I’d like to give my users some private network storage (private from me, i.e. something encrypted at rest with keys that root cannot obtain).

Do you have any recommendations?

Ideally, it should be something where files are only decrypted on the client, but server-side decryption would be acceptable too as long as the server doesn’t save the decryption keys to disk.

Before someone suggests that, I know I could just put LUKS-encrypted disk images on the NAS, but I’d like the whole thing to have decent performance (the idea is to allow people to store their photos/videos, so some may have several GB of files).

  • Avid Amoeba@lemmy.ca
    2 hours ago

    Cryptomator encrypts files individually right?

    E:

    For the curious like me, here’s how Cryptomator makes a directory with multiple encrypted files appear as a single vol when decrypted. From mount:

    fuse-nio-adapter on $HOME/.local/share/Cryptomator/mnt/test type fuse.fuse-nio-adapter (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
    

    It uses its own fuse module to present it as a volume. The real directory has its own file structure:

    ~/test/test$ find
    .
    ./c
    ./vault.cryptomator
    ./vault.cryptomator.12A05032.bkup
    ./d
    ./d/LO
    ./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4
    ./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4/PmAyroZAF5W7kGoHxr3Fhi-NeQIeO7SZcufE.c9r
    ./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4/dirid.c9r
    ./IMPORTANT.rtf
    ./masterkey.cryptomator.7DB56291.bkup
    ./masterkey.cryptomator
    

    This looks like a good option. Perhaps more flexible than using a LUKS/VeraCrypt file, but those should work too if the underlying dir is on NFS/Samba.
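
Added example, not part of the comment above and not Cryptomator's own tooling: a shell check that walks a vault directory on the NAS and reports any file that does not fit the layout in that `find` listing, which is how unencrypted files that bypassed the vault would show up. The file-name patterns are assumptions taken from the listing, and `holiday.jpg` and `notes.txt` are constructed sample files.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). File-name patterns are
# assumptions taken from the `find` listing in the comment above.

# Print every file under vault root $1 that does not fit that layout,
# so it can be checked for plaintext that never went through the vault.
audit_vault() {
    local vault=$1
    if [ ! -f "$vault/vault.cryptomator" ]; then
        echo "not a Cryptomator vault: $vault" >&2
        return 2
    fi
    (
        cd "$vault" || exit 2
        find . -type f | sed 's|^\./||' | LC_ALL=C sort | while IFS= read -r path; do
            case "$path" in
                vault.cryptomator | masterkey.cryptomator) ;;   # vault config and key file
                vault.cryptomator.*.bkup | masterkey.cryptomator.*.bkup) ;;  # their backups
                IMPORTANT.rtf) ;;                               # readme in the vault root
                d/??/*.c9r) ;;                                  # encrypted nodes under d/
                *) printf '%s\n' "$path" ;;                     # unexpected: report it
            esac
        done
    )
}

# Constructed sample: rebuild the listing from the comment, then add two
# stray plaintext files such as a misconfigured sync client might leave.
make_sample_vault() {
    local root=$1 dir="d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4"
    mkdir -p "$root/c" "$root/$dir"
    touch "$root/vault.cryptomator" "$root/vault.cryptomator.12A05032.bkup" \
          "$root/masterkey.cryptomator" "$root/masterkey.cryptomator.7DB56291.bkup" \
          "$root/IMPORTANT.rtf" "$root/$dir/dirid.c9r" \
          "$root/$dir/PmAyroZAF5W7kGoHxr3Fhi-NeQIeO7SZcufE.c9r"
    touch "$root/holiday.jpg" "$root/$dir/notes.txt"
}

sample=$(mktemp -d)
make_sample_vault "$sample"
audit_vault "$sample"        # lists the two stray files
rm -rf "$sample"
```

An empty result means every file on the share matches the vault layout; it does not prove the `.c9r` contents are valid ciphertext.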