Nextcloud x constellation

Nextcloud + Constellation

How to set up confidential Nextcloud


Nextcloud is a popular self-hosted collaboration tool that offers an alternative to Microsoft 365 for organizations. As an all-in-one solution, you can host Nextcloud yourself.

This is especially useful for public sector organizations that often require on-prem setups to preserve data privacy and maintain high levels of security.

While hosting on-prem gives users a massive amount of control over the installation, it limits opportunities for scaling beyond the initial hardware outlay.

On-prem installations can quickly become more expensive when an organization's infrastructure needs change. Additionally, easy backups as well as geographic redundancy aren't an option for many such setups.

Threat model, using nextcloud without constellation


Confidential computing provides a cost-effective alternative to on-prem deployments. It is a groundbreaking technology that ensures that data is always encrypted, even during processing. If applied correctly, confidential computing can shield even complex applications from the cloud infrastructure. Not even system administrators, cloud provider employees or privileged attackers can access workloads protected this way. And this property can even be verified remotely. Basic confidential-computing features are readily available on major clouds like Azure, AWS, and GCP. However, these basic features cannot protect complex and scalable applications like Nextcloud.

For this, you need a solution like Constellation. Constellation is an open-source software that protects entire Kubernetes deployments end-to-end with confidential computing on public clouds. In essence, Constellation can shield and runtime-encrypt any application that can run on Kubernetes. Thus, with Constellation, you can run a complex collaborative software like Nextcloud on the public cloud, while having the assurance that the code is always encrypted and cannot be accessed by the cloud provider or attackers coming through the infrastructure.

With assurance of data security, Nextcloud installations can thus take advantage of the additional features offered by hyperscaler cloud providers: easy deployment, high availability, low-cost backups, and simpler approaches to scaling.

nexcloud is protected

Technical details

Constellation ensures that all components of the K8s cluster run in runtime-encrypted and isolated CVMs. This ensures that data written to cloud storage by databases is automatically encrypted, and the cryptographic keys for this data are generated and managed within the CVMs, all this without any additional coding from your developers. Constellation also verifies the integrity and authenticity of all CVMs and ensures that they are running the same "trusted" Constellation node image. This means that all data leaving the CVMs remains encrypted.


Using Nextcloud in combination with confidential computing allows administrators to run Nextcloud on popular cloud platforms as if they were on-prem deployments. The use of major cloud providers offers more flexibility in terms of location, scaling, and infrastructure choices, while keeping the cost well below on-prem costs. 

For public sector organizations, specifically, access to these additional resources can facilitate digitalization, make the IT infrastructure more resistant against downtime, and facilitate additional security in the form of runtime encryption.

Tutorial: How to install Nextcloud on Constellation

Nextcloud is a collaboration software whose testing version can be set up very quickly. It can be made confidential by using it in combination with Constellation on confidential computing enabled hardware, which is available in Azure, GCP, and AWS.

Live demo

You can quickly access the confidential Nextcloud demo.

Prerequisites and overview

In order to run Nextcloud on Constellation, you will need:

  • A cloud provider with confidential computing capabilities (e.g. AWS, Azure, GCP)

  • A domain registrar to set up a domain name for your cluster

  • kubectl and helm installed on your machine

The process is composed of three key steps:

  1. Setting up Constellation

  2. Setting up the domain

  3. Installing Nextcloud via Helmchart

For the sake of clarity, we have written the instructions below as someone using Azure with a GoDaddy registrar, however, this tutorial can be completed with any of the major cloud providers and a registrar of your choice.

Set up Constellation

After connecting to your cloud provider, download and install the Constellation CLI.

Once this is installed, create the constellation cluster:

This process is described in detail in the Constellation docs.

constellation config generate azure
constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
constellation create -y
constellation init
export KUBECONFIG="$PWD/constellation-admin.conf"

You can now connect to the cluster with kubectl or other tools using the auto-generated constellation-admin.conf. The config ensures that the connection "confidential" and terminates inside the correct cluster. This ensures that no man-in-middle attack is possible.

Set up Nextcloud

In the case of our example set up (Azure with GoDaddy) we've provided a slightly modified Helm Chart that installs and configures external-dns and ingress-nginx in the freshly created cluster.

To use the helmchart, you need to make a couple basic edits after cloning the repo:

  • Replace the values in .env with your GoDaddy API credentials and a fitting owner ID. The owner ID is used by external-dns to differentiate the DNS entries from different clusters at your DNS provider (GoDaddy). So you should use a different value for every cluster you use.

  • Replace your.domain of nextcloud.testing.your.domain in values.yaml with a domain you own. You can also change the subdomain if you want.

With your credentials in place, you can go ahead and run the necessary helm commands.

source .env
helm dependency update ./nextcloud
helm upgrade nextcloud ./nextcloud --install --namespace default --set apiKey=$GODADDY_API_KEY --set secretKey=$GODADDY_SECRET_KEY --set external-dns.txtOwnerID=$OWNER_ID --set nextcloud.nextcloud.password="somesecretadminpw" --set tlsCertEmail="<YOUR EMAIL HERE>"

Installation complete

You've now set up your own confidential Nextcloud! After helm install is finished, Nextcloud will take around 5 minutes to install. Subsequently you can navigate to and start with your confidential Nextcloud.

Learn more

Dive deeper into the Constellation documentation or read about how Constellation is being used to protect journalists.

Get in touch

Reach out to us for an in-depth presentation of Constellation, or to discover the solutions offered by Edgeless System's products.