
ownCloud

Integrating ownCloud with Securosys Primus HSM strengthens the protection of encrypted data stored within the ownCloud platform while giving organizations full control over their encryption keys. By storing the ownCloud master encryption key inside a dedicated Hardware Security Module (HSM) under customer control, organizations can enforce stronger data sovereignty requirements and reduce dependency on external infrastructure operators.

ownCloud supports encryption at rest through its HSM daemon (hsmdaemon) and a PKCS#11 integration layer. Each file is encrypted with an individual file key, and each file key is in turn encrypted (wrapped) with a master key that is stored only inside the HSM. The wrapping and unwrapping of file keys is performed by the HSM; the file content itself is encrypted and decrypted by the ownCloud server, and the master key never leaves the HSM.

Because the HSM remains under the customer's control, the ownCloud server never holds the master encryption key and can only ask the HSM to wrap or unwrap individual file keys. This lets the organization retain an independent control point over access to encrypted data. It is particularly useful for external storage deployments, where the ownCloud server persists data on remote storage operated by a third party: the storage operator only ever sees ciphertext and wrapped file keys. Disabling connectivity between ownCloud and the HSM stops all further unwrap operations, so no file can be decrypted from the data at rest. Note that file keys already unwrapped and held in memory by a running process remain usable until that process releases them, so cutting the HSM link is a control over data at rest, not over data already in use.

The integration provides hardware-backed protection of encryption keys while reducing exposure of sensitive key material to the storage layers. Using a Securosys HSM for ownCloud server-side encryption enables centralized key management, strong separation of duties, compliance support, high availability deployments, and enterprise-scale cryptographic performance.

Typical deployment scenarios include enterprise private cloud storage, healthcare and financial environments, government collaboration platforms, and multi-tenant infrastructures where controlled ownership of encryption keys and strict access separation are required.

Architecture Overview

The integration consists of:

  • ownCloud Enterprise with server-side encryption enabled
  • ownCloud hsmdaemon
  • Primus PKCS#11 provider
  • On-premises Securosys Primus HSM or CloudHSM

ownCloud encrypts and decrypts every file locally with an individual file key. Each file key is in turn encrypted (wrapped) and decrypted (unwrapped) with the master key, which is stored inside the HSM and never leaves it. ownCloud sends the file key to the HSM through the hsmdaemon and the PKCS#11 provider; the HSM wraps or unwraps it and returns the result. Only file keys cross the PKCS#11 boundary, never the file content and never the master key.

[Figure: ownCloud integration architecture diagram]
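The following is an added example, not code from ownCloud or Securosys, that models the envelope-encryption architecture described above in Go. The SimulatedHSM type is a hypothetical stand-in for the Primus HSM behind the PKCS#11 provider: the master key lives only inside it, and the only operations it exposes are Wrap and Unwrap of file keys. AES-256-GCM is assumed for both the file encryption and the key wrapping (a real deployment would use the key-wrap mechanism selected through PKCS#11). Setting Online to false models disabling the connectivity between ownCloud and the HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// ErrHSMUnreachable models "connectivity between ownCloud and the HSM disabled".
var ErrHSMUnreachable = errors.New("hsm: connection to HSM disabled")

// SimulatedHSM is a hypothetical stand-in for the Primus HSM behind the PKCS#11
// provider. The master key lives only here; only Wrap and Unwrap are exposed.
type SimulatedHSM struct {
	master []byte // 256-bit master key, never returned to the caller
	Online bool   // set to false to cut the link between server and HSM
}

// NewSimulatedHSM generates a fresh master key inside the simulated HSM.
func NewSimulatedHSM() *SimulatedHSM {
	return &SimulatedHSM{master: random(32), Online: true}
}

// Wrap encrypts a file key under the master key (AES-256-GCM here; a real
// HSM would use a key-wrap mechanism selected through PKCS#11).
func (h *SimulatedHSM) Wrap(fileKey []byte) ([]byte, error) {
	if !h.Online {
		return nil, ErrHSMUnreachable
	}
	return seal(h.master, fileKey), nil
}

// Unwrap recovers a file key from its wrapped form, if the HSM is reachable.
func (h *SimulatedHSM) Unwrap(wrapped []byte) ([]byte, error) {
	if !h.Online {
		return nil, ErrHSMUnreachable
	}
	return open(h.master, wrapped)
}

// EncryptedFile is what reaches the storage backend: the wrapped file key and
// the ciphertext. Neither the plaintext file key nor the master key is stored.
type EncryptedFile struct {
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptFile: fresh per-file key, local AES-GCM encryption, key wrapped by the HSM.
func EncryptFile(h *SimulatedHSM, plaintext []byte) (*EncryptedFile, error) {
	fileKey := random(32)
	wrapped, err := h.Wrap(fileKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Ciphertext: seal(fileKey, plaintext)}, nil
}

// DecryptFile: the HSM unwraps the file key, then the file is decrypted locally.
func DecryptFile(h *SimulatedHSM, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := h.Unwrap(ef.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(fileKey, ef.Ciphertext)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext.
func seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal, authenticating the blob before returning plaintext.
func open(key, blob []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// random returns n bytes from the OS CSPRNG; an unusable CSPRNG is fatal.
func random(n int) []byte {
	b := make([]byte, n)
	must(io.ReadFull(rand.Reader, b))
	return b
}

// must panics on errors that cannot happen with fixed 32-byte keys.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

Two properties of the architecture fall out of the code: what reaches storage is an EncryptedFile holding only ciphertext and a wrapped key, so a storage operator holding every blob still cannot read anything; and once Online is false, both DecryptFile and EncryptFile fail with ErrHSMUnreachable, while an HSM instance with a different master key fails GCM authentication on Unwrap.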
