Full disk encryption via Gui

This would be a huge security gain in my opinion.

The problem: When using Syncloud (with Nextcloud/Syncthings for example) a lot of important data is stored on the syncloud server device. Anyone with physical access to said device can access this data.
Full disk encryption seems to be available for Debian, but appears way too complicated for inexperienced users to setup via command line.

Suggestion for solution: Toggle to enable Full-Disk-Encryption in Syncloud Device Settings.

Would this be doable? Even for installations which are already running? It seems to be such a basic feature nowadays for most OSes.
Thanks!

Hey, it is a great idea to encrypt the disk but as far as iI know you will have to enter the passphrase on every boot, for server that is not very convenient as if it has to reboot while you are away from home you will lose it untill you come back.

Also many devices do not even have a screen to see that you need to type something.

Thanks for taking the time to consider this!
Does the server have to reboot this often? And if so, couldn’t we use a VPN and ssh for this (thereby also eliminating the need for a screen)?

How do other OSs achieve this? On windows you don’t need to enter the bitlocker key every time upon boot. I mean, I might understand the concept wrong but don’t we authenticate our clients with a password every time we access the server? Couldn’t this be enough to decrypt the files at rest?

In the end, it’s not about password-protecting everything, just about making the files on the drive only accessible via the web-gui/nextcloud/other apps or ssh/ftp, all of which require some sort of proper authentication anyway.

I do not have experience at encrypting the disk either so we need someone who knows exactly what to do.

As to encrypting individual app files (what bitwarden app does) it comes with the cost of not able to use single sign on thechnology as ldap. This is why you cannot use the same credentials in bitwarden like in any other app on Syncloud as changing password in Syncloud Users app (ldap) does not reincrypt your data in bitwarden.
I personnaly would like ldap password and unencrypted bitwarden as I do not expect burglers at my home stealing my passwords.

But ideally of cause I would like to have protection against unattended physical access do my device if it is more or less convenient or at least as an option.

But could you tell me what is your situation, just want to know the real issue.

  1. Do you use Syncloud already?
  2. Is it at home/office/campus?
1 Like

Hi!

  1. I have been using Syncloud for 4 years now (big thank you by the way, you’re doing great!)
  2. I host it at home.

My wishes for encryption come from:

  • I know lots of people living in shared flats for whom stuff like this is important (especially with intimate things like camera upload in nextcloud etc)
  • With modern technology it is always better to have your files encrypted at rest. Whether your storage gets stolen, you sell it, or someone gives it away by accident or anything else, it’s always better not having files in clear text on there. At least that’s something I learned at multiple points when I got more into privacy and Cybersecurity.

I personally wouldn’t mind giving up the ldap feature for FDE (optional, of course). Usually it’s better anyways to set up a non-admin-account in these apps anyway for everyday use, right?

Usually it’s better anyways to set up a non-admin-account in these apps anyway for everyday use, right?

I do not create app-specifc users, only Syncloud Users (both admin/non-admin)

In general if you live with people you do not trust do not let them near your Syncloud server at the moment, not sure if google allows people they do not trust in their datacentrrs.

Sure, makes sense not to let untrusted people near one’s hardware :wink:
Sometimes the lines are blurry though.

Well I mean I certainly hope Google doesn’t store stuff in plain text on their servers.

About LDAP: Does this work for all users? Because I created a non-admin account which can’t be used to login to Jellyfin, for example. Doesn’t bother me much, I just created one in Jellyfin, but I’m curious.

It should work for all users, please report this bug at Issues · syncloud/platform · GitHub