submitted 3 weeks ago* (last edited 3 weeks ago) by talkingpumpkin@lemmy.world to c/selfhosted@lemmy.world

I'd like to give my users some private network storage (private from me, i.e. something encrypted at rest with keys that root cannot obtain).

Do you have any recommendations?

Ideally, it should be something where files are only decrypted on the client, but server-side decryption would be acceptable too as long as the server doesn't save the decryption keys to disk.

Before someone suggests that, I know I could just put LUKS-encrypted disk images on the NAS, but I'd like the whole thing to have decent performance (the idea is to allow people to store their photos/videos, so some may have several GB of files).


edit:

Thanks everyone for your comments!

TLDR: cryfs

Turns out I was looking at the problem from the wrong point of view: I was looking at sftpgo and wondering what I could do on the server side, but you made me realise this is really a client issue (and a solved one at that).

Here's a few notes after investigating the matter:

  • The use case is exactly the same as using client-side encryption with cloud storage (dropbox and those other things we self-hosters never use).
  • As an admin I don't have to do anything to support this use case, except maybe guiding my users in choosing what solution to adopt.
  • Most of the solutions (possibly all except cryfs?) encrypt file names and contents, leaking the directory structure and file size (meaning I could pretty much guess if they are storing their photos or... unsavory movies).
  • F-droid has an Android app (called DroidFS) that supports gocryptfs and cryfs.

I'll recommend my users try cryfs before any other solution. Others that may be worth looking at (in order): gocryptfs, cryptomator, securefs.

I'll recommend my users to avoid cryptomator if possible, despite its popularity: it's one of those commercial open source projects with arbitrary limitations (5 seats, whatever that means) and may have nag screens or require people to migrate to some fork in the future.

ecryptfs is to be avoided at all costs, as it seems unmaintained.
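The metadata leak mentioned in the notes above, as an added illustration that is not part of the original post: a simplified Python model of what someone with root on the NAS can tabulate, without any key, from a per-file encrypted share versus a store of equal-size blocks. The file names, sizes, `BLOCK` and `OVERHEAD` are constructed assumptions, not any tool's real parameters or on-disk format.

```python
import hashlib
from collections import Counter

BLOCK = 32 * 1024   # assumed block size for this model, not a quoted tool default
OVERHEAD = 32       # assumed per-file header/tag bytes (constructed)

# Constructed sample: what one user keeps in their share (path -> size in bytes).
PLAINTEXT = {
    "photos/2025/img_001.jpg": 4_200_000,
    "photos/2025/img_002.jpg": 3_900_000,
    "videos/holiday.mp4": 1_800_000_000,
    "notes/todo.txt": 900,
}

def opaque(name):
    """Stand-in for an encrypted name: the admin sees it exists, nothing more."""
    return hashlib.sha256(name.encode()).hexdigest()[:16]

def per_file_store(tree):
    """One ciphertext object per file; directories mirrored, sizes nearly kept."""
    return {"/".join(opaque(part) for part in path.split("/")): size + OVERHEAD
            for path, size in tree.items()}

def block_store(tree):
    """All data cut into equal-size blocks kept in one flat namespace."""
    store = {}
    for path, size in tree.items():
        for i in range(-(-size // BLOCK)):  # ceiling division
            store[opaque(f"{path}#{i}")] = BLOCK
    return store

def size_class(n):
    if n >= 100_000_000:
        return "video-sized"
    return "photo-sized" if n >= 1_000_000 else "small"

def admin_view(store):
    """Summary computable from ciphertext object names and sizes alone."""
    dirs = {key.rsplit("/", 1)[0] for key in store if "/" in key}
    return {"objects": len(store), "directories": len(dirs),
            "classes": dict(Counter(size_class(s) for s in store.values())),
            "total_bytes": sum(store.values())}

if __name__ == "__main__":
    print("per-file:", admin_view(per_file_store(PLAINTEXT)))
    print("blocks:  ", admin_view(block_store(PLAINTEXT)))
```

In the per-file view the observer still sees three directories and one video-sized object; in the block view only the object count and total volume remain.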

[-] Decronym@lemmy.decronym.xyz 2 points 3 weeks ago* (last edited 3 weeks ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| NAS | Network-Attached Storage |
| NFS | Network File System, a Unix-based file-sharing protocol known for performance and efficiency |
| SMB | Server Message Block protocol for file and printer sharing; Windows-native |
| SSH | Secure Shell for remote terminal access |

4 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.

[Thread #1015 for this comm, first seen 23rd Jan 2026, 17:25] [FAQ] [Full list] [Contact] [Source code]

[-] avidamoeba@lemmy.ca 1 points 3 weeks ago* (last edited 3 weeks ago)

OP, test the performance of LUKS image, VeraCrypt (if entertaining that) and Cryptomator and tell us how they perform! 😁

You could run a small set of fio runs to test sequential, random and parallel perf.

[-] avidamoeba@lemmy.ca 1 points 3 weeks ago* (last edited 3 weeks ago)

LUKS-encrypted images won't have bad performance. Could also use VeraCrypt or something like that for better portability if you need cross-platform function. Expose the folders where the images are stored via NFS/SAMBA. Flexible and portable solution.

You could expose volumes with iSCSI and format/mount them on the clients. Probably don't want to do that.

E:

> LUKS-encrypted images won't have bad performance.

Actually it depends whether the underlying network fs can do partial writes. I imagine both NFS and SAMBA can. If the file has to be fully rewritten with every change, then perf would be dead.

[-] KaninchenSpeed@lemmy.blahaj.zone 1 points 3 weeks ago

You can basically do it like LUKS does, but encrypting the files separately with gocryptfs, but like with all file encryption, you're leaking directory structure.

[-] asbestos@lemmy.world 1 points 3 weeks ago

Share a drive with each user via SMB and tell them to use Cryptomator

this post was submitted on 23 Jan 2026