Immich Photo Manager (Self-Hosted)

This seems to be more of an argument against self-hosting (or “non-self”-hosting in the case of using a cloud provider/VPS). But that is a different topic, I think.

Where I agree with you:

  1. Most people probably shouldn’t self-host
  2. Using a cloud provider for “self” hosting is a different context with more threats and risks to consider, and shouldn’t be confused with actually self-hosting.
  3. All other things being equal, E2EE is usually preferable from a security/privacy point of view.

Where I don’t agree:

  1. I think self-hosting is a valid approach for some people, and E2EE in that context isn’t strictly mandatory.

Then you still e.g. need physical security to the place

You do, but you need this anyway. If someone can physically steal your home server, they can physically steal your personal devices.

Where physical theft (or seizure) is a risk, traditional physical security, strong passwords, and encryption at rest are important (for servers and for personal devices). A primary use for both Ente and Immich is backing up photos from a phone or personal device. If your server isn’t at greater risk of physical theft and compromise than your personal devices, I don’t think you are fundamentally less secure by self-hosting.

E2EE is a way more efficient security measure

Depends what the goal is. E2EE is a minimum requirement for me in many/most contexts, but it does limit or complicate things in other ways, and can add complexity. Proton (also Signal) is a good example: they make great products, but otherwise not-too-complicated features that non-privacy-focused companies trivially build out can sometimes take Proton years to get around to. Not all of that relates to difficulties with E2EE, but some of it does. Proton and Signal are cloud-based solutions, so the tradeoff makes sense in that context, but in the context of self-hosting the benefits of E2EE seem a lot smaller and those costs in complexity are still present. I’m not saying E2EE has no value in a self-hosted context, just that the cost/benefit is a lot different.

E2EE is not only about service provider, but also a measure against theft, interception, etc.

It does offer robust protection in those contexts. But it’s not the only valid approach.

  • FDE/at-rest encryption is a much more common approach against theft/seizure.
  • And there are various approaches to protecting against interception that don’t involve E2EE (also, for most of us, I think targeted interception of our photos is out of scope for our threat models). If you trust WireGuard to protect your connection to a commercial VPN, I don’t see why you wouldn’t trust it on your own hardware.

I think we are agreeing broadly that E2EE is usually desirable and good in most ways, and a really elegant and desirable feature, but disagreeing in the specific context of self-hosting (on your own hardware). I understand preferring E2EE, but I don’t think it should be anywhere near a hard requirement.

FWIW, the E2EE requirement in the Photo Management section seems intentionally written to apply to cloud providers and exclude self-hosted options:

Summary

Cloud-hosted providers must enforce end-to-end encryption.

And from the GitHub discussion:

For cloud-based photo management products that cannot be self-hosted, we can borrow points from the Cloud Storage section.

  • Must enforce end-to-end encryption.