mirror of
https://github.com/immich-app/immich.git
synced 2026-07-16 05:34:30 +03:00
[Feature]: Encryption for data at rest #194
Closed
opened 2026-02-04 18:37:14 +03:00 by OVERLORD
·
14 comments
No Branch/Tag Specified
main
chore/translations
renovate/typescript-projects
fix/29853-thumbnail-decode-size
custom-app-logo
fix/server-heif-security-limit
fix/live-photo-library-task-joining
renovate/machine-learning
chore/security-txt-ghsa
renovate/mobile
refactor/auto-trash-sync
fix/failed-sync-blocks-resume
renovate/pigeon-27.x
fix/slideshow-motion
renovate/typescript-7.x
renovate/eslint-plugin-unicorn-71.x
fix/ws-reconnect-battery
renovate/node
chore/pump-flutter
feat/ml-hwaccel-testing
chore/face-cluster-abstraction
feat/workflow-logs
fix/moved-files-not-backed-up
renovate/java-25.x
renovate/@immichui
renovate/node-24.x
renovate/terragrunt-1.x
renovate/opentofu-1.x
renovate/cloudflare-4.x
renovate/java-21.x
renovate/prom-prometheus
fix/ios-extension
feat/server-chunked-uploads
feat/native-core
feat/upload-action
fix-29727
feat/download-tag-action
feat/share-action
refactor/action-secondary-handler
feat/edit-button-action
feat/delete-action
feat/album-actions
chore/deprecate-ios-14
fix/android-cr3-save
fix/library-map-live-bounds-updates
fix/mobile-add-to-album-error
feat/browser-profile-action
feat/cast-slideshow-action
chore/update-maplibre-0.26.2
feat/locked-folder-action
fix/unauthorized-memory-creation
feat/workflow-exif-filter
renovate/eslint-plugin-unicorn-70.x
fix/android-locked-folder-delete
fix/library-map-loading-flash
feat/context-actions
renovate/grafana-monorepo
fix/mobile-scroll-velocity-placeholders
renovate/sharp
refactor/action-class
feat/memories-view
refactor/asset-action-filter
feat/undo-archive
feat/archive-action
feat/stack-action
feat/more-favorite-action
feat/restore-action
refactor/feedback-repository
refactor/asset-service-update
refactor/owned-iterator
fix/birthday-picker-locale-order
fix/viewer-double-close-anim
feat/mobile-hls-player
refactor/stack-actions
renovate/permission_handler-12.x
fix/kebab-action-color
feat/workflow-asset-tags
fix/viewer-long-image-aspect
fix/ios-memory-widget-local-date
fix/timeline-drag-select-stops
fix/ios-ethernet-unmetered
fix/featured-photo-thumbnail-cache
feat/yucca-integration
fix/album-timeline-date-ordering
chore/cancel-native-op-on-lifecycle
chore/album-remove-assets
feat/partner-table-permissions
fix/ocr-after-edit
fix/re-enable-pruning
refactor/delete-restore-actions
apk-build-deployment
renovate/pypi-pydantic-settings-vulnerability
edit-photo-stacking
fix/mise-lockfile
fix/android-local-album-date
feat/web-hls-hover
chore/pump-drift
refactor/android-background-worker
refactor/store-cleanup
fix/hash-mismatch
debug/throttle-timeline
refactor/app-metadata
refactor/advanced-settings
refactor/current-user
fix/dedupe-integrity-missing-paths
chore/albums-select
feat/album-assets-event
fix/fdroid-meta
refactor/per-asset-backup-flag
fix/av1-threads
fix/pass-secrets
fix/download-progress-stuck
fix/negative-backup-remainder
feat/map-asset-number
feat/custom-date-range
renovate/pep621-lock-file-maintenance-machine-learning
refactor/session-repository
test-bump-prerelease
fix/handle-unlinking-motion-photos
refactor/cached-key-value-repo
fix/date-range-formatting
fix/map-unresponsive
fix/mobile-album-action-msg
refactor/search-v3/pr-1
chore/v7.23.0-openapi-generator
asset-add-to-album-trigger
refactor/face-editor-decoupling
feat/zoom-aware-face-editing
refactor/adaptive-image-dimensions
fix-face-editor-video-preview
fix-stack-face-tag-selection
fix/face-boxes-edit-panel
workflow-webhook-step
feat/hero_view_transitions
fix/map-sidepanel-queries
feat/dart-openapi-generator
claude/share-quality-5d7Gn
drag-drop-ghost-target
refactor/workflow-page
refactor/mobile-upload
fix-scroll-flicker-2
test/2.7.5-new-sign
update-mise-lock-file
feat/kysely-0.29
feature/load-previews
release-candidate-flow-1
fix/mobile-22522-sqlite-2067
fix/job-lock
release-candidate-flow-3
release-candidate-flow-2
show-in-timeline-toggle
fix/mise-windows
fix/mobile-album-sync-stale-cache
plan-local-image-display
fix/remote-thumbnail-fallback
bugfix/live-photo-stuck
chore/riverpod-update
album-order-per-user
fix/web-timeline-dom-node-retention
chore/svelte-enable-state-referenced-locally
feat/favorite-albums
feat/patch-release-from-branch
fix/oauth-linking
feat/timeline_scroll_buffer
panorama-face-overlay
push-txxyuusptoru
push-zpwsovysllvn
chore/queue-endpoint-migration
fix/remove-from-album
chore/thumbnail-histogram
fix/video-thumbnail-bindthis-regression
fix/scrubber-drag-edge-cases
fix/timeline_layout_row_height
refactor-cancellable-task
uhthomas/fix-mobile-use-timer
uhthomas/fix-mobile-video-controls-key
uhthomas/chore-mobile-search-declarative
owner-role-album-user
feat/livephoto-editing
favorite-albums
uhthomas/fix-mobile-isolate-auth
fix/library-watcher-excludes
chore/library-e2e-to-medium
push-ynllunsvrpxy
fix/dont-delete-offline-library-files
push-zvwwxmvkrspv
push-kywsnvvkwzts
push-xxnxokokzrou
push-voozlrlkxsnu
view-in-timeline-transition
push-uymvmlknxpmx
push-qslzsplnusoz
fix/mobile-video-stall
uhthomas/draft-mobile-image-cache-cancel
push-yquostpqnkxp
feat/vitest-4
claude/offload-icloud-hashing-bI3GZ
midzelis/wip
uhthomas/fix-server-fsync-all
feat/mobile-widget-shared-client
push-lnyuzsutzkqq
push-vqqqxxvkunru
push-wvnmqoswptww
push-nwxlpmyzkyrl
fix/map-webgl-error
fix/mobile-player-fit
feat/panorama-tiles
csp-policy
push-rsywxvptwxuv
refactor/restores-file-interceptor
postgres-socketio
claude/auto-screenshot-web-changes-Y7efI
visual-review/pr-26535
push-lvyturrtwkrq
feat/library-offline-count
fix/mobile-video-aspect-ratio
uhthomas/fix-mobile-search-results
uhthomas/feat-sort-smart-search
uhthomas/chore-mobile-maplibre
uhthomas/mobile-fix-asset-details-album-pop
feat/crawl-wrapper
push-skvzqoozqkpl
feat/edit-filters
feat/pg-queue
refactor/asset-upload
better-project-structure
uhthomas/mobile-feat-asset-viewer-details
fix/ml-rocm-build
feat/asset-file-apis
feature/bottom-buttons-order
sqlite_thumbs
fix-keep-correct-ios-shared-album-asset
push-vpxwmwwxwnvw
fix-migration-width-height
shared-deep-link-handler
feat/thumbnail-native-clients
feat/platform-clients
fix/foreground-cloud-sync
filter-by-person
refactor/sidebar
fix/merged-edited-assets
feat/create-job-with-dto
feat/ios-fastlane-match
match-signing
fix-update-time-update-timeline
feat/modal-routes
feature/mobile-view-asset-owner
feat/system-settings
feature/show-activity-count
feat/location-favorites
feature/rearrange-buttons-2
fix/download-storage-template
chore/originals-in-asset-files
ben/tree-a11y
new-search-filter-ui
refactor/expectSelectedReadonly
refactor/mobile-grdb
feat/mobile-native-local-sync
refactor/timeline_ops
fix/scrubber_end
refactor/virtualsegment
refactor/rename_daymonth_groups
fix-remote-sync-clean-up
debug/cf-chunked-uploads
feat/search-filter-album/web
feat/session-permissions
feat/mobile-dynamic-thumbnails
refactor/extract_photostream
refactor/rename_load_api
refactor/timeline2
refactor/timeline3
feat-no-thumbhash-cache
feat/mobile-hdr-images
feat/beta-background-upload
fix/beta-timeline-memories-setting
fix/failed-uploads-not-removed
feat/groups
drift-map-page
feat/add-to-album-action
track-livephotos
feat/maintenance-worker
refactor/server-side-dedupe
feat/integrity-checks
dev/recognition-eval
lighter_buckets_test
perf/postgres-queue
tmp/demo-snapshot-preview
fix/server-migration-file-extension
rknn-toolkit-lite2
feature/Add-rocm-support-for-machine-learning
chore/async-hash-file
feat/shared-link-view-count
feat/graphql
no-video-player
fix/server-qsv-output-format
chore/server-geodata-tweaks
mobile/native-video-player-no-hero
feat/local-tileserver
feat/ml-armnn-conversion
chore/handle-output_dims
feat/capacitor-mobile-app-poc
feat/server-nvenc-hw-decoding
web/automation-ui
object-storage
ml/tflite
feat/ml-export-cli
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v3.0.0-rc.4
v3.0.0-rc.3
v3.0.0-rc.2
v3.0.0-rc.1
v3.0.0-rc.0
v2.7.5
v2.7.4
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.6
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.0
v2.0.1
v2.0.0
v1.144.1
v1.144.0
v1.143.1
v1.143.0
v1.142.1
v1.142.0
v1.141.1
v1.141.0
v1.140.1
v1.140.0
v1.139.4
v1.139.3
v1.139.2
v1.139.1
v1.139.0
v1.138.1
v1.138.0
v1.137.3
v1.137.2
v1.137.1
v1.137.0
v1.136.0
v1.135.3
v1.135.2
v1.135.1
v1.135.0
v1.134.0
v1.133.1
v1.133.0
v1.132.3
v1.132.2
v1.132.1
v1.132.0
v1.131.3
v1.131.2
v1.131.1
v1.131.0
v1.130.3
v1.130.2
v1.130.1
v1.130.0
v1.129.0
v1.128.0
v1.127.0
v1.126.1
v1.126.0
v1.125.7
v1.125.6
v1.125.5
v1.125.4
v1.125.3
v1.125.2
v1.125.1
v1.125.0
v1.124.2
v1.124.1
v1.124.0
v1.123.0
v1.122.3
v1.122.2
v1.122.1
v1.122.0
v1.121.0
v1.120.2
v1.120.1
v1.120.0
v1.119.1
v1.119.0
v1.118.2
v1.118.1
v1.118.0
v1.117.0
v1.116.2
v1.116.1
v1.116.0
v1.115.0
v1.114.0
v1.113.1
v1.113.0
v1.112.1
v1.112.0
v1.111.0
v1.110.0
v1.109.2
v1.109.1
v1.109.0
v1.108.0
v1.107.2
v1.107.1
v1.107.0
v1.106.4
v1.106.3
v1.106.2
v1.106.1
v1.106.0
v1.105.1
v1.105.0
v1.104.0
v1.103.1
v1.103.0
v1.102.3
v1.102.2
v1.102.1
v1.102.0
v1.101.0
v1.100.0
v1.99.0
v1.98.2
v1.98.1
v1.98.0
v1.97.0
v1.96.0
v1.95.1
v1.95.0
v1.94.1
v1.94.0
v1.93.3
v1.93.2
v1.93.1
v1.93.0
v1.92.1
v1.92.0
v1.91.4
v1.91.3
v1.91.2
v1.91.1
v1.91.0
v1.90.2
v1.90.1
v1.90.0
v1.89.0
v1.88.2
v1.88.1
v1.88.0
v1.87.0
v1.86.0
v1.85.0
v1.84.0
v1.83.0
v1.82.1
v1.82.0
v1.81.1
v1.81.0
v1.80.0
v1.79.1
v1.79.0
v1.78.1
v1.78.0
v1.77.0
v1.76.1
v1.76.0
v1.75.2
v1.75.1
v1.75.0
v1.74.0
v1.73.0
v1.72.2
v1.72.1
v1.72.0
v1.71.0
v1.70.0
v1.69.0
v1.68.0
v1.67.2
v1.67.1
v1.67.0
v1.66.1
v1.66.0
v1.65.0
v1.64.0
v1.63.2
v1.63.1
v1.63.0
v1.62.1
v1.62.0
v1.61.0
v1.60.0
v1.59.1
v1.59.0
v1.58.0
v1.57.1
v1.57.0
v1.56.2
v1.56.1
v1.56.0
v1.55.1
v1.55.0
v1.54.1
v1.54.0
v1.53.0
v1.52.1
v1.52.0
v1.51.2
v1.51.1
v1.51.0
v1.50.1
v1.50.0
v1.49.0
v1.48.1
v1.48.0
v1.47.3
v1.47.2
v1.47.1
v1.47.0
v1.46.1
v1.46.0
v1.45.0
v1.44.0
v1.43.1
v1.43.0
v1.42.0_65-dev
v1.41.1_64-dev
v1.41.0_64-dev
v1.40.1_63-dev
v1.40.0_63-dev
v1.39.0_61-dev
v1.38.2_60-dev
v1.38.1_60-dev
v1.38.0_60-dev
v1.37.0_58-dev
v1.36.2_56-dev
v1.36.1_55-dev
v1.36.0_55-dev
v1.35.0_54-dev
v1.34.0_53-dev
v1.33.1_52-dev
v1.33.0_52-dev
v1.32.1_51-dev
v1.32.0_50-dev
v1.31.1_49-dev
v1.31.0_49-dev
v1.30.2_48-dev
v1.30.0_46-dev
v1.29.6_45-dev
v1.29.6_44-dev
v1.29.5_44-dev
v1.29.4_44-dev
v1.29.3_43-dev
v1.29.2_43-dev
v1.29.1_43-dev
v1.29.0_42-dev
v1.28.4_41-dev
v1.28.4_42-dev
v1.28.3_41-dev
v1.28.2_40-dev
v1.28.1_39-dev
v1.28.0_38-dev
v1.27.0_37-dev
v1.26.0_36-dev
v1.25.0_35-dev
v1.24.0_34-dev
v1.23.0_33-dev
v1.22.0_32-dev
v1.21.1_31-dev
v1.21.0_31-dev
v1.20.3_30-dev
v1.20.2_30-dev
v1.20.1_30-dev
v1.20.0_30-dev
v1.19.1_29-dev
v1.19.0_29-dev
v1.18.0_27-dev
v1.17.0_25-dev
v1.16.0_23-dev
v1.15.1_21-dev
v1.15.0_21-dev
v1.14.0_21-dev
v1.13.0_20-dev
v1.12.0_18-dev
v1.11.0_17-dev
v1.10.0_15-dev
v1.9.1_14-dev
v1.9.0_13-dev
v1.8.0_12-dev
v1.7.0_11-dev
v1.6.0_10-dev
v1.5.1+9-dev
v1.5.0+8-dev
v1.4.0+7-dev
v1.4.0+6-dev
v1.4.0-dev
v1.3.0-dev
v1.3.1-dev
v0.6-dev
v0.5-dev
v0.4-dev
v0.3-dev
v0.2-dev
first-android-release
Labels
Clear labels
accessibility
changelog:enhancement
changelog:security
changelog:skip
changelog:translation
cli
date-time
dependencies
documentation
external-library
format
good first issue
mobile-beta
mobile-beta
mobile-beta
needs-answer
nice to have
pull-request
sharing
tech-debt
📱mobile
🖥️web
🗄️server
🧠machine-learning
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: immich-app/immich#194
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @gromain on GitHub (Aug 10, 2022).
Feature detail
As highlighted in #359, it would be nice for Immich to support encrypting data per user on the storage medium, so that even the admin can't access them.
This would need a bit of work on both the server side but also in the clients. Encryption at rest could be activated globally or per user perhaps. This will incur a performance penalty, but I believe it's a very nice feature to have.
Platform
Server
@Nonobis commented on GitHub (Aug 10, 2022):
bad idea for me ... Or only optional and with Big warning for admin ....
I think it's too risky for losing valuable pictures of familly or other type.
Even with backup...
@gromain commented on GitHub (Aug 10, 2022):
The responsibility lies with the user to not forget their password in that case in my opinion. But of course, it's something that could be activated but would not be on by default.
I don't believe it's more risky in my opinion, sure you have to not lose your password (if it's used to derive the key, which is not a necessity, it could be in-app only and local to the device, each solution has its own drawbacks and advantages) but I don't see more ways to lose you pictures when encrypting data vs when not encrypting them.
There is a use case where you host Immich for family members or friends, but want to provide them with a privacy guarantee. There is currently no solution that would offer this kind of thing.
@zackpollard commented on GitHub (Aug 10, 2022):
This is not something that we can facilitate without a huge overhaul of the application. Currently all processing of the assets are done on the server to determine geolocation, object detection, re-encoding, thumbnail generation, etc. In order to do encryption properly so the admin wasn't able to access the files, we would be required to do all of this on the client which for some features is simply no feasible. I would say that this is not in scope for now. I will discuss this with the dev team and if they agree I will close this issue.
@gromain commented on GitHub (Aug 10, 2022):
The app could share the necessary metadata with the server for some of those features.
However, I think it's an important feature for a backup application to be able to secure the data (in addition to backing it up).
Object detection is a nice toy to have, but it's not an important feature of a photo backup application in my opinion. Another way to do this could be to deactivate the features that need the pictures to be stored in clear when encryption is activated for said account.
We are talking about sensitive personal data here and a breach in security in the server could expose the raw pictures to the internet (which is something likely until a proper assessment and pentest has been made on the code, as good as it may be).
@zackpollard commented on GitHub (Aug 10, 2022):
We've discussed this internally and it's not something we are looking to implement. Although I agree with what you're saying about it providing additional security, the main focus of Immich is to provide these extra features and not just be a simple photo backup app. If we added this it wouldn't just be removing some features, all features except for viewing the photos would be gone. Thanks for the feature request but this is not within the scope of Immich for the foreseeable future
@gromain commented on GitHub (Aug 10, 2022):
Thanks for your feedback.
@omidraha commented on GitHub (Mar 30, 2023):
As far as I understand, the architecture of the app is the opposite of encryption.
While this feature will gradually become the most important.
Did you find a solution or similar apps for what you wanted? @gromain
@uhthomas commented on GitHub (Jun 17, 2023):
I was just thinking about this today, and it would be nice but I came to a similar conclusion. It would be way too hard. It may be possible to encrypt some of the photos, but encrypting database entries and dealing with shared albums would be complicated. I would encourage users to instead encrypt their data at the block or file system level with LUKS or similar.
@gromain commented on GitHub (Jun 21, 2023):
I think it was not clear in my initial proposal @uhthomas . Encryption of data at the block or fs level does not protect you against a nosy admin or against someone breaking into the server. Only protection this affords is against someone breaking into your house or datacenter, unplugging your server and leaving with it. IMO, much less likely to happen than someone finding a 0-day or an unpatched vulnerability on your server. Hence the devices E2EE request.
@gromain commented on GitHub (Jun 21, 2023):
@omidraha no, not really unfortunately. Still looking for something viable. I thought Nextcloud would be OK, but not acceptable for my needs there (E2EE is not very functional).
@etnoy commented on GitHub (Jun 21, 2023):
There is practically no way to protect users against a rouge admin
@haveachin commented on GitHub (Sep 26, 2023):
People take photos of everything nowadays, like important legal and healthcare documents. I really want to emphasize the importance of this. Privacy is a basic right, even among your closest circle. Having a secure and easy way to back up images, especially for those not so tech-savvy, is a big deal. Immich checks all the boxes except for being private for all its users. The server admins of each instance have too much control. This opens the door for censorship and blackmail. E2EE could be a possible solution to this, even if this leaves users with less features when enabled. Users should at least be educated that their private images could be viewed by any user that has read access to the files on the server.
@uhthomas commented on GitHub (Sep 26, 2023):
We really appreciate the concern of privacy and security, but it truly is out of scope for Immich. End-to-end encryption is fundamentally incompatible with how Immich works and is generally infeasible.
The best advice I can give is to run Immich on a device you trust with disk encryption and a secure network transport (TLS, VPN, etc).
As @etnoy highlighted, there really is not a great way to protect against malicious server administrators. Users with this level of concern for confidentiality should definitely not be uploading their private media to a server with such a level of distrust.
@etnoy commented on GitHub (Sep 26, 2023):
There is no way to implement "e2ee" in a solution like immich. If you want e2ee in a media storage, put your photos in an encrypted zip file and put it on an SFTP server. You can't have galleries, browsing, metadata with e2ee