Very useful. Thanks for sharing, and for the write-ups.

On Wednesday, October 20, 2021 at 7:08:11 AM UTC-7 Phractured Blue wrote:
> I am aware that beancount has builtin support for GPG-encrypted files, and that Fava supports using those files.
>
> However for me there are a few issues with this implementation:
> 1) I would need to store all of my beancount files GPG encrypted, which makes my automated ingest workflow more complicated
> 2) Fava does not support modifying encrypted beancount files
> 3) I also have statements (pdf) that are accessible through Fava that I'd also like encrypted
> 4) Fava requires that the GPG key be configured such that it can access files on startup
>
> My workflow is that I am running fava in an always-on unattended Docker container on a secure machine. Because it is unattended, I don't have the ability to enter the passphrase whenever the container is restarted, and even though the machine is secure, I don't want to have the decryption key lying around.
>
> My goal is to have Beancount data (and my financial statements) stored in an encrypted state when I'm not using them, and to not have any decryption keys stored on the server while addressing points 1-4 above.
>
> My solution to this is to instead use an encrypted volume (in this case SecureFS because it is cross-platform, and I sometimes access the volume from Windows) to store my beancount files as well as my financial statements. I host Fava behind a Nginx reverse-proxy with the auth-plugin, and use an authorization server to decrypt the SecureFS volume on demand (using a key derived from the user's entered password), and then stop SecureFS when Fava is done reading from it. I had to monkey-patch Fava's 'watcher' module to ignore 'changed()' queries when the volume is encrypted (otherwise the volume would never unmount).
>
> I realize this leaves my data in an unencrypted state (inside the Docker container) at times, which would not be advisable on an insecure host, but it keeps the data secure at-rest (i.e. when I'm not interacting with Fava) which was my primary goal. I believe this solution could be adapted to also grant Fava access to the GPG key on an as-needed basis as well, but that doesn't help address issues 1-3 above.
>
> Mine is probably not a common use-model, but I thought I'd share the project in case anyone wants to make use of it, as it includes a full Docker solution integrating Nginx, an authorization-server, and Fava.
>
> https://github.com/PhracturedBlue/fava-encrypt

-- Posted to the Google Groups "Beancount" group: https://groups.google.com/d/msgid/beancount/083f0b7a-12dc-4efb-aa27-a92740d9bf9fn%40googlegroups.com
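The unlock-on-demand gate the quoted post describes, as an added Python illustration that is not code from fava-encrypt, Fava or SecureFS: a key is derived from the password the user types (scrypt here; the post only says "a key derived from the user's entered password"), the encrypted volume is mounted only while the application needs it and unmounted after an idle period, and the file-change poll is turned into a no-op while the volume is locked so that polling can neither fail on missing files nor keep the mount busy. The `mount`/`unmount` callables, the idle timeout and the `changed()` wrapper are assumptions; in a deployment the callables would shell out to the volume tool, and the wrapper would be applied to Fava's watcher (the post names its `changed()` query, the exact class is not given).

```python
"""Mount an encrypted volume on demand for an unattended service (illustration)."""
import hashlib
import time
from typing import Callable

SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive the volume key from the user's password with scrypt.

    Only the non-secret salt is stored on the server; the key exists in memory
    for the lifetime of one mount and is never written to disk.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


class VolumeGate:
    """Mount an encrypted volume on demand and unmount it once idle.

    `mount(key)` and `unmount()` are injected so the logic runs offline; a real
    deployment would wrap the volume tool (assumption: e.g. a `securefs mount`
    / `securefs unmount` pair). `mount` must raise when the key is wrong; that
    is how a wrong password is detected without storing any verifier.
    """

    def __init__(self, salt: bytes, mount: Callable[[bytes], None],
                 unmount: Callable[[], None], idle_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._salt = salt
        self._mount = mount
        self._unmount = unmount
        self._idle = idle_seconds
        self._clock = clock
        self._unlocked = False
        self._last_used = 0.0

    @property
    def unlocked(self) -> bool:
        return self._unlocked

    def unlock(self, password: str) -> bool:
        """Derive the key and try to mount; neither password nor key is kept."""
        if self._unlocked:
            self.touch()
            return True
        key = derive_key(password, self._salt)
        try:
            self._mount(key)
        except Exception:
            return False  # wrong password or mount failure: stay locked
        finally:
            del key  # best effort only; CPython cannot guarantee zeroisation
        self._unlocked = True
        self.touch()
        return True

    def touch(self) -> None:
        """Record that the application just used the volume (e.g. a page load)."""
        self._last_used = self._clock()

    def lock(self) -> None:
        if self._unlocked:
            self._unmount()
            self._unlocked = False

    def lock_if_idle(self) -> bool:
        """Unmount once idle for `idle_seconds`; run this from a periodic timer."""
        if self._unlocked and self._clock() - self._last_used >= self._idle:
            self.lock()
            return True
        return False

    def guarded_changed(self, changed: Callable[[], bool]) -> bool:
        """Wrap a file-change poll such as Fava's watcher `changed()` query.

        While the volume is locked the poll is skipped instead of stat'ing the
        mount point. The poll deliberately does not call touch(): a poll that
        counted as use would keep the volume mounted forever.
        """
        if not self._unlocked:
            return False
        return changed()


if __name__ == "__main__":
    # Constructed demo with fake mount/unmount callables standing in for the tool.
    salt = b"\x00" * 16
    good = derive_key("correct horse", salt)

    def fake_mount(key: bytes) -> None:
        if key != good:
            raise ValueError("bad key")
        print("mounted")

    gate = VolumeGate(salt, fake_mount, lambda: print("unmounted"), idle_seconds=1)
    print("wrong password accepted:", gate.unlock("wrong"))
    print("right password accepted:", gate.unlock("correct horse"))
    time.sleep(1.1)
    print("locked after idle:", gate.lock_if_idle())
```

The gate does not change the trade-off the post already states: while mounted, the plaintext is visible inside the container, and the derived key is in the authorization server's memory for the duration of the mount, so the host still has to be trusted. What it buys is that a stopped or restarted container holds nothing decryptable until a user types the password again.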
