• Showing only topics with the tag "encryption".
    1. Why is Cloudflare trusted with encryption?

      I am a big fan of Cloudflare Tunnels, it's let me muck about with quite a few low risk apps and it's been fun.

      One thing that's always bothered me though is the SSL setup.

      According to their website, only enterprise users are allowed to manage their own TLS private keys.

      I can kinda understand the logic behind free accounts not having that perk.

      But if you are someone who really doesn't like Cloudflare reading your traffic or you are a business, it seems odd to me that it's not being demanded of Cloudflare that they make it more available for paid users to not expose their TLS private keys to Cloudflare.

      Why are so many folks OK with Cloudflare essentially being able to read all their traffic?

      Or am I overestimating how many people are using the Pro and Business accounts? Is the majority of their users just Free or Enterprise?

      24 votes
    2. Question about REST APIs and encryption

      So I am finally starting the process of designing a personal website that can help manage and organize my finances for me.

      So obviously, the security of such data is paramount and for the heck of it, I want to design a webapp where it doesn't operate by the rules of "trust me bro" even though I will be the one designing it and most likely will be the only one ever to use it. Just want that experience of proper encryption setup.

      Also, even if I am the one operating it, I'd like to set it up so that even if the database is compromised, none of my information is.

      Skip to the bottom if you want to just see my 2 questions.

      Did some reading online, between reading when StandardNotes does encryption as well as how it does it and some basic reading into encryption

      and the importance of not having a local unencrypted database like Joplin does

      So all that got me curious how Google encrypts the user data it has and wound up reading

      and the basic take-aways seem to be:

      • utilize encryption on a field before storing it in a database so that even if the machine gets compromised, the data won't be
      • if you want to go even further, take the approach of StandardNotes, where it seems even the web server itself never touched unencrypted data it seems? Looks like all the encrypting and decrypting happens locally and only encrypted data is sent to the server
      1. But that got me curious. It can't be argued that Google is not secure. They have the best minds working there to ensure just that. And yet it's also well known that their respect for user privacy is non-existent. Which means that they've made sure to protect the data [email, Google searches, Google Docs, Google Maps history] from hackers but they can themselves decrypt at least some user data for the purpose of data collection and selling ads.
        But if Google can decrypt the data and that implies they store the keys on a server from what I can tell from my reading, how is it protected if someone malicious gains access to the database? If that person got access to the database and the keys that Google uses to decrypt the data, wouldn't that compromise the data?

      2. If I decide to design my webapp so that all the encrypting and decrypting happens locally, that means that if I were to decide to create a REST API for my application, that would also have to be taking in data in encrypted format, no? Cause if that takes it in plaintext, that means that my webserver would have to be responsible for encryption, which it needs the keys to do that with and if it can encrypt with keys it has access to, then it can decrypt too, no? Or are websites that deal with encrypted databases and have REST APIs that can take in plain text information generally coded to be using asymmetric encryption? Meaning it's different keys being used for encryption and decryption? Or is API Token the key in an encrypted format? Or have I misunderstood the whole thing?

      16 votes
    3. Slowly starting a passion project of a finance web-app that I can use to help me budget but I have a crucial question

      I am planning to use Plaid API and have a Spring Boot backend but given that I will be storing my financial information (such as whatever the Plaid API needs me to store to use their endpoints as well as just the transactions on my credit and chequing account), the security of the data is obviously crucial. And I think my problem is I don't know what I don't know.

      I have a basic idea of what kind of things I need to protect against.

      1. Will have to use Spring Security (or whatever is best) for things like protecting against XSS and CSRF
      2. I need to ensure that the PostgreSQL database is encrypted

      But beyond that, I don't know much about the nuances of each type of security and customizations I should be on the lookout for. Wonder if there's a trustworthy resource for at least detailing for me the kind of security I need to implement on either the Spring or PostgreSQL side of things?

      11 votes
    4. What are the best truly unbeatable E2EE, presumably P2P messaging apps?

      My thoughts are that apps can have end-to-end encryption, but if the app on the end is still connected to someone's servers, there's nothing stopping them from pulling the contents of the chat after it's been decrypted on the other end. What options do we have for messaging that don't have this issue? I understand that anything that I can see can still get taken by the OS, etc., but I'm curious about that first step.

      28 votes
    5. Advice on making a full snapshot/backup of a running Linux system (Debian)

      Hi all,

      I’m looking for advice re making a full snapshot/backup of a running Linux system (Debian).

      In an ideal world, should an issue occur, I would like to be able to load a live USB with the backup, boot and write from that.

      Timeshift seems to be an option but I’m wondering how the above would work in my case. A few questions.

      1. My disk is fully encrypted with LUKS. Would this pose a problem?
      2. I would like to write my backups to a VeraCrypt container. Would this pose any issue? I’m not sure how I would boot from a live USB in this case I could not decrypt the USB.

      Essentially I’d like a step-by-step guide to backing up my full system (including all files in home) in such a way that I can easily roll back should the worst happen. Do any of you know of such a guide or can perhaps offer some help?

      10 votes
    6. NordVPN changes to username and password encryption cause Auth_FAIL in OpenVPN/Gluetun

      Recently NordVPN rolled out an update which forced users to use an encrypted username and password combination when connecting through OpenVPN. I haven't seen any posts on this here, and it took me way longer than I want to admit troubleshooting this issue because I knew my original credentials were correct.

      If you use a gluetun container for routing any of your other containers' traffic, you might have recently noticed a 500 Internal Service Error in your Health Status and when you check your logs you will find an AUTH_FAILED message.

      Solution below:

      1. Go to NordVPN website and log in (using your normal credentials)
      2. Under accounts, services, click NordVPN
      3. Click "Set up NordVPN Manually" at the bottom of the page
      4. You will receive an email verification code, using whatever email you have set up for your NordVPN services. Type this code into the popup window.
      5. Copy your new encrypted credentials for your OpenVPN client settings.

      This is my first post, please add tags as required.

      24 votes