Huh? Linux is the gold standard for running pirated games, mainly because of flatpaks and its sandboxing capabilities. The games won’t have access to your filesystem and you can disable network access. Installing the games is as easy on Heroic as it is on Windows.

Yeah, pass has been discussed a bit in the thread already, but there are a few security issues that keep me from using it. Speaking of security, I had no idea the Android app was archived in 2024. That’s quite a long time without updates. Are you using a fork?

Thank you for sharing your workflow either way! Using a git based solution would be amazing.

I like the idea of using git, and there are people using it with their KeePass database (here’s an example), but I don’t think it’s optimal. If you want to use git, pass is probably the better option, but that brings in a whole lot of other problems.

I’ve started using Nextcloud to sync my database and it’s worked out fine so far. Though it would be nice to use something like git that I use all the time regardless, right now the whole bloated Nextcloud stack I have hosted only syncs my small password database haha.

I managed to get it up and running now, thank you! It wasn’t intuitive at all, compared to using nextcloud-client on the desktop. I’ll try this for a while and see if it works for me.

I’m currently using KeePassDX and I’ve set up the Nextcloud server and downloaded the Android app. I’ll give it another shot. Can you explain more how you’ve set this up for yourself? What does CF mean, and what file manager do you recommend?

Thanks!

I’m talking about this issue: https://github.com/nextcloud/android/issues/19

Do you do it manually into e.g. protected json, or to a normal zip (the former doesn’t support attachments as far as I know)? Or have you found a way to do it automatically? One con that I’ve read about this is that backups from one version is not guaranteed to work on another version. Thanks.

I actually used pass many years ago and I quite enjoyed it, except for the fact that the entry names are presented in clear text. You’d also have to manage your GPG secret which I’m not a fan of (in fact, my password manager is how I usually manage GPG and SSH keys in the first place). On the other hand, I guess you should keep a key file on each device on top of a passphrase even if you use a KeePass database, so I guess that point is moot. There are also no good way to include attachments. At that point Vaultwarden feels more convenient, but the more I’m thinking about it, the more I’m warming up to the idea. We’ll see, maybe I’ll give it a shot again.

Thanks for sharing your thoughts!

Edit: I did some quick research and I found this video:

https://www.youtube.com/watch?v=j-qBChKG15Y

It brings up some pretty important security concern that still seem to be relevant.

Yeah, I have a tendency to modify my database quite often. I often make new accounts, add attachments, modify passphrases on older accounts, etc. I modify it several times a week. I might be an outlier, and in that case I understand why people don’t consider this to be a huge problem haha.

This is only supposed to be temporary while you set up the FDE, your IP is unlikely to change in the 30 minutes or so it takes to go through these steps.

In any other scenario I’d close port 22 and use a mesh VPN with SSH capabilities, like Netbird or Tailscale. I’d only open it up again to access Dropbear during reboots, and I’d use IP filtering for that as well.

As for DHCP, I guess it depends on the ISP. I don’t have a static IP but mine doesn’t change as far as I can tell unless my router is disconnected for a longer while.

Enabling SSH password authentication is unnecessary and not a good idea, especially if your temporary passwords are simple.

Noted, thank you!

I haven’t used Hetzner but there is probably a way to upload a file or to paste into the console

Pasting generates garbled text, with letters and symbols being replaced or simply missing. I haven’t found a way to upload a file, nor have I found a solution to the issues in general. I found a few threads on Reddit complaining about the same thing, but no one had found a solution. It just seems to be an issue with the way Hetzner has set up their KVM console.

There is a way to upload custom ISO files, but it’s quite annoying as you have to open a ticket with a direct link to the ISO and wait for the staff to upload it for you to the UI.

You may want to look into cloud-init instead of manually installing and configuring your VMs.

Thank you! I’ll check it out.

LUKS may not make your server meaningfully more secure. Anyone who can snapshot your server while it’s running or modify your unencrypted kernel or initrd files before you next unlock the server will be able to access your files.

That’s true. It’s mostly just to prevent data recovery should the VPS be recycled for services that don’t support E2EE, like Immich. I thought it would be better than nothing.

If I can use E2EE, I will. This VPS will never be exposed to the internet, it will only be accessible through Netbird. The main reason for setting up FDE is for Immich which doesn’t support E2EE, so that the data won’t be (as easily) recoverable should the VPS be recycled. But yeah, it’s not perfect, but like you said it’s better than nothing.

I don’t really take physical access (including Hetzner and law enforcement) into account in my threat model.