31
submitted 1 year ago* (last edited 1 year ago) by Runis@lemmy.world to c/privacyguides@lemmy.one

Hello,

Like many people, I have many files (text, pictures, ...) on my Android smartphone; Files I don't want to lose. I could use Google Drive or similar software to have a copy of files in the cloud in case my smartphone is destroyed/lost/stolen, but files would be stored unencrypted server-side, so we don't want that. I'm looking for an E2EE solution to have a copy of the files in my phone on some cloud.

A common situation : you are on holidays, you only have your phone with you (no computer…). Near the end of the holidays, you break/lose your phone (or your backpack with your computer and phone is stolen). If your files are not synced/backed up in some cloud, you lose all your more recent files (including holidays pictures).

I searched for solutions, but found nothing good so far.

  • I considered Cryptomator for Android, but after 5,5 years the Document Provider API is still not implemented, despite the promises of the developers (they didn't bother with a roadmap for 2023 for Cryptomator, it's half abandoned with only cosmetic/bug fixes updates). There is no support for automation tools neither. So it does not seem appropriate.
  • Maybe a local encryption app, combined with a standard cloud sync app, could do the trick, but I have not found an efficient solution yet.

I'd like to know how you solved this problem for yourselves, or if you have any advice. It seems to be a common use case, I think it can be useful to many people.

note: I use Syncthing on a day-to-day basis to sync my files between my devices, but it won't help in these situations.

(I hope my English is not too bad, it's not my mother tongue, sorry)

top 25 comments
sorted by: hot top controversial new old
[-] MarioBarisa@vlemmy.net 8 points 1 year ago

I had the same problem, I have switched over to ProtonDrive and Iike it so much. If you want give ProtonDrive a try.

[-] Notamoosen@kbin.social 3 points 1 year ago

Also going to add that Proton makes my favorites VPN. They offer a completely free version with no data cap (but limited locations) if you wish to try it before buying the full product.

[-] albert180@feddit.de 7 points 1 year ago* (last edited 1 year ago)

Nextcloud? https://nextcloud.com/de/encryption/ It is not yet end to end, but the transport is encrypted and the files stored on the server too

[-] Runis@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

I don't really trust the server side encryption, admins can probably access files. I would sleep better with E2EE :-) But it can be right for some people, thanks for mentioning it.

[-] albert180@feddit.de 4 points 1 year ago

Well if you Selfhost you are your own admin. It's open source and easy to deploy

[-] DeltaTangoLima@reddrefuge.com 6 points 1 year ago

I use SyncThing to get the backups I want over to my main computer, then rclone to encrypt them onto remote cloud storage. In my case, I use S3, but rclone supports heaps of cloud remotes.

[-] maxmalrichtig@discuss.tchncs.de 5 points 1 year ago

+1 for SyncThing. The most cloud-less cloud one could wish to have.

OP could setup remotes in a way that they can be synced via VPN which could probably fit the "holiday" usecase. It wouldn't be a "everything is up in the cloud in realtime" kind of situation, but syncing up in the evening when you are out of home for a couple of days should be painless enough.

[-] DeltaTangoLima@reddrefuge.com 4 points 1 year ago

Yeah, absolutely. I forgot to mention that I use Wireguard and Tasker so that, when I'm travelling, only the backups I want to sync over 5G/remotely are sync'd over. The rest can usually wait until I get back home.

  • Syncthing syncs a parent backups folder on my phone
  • Wireguard keeps me permanently tethered to the home network (for Pi-hole and searxng private search engine, which goes out via Mullvad VPN @ home)
  • Tasker keeps the large and/or unnecessary backup files out of Syncthing's view when I'm not on the home network
[-] Runis@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Thank you, it seems a good setup.
Can you explain how you did this securely ? Is the box with Pi-Hole / searxng / syncthing insiste a DMZ ?
I'm woried of a potential breach of my home network. If ports are open to the internet, and I miss an update (or if there is a 0 day) on the serveur box at home, it could be hacked, data stolen, and be used as a jump box to attack the rest if the network; so I want to be sure to do it right, it scares me a little !

[-] DeltaTangoLima@reddrefuge.com 4 points 1 year ago* (last edited 1 year ago)

Excellent question, and good that you're asking.

Just about everything is virtualised on Proxmox, but that's only something I started doing this year. Before that, just about everything was running in Docker containers on Raspberry Pis. But, the security remained the same - just the back-end services changed. That said, only a handful my services are available via the internet. For everything else, I use the permanently on Wireguard VPN connection from my phone, to access private services (including Pi-hole DNS resolution and SearxNG) when not at home.

Nginx Proxy Manager

To start with, everything (even internal-only services) is hosted behind a reverse proxy server - Nginx Proxy Manager (NPM). NPM ensures the all communications to my services is over SSL, using a free, automatically renewable SSL certificate with Lets Encrypt. Crucially, I have NPM configured to steer all traffic for any publicly available services through an authentication service called Authelia (next section).

NPM also means I have name portability for my services. For instance, I used to use Whoogle for my private search engine, but recently changed over to SearxNG. As all my browsers reached the search engine using the host search.mydomain.tld, I didn't have to reconfigure all of them. I simply changed where NPM steered the traffic.

Authelia

Authelia has its own username/password database, or it can be configured to use an LDAP server. Authelia is one of a few single sign-on (SSO) services out there. Many others use one called Authentik. Either way, you need an SSO.

Crucially, SSO provides two factor authentication (2FA). 2FA is where a service will ask you for an additional something, after username and password, to prove who you are. This is often a timed one-time password (TOTP) - frequently a 6 digit time-limited password generated by an app on your phone. In my case, Authelia is configured to use Duo Mobile, which does a push notification to my phone, but also has the option of using a TOTP from the Duo Mobile app if push fails.

Network Segmentation

I don't really use a DMZ as such any more. With the advent of better, virtualised firewalls (see below), I don't really need to. Instead, all my Proxmox guests use a dedicated VLAN, making it very easy to identify and treat their traffic on my firewall. I have six VLANs setup:

  1. Myself/my wife
  2. Our kids
  3. Physical infrastructure (switches, Proxmox server, storage devices, etc)
  4. Proxmox guests
  5. Guest users
  6. IoT (usually untrusted IoT - Roomba vaccuums, etc)

These mean I can setup some good, broad firewall rules for each segment of my network to catch all traffic, then focus on specifics higher up the firewall rule-chain. Which leads me to...

Firewall

As always, how you firewall your traffic is key to success. I've virtualised my firewalling/routing on Proxmox, with an OPNsense VM. My Proxmox server has two physical network interfaces, with one of them being plugged in directly to my fibre internet, and presented only to the OPNsense VM. Unless someone figures out how to break out of virtual jail on that link, their only way in is via OPNsense.

Given the network segmentation above, the rest is just about how you craft your firewall rules. Generally speaking, firewalls use "first match" for evaluating firewall rules, meaning the first rule it hits that matches the traffic it's evaluating is the rule it applies to that traffic.

For example, I block all IoT from internet access as my last rule for the IoT segment. I then add a few rules up top that allow traffic out for the IoT devices that can't/don't operate without internet - Roomba vacuums, for example.

Being specific about the known use cases on your network is difficult at first - it's surprising how much "just works" without you specifically knowing about it. I spent a fair bit of time using the live logging feature on my firewall, analysing blocked traffic, to determine what else I needed to open to make sure things were working as expected.

As painful as it can be to do this, it's critical to being able to sleep at night, knowing you've only created the tiniest pinholes required. That's what firewall rules are - pinholes in an otherwise impenetrable brick wall protecting your network. But also a requirement for certain things to operate properly. The cool thing is, firewall rules are directional (eg. something coming in to the network, or something leaving the network), so these pinholes aren't a two-way street, if you don't need them to be.

Additional thoughts

Ultimately, what helped a lot was mapping this out on paper first. Nothing beats having a plan to refer back to, when you're in the middle of building/changing a bunch of network stuff. It centres your thoughts and reminds you of the prize, when all you want to do is unpick it all and go back to that shitty wireless internet router your ISP gave you.

Not sure about your circumstances, but I did a lot of my work in stages, often late at night, when the kids were in bed. Trying doing open heart surgery on your internet access with teenagers in the house!

[-] Runis@lemmy.world 2 points 1 year ago

Thank you very much for the very detailed answer !
It seems well thought. It may require some work (through time) but the result seems very good, with nice security and usability.
I'll work on the first steps in the next months.
I don't have kids yet so I can break it all !!

[-] landordragen@lemmy.ml 4 points 1 year ago

Ente for photos, Skiff Drive for files.

Both E2EE.

If price isn’t a issue, Tresorit would be my recommendation. Automatic photo upload, integration with native file explorer, pretty good speed, E2EE, audited and fantastic reputation.

[-] ashtrix@lemmy.ca 3 points 1 year ago

I use Filen. It's end to end encrypted and works pretty well: https://filen.io/

[-] Pretzel@infosec.pub 3 points 1 year ago

I use ente.io for my photos and videos, then I use Proton Drive to manually back up what I need for my files and documents

[-] mintycactus@lemmy.world 2 points 1 year ago

I use FolderSync to automate everything about files or backup. Even moving files locally on phone. Most rarely used files and simple backups are synced with Mega, its E2EE for all accounts. For frequently used files I sync them with nextcloud webdav, so I have easy and quick access on my PC too.

[-] fermuch@lemmy.ml 2 points 1 year ago

What about cryptomator for encryption and syncthing for syncing files to another place? Not exactly a backup per se but it works reliably.

[-] Runis@lemmy.world 2 points 1 year ago

I'd like to use Cryptomator (I have it on my phone), however it does not support the DocumentProvider API.
Because of this, using files inside a Cryptomator vault is very problematic with some apps. It is only possible to select a file in Cryptomator, and open it in an app. It is not possible to open a folder (unless I missed something).
For example, as far as I know it is impossible to open an Obsidian vault (a folder with markdown files linked between them) in Obsidian, if files are in a Cryptomator vault (and Android). It's only possible to select one file in Cryptomator, and open it in some app. Same problem with some other apps.
Instead of using files inside the Cryptomator vault, an alternative could be to send a copy of local files in the Cryptomator vault. But because of the lack of the DocumentProvider or automation app support, it does not seems possible to automate this copy..

[-] Kodachrome@kbin.social 2 points 1 year ago

skiff.com might be worth a look. Its services are E2EE. Its a lot like Proton in spirit but with better pricing and less nickle-and-diming. 10G of storage on the free plan. It's not a Swiss company though, if that should happen to be important to you.

[-] pabloscloud@lemmy.world 1 points 1 year ago

Cryptomator

[-] kittyrunningnoise@lemm.ee 1 points 1 year ago* (last edited 1 year ago)

With syncthing, you can share securely your pictures (etc.) folder on your phone with your computer, and cut cloud storage out of the picture entirely.

load more comments
view more: next ›
this post was submitted on 02 Jul 2023
31 points (100.0% liked)

Privacy Guides

16263 readers
1 users here now

In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.

This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.


You can subscribe to this community from any Kbin or Lemmy instance:

Learn more...


Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!

Want to get involved? The website is open-source on GitHub, and your help would be appreciated!


This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.


Moderation Rules:

  1. We prefer posting about open-source software whenever possible.
  2. This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.
  3. No soliciting engagement: Don't ask for upvotes, follows, etc.
  4. Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
  5. Be civil, no violence, hate speech. Assume people here are posting in good faith.
  6. Don't repost topics which have already been covered here.
  7. News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
  8. Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
  9. No help vampires: This is not a tech support subreddit, don't abuse our community's willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
  10. No misinformation: Extraordinary claims must be matched with evidence.
  11. Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
  12. General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.

Additional Resources:

founded 1 year ago
MODERATORS