48
Private network storage for my users? (lemmy.world)
submitted 1 month ago* (last edited 1 month ago) by talkingpumpkin@lemmy.world to c/selfhosted@lemmy.world
20 comments fedilink hide all child comments

I'd like to give my users some private network storage (private from me, ie. something encrypted at rest with keys that root cannot obtain).

Do you have any recommendations?

Ideally, it should be something where files are only decrypted on the client, but server-side decryption would be acceptable too as long as the server doesn't save the decryption keys to disk.

Before someone suggests that, I know I could just put lucks-encrypted disk images on the NAS, but I'd like the whole thing to have decent performance (the idea is to allow people to store their photos/videos, so some may have several GB of files).

edit:

Thanks everyone for your comments!

TLDR: cryfs

Turns out I was looking at the problem from the wrong point of view: I was looking at sftpgo and wondering what I could do on the server side, but you made me realise this is really a client issue (and a solved one at that).

Here's a few notes after investigating the matter:

  • The use case is exactly the same as using client-side encryption with cloud storage (dropbox and those other things we self-hoster never use).
  • As an admin I don't have to do anything to support this use case, except maybe guiding my users in choosing what solution to adopt.
  • Most of the solutions (possibly all except cryfs?) encrypt file names and contents, leaking the directory structure and file size (meaning I could pretty much guess if they are storing their photos or... unsavory movies).
  • F-droid has an Android app (called DroidFS) that support gocryptfs and cryfs

I'll recommend my users try cryfs before any other solution. Others that may be worth it looking at (in order): gocryptfs, cryptomator, securefs.

I'll recommend my users to avoid cryptomator if possible, despite its popularity: it's one of those commecrial open source projects with arbitrary limitations (5 seats, whatever that means) and may have nag screens or require people to migrate to some fork in the future.

ecryptfs is to be avoid at all costs, as it seems unamaintaned.

top 20 comments
sorted by: hot top controversial new old
[-] Decronym@lemmy.decronym.xyz 11 points 1 month ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
NAS Network-Attached Storage
NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency
SMB Server Message Block protocol for file and printer sharing; Windows-native
SSH Secure Shell for remote terminal access

4 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.

[Thread #1015 for this comm, first seen 23rd Jan 2026, 17:25] [FAQ] [Full list] [Contact] [Source code]

[-] asbestos@lemmy.world 10 points 1 month ago

Share a drive with each user via SMB and tell them to use Cryptomator

[-] avidamoeba@lemmy.ca 6 points 1 month ago* (last edited 1 month ago)

Cryptomator encrypts files individually right?

E:

For the curious like me, here's how Cryptomator makes a directory with multiple encrypted files appear as a single vol when decrypted. From mount:

fuse-nio-adapter on $HOME/.local/share/Cryptomator/mnt/test type fuse.fuse-nio-adapter (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

It uses its own fuse module to present it as a volume. The real directory has its own file structure:

~/test/test$ find
.
./c
./vault.cryptomator
./vault.cryptomator.12A05032.bkup
./d
./d/LO
./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4
./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4/PmAyroZAF5W7kGoHxr3Fhi-NeQIeO7SZcufE.c9r
./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4/dirid.c9r
./IMPORTANT.rtf
./masterkey.cryptomator.7DB56291.bkup
./masterkey.cryptomator

This looks like a good option. Perhaps more flexible than using LUKS/VeraCrypt file, but those should work too if the underlying dir is on NFS/SAMBA.

[-] irmadlad@lemmy.world 3 points 1 month ago

Plus, the cryptomater 'containers' are portable.

[-] avidamoeba@lemmy.ca 2 points 1 month ago* (last edited 1 month ago)

Yup. VeraCrypt is also portable but it would play badly with web-backed storage that uploads/downlaods whole files. Would only be usable on local NAS storage. That said, I'm curious to see how Cryptomator performs on local NAS for high-perf applications compared to VC or LUKS. E.g. if you want to have a large photo collection with Immich on top of it. 😀 Sadly I don't have NAS anymore to test it out.

[-] WhyJiffie@sh.itjust.works 1 points 1 month ago

I think copyparty can handle partial transfers both ways

[-] irmadlad@lemmy.world 7 points 1 month ago

The first thing that pops into my paranoid brain is: How well do you trust these 'users'? Personally, I would have to implicitly trust someone to be able to allow them even a few kb on my server.

[-] talkingpumpkin@lemmy.world 4 points 1 month ago

IDK how much I'd trust them with tech stuff (not much, definitely). However I don't see how encrypted storage may become an attack vector?

I mean, they could clog up the HDDs with crap, but they can already do that via non-encrypted network storage (and in several other ways).

[-] irmadlad@lemmy.world 7 points 1 month ago

However I don’t see how encrypted storage may become an attack vector?

Not an attack vector. I'm speaking more towards the content of what they will be storing on your server.

[-] francois@jlai.lu 6 points 1 month ago

Can the hoster be liable for illegal content stored on their server if they have no way to decrypt the files?

[-] irmadlad@lemmy.world 9 points 1 month ago

There are Safe Harbor laws, however, these vary by jurisdiction, country, etc. It would be a litigation I wouldn't want to get involved in. I'm not crapping on your deployment idea. I'm just very cautious...perhaps overly cautious.

[-] Wolf314159@startrek.website 2 points 1 month ago

Yes. I'm assuming your just some dude and not a telecom with teams of lawyers.

[-] avidamoeba@lemmy.ca 6 points 1 month ago

Thanks for reporting the results! TIL about cryfs.

[-] avidamoeba@lemmy.ca 5 points 1 month ago* (last edited 1 month ago)

LUKS-encrypted images won't have bad performance. Could also use VeraCrypt or something like that for better portability if you need cross-platform function. Expose the folders where the images are stored via NFS/SAMBA. Flexible and portable solution.

You could expose volumes with iSCSI and format/mount them on the clients. Probably don't want to do that.

E:

LUKS-encrypted images won't have bad performance.

Actually it depends whether the underlying network fs can do partial writes. I imagine both NFS and SAMBA can. If the file has to be fully rewritten with every change, then perf would be dead.

[-] kokomo@lemmy.kokomo.cloud 3 points 1 month ago* (last edited 1 month ago)

Nextcloud has server-side encryption where there are user keys? https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/encryption_configuration.html

[-] Atemu@lemmy.ml 2 points 1 month ago

That's for encrypting your data to protect against an untrusted storage back-end.

They also have e2ee for users though where the server cannot see the plaintext either.

https://nextcloud.com/encryption/

[-] bowroat@infosec.pub 3 points 1 month ago

Resilio sync, using encrypted shares

[-] avidamoeba@lemmy.ca 2 points 1 month ago* (last edited 1 month ago)

OP, test the performance of LUKS image, VeraCrypt (if entertaining that) and Cryptomator and tell us how they perform! 😁

You could run a small set of fio runs to test sequential, random and parallel perf.

[-] skyline2@lemmy.dbzer0.com 1 points 1 month ago

https://docs.cryptpad.org/en/admin_guide/index.html

[-] KaninchenSpeed 1 points 1 month ago

You can basically do it like luks does, but encrypting the files separately with gocryptfs, but like with all file encryption, you're leaking directory structure.

this post was submitted on 23 Jan 2026
48 points (100.0% liked)

Selfhosted

57232 readers
603 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz