The struggle for democracy and civil rights is not always easy – and it certainly needs technology to succeed. Open Source software like Tor is an important tool for activists all over the world; if you can’t trust your government, you need at least software which you can trust.
Storing files online, and sharing them with the right people, can help activists in authoritarian states to enjoy freedom of speech. It’s especially important for whistleblowers; exposing crimes against humanity needs evidence, and such evidence needs to be stored securely.
Activists might need an anonymous file sharing service which is hard to shut down, and which doesn’t expose their identity to the authorities. ownCloud can be such a service, and this blog post shows how you can provide it to others while protecting your identity.
Security Considerations – What Can You Protect Yourself Against?
Online security can never be complete. There is so much to think of, and you can only protect yourself against certain threat models. There is always a trade-off in whom you trust and whom you don’t. Paranoia is a virtue in times of fully automated global surveillance; but we should take care not to become crazy in the process of resisting it.
That’s why this blog post defines a clear threat model: it aims to help groups of activists who work on political topics underground, and don’t want to be discovered by a surveillance state. It may require different tools to protect against corporate surveillance, or against criminal hackers.
This blog post also assumes that we can trust Let’s Encrypt certificates and Open Source projects. If it’s possible to hide backdoors in the open, we have a whole load of different problems to deal with.
Because it’s easy to say “never trust your life with software”, but only you can decide which risks are worth it, and which aren’t. If you need insecure tech to warn your partners of a police raid, you would probably take the risk.
On the other hand, technology might not always protect you. If you are de-anonymized, your password strength will probably not save you. If your law enforcement is known for torture, you better run.
In the end, you have to make your own decisions; this guide hopefully helps you to better understand how to protect yourself in which situation. But it does not substitute critical thought.
The Toolbox – What You Need for This
If you want to tackle such a project, you will need a few things: a USB flash drive for Tails and some Bitcoin every month, to rent an anonymous server and a domain. I’ll explain how you can get them, and what for:
Tails – a Flash Drive for Every Situation
We need Tails to buy and manage the server we want to install ownCloud on. To use the ownCloud as soon as it is installed, a Tor Browser will suffice, but for SSH connections you have to use Tails.
Tails is a Linux operating system which runs from a USB flash drive. Tails sends all your traffic over the Tor network, obscuring your IP address. Not only HTTP(s) traffic as with the Tor Browser, but also SSH traffic.
To run Tails, you just plug it into some computer and boot from USB (for an explanation, see the Tails installation guide). Tails does not leave a trace on the computer as long as you don’t mount the hard drive.
Note: everything you do with a Tails stick will be lost when you shut down afterwards, unless you configure a persistent encrypted storage and save the files there. Choose a long password you can remember.
Programs You Will Need on Tails
You will need several passwords throughout this guide: for your SSH key, for the DNS and server provider login, for the ownCloud admin account, for the full disk encryption of your server… Generate passwords longer than 30 letters and store them in KeepassX.
The password for your encrypted persistent storage and your KeepassX password database should be long, but easy to remember. This comic has some good tips on how to make up a good passphrase:
Another advantage of Tails for our use case is that Electrum, a Bitcoin wallet, is already pre-installed in Tails. If you have a persistent encrypted storage on your Tails stick, it saves your Bitcoin Wallet, as well as your SSH and GPG keys.
Intrigued? The installation guide is really straightforward, even for people without much technical experience. You can read how to install it here:
But before you use Tails, you should consider this security advice for the situation we are talking about:
If Using Tor Is Dangerous or Blocked in Your Country
Tails provides a long wiki page about warnings and general security considerations. It is worth reading them; they are a very good start to gain a better understanding of online operational security. One thing is especially important for our threat model:
If you are using Tails, your Internet Service Provider can not see what exact site you are accessing. But they will notice that someone in your home network is using the Tor network, which might be dangerous in your country.
Tor bridges protect you against this; you basically only connect to the bridge server, which proxies the traffic to the Tor network. If your state or Internet Service Provider blocks the Tor network, the Tor Bridging mode will also help you access the Tor network.
You can activate it after booting the Tails stick, before you start your user session. You will need the address of a Tor bridge; these addresses are not completely public, to avoid blocking and censorship. One way is to ask the Tor project for a bridge server. You could also host it yourself on a server in a foreign country.
This is already useful to circumvent Tor blocking. But if it’s really dangerous to use Tor in your country, you might take your laptop to a public Wifi and boot Tails there, instead of accessing the Tor bridge from home.
A Pseudonymous E-Mail Address
You will probably need an E-Mail address to register an account at the hosting and/or domain provider. A trustworthy provider for that is riseup.net; if you need an invite code, you can write me an E-Mail to firstname.lastname@example.org (PGP-Key).
Bitcoin or Monero for Anonymous Payments
Bitcoin is a cryptocurrency for anonymous, decentralized, secure payments. Although I should say pseudonymous, because an attacker can try to trace back payments to you. With Tails, you don’t have to worry about your IP address leaking.
But to keep attackers from tracing your payments back to you, you should either use a coin mixer or use the alternative cryptocurrency Monero instead, which has coin mixing implemented by default. For extra security, wait a few hours before you spend the coins; this lowers the possibility of an EABE attack.
Buying Bitcoin can be difficult or dangerous depending on your country. On certain online marketplaces you can buy bitcoin with your bank account or credit card.
If you don’t want to leave this trace, you might either buy it from local cryptocurrency nerds, or ask your supporters in other countries for donations in Bitcoin. But even in countries like Iran it’s possible to get it somehow.
Buy an Anonymous Server
There are a bunch of hosting providers who accept Bitcoin and don’t ask questions. One that is often mentioned is anonymously.io, which has an expensive, but very good offer for 2×1 TB of storage.
This is about as cheap as it gets for a dedicated server; and you need a dedicated server if you want security features like full disk encryption for your server.
If you really only want to host some images and documents, less storage might suffice. Then njal.la might be a good provider – we will also need them for the anonymous domain, so you minimize the parties you have to be involved with.
You can look around for more anonymous providers; there are plenty. This list might help you: it already lists some good providers, and mentions what criteria you have to look for.
Get an Anonymous Domain
Usually having a domain name means that your personal information is stored as publicly available WHOIS information. Some top level domains offer exceptions though, for example .org and .net.
In other cases, DNS providers allow you to register a domain name with their legal information, while still handing the control over to you. And finally there are some DNS providers which only ask for an E-Mail address.
njal.la is the best example for such a DNS provider; it was founded by Peter Sunde, one of the co-founders of the Pirate Bay, to enable online anonymity. It is most trustworthy, accepts both Bitcoin and Monero, and has a great support service.
Registering a domain name and paying with cryptocoin is very easy and straightforward.
Hidden Services – Why Not Get a .onion Domain?
Setting up a hidden service might also be a good idea, and might even save you the 15€/year for a .org domain. The main security advantage is that your users can only connect via the Tor Browser. This way, they don’t accidentally access it via a non-anonymous browser.
But that is not always a good idea. There might be situations where you desperately need a file, but don’t have a Tor Browser around, e.g. when you are having a trial, and still have to print out paperwork from some internet café.
Just telling your users that they should use a Tor Browser gives them the flexibility to choose their security model. Surveillance almost never sees everything; surveillance works because we don’t know when they are listening and when they aren’t.
Setting up a hidden service is not straightforward, and out of scope for this article. If you really need such a setup, you could look into how to run a hidden service with docker, and configure the nginx container to reverse proxy to your ownCloud container.
Prepare the Server
Now you have a server that you can log in to via SSH. Let’s assume it is a Debian server, because it is most common. You should now take some security measures to protect the server; if your government can hack it, all your efforts towards privacy will be worthless.
First, generate an SSH keypair on your Tails stick. It should be automatically stored on your encrypted persistent storage. This is what keeps the control over the server in your hand; don’t lose the SSH key. Reboot your Tails stick to make sure that the encrypted persistent storage works and your SSH key stays available.
It is best to make a backup of your SSH key and your Bitcoin wallet on a Veracrypt-encrypted USB drive, and hide it in the woods, or at another place where your adversary won’t look for it. Make sure not to take a phone with you. Make sure no one is following you.
Now, as your private SSH key is secured, you can copy your public SSH key to the server and store it in ~/.ssh/authorized_keys. This way, you can log in with your key instead of the user password.
Keeping Your Server Secure
A good idea is configuring your SSH Server to only accept public key authentication instead of password authentication. You might also change the SSH port to evade the most annoying automated brute force attacks. For real brute force protection, you should install fail2ban and configure it for SSH.
Another good security measure is disabling SSH login for the root user, and using a normal user account for that instead. You can log in as an unprivileged user, and do admin tasks through su, which requires an attacker to find out one more password.
To protect your service in the long run, make sure to always install the most recent security upgrades.
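The SSH settings recommended in this section can be checked mechanically. The script below is an added example, not part of the original post: the function names sshd_value and audit_sshd are hypothetical, and both sample configurations (including port 2222) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening advice above.
# Simplifications: Include files are not followed and parsing stops at the
# first Match block. On a live server, `sshd -T` prints the effective config.

# sshd_value FILE KEYWORD DEFAULT -> effective value (hypothetical helper).
# sshd honours the FIRST occurrence of a keyword; keywords ignore case.
sshd_value() {
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }                  # strip leading whitespace
        /^#/ { next }                           # skip comments
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }           # unset: use supplied default
    ' "$1"
}

# audit_sshd FILE -> prints findings, returns the number of FAIL lines.
audit_sshd() {
    fails=0
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: password logins are still accepted"; fails=$((fails + 1)); }
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: public key authentication is disabled"; fails=$((fails + 1)); }
    [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" = no ] ||
        { echo "FAIL: root can still log in over SSH"; fails=$((fails + 1)); }
    [ "$(sshd_value "$1" Port 22)" != 22 ] ||
        echo "NOTE: sshd still listens on the default port 22"
    return "$fails"
}

# Constructed sample input: a near-default config and a hardened one.
demo_dir=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'PermitRootLogin yes' \
    > "$demo_dir/weak"
printf '%s\n' 'Port 2222' 'PasswordAuthentication no' 'PermitRootLogin no' \
    'PubkeyAuthentication yes' > "$demo_dir/hardened"

audit_sshd "$demo_dir/weak" || echo "weak config: $? finding(s)"
audit_sshd "$demo_dir/hardened" && echo "hardened config: all checks pass"
```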
How to Encrypt the Files?
Encrypting your files is important to protect against raids of the data center. The other reason is that you might not want to trust the hosting provider. Even if they have no reason to go after you, they might be open to bribes or cooperating with their local law enforcement, which might cooperate with your law enforcement.
The best option would be to encourage your users to use Cryptomator. This tool for end-to-end encryption means they do not even have to trust you as the admin. This is the best way for them to protect their data, but you can’t enforce or enable it.
Full Disk Encryption – Hide Your Files From Your Provider
If you want to protect your server against data center raids, you better encrypt your server hard disk. This is not completely fool-proof; the data is only secure when the server is shut down. As long as it is turned on and unlocked, the password is resting in the RAM of the machine.
Whoever has physical access to the machine can try to extract the RAM by keeping it cool, and try to find your password in there. Chances are high though that they are not technically capable of doing this, or that it’s too expensive; so full disk encryption might still be worth a try.
Configuring full disk encryption will vary from provider to provider; there is no guide which will work everywhere. With some providers you might have an installation daemon which allows you to encrypt the disk.
With others, you have to encrypt it after installation, which is not straightforward. This is a guide for Hetzner which might give you an idea how to do it with your provider.
Encrypting the disk is one thing; you also have to install a dropbear SSH server to the initramfs so you can unlock the disk at boot. This way, when booting the server, you first login to the dropbear SSH server, unlock the disk, log out again, and then login to your normal system.
Installing ownCloud via Docker
Now, as the server is ready, you can start installing ownCloud. Installing ownCloud is very easy with Docker. You should use Traefik as a Reverse Proxy, as it automatically takes care of TLS encryption with Let’s Encrypt certificates. There is a simple guide to get started:
When you can login to your ownCloud under your domain, with working https, we are ready so far! You might also create a backup strategy; if the server is lost for some reason, or you encounter errors after an upgrade, you will be glad to be able to just restore the backup.
Install ownCloud Apps for More Security
With this setup, you should be fine and have a secure and anonymous ownCloud setup. Be cautious and use a Tor Browser or even Tails every time you login to your admin account, and make sure to pay for your server in advance as far as possible. This way, you should be safe, and able to focus on the real struggle.
To enhance security even more, you can install ownCloud apps through the Marketplace. Most of them specifically protect your users. You could look into these apps:
- Brute Force Protection
- Password Policy
- PrivacyIdea 2-Factor Authentication
- TOTP 2-Factor Authentication
- Password Manager
I hope this blogpost was helpful. If you encounter holes in my logic, don’t hesitate to leave a comment! And please share it with people who could use this kind of knowledge.