Hi Björn,
Your explanation is clear to me.
I have my data and OC on the same webserver as where our website can be located.
My website administrator can access all files and folders.
With no encryption he/she and everyone else who gets access can immediately
download and read all files.
With encryption I have a simple lock on the data. It prevents easy direct
opening and reading. Some effort and decryption knowledge is needed to do that.
I'll keep the encryption on.
Thanks, best regards,
Henk
---------------------------------------------------
Hi Henk,
On Mon, 4 Aug 2014 16:21:09 +0200 Henk wrote:
> Thanks to Leonardo, this is a very useful report.
> At OC I'm missing a good description of the security model and the
> possible risks. Is there any OC document on this issue?
The user documentation talks about the use case for
server-side-encryption, see
http://doc.owncloud.org/server/7.0/user_manual/files/encryption.html
> a.. How secure is my data?
> b.. Where are the risks?
> c.. How can I improve the security?
> d.. Does the OC encryption solve any security issue at all?
> e.. What are the risks of the user password recovery system?
> Where at OC can I find the answers?
The main point you always have to keep in mind is that we are talking
about server-side-encryption. This means if someone gets control over
your server he can crack your encryption. But that's more or less
obvious for server-side-encryption. As described in the document
mentioned above: The main use case for server-side-encryption is that
you have a setup with two or more servers. One server runs your ownCloud
and a different server provides the storage. In this scenario
we assume that you trust the ownCloud server admin (maybe because it is
you) but you don't trust the storage provider (maybe because it is
Amazon, Google, Apple,...). In this case you can use
server-side-encryption to make sure that the storage provider can't
read your data.
> Could these security issues somehow be put together in a chapter in
> the Administrators Manual, maybe with references to good publications
> elsewhere that cover the ownCloud situation?
I agree that the documentation could provide more details. We will work
on it.
Cheers,
Björn
--
Björn Schießle <[email protected]>
Software Developer
ownCloud GmbH - www.owncloud.com
Your Data, Your Cloud, Your Way!
ownCloud GmbH, GF: Markus Rex, Holger Dyroff, Frank Karlitschek
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
----- Original Message -----
From: "Bjoern Schiessle" <[email protected]>
To: <[email protected]>
Sent: Monday, August 04, 2014 4:47 PM
Subject: Re: [owncloud-user] [Fwd: ownCloud Unencrypted Private Key Exposure]
> _______________________________________________
> User mailing list
> [email protected]
> http://mailman.owncloud.org/mailman/listinfo/user