diff --git a/admin_manual/configuration_files/encryption_details.rst b/admin_manual/configuration_files/encryption_details.rst index 6103074d9..7a87a2f94 100644 --- a/admin_manual/configuration_files/encryption_details.rst +++ b/admin_manual/configuration_files/encryption_details.rst @@ -38,6 +38,8 @@ Key type: user key While the user key encryption has been enabled by default in older versions of Nextcloud it now has to be enabled explicitly in newer versions including Nextcloud 16 by calling ``./occ encryption:disable-master-key``. With user key encryption enabled all users have their own user keys that are used to secure the files handled by Nextcloud. The user keys are protected by the user passwords. The advantage is that the server administrator is not able to decrypt user files without knowing any user password - unless the file is publicly shared or a recovery key is defined - but has the disadvantage that files are permanently lost if the users forget their user passwords - unless the files are (publicly) shared or a recovery key is defined. +.. note:: This method cannot be used with SAML authentication, because Nextcloud does not get a hold of any credentials whatsoever and therefore cannot use any users' passwords for encryption. + .. _file_type_public_key_file_label: File type: public key file diff --git a/admin_manual/configuration_files/external_storage/auth_mechanisms.rst b/admin_manual/configuration_files/external_storage/auth_mechanisms.rst index d8af26e4d..8eee7ba0e 100644 --- a/admin_manual/configuration_files/external_storage/auth_mechanisms.rst +++ b/admin_manual/configuration_files/external_storage/auth_mechanisms.rst 
@@ -32,13 +32,15 @@ setup of the mount point. The **Log-in credentials, save in session** mechanism uses the Nextcloud login credentials of the user to connect to the storage. These are not stored anywhere -on the server, but rather in the user session, giving increased security. The -drawbacks are that sharing is disabled when this mechanism is in use, as -Nextcloud has no access to the storage credentials, and background file scanning -does not work. Desktop and mobile clients that use tokens to authenticate can -not access those shares. Other services that might request the file through -a different request like Collabora Online or OnlyOffice will also not be able to -open files in that case. +on the server, but rather in the user session, giving increased security. +This method has some important drawbacks, since Nextcloud has no access to the storage +credentials and therefore cannot perform any background tasks on the storage: + +* Sharing is disabled +* Background file scanning does not work +* Desktop and mobile clients that use tokens to authenticate can not access those shares +* Other services that might request the file through a different request like Collabora Online or OnlyOffice will not be able to open files from that storage +* The method cannot be used with SAML authentication, because Nextcloud does not get a hold of any credentials whatsoever The **Log-in credentials, save in database** mechanism uses the Nextcloud login credentials of the user to connect to the storage. These are stored in the
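Review bot: In the first hunk (encryption_details.rst), the added ``.. note::`` states the right restriction but gives a vague reason: "does not get a hold of any credentials whatsoever" is informal and does not say why that matters for this key type. The paragraph above already explains that user keys are protected by the user password, so the note should tie the SAML limitation to that: "This method cannot be used with SAML authentication: Nextcloud never receives the user's password, so it has no secret with which to protect the per-user key." Also consider the usual reST layout for directives (blank line after ``.. note::`` and an indented body) so the note renders consistently with the rest of the file.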
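Review bot: In the second hunk (auth_mechanisms.rst), the new lead-in sentence "cannot perform any background tasks on the storage" does not cover all of the bullets that follow: token-based client access, Collabora/OnlyOffice requests and SAML login are not background tasks. Reword it to "cannot reach the storage outside the user's interactive session", which does explain every item. Two wording fixes in the bullets: "can not access" should be "cannot access", and "through a different request like Collabora Online or OnlyOffice" reads better as "via a separate request, for example from Collabora Online or OnlyOffice". The SAML bullet repeats the "does not get a hold of any credentials whatsoever" phrasing from the other file; keep the two in step and state the concrete reason (Nextcloud never receives the user's password, so there is nothing to keep in the session).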