this post was submitted on 14 Jun 2023
15 points (100.0% liked)

Selfhosted

573 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Resources:

> Any issues on the community? Report it using the report flag.

> Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
15
How do you guys do sensitive document storage? (feddit.nl)
submitted 1 year ago by JustEnoughDucks@feddit.nl to c/selfhosted@lemmy.world
4 comments fedilink hide all child comments
 

Hey lemmings, I was wondering not just what you are using foe documents, but how you go about securing them.

Right now I am simply running paperless-ngx on a LUKS encrypted drive with all of my other data, permissions so only docker can access it, and running it through my reverse proxy with authelia in front of the paperless authentication for 2 factor.

I have sensitive documents like house sale documents and pay slips on there. I want to keep it publically exposed for my work documents (we have to submit documentation of different tickets and invoices for personal things to get repaid), but I am worried about the security aspect of it.

I figure data-at-rest encryption is useless because if a bad actor gets in to my server, they could get it all from memory anyway, but I wonder if specifically I should make that 1 docker image only accessible by VPN or something like that? Any recommendations on how to secure documents like that while still having them accessible?

you are viewing a single comment's thread
view the rest of the comments
[–] jason@sh.itjust.works 3 points 1 year ago (1 children)

I have almost this exact setup (paperless-ngx on a LUKS encrypted drive, but mine is running on a VM in Proxmox) and I feel pretty good about the security. That being said, I only have it running on my home network and use a WireGuard VPN if I need to access it remotely. I can’t say I would feel as comfortable if I just had it open to the internet. Like, it’s probably ok, but then you’re relying on Paperless being your first and last line of defense.

[–] JustEnoughDucks@feddit.nl 3 points 1 year ago

Well I also have Authellia 2 factor in front of all of my services that face the internet besides Jellyfin and nextcloud to preserve app compatibility, but yeah that's why I was a bit uneasy about it. Maybe I should just make that container only available over wireguard.