this post was submitted on 14 Jun 2023
14 points (100.0% liked)

Selfhosted

38789 readers
366 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey lemmings, I was wondering not just what you are using foe documents, but how you go about securing them.

Right now I am simply running paperless-ngx on a LUKS encrypted drive with all of my other data, permissions so only docker can access it, and running it through my reverse proxy with authelia in front of the paperless authentication for 2 factor.

I have sensitive documents like house sale documents and pay slips on there. I want to keep it publically exposed for my work documents (we have to submit documentation of different tickets and invoices for personal things to get repaid), but I am worried about the security aspect of it.

I figure data-at-rest encryption is useless because if a bad actor gets in to my server, they could get it all from memory anyway, but I wonder if specifically I should make that 1 docker image only accessible by VPN or something like that? Any recommendations on how to secure documents like that while still having them accessible?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 1 year ago (1 children)

I have almost this exact setup (paperless-ngx on a LUKS encrypted drive, but mine is running on a VM in Proxmox) and I feel pretty good about the security. That being said, I only have it running on my home network and use a WireGuard VPN if I need to access it remotely. I can’t say I would feel as comfortable if I just had it open to the internet. Like, it’s probably ok, but then you’re relying on Paperless being your first and last line of defense.

[–] [email protected] 2 points 1 year ago

Well I also have Authellia 2 factor in front of all of my services that face the internet besides Jellyfin and nextcloud to preserve app compatibility, but yeah that's why I was a bit uneasy about it. Maybe I should just make that container only available over wireguard.