Nextcloud + Constellation
Nextcloud is a popular self-hosted collaboration tool that offers an alternative to Microsoft 365 for organizations. As an all-in-one solution, you can host Nextcloud yourself.
This is especially useful for public sector organizations that often require on-prem setups to preserve data privacy and maintain high levels of security.
While hosting on-prem gives users a massive amount of control over the installation, it limits opportunities for scaling beyond the initial hardware outlay.
On-prem installations can quickly become more expensive when an organization's infrastructure needs change. Additionally, easy backups as well as geographic redundancy aren't an option for many such setups.
Confidential computing provides a cost-effective alternative to on-prem deployments. It is a groundbreaking technology that ensures that data is always encrypted, even during processing. If applied correctly, confidential computing can shield even complex applications from the cloud infrastructure. Not even system administrators, cloud provider employees or privileged attackers can access workloads protected this way. And this property can even be verified remotely. Basic confidential-computing features are readily available on major clouds like Azure, AWS, and GCP. However, these basic features cannot protect complex and scalable applications like Nextcloud.
For this, you need a solution like Constellation. Constellation is an open-source software that protects entire Kubernetes deployments end-to-end with confidential computing on public clouds. In essence, Constellation can shield and runtime-encrypt any application that can run on Kubernetes. Thus, with Constellation, you can run a complex collaborative software like Nextcloud on the public cloud, while having the assurance that the code is always encrypted and cannot be accessed by the cloud provider or attackers coming through the infrastructure.
With assurance of data security, Nextcloud installations can thus take advantage of the additional features offered by hyperscaler cloud providers: easy deployment, high availability, low-cost backups, and simpler approaches to scaling.
Constellation ensures that all components of the K8s cluster run in runtime-encrypted and isolated CVMs. This ensures that data written to cloud storage by databases is automatically encrypted, and the cryptographic keys for this data are generated and managed within the CVMs, all this without any additional coding from your developers. Constellation also verifies the integrity and authenticity of all CVMs and ensures that they are running the same "trusted" Constellation node image. This means that all data leaving the CVMs remains encrypted.
Using Nextcloud in combination with confidential computing allows administrators to run Nextcloud on popular cloud platforms as if they were on-prem deployments. The use of major cloud providers offers more flexibility in terms of location, scaling, and infrastructure choices, while keeping the cost well below on-prem costs.
For public sector organizations, specifically, access to these additional resources can facilitate digitalization, make the IT infrastructure more resistant against downtime, and facilitate additional security in the form of runtime encryption.
Nextcloud is a collaboration software whose testing version can be set up very quickly. It can be made confidential by using it in combination with Constellation on confidential computing enabled hardware, which is available in Azure, GCP, and AWS.
You can quickly access the confidential Nextcloud demo.
In order to run Nextcloud on Constellation, you will need:
The process is composed of three key steps:
For the sake of clarity, we have written the instructions below as someone using Azure with a GoDaddy registrar, however, this tutorial can be completed with any of the major cloud providers and a registrar of your choice.
After connecting to your cloud provider, download and install the Constellation CLI.
Once this is installed, create the constellation cluster:
This process is described in detail in the Constellation docs.
constellation config generate azure constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config constellation create -y constellation init export KUBECONFIG="$PWD/constellation-admin.conf"
You can now connect to the cluster with kubectl or other tools using the auto-generated constellation-admin.conf. The config ensures that the connection "confidential" and terminates inside the correct cluster. This ensures that no man-in-middle attack is possible.
In the case of our example set up (Azure with GoDaddy) we've provided a slightly modified Helm Chart that installs and configures external-dns and ingress-nginx in the freshly created cluster.
To use the helmchart, you need to make a couple basic edits after cloning the repo:
With your credentials in place, you can go ahead and run the necessary helm commands.
source .env helm dependency update ./nextcloud helm upgrade nextcloud ./nextcloud --install --namespace default --set apiKey=$GODADDY_API_KEY --set secretKey=$GODADDY_SECRET_KEY --set external-dns.txtOwnerID=$OWNER_ID --set nextcloud.nextcloud.password="somesecretadminpw" --set tlsCertEmail="<YOUR EMAIL HERE>"
You've now set up your own confidential Nextcloud! After helm install is finished, Nextcloud will take around 5 minutes to install. Subsequently you can navigate to https://nextcloud.edgeless.systems/ and start with your confidential Nextcloud.
Dive deeper into the Constellation documentation or read about how Constellation is being used to protect journalists.
Reach out to us for an in-depth presentation of Constellation, or to discover the solutions offered by Edgeless System's products.
