Possibly dumb Q about "encrypted local disk" storage - multi-user access?

[ZPrimed]

Noob to sftpgo here, but fairly experienced Linux admin, and 20+ years of Windows admin time before that. I'm working with the Linux edition here (on top of Ubuntu 24.04 LTS).

I think I know the answer already, but wanted to ask people who know more about the system than I do. 😉

If I create a user foo with their storage set to "encrypted local disk," is there any way to have a second user bar that can read the files foo has created? I suspect this is NOT possible, since it seems like each user configured for "encrypted local disk" storage has to have a unique root based on the docs... or would using the same encryption password on both accounts make this work?

What if I wantfoo, baz, and quux , who should not be able to see each others' files, but I need bar to be able to read & delete all of the files from the other 3 users?

To avoid an XY problem, I'll explain the scenario I'm trying to solve here...

1. Non-profit org (hence using the community edition) has external partners
2. Each of those partners needs to be able to place files onto our system via SFTP
3. External partners should not be able to see each others' files at all (this shouldn't be hard given the virtual disk features)
4. We need a "data manager" account on our side that is able to read/download the files for all of the partners, and probably delete or move them as well
5. I would strongly like to have encryption-at-rest applied to all files uploaded by external partners

I think that number 5 may be problematic because of number 4 and 3...

I did try searching for this but it's a bit complex and I wasn't turning up a lot of questions around the "encrypted local disk" storage system... Sorry if this has been asked & answered in the past!

[ZPrimed]

Talking to myself, but I think I found the solution here, using Virtual Folders. Here's what I'd suggest to anybody in a similar situation.

1. On your physical filesystem, make a "root" for your encrypted folders, I called mine "partners". I think sftpgo might do this for you if you feed it a path that doesn't exist yet, but I didn't want to leave it to chance.
2. For each partner you want to give access, create a separate Virtual Folder for them, name it whatever makes sense. Let's assume we've got partners foo and bar, so we create a different VF for each one, set them to "Encrypted Local Folder," and set a different password for each.
3. Add a user account for foo; under the Virtual Folders section, under Location set it to /, and then pick the VF you created for foo. You can do the same thing for bar.
4. Make a "data manager" account for your internal use, let's call it foobar
5. Under Virtual Folders for foobar, do something like /partners/foo, and then choose the VF for foo, and then add another one under /partners/bar pointing to the VF for bar. This should allow the foobar account to access both foo and bar's encrypted folders, but prevent either of them from touching or seeing each other's data.