It doesn’t seem to exist. I’d like a solution to upload and sync my photos and my KeePass database, but I’m really hesitant to upload personal photos unencrypted to services exposed to the internet. Unfortunately self-hosting a Nextcloud instance on my LAN isn’t possible at this moment, but maybe a VPS with a strict firewall and a mesh VPN like Tailscale or Netbird? But honestly I’d rather just pay someone for the trouble.
What do you suggest? Clients need to be FOSS and available on Linux and Android, and on Android they need to be available on F-Droid (thus no proprietary blobs or libraries from Google).
Apparently Tutanota is going to launch a cloud storage service at some point soon. They sent out an email about it a few weeks ago.
Photos is actually something that I don’t want to be E2EE when self hosting, so I host immich myself. But since you said it’s not an option, id go with Ente. They are encrypted and they have paid options.
The reason I don’t want it to be encrypted is I want my family to be able to easily retrieve the photos in case I die. I actually have a drive I occasionally backup in my safe that has all our family photos on it unprotected. That way in case I die unexpectedly my kids dont lose them all.
Isn’t it easier to come up with a way to share the passphrase or key file for the encrypted photos in the case of your death? Don’t get me wrong though, there are many pros to unencrypted photos, but the con of having them leaked to the internet in case the server(s) are compromised weighs far heavier than the pros unfortunately. At least when it comes to hosting them on a VPS.
I don’t think a hacker is going to care about my family photos in the event of a breach. They are going to try to mine crypto, add me to a botnet or try to get money out of me.
If you have any sensitive photos then ya those should be encrypted at rest. In that case I’d keep them off a server entirely.
I guess we value privacy and integrity differently. I consider all of my personal data sensitive.
Not sure what integrity has to do with it. As for privacy, it’s on a VLAN with no external ports open to it and is regularly patched. I’m not worried.
These days they might train a chatbot on your photos, texts, and voice recordings to try and scam relatives.
Don’t put your Keepass on a remote server! Jeez. For your photos you could run Nextcloud on a VPS with an encrypted file system. That wouldn’t be super duper secure (the host could get the keys out from the running VPS) and you’d have to deal with reloading keys every time you rebooted the VPS for whatever reason, but it’s a pretty simple thing to do. IDK if that would count as E2EE since the VPS does see the plaintext in transit.
Maybe you could do something with SSHFS and an encrypted disk image but that starts getting slow and flaky.
Tbh I don’t bother with anything like that for my own photos. They’re just on my local machine and not on the network. I have some encrypted Borg backups on a remote server but no Nextcloud or anything like that.
Don’t put your Keepass on a remote server!
Why not? It’s encrypted.
IDK if that would count as E2EE
It doesn’t.
When you say E2EE that usually refers to encryption and decryption at each end. So the endpoints see the plaintext but it’s encrypted in transit.
I think you don’t want E2EE in the above sense. You want all the encryption and decryption to be on the client, i.e. you want encrypted remote storage where the server side ONLY sees ciphertext.
Anyway yeah, maybe just SSHFS or NFS to an encrypted disk image on the loopback FS of your local machine. I think the remote side shouldn’t even have a file system (i.e. that exposes metadata like file sizes) rather than just a raw disk-like image. But, it could still be possible for someone monitoring disk activity on the server side to infer some things about that.
How much data are you talking about? What is your budget? You might be better off with a dedicated server, e.g. Hetzner server auction. That would make various active monitoring at the host less likely. You’d still want to encrypt in about the same way as you would a VPS.
If that were true, TLS/HTTPS would count as E2EE. I don’t think your definition is correct, but I could of course be wrong. But yes, I want client side encryption.
But thanks, I’ll think about it.
There are plenty if you drop the free requirement.
Hosting a server does cost money.I definitely don’t mind paying, in fact I prefer it. The service being free was never a requirement from my side. Can you recommend some alternatives?
I don’t think OP was looking for free hosting. Free software, yes, sure.
Their Android client isn’t on F-Droid and their repository for the Android client is super weird: https://github.com/FilenCloudDienste/filen-ts
There’s not even a file declaring the license, nor any APK releases to download so it seems like you can’t get it outside of the Google Play store.
Perhaps Cryptomator could be an option, where trust in the cloud provider isn’t required
Thanks! I’ll do some research about it.
I use syncthing to sync my KeePass database. I have a small VPS that I can sync to for when wifi is weird/as a backup, and Syncthing can do E2EE sync to a remote device, which is what I’m using. So all the files on the VPS are encrypted, but my phone or my computer can pull and push to the VPS.
Technically, you don’t even need a public endpoint, devices on the same network should be able to find eachother, and even over the internet devices should be able to find eachother through Syncthing’s e2ee public relay servers. However, in my experience syncthing over the internet has been unreliable, so I use a VPS.
I’ve been hesitant to use Syncthing since the whole drama a while ago, and I don’t trust the current maintainer (it screams AI slop in my opinion). There are some alternative frontends for Android on F-Droid but there is not a lot of information about them.
The drama has mostly been cleared up. This is the current Syncthing fork on F droid: https://github.com/researchxxl/syncthing-android . I don’t see any signs of AI slop here.
If you don’t trust that for whatever reason, there is also an alternative android app (on f droid ofc), which runs the Syncthing daemon, and which you can configure through the web ui: https://f-droid.org/en/packages/com.chiller3.basicsync/
Or, you can forgo android apps entirely, and run Syncthing directly in Termux (f droid link), via the Termux package. There is also the option of emulating a Linux distro in Termux and using the version of Syncthing packaged for Alpine/Debian/Arch’s ARM versions. Though, that setup, with distro prooting, is a bit more involved. There also might be issues with Android killing background processes.
What exactly would you like? If you want something like an EC2 instance (or the google/azure equivalent), those have volumes are encrypted at rest, and you can install all your services you need including a VPN and SSL certificates.
At rest disk encryption is super easy to set up, but that’s different from E2EE. Key management and encryption should happen client side.
ente photos and locker is open source and offers a paid hosted option or self hosted. https://ente.com/
Unfortunately Locker doesn’t have a client for Linux, otherwise it would’ve been an alright contender.
Doesn’t NextCloud fall under this? They offer professional cloud services if you don’t want to stand up your own instance — that’s how they make their money.
Sure, but as far as I can tell its E2EE implementation is subpar. There are ton of providers that offer NC hosting, including Hetzner, but my main concern is encryption. Do you have any experience with it?





