That’s my next project to get things from Google/Apple.

The options I’ve seen so far

Any option I am missing?

  • Blaze@piefed.zipOPEnglish
    21·
    1 day ago

    If you host Immich on a VPS, there are three scenarios

    1. You just install Immich on the VPS normally. In that case, the VPS provider (e.g. Hetzner) can access your photos. Not ideal for me.
    2. You use disk encryption to encrypt the whole disk at the disk level (such as https://www.accruedwisdom.com/articles/hetzner-lvm-full-disk-encryption/). Seems a bit cumbersome to be honest, and even if the link says how to do it, I’m not sure it’s completely allowed by Hetzner.
    3. You encrypt the files at the file level, but then you break most of the Immich features.
    • smiletolerantly@awful.systems
      2·
      1 day ago

      LUKS isn’t cumbersome, you should really enable it on nearly every Linux system.

      Anyways, what do you mean “allowed”?

      I have a Hetzner root server set up this way btw, have to ssh in to decrypt the zfs pool before boot.

      Do note though, this does not protect from an attacker with physical access reading memory.

      • Blaze@piefed.zipOPEnglish
        21·
        1 day ago

        I use LUKS on my personal machines, I’m just not sure if I want to enable it for a VPS. Now if you tell me you’re doing that without any issue, that’s good to know.

        this does not protect from an attacker with physical access reading memory.

        So in this case, the VPS provider can still access your photos when they are being used by the photos management software?

        Seems to be another argument for E2EE embedded photos software.

        • smiletolerantly@awful.systems
          3·
          1 day ago

          I mean… Depends on your threat model. Hetzner is a very reputable German hoster. The only way someone is going to try and read and puzzle together memory dumps is if you’re under investigation for something seriously heinous.

          Shutting the VPS down also solves this.

          But really, this is a general problem with every “someone else’s computer” solution.

          E2EE still nice though, wish Immich had it.

          • Blaze@piefed.zipOPEnglish
            21·
            1 day ago

            I see. Thanks. E2EE would indeed be nice, but the Immich devs have made it clear for a long time that it woudn’t work due to the way Immich has been developed.

    • A_norny_mousse@piefed.zipEnglish
      1·
      16 hours ago

      What? Disk encryption is definitely “allowed”, and yes, that is how you should do it. It’s not “cumbersome” either, most installers have a GUI for that, and if Hetzner offers preconfigured images, full disk encryption is probably one of the offers.

      I am now convinced that you are a little overwhelmed by the thought of managing a VPS. That is totally OK! But don’t go talking out your ass because of it.