Hey lemmings, I was wondering not just what you are using foe documents, but how you go about securing them.
Right now I am simply running paperless-ngx on a LUKS encrypted drive with all of my other data, permissions so only docker can access it, and running it through my reverse proxy with authelia in front of the paperless authentication for 2 factor.
I have sensitive documents like house sale documents and pay slips on there. I want to keep it publically exposed for my work documents (we have to submit documentation of different tickets and invoices for personal things to get repaid), but I am worried about the security aspect of it.
I figure data-at-rest encryption is useless because if a bad actor gets in to my server, they could get it all from memory anyway, but I wonder if specifically I should make that 1 docker image only accessible by VPN or something like that? Any recommendations on how to secure documents like that while still having them accessible?
I used LUKS but the HDD was slow and almost dead so I switched to Proton drive, i don’t have much storage but I like it
I have almost this exact setup (paperless-ngx on a LUKS encrypted drive, but mine is running on a VM in Proxmox) and I feel pretty good about the security. That being said, I only have it running on my home network and use a WireGuard VPN if I need to access it remotely. I can’t say I would feel as comfortable if I just had it open to the internet. Like, it’s probably ok, but then you’re relying on Paperless being your first and last line of defense.
Well I also have Authellia 2 factor in front of all of my services that face the internet besides Jellyfin and nextcloud to preserve app compatibility, but yeah that’s why I was a bit uneasy about it. Maybe I should just make that container only available over wireguard.
Once I have any sensitive documents I need to store, I’m putting them in a safe with a self-destruct. Much more limited access.
My Paperless-ngx is behind my VPN. My phone connects to my VPN automatically when I disconnect from my home WiFi, so I have continuous access with no actions on my part. I’m hoping that’s secure enough for my use. I’m in the same boat as far as personal documents and couldn’t bring myself to make it open to the world.