I’d like to give my users some private network storage (private from me, i.e. something encrypted at rest with keys that root cannot obtain).
Do you have any recommendations?
Ideally, it should be something where files are only decrypted on the client, but server-side decryption would be acceptable too as long as the server doesn’t save the decryption keys to disk.
Before someone suggests that, I know I could just put LUKS-encrypted disk images on the NAS, but I’d like the whole thing to have decent performance (the idea is to allow people to store their photos/videos, so some may have several GB of files).


Not sure I’m getting you and probably didn’t explain myself well. Here’s what I mean:
At no point does the client’s key leave their computer and the host only ever sees encrypted data.
Subsequent uses without automation:
That’s at least how I understood OP’s suggestion for putting LUKS images on the NAS and that is secure indeed. They’re worried about performance.
OP said they DON’T want LUKS. I’m also missing how the admin of the server (OP) wouldn’t have or store the keys and still have these mounts available at all times?
You seem to be suggesting there is some way for a remote user to mount a LUKS image on its host, which is not a thing unless you’re first SSH’ing to said host and mounting it and making it available for export mount elsewhere, which is clearly not what OP is asking for here when they just want space for people to store media. Maybe I’m misunderstanding.
There’s Hook, Filen, Yeetfile, BatchIT…tons of these self-hosted stacks that do this with auth and user management built in. That’s what OP is asking about.
The host mounts no LUKS. The host just exports a network share via NFS. The client mounts that NFS share to a local mount point. Then the client has a dir which actually resides on the host. So far completely standard NAS stuff. Then the client creates a file in that dir. E.g. secretcontainer.img. This file is then encrypted on the client using cryptsetup (LUKS). Then it’s mounted on the client using LUKS. All the LUKS stuff happens on the client. The only interaction with the host is through NFS. The host just sees a file appear called secretcontainer.img on its storage. The same idea would work with VeraCrypt instead of LUKS. Or Cryptomator. Or anything else that can store encrypted data in file(s) in a directory.
LUKS can be used on a single file where the file acts as a disk device.
Also what I’m describing here is bog-standard Linux functionality that’s existed at least for 2 decades. Nothing fancy. It’s stuff that’s good to know so I’d be happy to answer questions.
E:
The procedure on the client is roughly (run as root on the client):

    cd /network/share/mountpoint
    fallocate -l 1G test.img                    # reserve the container file on the share
    cryptsetup luksFormat test.img              # LUKS-format the file; the passphrase is entered on the client
    cryptsetup open test.img test_decrypted     # map it as /dev/mapper/test_decrypted (cryptsetup attaches a loop device)
    mkfs.ext4 /dev/mapper/test_decrypted        # create the filesystem inside the container
    mount /dev/mapper/test_decrypted /mnt

Once that’s done, subsequent uses are:

    cryptsetup open test.img test_decrypted
    mount /dev/mapper/test_decrypted /mnt

Of course that can be automated further.
Just tested it in a local dir and it works fine. The only difference between that and the real scenario is whether test.img resides on a network mount or local disk. Since the network mounts behave like normal disks, everything else works the same. The only concern is what the performance would be, which depends on how the underlying network fs handles reads/writes to test.img. E.g. if you change 0.5MB, does it send that 0.5MB or does it rewrite the whole 1GB file? When reading, does it have to read the whole 1GB file or just parts of it as needed? Etc.


Bud…been doing this for 20 years. Don’t need your explainer.
The fact you didn’t mention the barest of minimums in your comment is where the issue lies. You’re just adding stacks on stacks of things by using any other network mount and having the user manage an encrypted image inside that mount. Also absent from what you were trying to explain. I’d work on that.
Point being, for a multi-user/tenant utility like OP is asking for, there are better tools for the job, of which I just named a couple standalone options. If they are running TrueNAS, Synology, or QNAP, or even NextCloud, there are already built-ins for this purpose, and apps to match.
If not, any of the other solutions I mentioned are much better suited for the use-case, especially, and if not only because, OP specifically said they DID NOT want exactly what you’re describing.
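Editor's added example, not code posted by anyone in this thread: a small client-side wrapper around the "LUKS container file on an NFS share" procedure discussed above (create, open, mount, close). It goes slightly beyond the posted commands in three places a practitioner would want: it refuses to overwrite an existing image, it falls back to a sparse file when fallocate is not supported on the share (fallocate over NFS needs an NFSv4.2 server), and it has an explicit close step so the key leaves the client's kernel. The paths IMG_DIR and MNT_BASE, the use of sudo, and the volume names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): wrap the client-side LUKS-in-a-file procedure.
# Assumptions (hypothetical): the NFS share is mounted at $IMG_DIR on the client,
# the user can run cryptsetup/mount via sudo, and volumes are mounted under $MNT_BASE.
set -eu

IMG_DIR="${IMG_DIR:-/network/share/mountpoint}"   # NFS share as seen by the client
MNT_BASE="${MNT_BASE:-/mnt/secret}"                # where opened volumes get mounted
SUDO="${SUDO:-sudo}"                               # cryptsetup and mount need root on the client

# Derive a device-mapper name from a volume name or image path (only [A-Za-z0-9_]).
mapper_name() {
    basename "$1" .img | tr -c 'A-Za-z0-9_\n' '_'
}

# Open an existing container: cryptsetup attaches a loop device to the image and
# asks for the passphrase locally. Fails fast if the image is missing or already open.
vol_open() {
    name=$1
    img="$IMG_DIR/$name.img"
    dm=$(mapper_name "$name")
    if [ ! -f "$img" ]; then
        echo "no such image: $img" >&2
        return 1
    fi
    if [ -e "/dev/mapper/$dm" ]; then
        echo "$dm is already open" >&2
        return 1
    fi
    $SUDO mkdir -p "$MNT_BASE/$name"
    $SUDO cryptsetup open "$img" "$dm"
}

# Mount an already-opened container (the "subsequent uses" case from the thread).
vol_mount() {
    name=$1
    $SUDO mount "/dev/mapper/$(mapper_name "$name")" "$MNT_BASE/$name"
}

# Create an encrypted container NAME of SIZE (e.g. 20G) and put ext4 inside it.
# The passphrase is typed on the client; the host only ever sees the image file.
vol_create() {
    name=$1; size=$2
    img="$IMG_DIR/$name.img"
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 1
    fi
    # fallocate(2) over NFS needs an NFSv4.2 server; otherwise fall back to a sparse
    # file, which also keeps the image small until data is actually written.
    fallocate -l "$size" "$img" 2>/dev/null || truncate -s "$size" "$img"
    chmod 600 "$img"
    # LUKS2 defaults to argon2id key derivation. That matters here: the LUKS header
    # lives on the host, so whoever controls the host can guess passphrases offline.
    $SUDO cryptsetup luksFormat --type luks2 "$img"
    vol_open "$name"
    $SUDO mkfs.ext4 -q "/dev/mapper/$(mapper_name "$name")"
    vol_mount "$name"
    # mkfs leaves the root of the new fs owned by root; hand it to the user
    $SUDO chown "$(id -u):$(id -g)" "$MNT_BASE/$name"
}

# Flush, unmount and close, so the volume key is dropped from the client's kernel.
vol_close() {
    name=$1
    dm=$(mapper_name "$name")
    sync
    if mountpoint -q "$MNT_BASE/$name"; then
        $SUDO umount "$MNT_BASE/$name"
    fi
    $SUDO cryptsetup close "$dm"
}

# Usage: vol.sh create photos 20G | open photos | mount photos | close photos
main() {
    cmd=${1:-}; shift || true
    case "$cmd" in
        create) vol_create "$@" ;;
        open)   vol_open "$@" && vol_mount "$@" ;;
        mount)  vol_mount "$@" ;;
        close)  vol_close "$@" ;;
        *) echo "usage: $0 {create NAME SIZE|open NAME|mount NAME|close NAME}" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because cryptsetup puts a loop device over the image, I/O reaches the share as ordinary reads and writes at file offsets; the NFS client does not re-send the whole image on a partial write, so the performance question raised above mostly reduces to the performance of the share itself. The caveat that survives is the one the wrapper comments on: the LUKS header, and therefore the material needed for an offline passphrase guess, sits on the host, so the passphrase (or a keyfile kept only on the client) has to be strong.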