Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

S3 as primary storage encryption security #17561

Closed
FlorentCoppint opened this issue Oct 16, 2019 · 16 comments
Closed

S3 as primary storage encryption security #17561

FlorentCoppint opened this issue Oct 16, 2019 · 16 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap feature: encryption (server-side) security

Comments

@FlorentCoppint
Copy link
Contributor

Hi,

When we set-up Nextcloud 17 with S3 as primary storage and we enable encryption, the encryption keys are stored on the S3 space.

What is the point of encrypting files on an unsecure place, and storing the encryption key at the same place ?

Will it be fixed ? Is there a workaround about this ?

Thank you.
Flo
@FlorentCoppint
Copy link
Contributor Author

Nobody is concerned about this issue ? "S3 as primary storage" is supposed to be an "enterprise solution" ...

@FlorentCoppint FlorentCoppint mentioned this issue Oct 18, 2019
Closed
@Nils160988
Copy link
Contributor

As pointed out in the documentation, serverside encryption does not prevent users' files from access by nextcloud administrators.
If you do not trust S3 (and its administrators/organisation), you should not place your primary storage there.

So: This is intentional behavior and no bug, I think.
At least, that has been my understanding. So better only use S3 as additional storage then.

@FlorentCoppint
Copy link
Contributor Author

FlorentCoppint commented Oct 18, 2019
edited
Loading

I agree it's not a bug, I didn't tag it.
Maybe we could imagine storing encryption keys on the Nextcloud server itself, and only encrypted data on S3. Or make it an option...
S3 as additional storage is not as easy to use for users, compared to primary storage (configured by Nextcloud admin)

@Miaourt
Copy link

Miaourt commented Oct 18, 2019
edited
Loading

What the...
I must agree I would be worried if using S3 mean giving keys to my file to S3 suppliers.

I trust myself and my server, but I don't trust Amazon or any S3 provider.

Encrypting the file is a way for me to have them securely stored and unreadable by thirds party, while still having their quite useful "unlimited capacity".

We should have a way to define where we want to store the keys imho, either on the database or on a federated configuration server if sharing the key is the point of this config

This make encryption a non feature in this case, what's the point of having a lock if the key is in the keyhole??

@llebout
Copy link

llebout commented Dec 16, 2019

Very poor security design here. I am shocked.

@jmthackett
Copy link

I'm looking at this too and pretty confused for the same reasons as others. I'd like to be able to store the key in either the database, or a specific filesystem location.

@samzehnder
Copy link

samzehnder commented May 13, 2020
edited
Loading

I have not verified it, but have a look here, keys are encrypted with secret found in instance-config...

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Aug 20, 2020
@szaimen
Copy link
Contributor

szaimen commented Jun 8, 2021

cc @nextcloud/security any feedback on this? Sounds like a bad security design to me. If not, please close this issue.
The rest is tracked in #22077

@J0WI J0WI mentioned this issue Jul 6, 2021
Closed
@ghost ghost added stale Ticket or PR with no recent activity and removed stale Ticket or PR with no recent activity labels Jul 8, 2021
@ghost ghost added stale Ticket or PR with no recent activity and removed stale Ticket or PR with no recent activity labels Aug 7, 2021
@ghost ghost added stale Ticket or PR with no recent activity and removed stale Ticket or PR with no recent activity labels Sep 6, 2021
@Miaourt
Copy link

Miaourt commented Sep 6, 2021

botbump

@ghost ghost added the stale Ticket or PR with no recent activity label Oct 6, 2021
@ghost ghost closed this as completed Oct 20, 2021
@SimplyCorbett
Copy link

Why are legitimate issues being closed by your bots?

If you cant fix it you cant fix it but don't mark these issues as closed.

@sebastiansterk
Copy link
Member

sebastiansterk commented Aug 21, 2022
edited
Loading

cc @nextcloud/security any feedback on this? Sounds like a bad security design to me. If not, please close this issue. The rest is tracked in #22077

@nextcloud/security can you please have a look into this issue and provide any feedback if it is really a bad security design or not? Thanks!

@nextcloud-command nextcloud-command removed stale Ticket or PR with no recent activity needs info labels Aug 22, 2022
@lkthomas
Copy link

As pointed out in the documentation, serverside encryption does not prevent users' files from access by nextcloud administrators. If you do not trust S3 (and its administrators/organisation), you should not place your primary storage there.

So: This is intentional behavior and no bug, I think. At least, that has been my understanding. So better only use S3 as additional storage then.

I am totally disagreed on this, do you leave your key at the door lock and hope no one going to break in? What is the logic behind?

I want to confirm this after near 3 years of this ticket being opened: Does S3 encryption key still store in S3 space?

@sebastiansterk
Copy link
Member

AFAIK yes the encryption keys are still stored in the S3 bucket.

@czqrny
Copy link

czqrny commented Jul 11, 2023

Another year and couple of months later encryption keys are still stored in the S3 bucket, despite a very clear warning in the official documentation.

I checked it on version 26.0.3

image

@Hex4919
Copy link

Hex4919 commented Jul 11, 2023

Another year and couple of months later encryption keys are still stored in the S3 bucket, despite a very clear warning in the official documentation.

I checked it on version 26.0.3

image

tbh I currently don't really understand why there is no option to store the key on the Nextcloud host, so Files are not readable for the external storage provider...
This seems like the main use-case of this feature to me.

@joshtrichards
Copy link
Member

joshtrichards commented Aug 22, 2023
edited
Loading

the encryption keys are stored on the S3 space.\n\nWhat is the point of encrypting files on an unsecure place, and storing the encryption key at the same place ?\n\nWill it be fixed ? Is there a workaround about this ?

Warning

If you have evidence of a legitimate security matter, please report it through the appropriate channel (noted at the end of this message).

This thread seems to be driven by a misunderstanding over terminology. Unless I'm missing something it's creating unnecessary panic.

Please read the encryption details document or at least ask questions to clarify understanding before jumping to conclusions.

Unfortunately some earlier more formal responses might have prevented a vacuum of misunderstanding from continuing - or at least turned this into a more productive conversation. Alas, people get busy and this is an open source project so you either have to be patient or look for yourself (or pay Nextcloud GmbH if you need a personalized and timely response).

The other reason probably for a lack of a response here is because there is already an appropriate channel for bringing up legitimate security vulnerability concerns. That is fairly typical for any large project these days. This is not that channel.

With that out of the way...

I am in no way speaking for anyone or officially or for any organization, but I'll give this a shot...

So: There is a hierarchy of keys and key files.
All of the intermediate key files are encrypted. They themselves can't be decrypted without knowledge of the private keys (think of the private keys as the top of the hierarchy). The private keys are the actual decryption "keys" and they're not stored in the remote object store. The specifics vary a bit depending on whether you're using a master key (the default these days) or per-user keys, but the gist is the same.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_details.html#file-type-private-key-file

You can even see where what most people are thinking of as the actual keys are stored (or derived from) here:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_details.html#derive-the-decryption-key

P.S. Any evidence to the contrary should not be reported here, but through the appropriate channel for security matters:

@nextcloud nextcloud deleted a comment Sep 2, 2023
@nextcloud nextcloud deleted a comment Sep 2, 2023
@nextcloud nextcloud deleted a comment Sep 2, 2023
@nextcloud nextcloud deleted a comment Sep 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap feature: encryption (server-side) security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests