Server-side homeserver.yaml on organic-machine VPS:
- encryption_enabled_by_default_for_room_type: invite -> all
- presence.enabled: false (block EDU metadata leak)
- url_preview_enabled: false (block SSRF + IP leak)
- msc4108 rendezvous endpoint uncommented (QR login)

Synapse restarted, /versions shows e2ee_forced.* + msc4108 unstable features active.
Backup at synapse_data/homeserver.yaml.bak.1779659423.

Issues opened for remaining gaps:
- 0165 LUKS for media_store (at-rest encryption)
- 0166 LiveKit TURN deploy (NAT traversal gap)
- 0167 STUN leak to Google (hardcode external_ip)
- 0168 UDP range expand 200 -> 500
- 0169 LIVEKIT_SECRET rotation (audit exposure)
- 0170 livekit.example.yaml rename hygiene

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| id | title | status | type | domain | scope | priority | depends | blocks | related | created | updated | tags |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0165 | Encrypt Synapse media_store/ with LUKS at rest | pending | infra | matrix | app:element_matrix_chat | medium | | | | 2026-05-24 | 2026-05-24 | |
0165 — Encrypt Synapse media_store/ with LUKS at rest
Status: pending Created: 2026-05-24 Type: infra Priority: medium Domain: matrix Scope: app:element_matrix_chat Depends: — Blocks: —
Problem
synapse_data/media_store/ holds uploaded files (photos, voice messages, attachments) plus thumbnails. In non-E2EE rooms that media sits in cleartext on disk. The media_repository table in Postgres always stores filename, MIME type, uploader and room_id in cleartext. Risk: VPS provider disk snapshots, unencrypted backups, the physical disk itself.
Objective
media_store/ encrypted at rest. Synapse starts and serves media as usual. Automatic unlock via a keyfile in the TPM, or a passphrase at boot.
Plan
- Decide the strategy: file-backed LUKS container (loop device) vs. LUKS on a dedicated Docker volume.
- Create a 50GB LUKS container (adjust for expected growth).
- Mount it at /home/ubuntu/CodeProyects/element_matrix_chat/synapse_data/media_store_encrypted/.
- Stop Synapse → rsync media_store/ → media_store_encrypted/ → swap the mountpoint.
- Verify Synapse serves thumbnails and uploads OK.
- Configure auto-unlock via a keyfile at /root/.luks-media.key with permissions 0400.
- Document the recovery passphrase in pass (entry matrix/luks-media-passphrase).
Acceptance
- media_store/ mounted on LUKS; lsblk -f shows crypto_LUKS.
- Synapse starts after a full VPS reboot with no manual intervention.
- Test: upload an image via Element, verify the thumbnail is generated.
- Test: reading media_store directly with dd if=/dev/sdX returns encrypted garbage.
- Passphrase backed up in pass.
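The Plan and Acceptance steps above as one script, added here as an example and not part of the ticket or the project: a file-backed LUKS2 container unlocked at boot from the root-only keyfile via /etc/crypttab, the rsync migration, and the lsblk crypto_LUKS check. Paths follow the ticket; the container path, the mapper name "media", the losetup lookup and the chattr +i guard on the bare mountpoint are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket or the project): file-backed LUKS2 container for
# Synapse's media_store/, unlocked at boot from a root-only keyfile via /etc/crypttab.
# Paths follow the ticket; CONTAINER, MAPPER and the losetup-based check are assumptions.
set -eu

APP_DIR=/home/ubuntu/CodeProyects/element_matrix_chat/synapse_data
CONTAINER=/var/lib/luks/media_store.img    # assumed: loop-backed image on the root filesystem
KEYFILE=/root/.luks-media.key
MAPPER=media
SIZE_GB=50

# Config lines for /etc/crypttab and /etc/fstab. Deliberately no "nofail": if the unlock
# fails, boot stops instead of Synapse writing new uploads in cleartext into an empty dir.
crypttab_entry() { printf '%s %s %s luks\n' "$MAPPER" "$CONTAINER" "$KEYFILE"; }
fstab_entry()    { printf '/dev/mapper/%s %s/media_store ext4 defaults 0 2\n' "$MAPPER" "$APP_DIR"; }

# Acceptance check ("lsblk -f shows crypto_LUKS"): reads `lsblk -ln -o NAME,FSTYPE` output
# on stdin so the parsing can be exercised on a captured sample; returns 0 if $1 is LUKS.
device_is_luks() {
    awk -v dev="$1" '$1 == dev && $2 == "crypto_LUKS" { found = 1 } END { exit found ? 0 : 1 }'
}

setup_media_luks() {   # run once as root with Synapse stopped; destructive for $CONTAINER
    mkdir -p "$(dirname "$CONTAINER")"
    umask 077
    head -c 64 /dev/urandom > "$KEYFILE" && chmod 0400 "$KEYFILE"
    truncate -s "${SIZE_GB}G" "$CONTAINER"
    cryptsetup luksFormat --type luks2 "$CONTAINER"    # prompts: recovery passphrase, goes into pass
    cryptsetup luksAddKey "$CONTAINER" "$KEYFILE"      # second key slot for unattended boot
    cryptsetup open --key-file "$KEYFILE" "$CONTAINER" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    # Copy with Synapse stopped, keeping uid/gid, then swap the directory for the mountpoint.
    mkdir -p "$APP_DIR/media_store_encrypted"
    mount "/dev/mapper/$MAPPER" "$APP_DIR/media_store_encrypted"
    chown --reference="$APP_DIR/media_store" "$APP_DIR/media_store_encrypted"
    rsync -a --delete "$APP_DIR/media_store/" "$APP_DIR/media_store_encrypted/"
    umount "$APP_DIR/media_store_encrypted"
    mv "$APP_DIR/media_store" "$APP_DIR/media_store.cleartext"   # shred once the new mount is verified
    mkdir "$APP_DIR/media_store" && chattr +i "$APP_DIR/media_store"   # nothing lands here if unmounted
    mount "/dev/mapper/$MAPPER" "$APP_DIR/media_store"
    crypttab_entry >> /etc/crypttab
    fstab_entry    >> /etc/fstab
    lsblk -ln -o NAME,FSTYPE | device_is_luks "$(basename "$(losetup -j "$CONTAINER" | cut -d: -f1)")"
}

if [ "${1:-}" = "apply" ]; then setup_media_luks; fi
```

Run as `sh media-luks.sh apply` once; afterwards `lsblk -ln -o NAME,FSTYPE | device_is_luks loop0` (or whichever loop device losetup reports) is the reboot-time acceptance check.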
Definition of Done
- Repeatability: reboot the VPS, media accessible without intervention.
- Observability: log entry in journalctl -u systemd-cryptsetup@*.
- User-facing: Element clients notice no difference.
- Recovery tested: detach the LUKS device and reattach it with the passphrase.
Notes
LUKS only protects data at rest. A VPS provider with access to live RAM sees the plaintext via a memory dump. Without an attested TPM, the real value is anti-snapshot, anti-backup-leak and anti-physical-theft.
Caveat: if the keyfile lives on the same disk as the LUKS device, it does not protect against disk theft. Move the keyfile to a removable USB stick or to TPM2 (systemd-cryptenroll).