I’d like to give my users some private network storage (private from me, i.e. something encrypted at rest with keys that root cannot obtain).
Do you have any recommendations?
Ideally, it should be something where files are only decrypted on the client, but server-side decryption would be acceptable too as long as the server doesn’t save the decryption keys to disk.
Before someone suggests that, I know I could just put LUKS-encrypted disk images on the NAS, but I’d like the whole thing to have decent performance (the idea is to allow people to store their photos/videos, so some may have several GB of files).


LUKS-encrypted images won’t have bad performance. Could also use VeraCrypt or something like that for better portability if you need cross-platform function. Expose the folders where the images are stored via NFS/SAMBA. Flexible and portable solution.
You could expose volumes with iSCSI and format/mount them on the clients. Probably don’t want to do that.
E:
Actually it depends whether the underlying network fs can do partial writes. I imagine both NFS and SAMBA can. If the file has to be fully rewritten with every change, then perf would be dead.
Those aren’t end-to-end encrypted from the user, and would need to be mounted on the local system with a key that is unique to each user. Not exactly user-friendly if supporting multiple users.
There are plenty of other solutions meant for the purpose OP is asking about.
Not sure I’m getting you and probably didn’t explain myself well. Here’s what I mean:
At no point does the client’s key leave their computer and the host only ever sees encrypted data.
Subsequent uses without automation:
That’s at least how I understood OP’s suggestion for putting LUKS images on the NAS and that is secure indeed. They’re worried about performance.