Does self-hosting Nextcloud lower your security?

Other cloud storage solutions like iCloud and Proton Drive have entire teams dedicated to the security of your data. But with self-hosting, it’s only you. You are the one responsible for keeping your data secure.

So doesn’t that put you at a disadvantage compared to other cloud storage solutions? Doesn’t that decrease the security of your data?

1 Like

There is a always the argument that as an individual you cannot match the security of large corporations like Microsoft and Google. However, there are a few thing to consider.

First of all services like these have huge targets on their backs because they host not just your own data, but the data of millions of users. As such, the potential time and effort to reward ratio for breaking in one of these is very high. What happened to LastPass is a good example of that.

If you host your own Nextcloud server, make sure you keep everything up to date and you know a thing or two about security. Chances are the amount of time and effort required for someone to break in is way too high just to get into the data of a single person.

Also, another thing that many people tend to forget is that your server doesn’t necessarily have to be exposed on the public internet. Even if you don’t want to self-host at your house you can still use a VPS and setup Tailscale on it and make it accessible to your devices that way by blocking all outside traffic on the firewall level.

Doing this will still give you all the benefits of having an internet accessible server but by dramatically increasing your security since no device outside your Tailnet will be able to even communicate with it.



Does that still count as self-hosting? Aren’t you trusting the VPS provider you are using? Would they have access to your data?

It’s kind of a middle ground between hosting everything at your house and going with a software as a service solution like Google Drive. If you use a VPS you are still solely responsible for maintaining your server and keeping everything secure. So yes, it is self-hosting, you just don’t own the physical hardware.

The difference is that company like DigitalOcean for instance is not in the business of mining their user’s data. Unlike Google that is simply not how they are making their money. Hosting providers rely on the trust of their customers so typically they wouldn’t risk snooping through your data for no good reason.

However, it is still technically possible that they can do it. So, you should still be using E2EE for highly sensitive data before you sync it to your server.

I don’t think there’s an easy answer. In some ways yes, no, and it depends.

Nextcloud is open source, and it’s quite popular. It has lots of contributors, and has been professionally audited (more than once). I’d argue that Nextcloud comes with two huge risks. (i) You, the server admin. (ii) Any Nextcloud modules added, or network services used. You need to make sure things are set up properly, and in a secure manner. Once that’s done, you need to keep ahead of various updates. Updates not just to Nextcloud, but other services on that network. Your network is only as strong as the weakest link.

On the other hand, Cloud services can handle all this for you. Just remember that they could be proprietary, and/or have less people actively maintaining them. Companies like adding new features, to grab headlines, while potentially lacking on their security. Security updates are boring, but needed. Especially considering that they have a larger target on their back. Security just doesn’t spark conversation, and acquire many new customers. These services aren’t bad, or good. Look into their reputation.

If you are a million dollar target,yes, this is probably something you should take in account :joy:

Your hosting provider doesn’t have to be targeting you are an individual specifically. There is for example the possibility that your server gets hacked and starts participating in DDoS attacks, malware distribution or whatever. If something like that happens sooner or later your hosting provider is going to take your entire VPS apart during investigation.

It’s quite unlikely that the vps provider company will look into your self hosted private data legally during an investigation. Time is usually of the essence in these cases, and they don’t need to look into your data( since they will find a self hosted whatever) to continue investigation (unless they find more irrefutable evidence that you are somehow connected to the attacks and storing some data etc)

This is obviously a very interesting and debatable topic. And there are some valid and not so valid responses here - depending on your definition/requirement of 'self-hosting; Lets review:

Self host = Host your own data for internal purposes only - no direct Internet access. Frankly choose whatever you wish and fits your skill set

Self host = Host your own data where data is accessible via non published internet link. Many would view this as lower target profile (and I would agree). But this also 100% falls under the context of ‘Security through Obscurity’ (STO). While you may have a lower risk of being targeted - this absolutely does not make you more secure! Only lower down on the hackers radar.

Self host = Host your own data and data is also accessible via public Internet link. Be prepared of high effort level and having a good level of cyber security expertise.

If my company, who is subject to EU privacy laws, still chooses to use a 3rd party party hosting provider for hosting the company data vs self hosting - there is a reason. To quote a Cyber security team member colleague - we (the company) would need to have at a minimum 10x - 100x more cyber-security team members to have the same security as we now receive from our 3rd party provider protecting our data.

Bottom line - if you don’t have the time & skillset to make it work, chose an external provider that meets your requirements. In my case even as an experienced IT security related professional, I would personally choose a reputable provider (ie mega, Onedrive) to host my own data rather than trying to set up a self host solution.

1 Like

Maybe so but it’s a valid concern nonetheless. Depending on how sensitive your data is you may not be willing to even take that risk. Personally I host my Nextcloud instance on DigitalOcean but highly sensitive files like business contracts I always keep them in a Cryptomator vault.

Also, I may be a Linux sysadmin but that doesn’t mean it’s impossible for my server to be hacked. It may be unlikely, but still within the realm of possibility. Keeping sensitive files that you don’t need to access super often in an encrypted vault shouldn’t be that big of a hassle for most people. But again, you need to decide for yourself what your threat model is.

1 Like

If you are referring to using Tailscale with your second “Self host” definition I have to disagree with that. Security through obscurity would be if you had some kind of secret URL for your server. When you use Tailscale in the manner I described you are supposed to block all incoming traffic on the firewall level. This forces all connections to the server to happen through an encrypted Wireguard tunnel.

Only a machine that is part of your Tailnet has the necessary keys to be able to connect to the server. And on top of that Tailscale also offers you ACLs (Access Control Lists). Which allow you to control which device is allowed to access what. Calling that security through obscurity is misleading at best.

1 Like

I have never advocated against encryption of your files before uploading to the cloud just to be clear.

Good point, I didn’t catch before. The use of Tailscale would certainly reduce the risk.