Using Fava with encrypted Beancount data


Phractured Blue

Oct 20, 2021, 10:08:11 AM10/20/21
to Beancount
I am aware that beancount has built-in support for GPG-encrypted files, and that Fava supports using those files.

However for me there are a few issues with this implementation:
1) I would need to store all of my beancount files GPG-encrypted, which makes my automated ingest workflow more complicated
2) Fava does not support modifying encrypted beancount files
3) I also have statements (pdf) that are accessible through Fava that I'd also like encrypted
4) Fava requires that the GPG key be configured such that it can access files on startup

My workflow is that I am running fava in an always-on unattended Docker container on a secure machine. Because it is unattended, I don't have the ability to enter the passphrase whenever the container is restarted, and even though the machine is secure, I don't want to have the decryption key lying around.

My goal is to have Beancount data (and my financial statements) stored in an encrypted state when I'm not using them, and to not have any decryption keys stored on the server while addressing points 1-4 above.

My solution to this is to instead use an encrypted volume (in this case SecureFS because it is cross-platform, and I sometimes access the volume from Windows) to store my beancount files as well as my financial statements.  I host Fava behind a Nginx reverse-proxy with the auth-plugin, and use an authorization server to decrypt the SecureFS volume on demand (using a key derived from the user's entered password), and then stop SecureFS when Fava is done reading from it.  I had to monkey-patch Fava's 'watcher' module to ignore 'changed()' queries when the volume is encrypted (otherwise the volume would never unmount).

I realize this leaves my data in an unencrypted state (inside the Docker container) at times, which would not be advisable on an insecure host, but it keeps the data secure at rest (i.e. when I'm not interacting with Fava), which was my primary goal. I believe this solution could be adapted to also grant Fava access to the GPG key on an as-needed basis as well, but that doesn't help address issues 1-3 above.

Mine is probably not a common use-model, but I thought I'd share the project in case anyone wants to make use of it, as it includes a full Docker solution integrating Nginx, an authorization-server, and Fava.
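The gate described in the post above (derive a key from the user's password, mount the encrypted volume only while Fava is being used, unmount it after idle time, and keep Fava's watcher from touching the volume while it is locked), as an added example; this is not the poster's project code and does not use Fava's or SecureFS's APIs. Assumed: mounting and unmounting are caller-supplied callables (on a real host they would spawn `securefs mount` and unmount it), the session check that the nginx `auth_request` endpoint performs is passed in as a boolean, and what is persisted on disk is only a salt plus a SHA-256 verifier of the derived key, never the key itself.

```python
"""On-demand unlock of an encrypted data volume for an unattended Fava
container (added example, not the original poster's code; mount/unmount
callables and the nginx-side session check are assumptions)."""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional


def derive_key(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF: password -> 32-byte volume key. Cost is sized for an
    interactive login; raise n on a server with RAM to spare."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


class VolumeGate:
    """Holds the derived key only while the volume is mounted."""

    def __init__(self, salt: bytes, verifier: bytes,
                 mount: Callable[[bytes], None], unmount: Callable[[], None],
                 idle_seconds: float = 300.0) -> None:
        self.salt = salt
        self.verifier = verifier        # sha256(derived key): safe to persist
        self._mount = mount             # assumed: runs `securefs mount ...`
        self._unmount = unmount         # assumed: unmounts the FUSE volume
        self.idle_seconds = idle_seconds
        self._key: Optional[bytes] = None
        self._last_used = 0.0

    @classmethod
    def enroll(cls, password: str, mount: Callable[[bytes], None],
               unmount: Callable[[], None], idle_seconds: float = 300.0) -> "VolumeGate":
        """One-time setup: random salt, derive once, keep only the verifier."""
        salt = os.urandom(16)
        verifier = hashlib.sha256(derive_key(password, salt)).digest()
        return cls(salt, verifier, mount, unmount, idle_seconds)

    @property
    def is_unlocked(self) -> bool:
        return self._key is not None

    def _now(self, now: Optional[float]) -> float:
        return time.monotonic() if now is None else now

    def unlock(self, password: str, now: Optional[float] = None) -> bool:
        """Login path: derive the key from the entered password, compare the
        verifier in constant time, and mount only on success (a wrong
        password never reaches the mount step)."""
        key = derive_key(password, self.salt)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier):
            return False
        if not self.is_unlocked:
            self._mount(key)
            self._key = key
        self._last_used = self._now(now)
        return True

    def touch(self, now: Optional[float] = None) -> None:
        """Record user activity so the idle reaper does not unmount mid-use."""
        self._last_used = self._now(now)

    def lock(self) -> None:
        """Unmount and drop the key (Python cannot zero bytes in place, so the
        reference is simply released)."""
        if self.is_unlocked:
            self._unmount()
            self._key = None

    def reap(self, now: Optional[float] = None) -> bool:
        """Timer hook: lock once the volume has been idle. Returns True if it
        locked the volume on this call."""
        if self.is_unlocked and self._now(now) - self._last_used > self.idle_seconds:
            self.lock()
            return True
        return False


class GatedWatcher:
    """Stand-in for the monkey-patch on Fava's watcher: while the volume is
    locked, changed() answers False instead of stat()-ing files on the mount,
    so Fava's own background poll never keeps the volume busy. The poll does
    not count as user activity, otherwise the reaper would never fire."""

    def __init__(self, inner, gate: VolumeGate) -> None:
        self._inner = inner
        self._gate = gate

    def changed(self) -> bool:
        if not self._gate.is_unlocked:
            return False
        return self._inner.changed()


def auth_request(gate: VolumeGate, session_valid: bool,
                 now: Optional[float] = None) -> int:
    """What the nginx auth_request subrequest returns for a proxied Fava URL:
    200 lets the request through and marks the volume as in use, 401 sends the
    user to the login page (which calls gate.unlock). The session check itself
    is assumed to live elsewhere and is passed in as a boolean."""
    if session_valid and gate.is_unlocked:
        gate.touch(now)
        return 200
    return 401
```

The split matters for the stated goal: the only secret that lives on the server between sessions is the salt and a hash of the derived key, which lets a wrong password be rejected without an unmount/mount cycle but cannot be turned back into the key; the key itself exists in process memory only between `unlock()` and `lock()`.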

Martin Blais

Oct 20, 2021, 10:18:24 AM10/20/21
to Beancount
Thanks PB,
Added to contrib links.



redst...@gmail.com

Oct 21, 2021, 5:16:31 AM10/21/21
to Beancount
Very useful. Thanks for sharing, and for the write ups.