Flaws detected in the Owncloud encryption module

First it is important to understand what this encryption module is actually supposed to do and understand the threat scenario. The encryption provides no security against a malicious server operator, because the encryption happens on the server. The only scenario where this encryption helps is if one has a trusted server that is using an untrusted storage space.

Source: Pwncloud – bad crypto in the Owncloud encryption module – Hanno’s blog

A good read, but also worth noting that encrypting data at rest on a server is rarely bullet proof anyway. If an attacker can get access to the server they can decrypt the data. I wouldn’t even bother encrypting the data store for something like Owncloud anyway since the data is at the end of a long chain where significant security is needed. For example, is the local copy of the data encrypted? Is the web component using HTTPS? Are Owncloud accounts secure with long passwords and 2FA? Is access to the sever running Owncloud properly secure with very limited access? Encrypting data at rest in Owncloud is the least of my worries.