mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-15 22:54:03 -05:00
Closed
opened 2026-04-10 16:41:56 -05:00 by GiteaMirror
·
8 comments
No Branch/Tag Specified
master
dependabot/npm_and_yarn/npm_and_yarn-cd62b4b37a
enforce-append-only-migrations-ci
claude/error-codes-worker-boundary-26i5uu
api-browser-custom-data-dir
tabedzki/feat/replacing-month-picker-with-day-picker
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
cross-version-sync-compat
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#7018
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Silvenga on GitHub (May 5, 2022).
Original GitHub issue: https://github.com/actualbudget/actual/issues/41
Introduction
This is a request for comment (RFC) on if client-side encryption should be sunset in Actual OSS.
Actual clients support syncing between many instances using a centralized server (sync server). As clients make modifications, the changes to their internal state are set to the sync server to be received and applied by other individual client instances.
Further, under Actual (in the before times), the client supported encrypting all data locally before the data was sent to the sync server, as documented here (end-to-end-encryption).
Effectively, client side encryption allows for a zero-trust model for the syncing server. The end-user could assume both the data was encrypted on disk in a format that even the operator of the server would not be able to access.
Terminology
When I refer to the sync server, I refer to a hypothetical server that only handles syncing of encrypted data between clients. The OSS server is functionally different from the previous implementation.
When I refer to a client, I refer to the full-fat clients in the model of the before times Actual e.g. the Mobile client and the Electron Desktop client. The OSS server blurs the lines.
Proposal
In Actual OSS, servers are hosted and maintained by the same individuals using the Actual OSS client. These individuals may employ full-disk encryption or other security measures if they believe such protections are warranted. Since there is no longer a third-party operator who may have access to the Actual data, the zero-trust model is less useful.
Client-side encryption should be considered for removal from Actual OSS.
Pro Removal
44d045f546/app-sync.js (L126-L135)Additional work will be required to support client-side encryption.Against Removal
Commentary
@genebean commented on GitHub (May 5, 2022):
I’d suggest keeping client side encryption since, if I understand things correctly, this would protect data on a sync server even if said server is compromised. Full disk encryption doesn’t help when a running server is compromised as everything is unencrypted while the system is up. e2e encryption is virtually always better from a security perspective.
@Silvenga commented on GitHub (May 6, 2022):
Question around that @genebean, would you rather focus on encryption or features like automatic bank import, stocks import, developer API, multiple users, notifications, etc.? It's always easier to say "security is good", but it's still something that should be prioritized. 😁
@genebean commented on GitHub (May 7, 2022):
That’s a fair question @Silvenga. Financial information can tell someone how we live our lives so I’d actually lean towards security being paramount. That said, I wonder if some of the import bits being done client side via a mobile app that has the data decrypted might help allow both to progress. Alternatively, maybe the import processes could be run on a separate box that has no inbound access allows to it and it could have the decryption keys on it. That could make for a reasonable balance that reduces the likelihood of the system with decrypted data being compromised as the system open to the internet to facilitate devices syncing wouldn’t have knowledge of the data contents. Users less concerned with the security implications could even choose to run both processes on the same system while those of us more concerned could use separate systems like I described. The import system could even be a home computer as opposed to a public one since it’d only need outbound access.
@Silvenga commented on GitHub (May 7, 2022):
My thinking of not adding encryption support is so that the client side wouldn't need to be coded to support every plugin. Rather, we can use standard developer API's and not require plugin developers to use JavaScript. Encryption might double or tipple development time for features, making them significantly less likely to be worked.
I wonder @genebean, If security is most paramount, then wouldn't it be most appropriate for the server to only operate inside a private network with no internet access? Again, the idea being that security concerns are of the hoster. Remember the client data isn't encrypted in either case.
Aside, another problem, what if the importer would need ingress access to operate? I know that's how some of the bank scrapers would need to operate e.g. ingress webhooks. This importer would have access to all your finances anyway (and such data would likely need to be cached and stored unencrypted).
@utf8decodeerror commented on GitHub (May 7, 2022):
It may be possible to provide encryption capability as a flag on the server that would enable/disable other features like plugins that need a full instance of actual to operate on the data.
It would essentially be swapping sync-simple for sync-full here based on a flag passed in when the server starts: https://github.com/actualbudget/actual-server/blob/master/app-sync.js#L126-L133
@Silvenga commented on GitHub (May 7, 2022):
Hmmm... that's a good idea.
@jmiguel-hdez commented on GitHub (May 12, 2022):
I personally would rather have end to end encryption. I am kind of worried that my self deployed server could be hacked. If we can keep the feature flag in settings and slowly work on it that would be great.
I understand that perhaps there are other priorities right now but if encryption is not considered from the beginning it will likely very hard to add it back again in the future.
@jnimmo commented on GitHub (Aug 3, 2022):
I would support the removal of client side encryption, considering your well thought out arguments. Users with requirements for higher levels of security can always host locally for example, and the work involved with maintaining two different models here seems fairly high. Especially given the OSS server doesn’t currently support it.