[resoluteteeth]

I said github, not git. You don't need to use a cloud service to use git for synchronization.

[gruez]

You don't, but are people really manually running "git pull" between their various devices, or are they using a (self) hosted git service? Even in the self hosted case, I wouldn't want the security of all my passwords to be dependent on my $5/month VPS not being compromised.

[eptcyka]

I believe that people do just sync got repos between machines. 5$ VPSes, Raspberry Pi's, laptops from 2009. Why not?

Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?

[gruez]

> I believe that people do just sync got repos between machines. 5$ VPSes, Raspberry Pi's, laptops from 2009. Why not?

it's a pain because of NAT/port forwarding, not to mention the chore of making sure every device is up to date. You can get around the NAT/port forwarding issue by having a $5 VPS, but then you're essentially storing your password database on dropbox.

>Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?

1. Same way that dropbox can be compromised: your account gets hacked or the provider gets hacked.

2. While I agree that a server with only sshd and auto-updates enabled would be pretty hard to compromise (foregoing the above), I doubt that's the typical setup. Most people probably have a "general purpose" VPS that they use to host all sorts of stuff, which means there's lots blindly typing in "npm install ..." or even "curl ... | sh" going on.

[resoluteteeth]

> it's a pain because of NAT/port forwarding

Tailscale or zerotier. It's a solved problem. You don't need to use a vps at all.

[jkepler]

Or Syncthing

[msravi]

> Same way that dropbox can be compromised: your account gets hacked or the provider gets hacked.

Nope. My account on my vps is protected with a strong ssh key and password-logins disabled. Also fail2ban is set up to forever disallow ips that try failed logins. So not the same at all.

> lots blindly typing in "npm install ..." or even "curl ... | sh" going on.

Nope

[gruez]

> > Same way that dropbox can be compromised: your account gets hacked or the provider gets hacked.

>Nope. My account on my vps is protected with a strong ssh key and password-logins disabled. Also fail2ban is set up to forever disallow ips that try failed logins. So not the same at all.

By "account", I don't mean the account in /etc/passwd on your VPS, I mean the account with your hosting provider. That can be hacked/phished just like a dropbox account, not to mention the provider themselves getting hacked or social engineered.

[msravi]

The vps can be encrypted by a customer supplied key. In google compute, for example: https://cloud.google.com/compute/docs/disks/customer-supplie...

[msravi]

Yes, I do a git pull between my vps and various devices. Works perfectly well. But my threat model does not include 3-letter security agencies, so I'm completely ok with that. Beats having my passwords stored on the cloud controlled by XYZ company and then waking up to a news article saying that their servers were compromised. That is the threat model that I optimize for.

[doubled112]

Yes, I am, and the server is in the house.

I periodically do a "git pull" onto an encrypted HDD that's stored at the office.

Offsite and backups outside of my normal backup procedures, in case I'm suddenly really screwed.

The PGP key is on a YubiKey, and I have an encrypted offline backup of that as well.