I love the idea of having privacy in independence from all the tech giants’ services. I have a server at home that hosts my storage, media, synchronization, and backups, along with some other random services. Since all these services are basically my life, I sometimes read about better security practices to replace whatever I do. Although sometimes, I feel like I can’t figure out what practices are actually bad and really put me in a bad spot, and if they are good enough for me.
For example, I use a Keepass database to store my passwords. I want to sync them across all of my devices immediately. So I saved it in my VPS, and made the android client fetch it every time I sync. I also made a script that uploads the local database every time it is changed. However, I don’t want it to override remote changes that I may have not saved on my local machine. To solve that, I made the script download the remote database and compare it to the local one before uploading. To compare, I made the script read from a PGP encrypted file that has the password to my database, and input that to keepass-diff. However, I read that using PGP is bad from this article. I can’t say I completely understand what the author is saying, but I trust that they know their stuff. However, I feel like this is a bit nitpicky. Would using GPG make me exposed to massive risk as opposed to using any other service? I guess it’s not that hard to move over to something like ccrypt or whatever, but why bother? Besides, I can tell GPG to keep my key in the session for a long time so that I don’t have to input it every time. I don’t know if ccrypt can do that.
Another example is using F-Droid. I came across this article and this one went way over my head since I’m not really well versed on android. But the gist I got is that F-Droid is not only insecure but is also bad for getting timely updates. I checked and some apps are something like 7 patches behind which is unacceptable for me.
One last example and this one is kinda petty no lie. The fact that RSA is trash. I read here and there that RSA is an old and deprecated encryption algorithm that no one should use this is another article that (surprise surprise) also went over my head. But what I could understand is that it is too easy to make mistakes using RSA and it should be in the history books. But I already made many SSH keys without choosing the encryption algorithm, so it’s gonna be a bit inconvenient to change all of those.
So my question to yall is that, how do I find the line between using an acceptable albeit non optimal practice, and using an unacceptable practice for security?
Of course, I also have to put in mind the convenience, so I can’t just change up my practices every 8 seconds when I find out that whatever program I’m using is a ticking time bomb.
In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.
This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.
You can subscribe to this community from any Kbin or Lemmy instance:
Check out our website at privacyguides.org before asking your questions here. We’ve tried answering the common questions and recommendations there!
Want to get involved? The website is open-source on GitHub, and your help would be appreciated!
This community is the “official” Privacy Guides community on Lemmy, which can be verified here. Other “Privacy Guides” communities on other Lemmy servers are not moderated by this team or associated with the website.
Moderation Rules:
Additional Resources:
F-Droid allows you to add any repository, not just the one managed by them. So you don’t have to trust the platform to take advantage of F-Droid.
F-Droid build/sign cycles are a lot faster that Google Play in most cases. Google claims updates are proccessed from several hours to 7 business days. But basically if do anything more than fix a typo it’s always days before it gets processed.
If apps are out of date it’s due to a developer, not F-Droid.
Fundamentally F-Droids design and infrastructure is outdated (admitted by F-Droid developers too.) F-Droids security scanning may be faster but also less robust then Google in terms of detection of harmful apps.