Storage backend encryption confusion

I’ve set up Seafile Pro to use an S3 storage backend, following the instructions in the manual to generate an encryption key, and updated my seafile.conf to point to it.

When I try to create a new library, the dialog is the same as when using disk storage, with a checkbox for Encrypt and password fields to enter an encryption password.

My question is, if I have storage backend encryption configured, do I still need to enable encryption when creating a new library?

Not really, it would be just another security feature if you think storage backend or https aren’t safe.

That is server-side encryption before the data is transferred to the backend and decryption after it has been fetched from the backend.

This is client-side encryption.

This topic has caught my attention since I didn’t even know that there is some kind of encryption besides the encrypted libraries.

Can somebody elaborate how this works, please?

  1. What if I decide to use this feature… where is the password going to be saved and how?
  2. To my understanding this feature means: the actual server is running at home (e.g. Raspberry Pi) and points to the password, i.e. contains the password that you point to in the config file. But the data (backend) is stored on an off-site cloud storage like Amazon Storage?
  3. If it is not the way I understood it, then how is the relation between server and storage?

You see, I do not understand how the system would be structured/built if you’d use backend encryption. And I do not know how exactly the password is saved then.

What I would like to know eventually: Would I be able to host my own x86 Seafile Pro Server at home and encrypt the seafile-data folder, attached locally via SATA or USB, with this feature so that History/Metadata/Filenames etc. would be encrypted even if encrypted libraries are not used? Hence I’d be able to overcome the huge security issue 350 by design in Seafile. But then again… what sense would it make to have the password and the encrypted data at the same location? Or how is the encryption password of the backend secured?