Encrypted Storage for Nextcloud

I’m looking for secure storage options for my Nextcloud VPS instance. My ideal scenario would be to find geographically distributed 256-bit encrypted storage where I control the encryption keys.

Nextcloud’s encryption features are completely worthless: The server-side encryption stores the keys on the filesystem and anyone with root access can decrypt the files. No one can access my filesystem without root access anyway. And the end-to-end encryption is too buggy to be reliable.

So far, the best setup I’ve found is to connect encrypted Backblaze B2 Cloud Storage as external storage to my Nextcloud instance. Backblaze holds the encryption keys for that though, so they have the ability to access my files. I can also use Cryptomator for end-to-end encryption, though it’s not as tightly integrated as I would like.

Are there any external storage solutions for Nextcloud that have end-to-end encryption where I control the keys? It seems like there would be a market for end-to-end encrypted S3-compatible object storage.

What about VPS providers that allow full-disk encryption? If I could set up Nextcloud on a VPS with full-disk encryption, I think that would be one of the more secure options.

You could set up a VeraCrypt container on your VPS and use the CLI interface to VeraCrypt to decrypt and mount the volume to a specific mount directory. Then configure Nextcloud to use that folder for storage.

That way it's encrypted at rest and inaccessible by the VPS provider.
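The procedure in the reply above, written out as an added shell script (not the poster's code and not part of VeraCrypt or Nextcloud): create a VeraCrypt container, mount it from the CLI, and point Nextcloud's data directory at the mount. The paths (`/srv/vault.hc`, `/mnt/vault`, `/var/www/nextcloud`), the `www-data` user and the root-only passphrase file `/root/vault.pass` are assumptions for the example. The VeraCrypt flags follow the `veracrypt --text --help` output of recent releases; check them against the installed version before relying on the script.

```shell
#!/usr/bin/env bash
# Added example: VeraCrypt container as the Nextcloud data directory.
# All paths below are assumptions for this example, not values from the thread.
set -euo pipefail

CONTAINER="${CONTAINER:-/srv/vault.hc}"          # assumed container file
MOUNTPOINT="${MOUNTPOINT:-/mnt/vault}"           # assumed mount directory
NC_DIR="${NC_DIR:-/var/www/nextcloud}"           # assumed Nextcloud install
NC_USER="${NC_USER:-www-data}"                   # assumed web server user

# True when DIR is currently a mount point. grep -s keeps the check quiet on
# systems without /proc/mounts (it then simply reports "not mounted").
is_mounted() {
    grep -qs " $1 " /proc/mounts
}

# Fail early with a readable message if the container file is missing.
require_container() {
    [ -f "$1" ] || { echo "no container file at $1" >&2; return 1; }
}

# One-off: create the container. The passphrase is read from a root-only file
# via --stdin so it never appears on the command line (visible in `ps`).
vc_create() {
    local size="$1" passfile="$2"
    veracrypt --text --non-interactive --create "$CONTAINER" \
        --size="$size" --volume-type=normal --encryption=AES --hash=SHA-512 \
        --filesystem=ext4 --pim=0 --keyfiles="" --random-source=/dev/urandom \
        --stdin < "$passfile"
}

# Unlock and mount the container; --non-interactive needs every prompt
# (pim, keyfiles, hidden-volume protection) answered up front.
vc_mount() {
    local passfile="$1"
    require_container "$CONTAINER"
    if is_mounted "$MOUNTPOINT"; then
        echo "$MOUNTPOINT is already mounted" >&2
        return 0
    fi
    mkdir -p "$MOUNTPOINT"
    veracrypt --text --non-interactive --pim=0 --keyfiles="" --protect-hidden=no \
        --stdin --mount "$CONTAINER" "$MOUNTPOINT" < "$passfile"
    # Only the web server user should be able to enter the data directory.
    mkdir -p "$MOUNTPOINT/data"
    chown "$NC_USER:$NC_USER" "$MOUNTPOINT/data"
    chmod 0750 "$MOUNTPOINT/data"
}

# Lock the volume again; after this the plaintext is gone from the disk view.
vc_dismount() {
    veracrypt --text --dismount "$MOUNTPOINT"
}

# Tell Nextcloud to keep its files inside the mounted volume. For an existing
# install, put it in maintenance mode and copy the old data directory first.
nc_point_at_vault() {
    sudo -u "$NC_USER" php "$NC_DIR/occ" maintenance:mode --on
    sudo -u "$NC_USER" php "$NC_DIR/occ" config:system:set datadirectory \
        --value="$MOUNTPOINT/data"
    sudo -u "$NC_USER" php "$NC_DIR/occ" maintenance:mode --off
}

case "${1:-}" in
    create) vc_create "${2:-10G}" "${3:-/root/vault.pass}" ;;
    mount)  vc_mount "${2:-/root/vault.pass}" && nc_point_at_vault ;;
    umount) vc_dismount ;;
    *)      echo "usage: $0 {create SIZE PASSFILE|mount PASSFILE|umount}" >&2 ;;
esac
```

Run `create` once, then `mount` after every boot: the volume does not come back on its own, because someone has to supply the passphrase, and while it is mounted the key sits in RAM just as it would with full-disk encryption. Keep `/root/vault.pass` at mode 0400 and owned by root, or drop the file and let `veracrypt` prompt interactively instead.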

Full-disk encryption protects your data only when the system is turned off. On a working system, which is the case for a server running 24/7, the decryption keys are stored in RAM, ready to be used to access the disk.