Fediverse

29440 readers

1079 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
Follow the general Lemmy.world rules.

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago

MODERATORS

Are private Pixelfed photos encrypted? (lemmy.zip)

submitted 1 day ago by [email protected] to c/fediverse

14 comments fedilink hide all child comments

I just closed my Instagram account and was about to start uploading my photos to a private account on Pixelfed.

I was just wandering if the images I upload are stored encrypted or if everything is stored as is on the server.

I couldn't see any mention of it, so I assume an instance owner could just go through everyone's photos on the server even if they're marked as private.

I tried looking through the source code to see if I could answer the question myself, but nothing is jumping out at me.

So hopefully someone with more knowledge than me can answer this question for me, thanks!

you are viewing a single comment's thread
view the rest of the comments

[–] drmoose 38 points 1 day ago (4 children)

No, the server owner will absolutely see your photos if they want to.

The only way to do encryption you're talking about is to defer the decryption function and keys to the front end so the backend never knows it. Meaning, you'd know it because every time you want to view the encrypted file you'd be prompted for that key (password) to continue.

[–] [email protected] 17 points 1 day ago (1 children)

That can be done transparently, just by using a key with no password (or using your account password for the key, so that when you log in it decrypts, and keeps the session open on your device).

The bigger problem is key management. You can't allow the server to know your private key else the admin could steal it. So it has to stay on your device, and if you lose your device or accidentally delete the key, your account is gone.

load more comments (2 replies)