Store your own shit on your own Linux server. Don't trust other companies. Use industry standard libraries like OpenSSH, LUKS.
But do realise that HeartBleed was in an industry standard library, so don't trust it 100%, but do keep it patched as much as possible.
True. That was a CVE 10 vulnerability. But unless you are going to airgap your system, I think using these ubiquitous libraries is as good as we can get to being safe.
That is true, which is why you should keep it up to date
This is only really secure if your server is in a trusted location imo
I think that's covered by "Don't trust other companies". You just need a business internet line with a static IP to host your own stuff in your house.
If you assume everything is compromised, there is no safety. You have to trust something at some point.
Usually, speaking from a professional IT perspective, people trust encryption. Once you do that, it does not matter how safe or unsafe the place where you store your data is.
AES, the encryption standard used by pretty much everything, is safe. It has not been weakened in any meaningful way since its inception and is also quantum-safe.
You could use, for example, openssl or VeraCrypt or even just 7zip to encrypt it. If you don't trust these tools, encrypt it twice with two different ones, just put a txt file next to it with the exact steps to decrypt, because you will forget in which order you have done things.
Personally I have a homeserver that is encrypted at rest and then it uses restic to store encrypted backups in the cloud.
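The openssl option from the comment above, together with the steps file it recommends, as an added example that is not part of the original thread. The function names, file naming and iteration count are assumptions; the passphrase file is something you store separately from the backup.

```sh
#!/bin/sh
# Added example: encrypt one file with openssl and leave the exact
# decryption steps in a text file beside it. Names are assumptions.
ITER=600000   # PBKDF2 iteration count; decrypt must use the same value

# encrypt_with_steps <plaintext> <passphrase-file> <out-dir>
# (function bodies are subshells, so variables and cd stay local)
encrypt_with_steps() (
    src=$1 passfile=$2 outdir=$3
    name=$(basename "$src")
    mkdir -p "$outdir" || exit 1
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$src" -out "$outdir/$name.enc" -pass "file:$passfile" || exit 1
    cd "$outdir" || exit 1
    # Hash the ciphertext, not the plaintext: this catches a damaged copy
    # without leaking a fingerprint of the original. `openssl enc` has no
    # authenticated mode, so this is not protection against tampering.
    sha256sum "$name.enc" > "$name.enc.sha256" || exit 1
    cat > "$name.DECRYPT-STEPS.txt" <<EOF
1. sha256sum -c $name.enc.sha256
2. openssl enc -d -aes-256-cbc -pbkdf2 -iter $ITER -in $name.enc -out $name -pass file:PASSFILE
PASSFILE is kept elsewhere, never next to the backup.
Encrypted with: $(openssl version)
EOF
)

# restore <out-dir> <name> <passphrase-file> <dest>
# Runs the two recorded steps; exit status 2 means the stored copy is damaged.
restore() (
    outdir=$1 name=$2 passfile=$3 dest=$4
    ( cd "$outdir" && sha256sum -c "$name.enc.sha256" >/dev/null 2>&1 ) || exit 2
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$outdir/$name.enc" -out "$dest" -pass "file:$passfile"
)

# Usage: encrypt_with_steps photo.jpg /path/to/passfile ./out
#        restore ./out photo.jpg /path/to/passfile ./photo.restored.jpg
```

If a second tool is layered on top, each extra layer adds one more numbered line to the steps file, listed in the reverse of the order used to encrypt.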
I have tried to post my thank you message but "hanging" after clicking the reply button has continued for 3 days or so.
I sincerely thank you for your incredibly thoughtful and detailed response. Not only did you take the time to explain everything so clearly, but the way you included your personal experience really made a difference.
It’s rare to come across someone who is willing to share such in-depth insight, and I truly appreciate how much effort you put into helping me understand things from a practical standpoint. Your advice has been extremely helpful.
Thank you again for being so generous with your time and knowledge!
I agree that I have to rely on the encryption for what I have for the films online/cloud, and that seems acceptable.
However, when it comes to personal family photos and videos, I’m facing a dilemma.
- If they’re stored online, they’re vulnerable to potential compromises (PRIVACY CONCERN) - maybe not now, but in the future, especially with the risks posed by AI training.
- On the other hand, if they’re kept offline, I’m still at risk of losing them due to physical factors, especially since I live in an earthquake-prone area.
I would get a backup tool that offers encryption, which is most of them. Popular choices are: tarsnap, restic and Borg.
That's the funny thing about data storage: you don't.
Encryption mitigates the likelihood of somebody gaining access. But anyone with physical access to the media can potentially gain access to the data - it just may be incredibly difficult to decrypt (or to find a bug that permits decryption).
Just stop putting important stuff on the cloud...
Like. You're asking the best way to safely secure the $100 bill you taped to the sidewalk outside your house.
There are measures you can take, but at the end of the day why are you so set on taping a Benjamin to the sidewalk?
gocryptfs is what I'd use for this. It's designed with cloud storage in mind
Using strong encryption should be enough for your use case, unless you're a high profile target. Even then, it's more likely whoever is after you will try to get access to your unencrypted files instead because cracking strong encryption isn't worth it most of the time
Iirc your cloud service provider could still figure out your unencrypted directory layout and filenames. You should really do some research on this if you wanna make sure you know all the risks
I appreciate your suggestion very much.
I wonder what the difference between gocryptfs and others like TrueCrypt would be.
Need to search and compare the pros and cons of both, the advantages and disadvantages of each, particularly in terms of security, ease of use, and performance.
Cryptomator is the most frictionless one
Software is too complicated to trust. Instead, like other posters have stated, try to work out the least risky storage mechanism.
I'd make that offline backups.
- Download some encryption software,
- disconnect the computer from any networks,
- copy the video onto the computer,
- destroy the device that previously hosted the video,
- encrypt the video,
- copy the decryption key onto other media,
- copy the encrypted file onto a number of SD cards
- destroy the encrypting computer.
- Send a few copies of the encrypted file on SD cards to people unlikely to decrypt it.
- Retire to my log cabin in the woods.
I'm going to deviate a bit from your question, since you asked a bunch of questions, and aim at the implied question underneath: "is there any hope for a non-expert?"
A Synology network attached storage device (NAS) provides reasonably good answers to the question "how can I have privacy and have some backups" without being a Linux expert.
It ships with apps that replace common cloud services with local backup equivalents.
It can also be configured to do local encryption before backing up to a cloud service, for data where disaster resilience is more critical than privacy (i.e. a library of family photos).
Edit: And as others have explained - we must always remember that the cloud is just someone else's computer.
Thank you everyone so much for your responses. You’ve truly opened my eyes to so many aspects I hadn’t even considered before.
Your insights were not only thoughtful but also incredibly helpful. It’s rare to come across such comprehensive answers that cover so many angles, and I really appreciate the time and effort you took to share them.
Each of you has given me a lot to think about, and I’m grateful for the depth of understanding you provided. Thanks again!
As a first step, I'd like to pick one of the programs to start with:
- Cryptomator
- gocryptfs (not so Windows-friendly)
- GnuPG
- VeraCrypt (slower than TrueCrypt, and since it’s offered as a replacement, it makes me suspicious, especially since TrueCrypt mysteriously vanished without providing any explanation. Some people believe VeraCrypt might have backdoors, whereas TrueCrypt’s abandonment perhaps didn’t provide any backdoors.)
- TrueCrypt (I have used it occasionally on my Windows PC, although it is no longer updated)