This repository has been archived by the owner on Feb 20, 2019. It is now read-only.

Document in which cases only master key encryption will work (or is suggested) #4179

Closed
mmattel opened this issue Jun 1, 2018 · 22 comments

Comments

@mmattel
Contributor

mmattel commented Jun 1, 2018

Refs:

#3464 (Draft OAuth2 Documentation)... when using OAuth2 and Shibboleth

#4169 (Create encryption_configuration_quick_guide.rst)

The Shibboleth Doc?

Other places?

@settermjd
Contributor

@mmattel, is this still required?

@mmattel
Contributor Author

mmattel commented Jun 6, 2018

We have to check if the text in the main encryption document contains notes about restrictions or, better to say, impacts on the decision to other apps.

@settermjd
Contributor

Would you or @voroyam mind sorting that out?

settermjd removed their assignment Jul 2, 2018

@voroyam
Contributor

voroyam commented Jul 5, 2018

I have rewritten the current document for the encryption. Many things were dropped as a result.

@mmattel can you tell me exactly what you are looking for?

I am unaware of limitations that would only work with master key.

Also this might be an unnecessary pursuit because user key will become deprecated in the future.

Or am I wrong in this issue?

@voroyam
Contributor

voroyam commented Jul 12, 2018

@mmattel ^

@mmattel
Contributor Author

mmattel commented Jul 13, 2018

> because user key will become deprecated in the future.

@voroyam @PVince81
can you clarify this please before we continue on that issue?
no / yes / when etc...

@PVince81
Contributor

so far we only changed the priority as shown in the UI: master key appears first, user-key next.
from what I see we already swapped the sections in the docs https://doc.owncloud.org/server/10.0/admin_manual/configuration/files/encryption_configuration.html?

we might deprecate it in the future but there are no concrete plans for that @pmaier1

@voroyam regarding limitations, it seems not all are documented in the page above.
Some other known limitations:

@cdamken do you remember the other ones ?

@voroyam
Contributor

voroyam commented Jul 16, 2018

> from what I see we already swapped the sections in the docs

Ye, I swapped them after writing the quick guide.

> regarding limitations, it seems not all are documented in the page above.

What I don't know I can't write :)

If @cdamken or someone else points me in the right direction, I could write up the limitations.

@PVince81
Contributor

I went through the current tickets in core and only found owncloud/core#16332 as a limitation.

There's another one I remember, it's that if you use user-key encryption with external storages, if the admin adds new users to an existing system-wide external storage (aka admin defined external storage) they also cannot decrypt the files. This is very similar to the group sharing one.

@pmaier1
Contributor

pmaier1 commented Jul 25, 2018

> we might deprecate it in the future but there are no concrete plans for that @pmaier1

We are still discussing. As user-based storage encryption does not provide a real-world benefit (except obscurity maybe) but creates a lot of problems and might even let inexperienced people think they're secure while they aren't (!) we will deprecate and remove it sooner or later, yes.

Some more input that came up to my mind:

  • OnlyOffice can only deal with master-key encryption
  • When having data shared with a group and group membership changes after the share is established, subsequently added users will not be able to open the shared data unless the owner will share it again
  • Impersonate can only deal with master-key encryption

@PVince81
Contributor

@pmaier1
Contributor

pmaier1 commented Jul 31, 2018

  • search_elastic won't work with user-key encryption.

@voroyam
Contributor

voroyam commented Aug 6, 2018

@PVince81 where do you think these warnings should be added?

I suppose somewhere on this page, right? But where?

https://doc.owncloud.org/server/10.0/admin_manual/configuration/files/encryption_configuration.html

@mmattel
Contributor Author

mmattel commented Aug 6, 2018

one thing is popping up:
https://doc.owncloud.org/server/10.0/
why is this not latest?
https://doc.owncloud.org/server/latest/
I thought we have fixed all 10.0 -> latest links

@PVince81
Contributor

PVince81 commented Aug 6, 2018

@voroyam sounds good, because this is also where an admin would make a choice what encryption type to use, so it's good to mention the limitations there as well.

@mmattel separate ticket please. Both pages look the same to me.

@PVince81
Contributor

@settermjd
Contributor

@mmattel, is this still actively in progress?

@mmattel
Contributor Author

mmattel commented Sep 7, 2018

There is still no content created which is imho a must to give admins advice and limitations. I am not an encryption expert, I just highlighted the case as I see the issues/discussions/notes

@voroyam
Contributor

voroyam commented Sep 7, 2018

If @PVince81 or/and @pmaier1 estimate that the cases are enough to document I can document them in the encryption document.

@PVince81
Contributor

PVince81 commented Sep 7, 2018

@voroyam I think the current list is enough for now, thanks

@voroyam
Contributor

voroyam commented Sep 7, 2018

Okay, what's left to figure out is the place and wording.

I have a draft here, please review @PVince81 @pmaier1 @mmattel @settermjd

owncloud/docs#70

@settermjd
Contributor

Closing as the implementing PR has been merged.
