This issue was moved to a discussion.
RFC: Sunset Client Side Encryption #41
Comments
I’d suggest keeping client side encryption since, if I understand things correctly, this would protect data on a sync server even if said server is compromised. Full disk encryption doesn’t help when a running server is compromised as everything is unencrypted while the system is up. e2e encryption is virtually always better from a security perspective.
Question around that @genebean, would you rather focus on encryption or features like automatic bank import, stocks import, developer API, multiple users, notifications, etc.? It's always easier to say "security is good", but it's still something that should be prioritized. 😁
That’s a fair question @Silvenga. Financial information can tell someone how we live our lives so I’d actually lean towards security being paramount. That said, I wonder if some of the import bits being done client side via a mobile app that has the data decrypted might help allow both to progress. Alternatively, maybe the import processes could be run on a separate box that has no inbound access allowed to it and it could have the decryption keys on it. That could make for a reasonable balance that reduces the likelihood of the system with decrypted data being compromised as the system open to the internet to facilitate devices syncing wouldn’t have knowledge of the data contents. Users less concerned with the security implications could even choose to run both processes on the same system while those of us more concerned could use separate systems like I described. The import system could even be a home computer as opposed to a public one since it’d only need outbound access.
My thinking of not adding encryption support is so that the client side wouldn't need to be coded to support every plugin. Rather, we can use standard developer APIs and not require plugin developers to use JavaScript. Encryption might double or triple development time for features, making them significantly less likely to be worked. I wonder @genebean, if security is most paramount, then wouldn't it be most appropriate for the server to only operate inside a private network with no internet access? Again, the idea being that security concerns are of the hoster. Remember the client data isn't encrypted in either case. Aside, another problem, what if the importer would need ingress access to operate? I know that's how some of the bank scrapers would need to operate e.g. ingress webhooks. This importer would have access to all your finances anyway (and such data would likely need to be cached and stored unencrypted).
It may be possible to provide encryption capability as a flag on the server that would enable/disable other features like plugins that need a full instance of actual to operate on the data. It would essentially be swapping sync-simple for sync-full here based on a flag passed in when the server starts: https://github.com/actualbudget/actual-server/blob/master/app-sync.js#L126-L133
Hmmm... that's a good idea.
I personally would rather have end to end encryption. I am kind of worried that my self-deployed server could be hacked. If we can keep the feature flag in settings and slowly work on it that would be great.
I would support the removal of client side encryption, considering your well thought out arguments. Users with requirements for higher levels of security can always host locally for example, and the work involved with maintaining two different models here seems fairly high. Especially given the OSS server doesn’t currently support it.
Introduction
This is a request for comment (RFC) on if client-side encryption should be sunset in Actual OSS.
Actual clients support syncing between many instances using a centralized server (sync server). As clients make modifications, the changes to their internal state are sent to the sync server to be received and applied by other individual client instances.
Further, under Actual (in the before times), the client supported encrypting all data locally before the data was sent to the sync server, as documented here (end-to-end-encryption).
Effectively, client side encryption allows for a zero-trust model for the syncing server. The end-user could assume both the data was encrypted on disk in a format that even the operator of the server would not be able to access.
Terminology
When I refer to the sync server, I refer to a hypothetical server that only handles syncing of encrypted data between clients. The OSS server is functionally different from the previous implementation.
When I refer to a client, I refer to the full-fat clients in the model of the before times Actual e.g. the Mobile client and the Electron Desktop client. The OSS server blurs the lines.
Proposal
In Actual OSS, servers are hosted and maintained by the same individuals using the Actual OSS client. These individuals may employ full-disk encryption or other security measures if they believe such protections are warranted. Since there is no longer a third-party operator who may have access to the Actual data, the zero-trust model is less useful.
Client-side encryption should be considered for removal from Actual OSS.
Pro Removal
Against Removal
Commentary
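The zero-trust property the RFC describes, and the cost raised in the comments (a server that holds no key cannot run importers or plugins on the data), shown as an added example that is not part of the original issue or Actual's code. It assumes scrypt for key derivation and AES-256-GCM per message; `SyncServer`, the message shape and all other names are constructed.

```javascript
// Added example: names and message shape are constructed, not Actual's code.
const crypto = require('crypto');

// Client only: derive a 256-bit key from the password. The salt is not secret;
// the password and the derived key never leave the client.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Client only: AES-256-GCM over one sync message. fileId is authenticated as
// associated data, so a blob cannot be moved into another budget file.
function encryptMessage(key, fileId, message) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(fileId, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(message), 'utf8'), cipher.final()]);
  return { fileId, iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: cipher.getAuthTag().toString('base64') };
}

// Client only: throws if the ciphertext, tag, nonce or fileId was altered.
function decryptMessage(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAAD(Buffer.from(blob.fileId, 'utf8'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Sync server: stores and relays opaque blobs. It holds no key, which is also
// why a server-side importer or plugin could not read or write transactions.
class SyncServer {
  constructor() { this.blobs = []; }
  push(blob) { this.blobs.push(blob); }
  pull(fileId) { return this.blobs.filter((b) => b.fileId === fileId); }
}

function rejects(fn) {
  try { fn(); return false; } catch (err) { return true; }
}

function demo() {
  const salt = crypto.randomBytes(16);
  const key = deriveKey('constructed-sample-password', salt);
  const server = new SyncServer();
  const message = { table: 'transactions', payee: 'Grocery Store', amount: -4250 };

  server.push(encryptMessage(key, 'budget-1', message)); // device A uploads
  const stored = server.pull('budget-1')[0];

  // What someone with full access to the running server can see.
  const serverSeesPlaintext = JSON.stringify(server.blobs).includes('Grocery');
  // Device B, holding the same password, recovers the message.
  const roundTrip = decryptMessage(key, stored);
  // A modified ciphertext fails authentication on the client.
  const raw = Buffer.from(stored.ct, 'base64');
  raw[0] ^= 0x01;
  const tamperRejected = rejects(() => decryptMessage(key, { ...stored, ct: raw.toString('base64') }));
  // The same blob relabelled for another file fails too (fileId is bound as AAD).
  const relabelRejected = rejects(() => decryptMessage(key, { ...stored, fileId: 'budget-2' }));
  return { serverSeesPlaintext, roundTrip, tamperRejected, relabelRejected };
}

console.log(demo());
```

Full-disk encryption on the server would not change `serverSeesPlaintext` for a plaintext store, because the volume is unlocked while the server runs; here it is false because the key exists only on clients.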