David.dev 🎪


2020-02-14 linux, security

How to host your own secure cloud

As a follow-up to my previous post on cloud security, there is of course another option for storing your files securely: run your own file ☁️ cloud service.

This is not as hard as it seems. Here is how to do it, step by step.

Step 1 Have a server

The best option is to have your own physical server, but this is not always doable or convenient (it also adds the extra burden of backing up your files, updating the OS and the hardware, etc.).

So if a physical server is not in the cards, get a virtual server (EC2, Rackspace, DigitalOcean; there are just too many providers to mention them all). I recommend running Ubuntu or Debian, as these are widely supported and there are a lot of tutorials around.

Step 2 Enable SFTP

I know, I know: a lot of services for hosting your own encrypted file cloud exist today. But let's go old school, where you control every aspect of the process and limit the moving pieces (who is going to read or audit the code used by these tools? What about vulnerabilities?). All you need to access your cloud is SFTP, which is normally installed by default (if not, you can find plenty of tutorials on enabling it on Ubuntu).

Step 3 Create Folders for non encrypted files (if you wish)

Since encrypting and decrypting is reserved for more sensitive data, you can create multiple folders. For example, if you want to store some files that are not sensitive without encryption (say, an article from the web that you want to save for future reading), you just create a normal folder and download/upload (or sync files with a good SFTP client) without having to decrypt anything.

Of course, nothing prevents you from encrypting all your files, in which case you move to Step 4. If, however, you do not wish to get too technical (as in Step 4), you can create non-encrypted folders but upload your sensitive documents as 7zip encrypted archives or encrypted PDF files. In this scenario -- whilst your filesystem or folders are not encrypted -- your sensitive data is.

Step 4 Encrypt sensitive folders (a bit more technical)

I will now save you tens of hours of research into the best tool for encrypting files on your shiny new Linux server. Forget all those unmaintained scripts that encrypt individual files, etc. We are going filesystem-level here, so on Linux you have eCryptfs or the recommended and more modern fscrypt. It is easier to use and supports your login passphrase (so you won't need a separate password to lock and unlock a directory). The setup info is available here, but here is a super quick guide:

sudo fscrypt setup # create the global /etc/fscrypt.conf
sudo tune2fs -O encrypt /dev/sda2 # enable the ext4 encrypt feature (use your own device)
fscrypt setup / # or your mountpoint
mkdir secret # create a secret directory
fscrypt encrypt secret
Should we create a new protector? [y/N]
"secret" is now encrypted, unlocked, and ready for use.
## you can now cd secret and make a file or drop some files
cd secret
joe secretfile.txt
cd .. # leave the directory so the relative path "secret" resolves when locking
sudo fscrypt lock secret --user=USERNAME
david@localhost:~$ cd secret/
david@localhost:~/secret$ ls
3jdTiA0m0kjYbl+agwy1Pl1Kc,7EmvXnGsTxX1gp,cL

Your files now stay encrypted until you unlock the directory, which makes them visible again (and accessible with your SFTP client):

david@localhost:~$ fscrypt unlock secret
Enter login passphrase for gurugeek:
"secret" is now unlocked and ready for use.
david@localhost:~$ cd secret
david@localhost:~/secret$ ls
secretfile.txt
david@localhost:~/secret$
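
While the directory is unlocked, its contents are plaintext to every SFTP session, so it is worth checking that it really is locked when you are done. The script below is an added example, not part of the original post or of the fscrypt project. It assumes `fscrypt status DIR` prints an `Unlocked: Yes` or `Unlocked: No` line; the names `lock_state`, `sample_status` and `check_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: classify the output of `fscrypt status DIR`.
# Assumption: the output has a line "Unlocked: Yes" or "Unlocked: No".
# Any other value, or no such line at all, is treated as NOT safely locked.

# lock_state: read `fscrypt status` output on stdin and print
# locked | unlocked | unknown.
lock_state() {
    awk '
        /^Unlocked:/ { seen = 1; val = $2 }
        END {
            if (!seen)            print "unknown"
            else if (val == "No") print "locked"
            else                  print "unlocked"
        }'
}

# sample_status VALUE: constructed status output (the policy ID is made up),
# so that lock_state can be exercised without fscrypt installed.
sample_status() {
    cat <<EOF
"secret" is encrypted with fscrypt.

Policy:   0123456789abcdef0123456789abcdef
Unlocked: $1
EOF
}

# check_dir DIR: return 0 only if fscrypt reports DIR as locked.
# A missing fscrypt binary or an unencrypted DIR yields "unknown" and fails.
check_dir() {
    state=$(fscrypt status "$1" 2>/dev/null | lock_state)
    if [ "$state" = "locked" ]; then
        return 0
    fi
    echo "WARNING: $1 is $state; its files may be readable over SFTP" >&2
    return 1
}

# Check a real directory only when one is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_dir "$1"
fi
```

Run it from cron or a logout hook with the directory as its argument; a non-zero exit status means the directory was left unlocked or its state could not be determined.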

With this setup, you are in control of your files and their encryption, not some tech giant with a 50+ page privacy policy!