[Pkg-owncloud-commits] [owncloud-doc] 23/40: update encryption page for master/8.2

David Prévot taffit at moszumanska.debian.org
Thu Dec 17 19:22:16 UTC 2015


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to annotated tag v8.2.2RC1
in repository owncloud-doc.

commit 8ba2a6bbb6bb0cc4734092f984d9ede895c45b7a
Author: Carla Schroder <carla at owncloud.com>
Date:   Thu Dec 3 16:53:36 2015 -0800

    update encryption page for master/8.2
    
    Conflicts:
    	admin_manual/configuration_files/encryption_configuration.rst
    	admin_manual/images/encryption1.png
    	admin_manual/images/encryption3.png
---
 .../encryption_configuration.rst                   | 196 +++++++--------------
 admin_manual/images/encryption1.png                | Bin 12827 -> 12135 bytes
 admin_manual/images/encryption10.png               | Bin 22921 -> 21821 bytes
 admin_manual/images/encryption3.png                | Bin 20160 -> 46034 bytes
 4 files changed, 59 insertions(+), 137 deletions(-)

diff --git a/admin_manual/configuration_files/encryption_configuration.rst b/admin_manual/configuration_files/encryption_configuration.rst
index 2865dc2..474ccd4 100644
--- a/admin_manual/configuration_files/encryption_configuration.rst
+++ b/admin_manual/configuration_files/encryption_configuration.rst
@@ -2,31 +2,25 @@
 Encryption Configuration
 ========================
 
-If you are upgrading from ownCloud 8.0, and have encryption enabled, please see 
-:ref:`upgrading_encryption_label` (below) for the correct steps to upgrade your encryption. 
+The primary purpose of the ownCloud server-side encryption is to protect users' 
+files on remote storage, such as Dropbox and Google Drive, and to do it easily 
+and seamlessly from within ownCloud.
 
-In ownCloud 8.1 and up the server-side encryption has a number of changes and 
+In ownCloud 8.2 the server-side encryption has a number of changes and 
 improvements, including:
 
-* When encryption is enabled, all files are no longer encrypted at user's first 
-  logins because this causes timeouts on large installations. Instead, only 
-  files that are created or updated after encryption has been enabled are 
-  encrypted.
-
-* The "decrypt all" option in the Personal settings has been removed, also for 
-  performance reasons.
-
-* A new option for users to enable/disable encryption on a per mount-point 
-  basis.
-  
-* The option to choose from multiple encryption modules.
+* An option to create a master encryption key, which replaces all individual 
+  user keys. This is especially useful for single-sign on.
+* Encrypt all data files at once when enabling encryption.
+* Decrypt all data files, or per user.
+* Users may decrypt their own files.
+* Move your keys to a different folder.
 
 ownCloud server-side encryption encrypts files stored on the ownCloud server, 
 and files on remote storage that is connected to your ownCloud server. 
 Encryption and decryption are performed on the ownCloud server. All files sent 
-to remote storage (for example Dropbox and Google Drive) will be encrypted by 
-the ownCloud server, and upon retrieval, decrypted before serving them to you 
-and anyone you have shared them with.
+to remote storage will be encrypted by the ownCloud server, and upon retrieval, 
+decrypted before serving them to you and anyone you have shared them with.
 
 .. note:: Encrypting files increases their size by roughly 35%, so you must 
    take this into account when you are provisioning storage and setting 
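Review bot: The new master-key bullet ("replaces all individual user keys") does not mention that the step cannot be undone and is meant only for fresh installations, both of which the occ section later in this patch states. Suggest adding that restriction to the bullet or pointing it at :ref:`occ_encryption_label`, so an admin skimming the feature list does not enable it on a server with existing data. Also, "single-sign on" should read "single sign-on", here and in the ``enable-master-key`` paragraph.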
@@ -37,10 +31,6 @@ When files on external storage are encrypted in ownCloud, you cannot share them
 directly from the external storage services, but only through ownCloud sharing 
 because the key to decrypt the data never leaves the ownCloud server.
 
-The main purpose of the ownCloud server-side encryption is to protect users' 
-files on remote storage, and to do it easily and seamlessly from within 
-ownCloud. 
-
 ownCloud's server-side encryption generates a strong encryption key, which is 
 unlocked by user's passwords. Your users don't need to track an extra 
 password, but simply log in as they normally do. It encrypts only the contents 
@@ -81,14 +71,19 @@ storage.
 Before Enabling Encryption
 --------------------------
 
-Plan very carefully before enabling encryption because if you lose your encryption keys your files are not recoverable. Always have backups of your encryption keys stored in a safe location, and consider enabling all recovery options.
+Plan very carefully before enabling encryption because it is not reversible via 
+the ownCloud Web interface. If you lose your encryption keys your files are not 
+recoverable. Always have backups of your encryption keys stored in a safe 
+location, and consider enabling all recovery options.
+
+You have more options via the ``occ`` command (see :ref:`occ_encryption_label`)
 
 .. _enable_encryption_label:
 
 Enabling Encryption
 -------------------
 
-ownCloud encryption now consists of two parts. The base encryption system is 
+ownCloud encryption consists of two parts. The base encryption system is 
 enabled and disabled on your Admin page. First you must enable this, and then 
 select an encryption module to load. Currently the only available encryption 
 module is the ownCloud Default Encryption Module.
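Review bot: The added sentence "it is not reversible via the ownCloud Web interface" sits awkwardly beside the new feature bullet "Users may decrypt their own files" in the first hunk, and the text does not say how users are expected to do that. Suggest stating which decryption paths exist and that they are occ-only, if that is the intent. The follow-up line "You have more options via the ``occ`` command (see ...)" is vague and lacks its closing period; naming the option, for example ``encryption:decrypt-all``, would make the cross-reference useful.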
@@ -137,8 +132,8 @@ Encryption settings can be configured in the mount options for an external
 storage mount, see :ref:`external_storage_mount_options_label`
 (:doc:`external_storage_configuration_gui`)
 
-Enabling Users' File Recovery Key
----------------------------------
+Enabling Users File Recovery Keys
+----------------------------------
 
 If you lose your ownCloud password, then you lose access to your encrypted 
 files. If one of your users loses their ownCloud password their files are 
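Review bot: The renamed heading "Enabling Users File Recovery Keys" drops the possessive apostrophe that the old heading had; it should read "Enabling Users' File Recovery Keys". The underline length still covers the title either way.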
@@ -166,10 +161,14 @@ You may change your Recovery Key password.
 
 .. figure:: ../images/encryption12.png
 
+.. _occ_encryption_label:
+
 occ Encryption Commands
 -----------------------
 
-You may also use the ``occ`` command to perform encryption operations.
+If you have shell access you may use the ``occ`` command to perform encryption 
+operations, and you have additional options such as decryption and creating a 
+single master encryption key.
 
 Get the current status of encryption and the loaded encryption module::
 
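Review bot: The new introduction to the occ section says only "If you have shell access", while the sentence "You must run ``occ`` as your HTTP user" and its ``sudo -u www-data php occ ...`` examples are deleted in the last hunk of this patch. Suggest carrying that reminder, or the :doc:`../configuration_server/occ_command` link, into this paragraph, since every command below is shown as a bare ``occ ...`` invocation.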
@@ -188,17 +187,46 @@ Select a different default Encryption module::
 
  occ encryption:set-default-module [Module ID]. 
  
-The [module ID] is taken from the ``encryption:list-modules`` command. 
+The [module ID] is taken from the ``encryption:list-modules`` command.
+
+Encrypt all data files for all users. For performance reasons, when you enable 
+encryption on an ownCloud server only new and changed files are encrypted. This 
+command gives you the option to encrypt all files. You must first put your 
+ownCloud server into single-user mode to prevent any user activity until 
+encryption is completed::
+
+ occ encryption:encrypt-all
+
+Decrypt all user data files, or optionally a single user::
+ 
+ occ encryption:decrypt-all [username]
+
+Move keys to a different folder, either locally or on a different server::
+
+ occ encryption:change-key-storage-root
+ 
+View current location of keys::
+
+ occ encryption:show-key-storage-root
+ 
+Create a new master key. Use this when you have a single-sign on 
+infrastructure.  Use this only on fresh installations with no existing data, or 
+on systems where encryption has not already been enabled. It is not possible to 
+disable it::
+
+ occ encryption:enable-master-key
  
 See :ref:`encryption_label`  for detailed instructions on using ``occ``.
 
 Files Not Encrypted
 -------------------
 
-Only the data in your files is encrypted, and not the filenames or folder
-structures. These files are never encrypted:
+Only the data in the files in ``data/user/files`` is encrypted, and not the 
+filenames or folder structures. These files are never encrypted:
 
-- Old files in the trash bin
+- Existing files in the trash bin & Versions. Only new and changed files after 
+  encryption is enabled are encrypted.
+- Existing files in Versions
 - Image thumbnails from the Gallery app
 - Previews from the Files app
 - The search index from the full text search app
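Review bot: The ``encryption:enable-master-key`` paragraph states its irreversibility ("It is not possible to disable it") as a trailing sentence in running text; an operation that cannot be undone should be set off in a ``.. warning::`` directive ahead of the command. In the same hunk, the "Files Not Encrypted" list names Versions twice ("Existing files in the trash bin & Versions" followed by "Existing files in Versions"), so one of the two items should go. The ``encrypt-all`` paragraph requires single-user mode but gives neither the command nor a link; the ``maintenance:singleuser`` reference removed in the last hunk could be reused here. ``encryption:change-key-storage-root`` is shown with no argument, so the reader cannot tell how the new location is supplied, and ``data/user/files`` would be clearer as ``data/<user>/files``, matching the placeholder style used elsewhere in the file.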
@@ -219,109 +247,3 @@ their back-end password, and then, of course, notify the user and give them
 their new password.
 
 .. _upgrading_encryption_label:
-
-Upgrading From ownCloud 8.0
----------------------------
-
-The encryption backend has changed in ownCloud 8.1, so you must take some 
-additional steps to migrate encryption correctly. If you do not follow these 
-steps you may not be able to access your files.
-
-Before you start your upgrade, put your ownCloud server into 
-``maintenance:singleuser`` mode (See :doc:`../maintenance/enable_maintenance`.) 
-You must do this to prevent users and sync clients from accessing files before 
-you have completed your encryption migration.
-
-After your upgrade is complete, follow the steps in :ref:`enable_encryption_label` to 
-enable the new encryption system. Then click the **Start Migration** button on 
-your Admin page to migrate your encryption keys, or use the ``occ`` command. We 
-strongly recommend using the ``occ`` command; the **Start Migration** button is 
-for admins who do not have access to the console, for example installations on 
-shared hosting. This example is for Debian/Ubuntu Linux::
-
- $ sudo -u www-data php occ encryption:migrate
- 
-This example is for Red Hat/CentOS/Fedora Linux::
-
- $ sudo -u apache php occ encryption:migrate
- 
-You must run ``occ`` as your HTTP user; see 
-:doc:`../configuration_server/occ_command`.
-
-When you are finished, take your ownCloud server out of 
-``maintenance:singleuser`` mode.
-
-Where Keys are Stored
----------------------
-
-All of your encryption keys are stored in your ownCloud :file:`data/` 
-directory. When you run the migration command your old keys are backed up in 
-your data directory:
-
-Backup for system-wide keys:
- :file:`data/encryption_migration_backup_<timestamp>`
-
-Backup for user-specific keys: 
- :file:`data/<user>/encryption_migration_backup_<timestamp>`
-
-Both backup directories contain the keys in the old file structure. This is the 
-old file structure for ownCloud 8.0:
-
-Private public share key:
- :file:`data/files_encryption/pubShare_<public-share-key-id>.privateKey`
-    
-Private recovery key: 
- :file:`data/files_encryption/recovery_<recovery-key-id>.privateKey`
- 
-Public keys of all users: 
- :file:`data/files_encryption/public_keys`
- 
-File keys for system-wide mount points: 
- :file:`data/files_encryption/keys/<file_path>/<filename>/fileKey`
-
-Share keys for files on a system-wide mount point (one key for the owner and one key for each user with access to the file): 
- :file:`data/files_encryption/keys/<file_path>/<filename>/<user>.shareKey`
-
-Users' private keys: 
- :file:`data/<user>/files_encryption/<user>.privateKey`
-
-File keys for files owned by the user: 
- :file:`data/<user>/files_encryption/keys/<file_path>/<filename>/fileKey`
-
-Share keys for files owned by the user (one key for the owner and one key for each user with access to the file):
- :file:`data/<user>/files_encryption/keys/<file_path>/<filename>/<user>.shareKey`
- 
-This is the new file structure for ownCloud 8.1:
-
-Private public share key:
- :file:`data/files_encryption/OC_DEFAULT_MODULE/pubShare_<public-share-key-id>.privateKey`
-
-Private recovery key: 
- :file:`data/files_encryption/OC_DEFAULT_MODULE/recovery_<recovery-key-id>.privateKey`
-
-Public public share key: 
- :file:`data/files_encryption/OC_DEFAULT_MODULE/pubShare_<public-share-key-id>.publicKey`
-
-Public recovery key: 
- :file:`data/files_encryption/OC_DEFAULT_MODULE/recovery_<recovery-key-id>.publicKey`
-
-File keys for system-wide mount points: 
- :file:`data/files_encryption/keys/<file_path>/<filename>/OC_DEFAULT_MODULE/fileKey`
-
-Share keys for files on a system-wide mount point (one key for the owner and one key for each user with access to the file): 
- :file:`data/files_encryption/keys/<file_path>/<filename>/OC_DEFAULT_MODULE/<user>.shareKey`
-
-Users' private keys: 
- :file:`data/<user>/files_encryption/OC_DEFAULT_MODULE/<user>.privateKey`
-
-Users' public keys:
- :file:`data/<user>/files_encryption/OC_DEFAULT_MODULE/<user>.publicKey`
-
-File keys for files owned by the user: 
- :file:`data/<user>/files_encryption/keys/<file_path>/<filename>/OC_DEFAULT_MODULE/fileKey`
-
-Share keys for files owned by the user (one key for the owner and one key for each user with access to the file):
- :file:`data/<user>/files_encryption/keys/<file_path>/<filename>/OC_DEFAULT_MODULE/<user>.shareKey`
-
-.. references --  https://github.com/owncloud/QA/issues/16
-.. 
\ No newline at end of file
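Review bot: After this hunk the file ends on the bare label ``.. _upgrading_encryption_label:`` with nothing under it, because the "Upgrading From ownCloud 8.0" section it marked is deleted in full; the label should be removed as well (the first hunk already drops the visible ``:ref:`` to it). The deletion also takes out "Where Keys are Stored" together with the 8.1 key layout, while the patch still tells admins to keep backups of their encryption keys and adds ``change-key-storage-root``. Suggest keeping a short section with the current key paths so readers know what to back up, and dropping only the 8.0 layout and the migration-backup paths.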
diff --git a/admin_manual/images/encryption1.png b/admin_manual/images/encryption1.png
index 4af2e51..b4f0cfd 100644
Binary files a/admin_manual/images/encryption1.png and b/admin_manual/images/encryption1.png differ
diff --git a/admin_manual/images/encryption10.png b/admin_manual/images/encryption10.png
index 6fa8785..ba02a0a 100644
Binary files a/admin_manual/images/encryption10.png and b/admin_manual/images/encryption10.png differ
diff --git a/admin_manual/images/encryption3.png b/admin_manual/images/encryption3.png
index 7401ac9..58e4cf7 100644
Binary files a/admin_manual/images/encryption3.png and b/admin_manual/images/encryption3.png differ

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud-doc.git


