Source code security when using Cloudron

zonzonzon

Hello everyone,

I have a question regarding our usual practice of installing Cloudron on a VPS due to usage needs.
When we move to a new provider or if, for some reason, an unauthorized person gains access to the old VPS or its disk, can they access the source code of all websites installed on Cloudron?

What would be the best security solution for us when using Cloudron to minimize the risk of data loss? Thank you.

fbartels

@zonzonzon said in Source code security when using Cloudron:

can they access the source code of all websites installed on Cloudron?

Yes, as soon as someone has physical access to a server they will have means to also see what is stored on disk. The only way around this would be full disk encryption, but during the runtime of the server the data is still decrypted which means as long as the server is running data is readable and only becomes inaccessible upon reboot (up until you enter the decryption passphrase).

Or you are using an app that implements end to end encryption. If you're developing wordpress apps and you are concerned about someone stealing your source, then maybe obfuscation would be a means, but this only makes it harder still not impossible.

girish

When you say 'source code all websites', maybe you mean WordPress and LAMP websites? If so, ignore this comment. But source code of all cloudron packages and the final built images is all public - https://hub.docker.com/u/cloudron . you don't even need server credentials or install Cloudron for that matter to see the source code of apps.

For WP/Lamp, I consider the websites themselves as "data" and "configuration" and not "source code".