observantTrapezium

Sounds doable, will need a bit of scripting, but I don’t really get the use case.

The fundamental difference between GPG encryption and encrypted partition is that of asymmetric vs. symmetric encryption. Whether you mount encrypted storage or decrypt a file with GPG, there’s some “effort” in putting in the passphrase and in both cases the system’s keyring is briefly aware of it and the plaintext is saved to memory (volatile, unless you have encrypted swap or other edge cases).

Asymmetric encryption is not normally used for personal stuff but mostly to exchange material with one party holding the private key, and other having access to the public key (which is public). Of course you can act as both parties if you like. If you do, keep in mind:

1. Asymmetric encryption algorithms may be vulnerable to quantum computing attacks in the coming years. There are quantum-resistant algorithms, but to my understanding they are not necessarily quantum-proof and could potentially be broken in the more distant future.
2. If you do choose to use GPG, make sure that the plaintext never touches the disk, for example save it to /dev/shm before encryption.
3. You can also protect your private key with a passphrase.

Personally I use Joplin. On the clients it’s secure because the database is saved on encrypted storage secured by my login phrase. On the server it’s secure by Joplin encrypting the files saved to WebDAV storage. Is it 100% safe? Probably not, but probably good enough to stop all but a nation-state level actor.

I use Baïkal for card and cal and Apache for webDAV, they provide all the features I need and were easy enough to set up, never tried alternatives.

Personally I don’t go with full disk encryption for backups. I use Borg that encrypts its repositories on a plain ext4 partition, and the key is saved in the config file (wrapped in passphrase of course). Obviously it just moved the problem of what to do with the passphrase… I also have Vaultwarden (with a separate backup mechanism).

I have elaborate Procmail rules that sort out the mail. It’s not a very modern solution and the syntax is quite horrible, but it works quite well.

I don’t really need the encryption

In this case I’d say, LUKS is an overkill and just complicates your life. Try to think of a worst case scenario and what you are trying to protect against. Full disk encryption protects you against someone physically and clandestinely tampering with your server to compromise you by altering your OS, I’d say most selfhosters aren’t at risk of this (I do use LUKS on my laptop, because if I’m not available to decrypt the drive then there’s no reason for it to get decrypted). My approach to the server is to have encrypted directories as needed. For example the SFTP directory, the logic being that some of what’s there may be sensitive, so encryption at rest prevents leakage after the drive is eventually disposed of. But my Git repos (including private ones) and calendar aren’t encrypted at rest. Other services (e.g. Matrix, Borg, Vaultwarden) provide E2E so don’t really need further encryption.

Exposing stuff to the internet shouldn’t be that scary… I haven’t had any incident so far in 8 years. Yes, you see plenty of illegitimate access attempts in the logs, but if everything is properly patched, it should be OK.

Vaultwarden isn’t actually susceptible to man-in-the-middle attacks, since the passwords are encrypted and decrypted on the end device. But some relevant metadata do go over the connection so it’d better have TLS.

Does it actually happen to people? All servers I worked with both had a back door (or two), and someone at the data centre (during work hours at least) you could contact in an emergency.

Interesting, I’ll keep it in mind next time I have to deal with this problem (hopefully never but who knows).

A few years ago I was in contact with researchers that were developing an AI tool to parse PDFs (I think they didn’t care about converting to editable formats, but extracting data), from their material I got the impression that it’s extremely difficult to do right using traditional algorithms.

It’s a curse because it’s used for things other than what it’s intended to. It’s doing a good job representing printed material, but unfortunately people very commonly expect it to be something more akin to a word processor file.

I know the pain. While there are definitely solutions that work sometimes, there’s just no “one size fits all” that I’m aware of. PDFs can represent text very differently internally.

What I did for one project where extracting the text produced a complete mess was to convert the PDF pages to images and then OCR them…

Hate? Digital decluttering feels really good, for me anyway.

To my knowledge it’s not supposed to differ.

If you trust that the client (which is open source) is doing what it’s supposed to do, security-wise I don’t think there’s a difference between self-hosting and using Bitwarden’s service.

No, you don’t need to trust the VPS provider. The VaultaWarden password storage is encrypted, and the master password is never transmitted to the server. The passwords are decrypted only locally on your device.

I read it in my head in his voice.

For files I just use WebDAV that’s built in to Apache. It’s really not fancy, but does all I need.

I use RoundCube, I think it’s one of the oldest solutions out there, and is pretty good (and not ugly as of a few years ago).

Also note that if it’s just for personal use, you don’t have to have a domain for HTTPS. You can self sign, or create your own certificate authority, you just need to clients to trust it. But domains can be cheap or even free, so it’s better to get one so you don’t have to specially configure your devices.

Not sure it satisfies your requirements but I’m quite happy with Baïkal.