this post was submitted on 22 Sep 2023
17 points (90.5% liked)

Selfhosted

40152 readers
435 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

What the title says. I was looking into paperless-ngx but it seems to offer no built-in security. I'd ideally want some kind of encryption and if i enable remote access have some control over sensitive documents

top 8 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 1 year ago* (last edited 1 year ago) (1 children)

This has been exceptionally done to death on Reddit but I'll say it here since Reddit is dead.

Authentication -

If what you're looking for is a login front end you could check out paper merge - personally I've got Keycloak and Nginx running so I can just make my own login page anyway and put paperless behind it.

Stuff with sensitive documents should probably not be on the internet anyway unless you're a really advanced user.

Encryption -

In app encryption offers no security because the encryption key is stored in RAM and likely a database entry that must be unencrypted.

So the Devs are 100% correct in stating that it gives people a false sense of security to offer it as a feature.

Best bet is to have an encrypted filesystem or alternative encrypted storage buuuut, also understand that encryption key is also stored in RAM.

TLDR: There is no point in Devs offering in app encryption when you should already be encrypting the filesystem.

[–] [email protected] 3 points 1 year ago

Thank you, very helpful! And also thanks for putting this info on lemmy :) I figured asking the question here was a good way to get some of that insight here.

[–] [email protected] 6 points 1 year ago (1 children)

When you say "no built-in security", are you talking about not having https ? Paperless-ngx does have login security with users and passwords. I believe they recommend using nginx as a reverse-proxy server to implement https if you need it.

[–] [email protected] 1 points 1 year ago

Oh I didn't realize that, thanks!

[–] [email protected] 4 points 1 year ago (1 children)

When I was looking for a DMS I ran across MayanEDMS. I never got a chance to stand up any DMS but it may be worth checking out their site in case it meets your needs.

Not exactly DMS but I have a WikiJS instance running with MFA enabled and access control. For example, my wife and I can access a set of documents we deem sensitive but other users can’t. I use WikiJS for all my documentation needs.

[–] [email protected] 1 points 1 year ago

Ooh I'll look into Mayan. Seems very feature rich. Thanks!

[–] [email protected] 2 points 1 year ago (1 children)

Not sure what your environment is. I can tell you what I do in linux/android.

I use backblaze b2 for my cloud storage.

I use rclone to create two encrypted "remotes": one on my local file system and one for b2. Rclone supports a bunch of cloud providers, so you don't have to use b2.

I mount the encrypted local file system and use whatever app (e.g., paperless) to access the files like it was any other directory.

When I'm done I unmount it and sync it with the b2 encrypted remote.

I use Round Sync on android which is rclone with a mobile GUI to access the same files. Also works great for backing up my phone.

For docker access to the mount point, either run the docker daemon as your current user, enable root access to rclone's fuse mounts, or my preferred is to remount (with root access) a scoped directory for that docker container using something like bindfs.

Just be aware if using the vfs-cache (needed for seek or append), that cache is stored decrypted in your home folder. I've been meaning to look into locking it down with apparmor or something.

[–] [email protected] 1 points 1 year ago

Thank you! This really helps