Encryption on drives and server-side encryption

Dear Experts

1. When we enable encryption on Windows 10 systems, it encrypts the documents we store. What exactly happens here? When we take the stored files from the encrypted drive and send them via email, copy them to USB, or share them on a network drive, the people on the other side who have access can open, read or modify them based on permissions. Does that mean it is not file-level encryption? I mean, whoever knows the system password can access the files; and if someone wants to crack the hard disk, are the stored files not in the format of their document extension, like .docx or .xlsx? Please help me to understand this.

2. What does server-side encryption mean? For example, a Nextcloud deployment says we can enable server-side encryption. How is it different from SSL enablement, i.e. users accessing through HTTPS?
Please help me understand the above two. Thank you very much in advance.
noci, Software Engineer, commented:
2) Server-side encryption does not mean a lot, because the server still has the keys to encrypt/decrypt; there actually is no gain w.r.t. control.
NextCloud employs server-side encryption for the NextCloud service, so you can store your data encrypted on another (storage) server...,
which means that the other server (3rd party) cannot access the data.

1) Encryption only works for "stored or passive" data (aka data at rest), so when it sits on disk and the system is off, no one can pull the data from the disk (without having the keys). So stealing a machine, or a disk from a machine, will not yield any usable data. When a system is running, the CPU will decrypt data from the disk etc. Mail is not protected (unless you have PGP/GPG and use plaintext e-mail, or use S/MIME with plain text mail). A live system is not protected by disk encryption; passive systems are.

btan, Exec Consultant, commented:
1. BitLocker, which I assume is the encryption in Windows, is not file/folder encryption. It only encrypts the HDD, and once it passes the pre-boot authentication and you log in to your desktop, it is on-the-fly decryption. Meaning files dragged into email as attachments, onto a network drive or onto a thumb drive are all in plain. There is BitLocker To Go to encrypt the thumb drive, and that is the equivalent of full disk encryption on the whole thumb drive. Technically, full disk encryption is sector-based and not file-level protection. So for file-level encryption you either opt for an application-level-specific scheme (like email has S/MIME), and even a simple password-protected 7z will help. There are other Ffe solutions like Securedata.

2. Cloud-based server encryption is to say that data at rest in the cloud storage will remain encrypted. SSL is just the encrypted channel from the client to the cloud server. So technically speaking, the encryption key is generated and stored at the cloud as well. That is why cloud providers have gone into options (e.g. API calls) for customers to use their own key, with which they can encrypt their files, or the cloud treats them as objects. One example is AWS S3: https://aws.amazon.com/blogs/aws/s3-encryption-with-your-keys/

Then again, the data uploaded is not end to end, meaning that on the client side, before uploading to the server, it is not encrypted first. That is why there are agents or applications which allow such client-side encryption, which acts as another layer, as it gets stored onto the cloud store encrypted again at the server end. The importance of the scheme is that customers will have full control of the encryption keys, supposedly stored at the client end or in the cloud HSM. This is another, separate discussion on the key management scheme. For client-side encryption, you can check out Cryptomator.
noci, Software Engineer, commented:
@btan: NextCloud is a cloud service you can run on premises if you like, where there can be storage backends. There, server-side encryption should be read as "on the NextCloud server"...; the backend services will only see "blobs with seemingly random bits", aka encrypted files.

If ANY key is sent to the cloud, the cloud service is CAPABLE of decrypting (also outside of your control), as that key CAN be stored.
Any form of server-side encryption where the server is NOT under private control means (w.r.t. cryptography) that the key should be considered compromised. (You have no control over that key and you have no way of knowing how it is used.)
btan, Exec Consultant, commented:
Agree, noci. There is private cloud, which is also termed on-premise cloud by some. Indeed we can only control what we own and see and know. Client-side encryption will be end to end if the key is retained with the user; better still using a 2-factor like a smartcard with the private key staying intact.
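Added example, not code from either expert or from Nextcloud or AWS: a small Go model of the distinction noci and btan draw between server-side encryption (the service generates and keeps the key, so it can still read the stored object) and client-side encryption (the key stays with the user and the backend holds only a blob it cannot open). The names Blob, Seal, Open and ServerCanRead are hypothetical; sample documents and keys are constructed in the test.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Blob is all the storage backend ever holds: a nonce and AES-256-GCM ciphertext.
type Blob struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts for storage: server-side the server calls it after the TLS upload, client-side the client calls it before uploading.
func Seal(key, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open returns an error for a wrong key or a modified blob, never garbage.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// ServerCanRead is what the provider (or an intruder on its systems) recovers using only the keys the server itself holds.
func ServerCanRead(b Blob, serverKeys [][]byte) bool {
	for _, k := range serverKeys {
		if _, err := Open(k, b); err == nil {
			return true
		}
	}
	return false
}
```

TLS (the HTTPS the question asks about) only covers the upload in transit; which of the two Seal callers holds the key decides who can read the object once stored.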