorrisJobke
Member

cc @schiessle

@MorrisJobke MorrisJobke added enhancement feature: encryption (server-side) 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jul 12, 2016
@totalcaos
Author

@MorrisJobke @schiessle As a workaround, that is something that could work in the short term if there are only a few folders that need the "special treatment".
In my use case it will end up quite cumbersome to use in production; too many clients/projects to be feasible :(

@rullzer
Member

rullzer commented Jul 15, 2016

Why then not just encrypt everything? To be on the safe side.

Because per directory settings will get messy.

@totalcaos
Author

Encrypting everything will involve encrypting multiple gigabytes of non-sensitive data, that I must hold for archival purposes and the overheads with dealing with not only the encryption of the data but also managing keys, transferring files once the temp workers leave.

There is also a matter of scale. I would need to encrypt multiple gigabytes of non-sensitive data to protect a couple of hundred megabytes of sensitive data.

@MariusBluem MariusBluem changed the title from "Feature Request: Selectively encrypt files/folders" to "Selectively encrypt files/folders" Jul 28, 2016
@mightyBroccoli

I am not sure if my issue fits the topic but in my case I would like to encrypt an external source like Google Drive but not everything else, so I can maintain my data security even though using external storage space.

@OdinsAuge

I'd also be glad to have that feature. I have several folders on the root level of my cloud and I'd like to enable encryption, but there is one folder that has to stay unencrypted.
The data is located on a NAS and the files of this folder get read (only read, not written) by an application of the NAS.

@schiessle
Member

> I am not sure if my issue fits the topic but in my case I would like to encrypt an external source like Google Drive but not everything else, so I can maintain my data security even though using external storage space.

That's possible. In the encryption section of your admin settings you can exclude the home storage from encryption. This means that all local files in data/user/files will not be encrypted. Then you can configure in the external storage settings your external storage (e.g. your gdrive) to be encrypted.

We will not provide a general per-folder encryption. While this sounds convenient at first sight, this creates a lot of problems. E.g. think about moving a large file or a folder with many (large) files from an encrypted folder to a non-encrypted folder, or the other way around. This could take extremely long, because we would need to encrypt/decrypt every file, your server could run into timeouts, etc.

@HLFH
Contributor

HLFH commented Dec 21, 2016

@schiessle Couldn't we be able to create - in the future - some encrypted (password protected) zip files and then, be able to decrypt them with this kind of stuff https://github.com/defuse/php-encryption and this class?

@mschoenebeck

I'm also interested in this feature. I want it so bad that I think about trying to implement it on my own based on encfs. Would it make sense to implement this functionality as an app for nextcloud?

@mikaelmantel

Hello, any news on this feature? Because e2ee is not ready for production, and I don't want to encrypt all my data, just a subset.

@etnepresli

etnepresli commented Apr 19, 2020

Hi. It is not exactly selective but it is possible to have encrypted and unencrypted files on a nextcloud server. @schiessle already stated how in his post from December 2016, but I will elaborate it a bit more since I did also not get it the first time I read it.

  1. Activate external storage (in Apps)
  2. Create a new local folder in the filesystem (like in this guide: https://docs.nextcloud.com/server/18/admin_manual/configuration_files/external_storage/local.html) which will be the "external storage" (external in this case means not inside the default nextcloud datafolder, but still local on the server).
  3. Configure this local folder in the GUI under external storage and check that the type is "local". You can name it "ENC" or "SAFE" or whatever since you will use this folder only for the sensitive stuff which will be encrypted.
  4. Activate server-side encryption (see https://docs.nextcloud.com/server/18/admin_manual/configuration_files/encryption_configuration.html#enabling-encryption)
  5. Make sure that you UNCHECK the "Encrypt the home storage" option, so only the "external storage" will be encrypted (you will have to log out and in again before you see the option).
  6. Now you can have your normal folders inside Nextcloud (which will NOT be encrypted) and as soon as you have some sensitive data just put it in the ENC/SAFE folder and they will be encrypted right away.
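
An added example, not part of the thread or of Nextcloud's code: a check an admin can run on the server after the setup described in the two comments above (home storage excluded, one external mount encrypted) to confirm what is actually encrypted at rest. It relies on the `HBEGIN:` ... `:HEND` header that Nextcloud's default server-side encryption module writes at the start of each encrypted file; the directory names and sample files in `demo()` are constructed.

```python
import os
import tempfile

HEADER_START = b"HBEGIN:"
HEADER_END = b":HEND"
HEADER_READ = 8192  # the default module pads its header block to this size


def parse_sse_header(path):
    """Return the header fields as a dict, or None if the file has no SSE header."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_READ)
    end = head.find(HEADER_END)
    if not head.startswith(HEADER_START) or end == -1:
        return None
    parts = head[len(HEADER_START):end].decode("ascii", "replace").split(":")
    # Fields are alternating key:value tokens, e.g. cipher:AES-256-CTR
    return dict(zip(parts[0::2], parts[1::2]))


def audit(root, expect_encrypted):
    """List files under root whose on-disk state contradicts the expectation."""
    mismatches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if (parse_sse_header(path) is not None) != expect_encrypted:
                mismatches.append(os.path.relpath(path, root))
    return sorted(mismatches)


def demo():
    """Constructed sample tree: an 'ENC' mount directory and a home storage directory."""
    base = tempfile.mkdtemp()
    enc, home = os.path.join(base, "ENC"), os.path.join(base, "home")
    os.makedirs(enc)
    os.makedirs(home)
    hdr = b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:HEND"
    with open(os.path.join(enc, "customer.ods"), "wb") as fh:
        fh.write(hdr.ljust(HEADER_READ, b"-") + b"\x00ciphertext-placeholder")
    with open(os.path.join(enc, "leak.txt"), "wb") as fh:
        fh.write(b"plaintext written directly to disk")  # no header: flagged
    with open(os.path.join(home, "memo.txt"), "wb") as fh:
        fh.write(b"internal memo")
    return audit(enc, True), audit(home, False), parse_sse_header(os.path.join(enc, "customer.ods"))


if __name__ == "__main__":
    print(demo())
```

On a real server, call `audit()` with the local directory backing the encrypted mount and `expect_encrypted=True`; any path it returns is stored in plaintext.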
