What the title says. I was looking into paperless-ngx but it seems to offer no built-in security. I’d ideally want some kind of encryption and if i enable remote access have some control over sensitive documents

  • cooopsspace@infosec.pub
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    edit-2
    1 year ago

    This has been exceptionally done to death on Reddit but I’ll say it here since Reddit is dead.

    Authentication -

    If what you’re looking for is a login front end you could check out paper merge - personally I’ve got Keycloak and Nginx running so I can just make my own login page anyway and put paperless behind it.

    Stuff with sensitive documents should probably not be on the internet anyway unless you’re a really advanced user.

    Encryption -

    In app encryption offers no security because the encryption key is stored in RAM and likely a database entry that must be unencrypted.

    So the Devs are 100% correct in stating that it gives people a false sense of security to offer it as a feature.

    Best bet is to have an encrypted filesystem or alternative encrypted storage buuuut, also understand that encryption key is also stored in RAM.

    TLDR: There is no point in Devs offering in app encryption when you should already be encrypting the filesystem.

    • pianoplant@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      Thank you, very helpful! And also thanks for putting this info on lemmy :) I figured asking the question here was a good way to get some of that insight here.

  • fear025
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    When you say “no built-in security”, are you talking about not having https ? Paperless-ngx does have login security with users and passwords. I believe they recommend using nginx as a reverse-proxy server to implement https if you need it.

  • lal309@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    When I was looking for a DMS I ran across MayanEDMS. I never got a chance to stand up any DMS but it may be worth checking out their site in case it meets your needs.

    Not exactly DMS but I have a WikiJS instance running with MFA enabled and access control. For example, my wife and I can access a set of documents we deem sensitive but other users can’t. I use WikiJS for all my documentation needs.

  • sloppy_diffuser@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Not sure what your environment is. I can tell you what I do in linux/android.

    I use backblaze b2 for my cloud storage.

    I use rclone to create two encrypted “remotes”: one on my local file system and one for b2. Rclone supports a bunch of cloud providers, so you don’t have to use b2.

    I mount the encrypted local file system and use whatever app (e.g., paperless) to access the files like it was any other directory.

    When I’m done I unmount it and sync it with the b2 encrypted remote.

    I use Round Sync on android which is rclone with a mobile GUI to access the same files. Also works great for backing up my phone.

    For docker access to the mount point, either run the docker daemon as your current user, enable root access to rclone’s fuse mounts, or my preferred is to remount (with root access) a scoped directory for that docker container using something like bindfs.

    Just be aware if using the vfs-cache (needed for seek or append), that cache is stored decrypted in your home folder. I’ve been meaning to look into locking it down with apparmor or something.