SSD Encryption?

With the new addition of privacy-focused apps like Vaultwarden and Nextcloud, without full disc encryption anyone able to physically access the SSD attached to the Umbrel setup would have access to those app’s sensitive files.

  • Is all SSD data encrypted at rest? The installation process doesn’t seem to imply that is the case.
  • Is this handled separately by each app? If so how?

This seems incredibly important.


That is also my concern… I am not starting w/o full encryption. Not Bitwarden nor Nextcloud

Maybe @ mayank can give here some infprmation

1 Like

Looking closer at the documentation for both apps, it appears to be done via the app themselves.

Nextcloud includes a server side Encryption app, and when it is enabled by your Nextcloud administrator all of your Nextcloud data files are automatically encrypted on the server.

Vaultwarden does so by default. Only the client device, meaning the browser extension or Bitwarden client program, has access to your decrypted data. All data on the server is encrypted using an encryption key generated from that master password.


Nextcloud docs:

it would be nice to have fully encrypted drive. With long key. It adds plausible deniability on running node, having any bitcoin at all, having list of transactions, etc. US government can’t legally compel you to give up password. breaking encryption for the whole filesystem is unfeasible (unless you get full power of NSA, and even them, you are probably too small fish to fry, and disclosing such capability for nosy IRS who want to get their 50k or 150k is not worth it)

So it is totally encrypted on Umbrel Node HardDrive ?
Please guys tell me is there Browser extension for Brave or does it only work with Tor ? IOS app ?
I thought that Vaultwarden is not Bitwarden…

Unless it’s on the version that came out today (which i doubt) the disk is not encrypted att rest.

I would like to have a complete make over of the disk management, with btrfs filesystem, where each app folder gets it’s own subvolume, and the filesystem is located on a LUKS encrypted volume.

One problem with this is that the encryption key need to be accessible or typed in at boot somehow.
Perhaps this could be a tiny TOR service outside docker that decrypt and mount the fs, then starts the container service, so it can be managed remotely.

Thinking of it, the umbrel web GUI could probably do this. Just use the user password to encrypt when installing. It cannot run in docker thought.