this post was submitted on 23 Jan 2026
47 points (98.0% liked)

Selfhosted

55090 readers
396 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
47
Private network storage for my users? (lemmy.world)
submitted 4 days ago* (last edited 3 days ago) by talkingpumpkin@lemmy.world to c/selfhosted@lemmy.world
27 comments fedilink hide all child comments
 

I'd like to give my users some private network storage (private from me, ie. something encrypted at rest with keys that root cannot obtain).

Do you have any recommendations?

Ideally, it should be something where files are only decrypted on the client, but server-side decryption would be acceptable too as long as the server doesn't save the decryption keys to disk.

Before someone suggests that, I know I could just put lucks-encrypted disk images on the NAS, but I'd like the whole thing to have decent performance (the idea is to allow people to store their photos/videos, so some may have several GB of files).

edit:

Thanks everyone for your comments!

TLDR: cryfs

Turns out I was looking at the problem from the wrong point of view: I was looking at sftpgo and wondering what I could do on the server side, but you made me realise this is really a client issue (and a solved one at that).

Here's a few notes after investigating the matter:

  • The use case is exactly the same as using client-side encryption with cloud storage (dropbox and those other things we self-hoster never use).
  • As an admin I don't have to do anything to support this use case, except maybe guiding my users in choosing what solution to adopt.
  • Most of the solutions (possibly all except cryfs?) encrypt file names and contents, leaking the directory structure and file size (meaning I could pretty much guess if they are storing their photos or... unsavory movies).
  • F-droid has an Android app (called DroidFS) that support gocryptfs and cryfs

I'll recommend my users try cryfs before any other solution. Others that may be worth it looking at (in order): gocryptfs, cryptomator, securefs.

I'll recommend my users to avoid cryptomator if possible, despite its popularity: it's one of those commecrial open source projects with arbitrary limitations (5 seats, whatever that means) and may have nag screens or require people to migrate to some fork in the future.

ecryptfs is to be avoid at all costs, as it seems unamaintaned.

you are viewing a single comment's thread
view the rest of the comments
[–] avidamoeba@lemmy.ca 3 points 4 days ago* (last edited 4 days ago) (1 children)

The host mounts no LUKS. The host just exports a network share via NFS. The client mounts that NFS share to a local mount pount. Then the client has a dir which actually resides on the host. So far completely standard NAS stuff. Then the client creates a file in that dir. E.g. secretcontainer.img. This file is then encrypted on the client using cryptsetup (LUKS). Then it's mounted on the client using LUKS. All the LUKS stuff happens on the client. The only interaction with the host is throgh NFS. The host just sees a file appear called secretcontainer.img on its storage. The same idea would work with VeraCrypt instead of LUKS. Or Cryptomator. Or anything else that can store encrypted data in file(s) in a directory.

LUKS can be used on a single file where the file acts as a disk device.

Also what I'm describing here is bog-standard Linux functionality that's existed at least for 2 decades. Nothing fancy. It's stuff that's good to know so I'd be happy to answer questions.

E:

The procedure on the client is roughly:

cd /network/share/mountpoint
fallocate -l 1G test.img
cryptsetup luksFormat test.img
cryptsetup open test.img test_decrypted
mkfs.ext4 /dev/mapper/test_decrypted
mount /dev/mapper/test_decrypted /mnt

Once that's done, subsequent uses are:

cryptsetup open test.img test_decrypted
mount /dev/mapper/test_decrypted /mnt

Of course that can be automated further.

Just tested it in a local dir and it works fine. The only difference between that and the real scenario is whether test.img resides on a network mount or local disk. Since the network mounts behave like normal disks, everything else works the same. The only concern is what the performance would be, which depends on how the underlying network fs handles reads/writes to test.img. E.g. if you change 0.5MB, does it send that 0.5MB or does it rewrite the whole 1GB file. When reading, does it have to read the whole 1GB file or just parts of it as needed. Etc.

[–] just_another_person@lemmy.world 0 points 4 days ago (1 children)

Bud...been doing this for 20 years. Don't need your explainer.

The fact you didn't mention the barest of minimums in your comment if where the issue lies. You're just adding stacks on stacks of things by using any other network mount and having the user manage an encrypted image inside that mount. Also absent from what you were trying to explain. I'd work on that.

Point being, for a multi-user/tenant utility like OP is asking for, there are better tools for the job, of which I just named a couple standalone options. If they are running TrueNAS, Synology, or QNAP, or even NextCloud, there are already built-ins for this purpose, and apps to match.

If not, any of the other solutions I mentioned are much better suited for the use-case, especially, and if not only because, OP specifically said they DID NOT want exactly what you're describing.

[–] avidamoeba@lemmy.ca 4 points 4 days ago

The fact you didn’t mention the barest of minimums in your comment if where the issue lies.

I described the procedure step-by-step mentioning each layer. That's the best I could do.

OP specifically said they DID NOT want exactly what you’re describing.

OP said they're worried about performance with this solution. Hence why my first response addressed the performance issue. The rest was responding to you (and anyone else who is reading) since you thought that is not an E2E solution. I tried explaining why it's client-side encryption and no keys are stored on the host.