There's a lot of things I spent a ton of time setting up, use once, and then never again. Tons of things that are easy to set up, and provide small benefits every day for a long time. Immich has got to be the thing that I've spent ages setting up, use extremely infrequently but the one time a year I use it I'm so happy I did. Great software.
Man, I wish my experience was as nice. I used the proxmox lxc for it and after a 2 months of organizing I had some corruption and didn't have the fortitude to get through the debugging. It might have been related to a big version migration if I remember correctly. It turned me off the stack. The upgrading wasn't as turnkey as I wanted it to be and I dont think the case is different today.
I just want to be able to organize my folders outside of some dumb library system and immich at the time fought that as well.
I'm not sure I will ever upgrade Immich again. When I upgraded to the next minor version (I forget which off the top of my head), the data migration corrupted my database such that no images would be served. Fortunately I had the old database backed up, so I restored it, rolled back to the older version of Immich, and things were back to normal. I like Immich, but this is not good for software that's beyond the first major version, and also handles archiving people's personal data.
You say this as if it wasn’t Immich itself that backed up the database automatically next to your image files.
I think they’re one of the best self-hosted services when it comes to backup/restore — enabling it by default — and when it comes to migrations — no breaking changes in minor versions after 1.0.
Did you report this issue so I could try and reproduce it?
I had an issue where my thumbnails were borked somehow, so I deleted them all. However, I didn't delete the database entries, so they never got regenerated.
I ended up doing that manually, but it's great to see that is now a first class citizen in 3.0.0. I love Immich.
In my case I spent it not so much time setting it up, some time upgrading with some manual work required from time to time with breaking changes (but not so often) and I use it weekly, it just works and it's wonderful.
Okay? So don't use it, use a managed service like Google Photos, Apple Photos, Dropbox, etc where your photos and files might be arbitrarily removed or your access to them limited while they are scanned for disavowed content.
You can also just use a secure transport layer (like WireGuard or a VPN) instead of relying on every project to implement end-to-end encryption.
That's the objective answer. There's no mystery here. That's exactly how you get what you want and it's not too hard. Not trying to dunk on you or anyone one but this is an easily solved problem, and I think I want to highlight it like this to make sure everyone understands.
Anything web/internet/network service thing, you can add this on. This composability is important to remember in software, this even goes back to "The Unix Way" type stuff.
It's also a kind of funny thing how HN has the attitude of "never implement your own encrypted anything" but then demand their apps build in e2e encryption. It may be one abstraction higher, but it's still fundamentally the same problem.
When we talk about "E2EE" messenger apps, that usually means more than just using HTTPS. VPNs can certainly help with encryption in transit, but that's a very different concept.
Unfortunately this comes up a lot, with people asking if Immich supports end-to-end encryption and getting told to use LUKS or Tailscale.
I think I dug my own grave by not being explicit that I thought S3 as a protocol and not the AWS product. :)
To elaborate a bit further, the S3 layer makes sense once you self-host S3 yourself. This allows clusterization of multiple hosts to offer redundancy in self-hosted setting -- for example, a friend of mine and I run S3 instances and "seed" each others' buckets for photo storage, but also for package manager (Nix). Having this kind of sane object storage just expands in use-cases, like with Matrix, etc., which all then inherit the clusterization hence redundancy for free.
The E2E encryption is also very useful when you are backing up or hosting photo galleries for friends and family -- because you cannot do metadata analysis on encrypted files, they have to do that on their own devices. This makes self-hosting much more "fearless" because I do not have to account for the fact that when/if my nodes are becoming a sauna-stoves for doing inference when someone dumps an album in.
The datasets that I have are terabytes. At some point it's just cheaper (accounting your time as free) to buy a 20tb drives and get yourself a runway for 5 years or more + space to do other stuff.
So if you don't want a self hosted service there are tons of cloud providers. Google photos, iCloud, etc. Some people don't want to pay a monthly fee to store their photos or don't want to risk losing something with sentimental value just because a company decides to ban you
You can have immich on truenas that has the whole pool encrypted, same goes with opencloud for other docs/files. Plus all nas backup features, I think it’s a better approach than dealing with each app encryption.
Lessons from using self hosted image services years ago:
- Upgrade breaks things. Need to restore from DB, install previous version, etc.
- Need to update frequently (i.e. if I wait 2 years, the upgrade script doesn't work).
- Discovering a corruption months/years later. Some data just lost by that point.
- Backward incompatible changes
Of course, if you need the features, by all means use it. I just want to back up my photos and use FolderSync daily. I have a separate workflow for pruning. As long as FolderSync (or some similar app) exists, I know this flow will work 10 years from now (heck, I've been using it for almost as long). No time spent worrying about upgrading, etc.
However, i also want the availability of my photos to be reliable, just like e-mail. It always has to work, wherever i am.
When i'm on the road, and there's some random issue due to power outage, database corruption, or whatever else, i don't want to have to wait until i get back home and make the time to fix things.
On the other hand, when i'm self hosting something like an RSS reader or Jellyfin to stream videos, it's less of an issue. That can wait a few days or weeks until i can fix it.
Valid points. But I see self-hosting even as renting a VPS from someone and running the service there. Which solves most of the dev ops problems that I dont wanna bother with.
Maybe it's not "actual" self-hosting, but concenient enough to use it
Immich is an amazing software. I use it regularly as an alternative along side Google photos. I keep in it large videos that I wouldn't upload normally to Google photos + the snappy experience at home vs Cloud-Bades solution.
Does anyone have any pointers on the best way to import roughly 14 Google takeout chunks into immich?
I've downloaded all the chunks once, only to find them corrupted due to... Their 50gb size and using a browser in theory. One also cannot seem to use wget or alternatives because of the auth / session cookies required via Google takeout.
I've yet to even broach the aspect of importing each giant bundle into immich because I've not had success in even grabbing the takeout files correctly, but would LOVE pointers on the best way of importing the roughly 700gb into the database without it ALL going wrong.
I've had great success with immich running in docker for the past year or so, although I have yet to upgrade to the newest version. Google photos backups have been disabled on my phone for a year or so, but I yet to haul in all of the past years.
Also, anyone know if I can get immich to upload the photos without... Running immich once in a while? Would be great if it just automatically sent them to "my cloud".
You can use this tool to get them into Immich, it will parse all the metadata and recreate albums as you have in GPhotos https://github.com/simulot/immich-go
Oh wow, it recreates the Google Photos albums? That's the first time I've heard of a tool doing that. I've spent a ton of time organizing my Google Photos albums, that's a big reason I stay with it.
Just a quick note that native windows extract is 32bit and dies on archives gt 4gb. Use 7zip or something to extract in case you happen to be using that one.
If you can get all the images into a filesystem (on a NAS or similar server share), you can use the External Libraries feature in Immich (https://docs.immich.app/features/libraries/). This allows it to crunch through the media files via an async import job (a bit more reliable than having to directly upload via the web api).
In my setup, I exclusively use the external libraries feature, pointed at a read-only share from my NAS mounted onto my Immich server. (The external libraries are set to resynchronize to the database every few hours). This means I can manage all my media assets myself without worrying about Immich accidentally corrupting them, and if I eventually move off Immich, I just have a single folder of media files organized by date to port around.
The only downside is that I don't directly upload any media files directly to Immich, but that's okay. I have Syncopoli sync files from my phones (on a scheduled cadence) to an intermediary server which organizes and cleans exif data from media files before dropping it into its permanent home on my NAS share. No manual steps to get photos from my phone to my Immich instance!
This is a good usage pattern if you're absolutely married to the file structure you have and/or want to keep using the files where they are.
Not really applicable if what you have is a google takeout dump. Better in that case to import all the photos and let immich handle them moving forward using a tool like https://github.com/simulot/immich-go
I had ~200GiB. I selected below 10k files at a time to upload in the web UI (selected all 2014, then 2015). It was fine. More than that many and the UI became unusable.
External Libraries seem like a good option.
They have also recently improved the background import in the Android app so I have heard so that might be worth a try.
I went through the same path as you - I think I even landed up with 14 takeout files as well!
Its a bit of a trial, but quite doable. Its likely that things have improved since I did it about 6 months ago.
*Getting the files from takeout*
I tried downloading the files onto my laptop via a browser, and then copying them over to my NAS, but quickly gave up. The best approach is to download them directly to the NAS. As you pointed out auth/cookies is an issue. There are multiple ways of solving the issue, but for me I found the best way was to use chromes dev console network view to identify the network request for each file, then right click on it and select "Copy cURL". SSH into my nas and use that command to download the file. There is a bit more info on how to do this here:
This took a bit of tweaking to get the right set of command line args that worked well for what I wanted it to do. I also found immich errored out a few times during the import. Fortunately immich-go can just pick up the import where it left of, so I kept re-running it until everything was imported.
*Cleaning it all up*
If you just want a huge flat dump of your files your probably good. In my case there were various things I wasn't quite happy about. The default handling of stacking edited images with the originals in albums wasn't what I was after. I wanted to replicate sharing of albums with immich users to match what I had in google photos. For all this kind of cleanup work, I found it quite helpful to work with an AI agent. Give it an API key for your server + the url and get it to help you write cleanup scripts.
> Also, anyone know if I can get immich to upload the photos without... Running immich once in a while? Would be great if it just automatically sent them to "my cloud".
See the release note that this HN thread links to ;-)
>>> Background backup improvements
Background backup on Android is now significantly more reliable. Previously, the background backup on Android was limited to newly taken photos. Now, the app uses a new periodic task scheduler, which allows you to upload your entire library in the background, and it plays nicer with Android's background execution limits, properly cleans up tasks, and warns you when battery optimization and notification settings might interfere with backups.
On iOS, the background refresh task now runs its sync and upload work in parallel, so uploads actually start within the short time window iOS allows.
Ente Photos is an extremely polished e2ee solution that I prefer over Immich. It's cool they keep the server open instead of only open clients like many e2ee products do.
I've been bitten too many times - is Ente a commercial product that pays lip service to self hosting as form of marketing, but with friction to guide you towards the hosted version (e.g. rocketchat and many others) or does it genuinely support self hosting as a first class product?
Ente Auth is also the best, because it works on any device, including the one you're trying to access (maybe it defeats the purpose of 2FA but sometimes I don't care).
I got into Ente because I wanted to create photo upload links on a per-even basis - I can tell all my friends, if you take pics or video tonight, upload it at this URL - and it just works. No app necessary, very simple, very cheap. Then from there, I got the photo backup / archive service because why not.
They really are pretty much just what they appear to be. Im a fan.
For what it's worth, Immich supports this too. You can create an album (for each event), create a shared link, allow public anonymous uploads for the shared link, and then give the link to everyone at the event, and ask them to upload their photos. It can be done from any web browser.
> Ente Photos is extremely polished and it's comparable quality to Apple photos.
If only. It can’t even upload photos any reliably (I self-host). I had it simply fail to upload anything for days (it doesn’t provide any diagnostics, gotta figure out how to build and debug it myself), with no apparent reason. That’s despite keeping app in the foreground, on a charger, for hours, with video uploads and ML features all disabled so it was supposed to focus on just the photos. Server side is fine, web-based uploads work without any issues, app just doesn’t. I haven’t figured it out yet.
Has the ios photo sync gotten better? I've got 20k photos on my phone, and last I tried it filled up the storage on my phone with the originals, and never completed the process, even after leaving my phone open, unlocked, and the immich app running in the foreground for several days, on the same local network as the server.
I know they were working on it, but haven't kept up, I just want to know if it works better now and I should try again.
I have synced ~9000 photos from my phone in february. That worked pretty well. I was done in about 10 hours. I don't remember whether the originals were downloaded, or whether they were deleted automatically afterwards. Felt like a smooth process though.
No, it’s an Immich issue. Not OP, but I was already using Synology Photos. Synology finished syncing my library in two days, while Immich was still syncing after more than a week. I decided it wasn’t worth it after that experience.
Large file uploads are non-resumable. That is, if you have any videos at a decent bitrate and resolution, you need to be able to upload the whole file in a single session. iOS doesn't make this easy to do via background uploads. I uploaded everything by keeping the app open overnight.
> On iOS, the background refresh task now runs its sync and upload work in parallel, so uploads actually start within the short time window iOS allows.
I have a largish library at about 400gb. I synced it completely using the mobile app. It took a few months (it just finished in early June) but it’ll eventually do it. I know there are other ways but I figured this was the laziest way to do it.
Beware that migrating back from Immich to iCloud/Google is not something Immich cares about. There is no "download all" anywhere, best way is to go to the server and get raw files from there.
A download button would be great but the files are already stored on the device you can copy them with a usb or go on the device and upload it directly.
what do you mean download all? its your server over your files. If you want them, go get them! Or just point google / apple / whatever upload at your library directory.
But the way I do access Immich externally is not with Tailscale directly on my phone but involves exposing a caddy instance, running on a $1 VPS, to the internet.
If requests include a specific very long header (which I randomly made up), it then forwards those requests to my real Immich instance, which runs on my NAS. Headers can be configured within the mobile app. It has worked really well for me so far.
It’s obviously not a magical security layer that eliminates all issues related to public Internet exposure, but in my opinion it is good enough for the average home user.
I leave my phone connected 24/7 and don’t notice any downsides. Only have to disable it on some networks when traveling to make awful captive portals work.
I remember having problems using tailscale vpn 24/7 and pihole on my home network with the phone pointed at the 192.168 address for DNS. Pages would take 5s to resolve and start loading.
Unfortunately, Pihole was less important than Tailscale and I have to put up with mobile ads.
I have a static route configured on my home's gateway that enables any device on my network to access Tailscale. I have Tailscale turned on my iPhone pretty much all the time anyway, but even if I didn't I'd still be able to access services I have hosted that are only accessible on my tailnet.
I can only comment about battery life. It's proportinal to how much tailscale is really being used: If you use tailscale with an "exit node", i.e. all traffic is routed through it and it's working continously, it drains battery. If it's only used for services on your tailnet, e.g. Immich, the impact will be very small.
i've had tailscale almost permanently enabled for a couple of years at this point and it's never a problem (ios, nextdns with a tailscale specific profile rather than a pihole or something)
I only wish it would support nested albums (or albums in folders) so it could be an easy replacement for lightroom cloud as well.
I have all of my photos organized like this: `events -> year/month - holiday -> (album_1, ...)`. and: `home town -> year -> (album_1, ...)`. Photos will be in multiple albums, and there will be edits as well. And I need to track the picked/rejected state as well (and filter on it).
Only reason I haven't moved over to Immich yet is because I am struggling to map my photo organization onto it's way of doing things in a way that's nice. So far my attempts have been unwieldy.
Are there any side effects of leaving Immich public? I think people overestimate the risks. Just update your stuff regularly, follow simple rules, and set up something like CrowdSec. I know it's simpler to just use Tailscale and similar tools, but recently I see the trend that people don't even consider otherwise.
I'm in the same boat, and have been meaning to try immich but slightly worried about migration effort. Should I import fresh into Immich or setup my existing photoprism as an external library? I think the former is probably correct, but the latter might be easier?
Anyone have experience with this? I haven't done much modification or album creation in photoprism, so am happy to start from scratch on that front.
I got annoyed with Immich and external storage, because in order for every user to have their own facial recognition data on a large set of photos, you have to add the folder as external storage for each user, which means image previews for each user, even though the source image is the same. So if you have 3 users, you use up 3 times the space for the same thumbnail image.
It got to where I had 20% of my space was just thumbnails for each user, even though it was one set of images in the external storage.
So many comments here about missing end to end encryption, but seriously - why would anyone want this?
Lets say burglars break in and steal your homelab. Because you don't have e2ee, they can see all the photos you saved of your dead grandmother! Oh no!
Or, in the more likely scenario that something happens to your phone, the lack of e2ee means that even if you lost your keys you didn't lose the only memories that remain of your grandma - you just copy across the .jpgs to a new device.
If they steal your homelab, e2ee doesn't help, it's encryption at rest. E2ee is for rogue devices sniffing the network, which is more or less of a concern depending on your setup. I'd not have unencrypted traffic in my network if I had for instance those shady TV boxes.
I have a multi-region homelab cluster and I share some photos with my friends in the US and my parents in Russia. I’m auto-uploading full library (basically replacing iCloud/Google Photos) and I can share links to selected photos or albums (a reachable node will be determined by a split-view DNS). All without risks of exposing my full photo archive in case either node gets seized or otherwise compromised.
(Now, this is what I’m trying to do. I set things up, but it’s not really functional at the moment, because Ente is buggy af, and I haven’t yet learned how to rebuild and debug their iOS app.)
It would make hosting a "Family and/or friends" instance possible.
I do go back and forth on the accessibility tradeoffs of E2EE for average people though. In this scenario, lose or forget your key/password and you lose ALL of your photos which are very important to some people. Losing them is pretty catastrophic. Google Photos or iPhotos really gives people a sense of security about their photos.
ps: It would also make it easier to host cloud instances for Immich without encrypting the file system of a remote server/VPS. Especially when renting servers from small-time sellers, I'm always weary about how much I can really trust their employees access control. I know some level of trust is unavoidable with physical access, but how do they handle those disks during maintenance would also be relevant.
Two people in my life when I was a kid have since been sent to prison for pedophilia. There's a 0.0% chance I'm hosting encrypted media for anyone other than my spouse. The low but nonzero risk of the cops asking me about some encrypted files I'm holding for a friend simply would not be worth the risk for saving someone the tens of dollars a month to self host their own content.
I think the point of E2E encryption is that you could host it with a cloud provider and the provider would not be able to see your data. Kind of like how Proton Drive claims it does not know which files you have.
This would force features like semantic search, face detection, video transcoding and thumbnail generation into the clients instead.
Immich assumes trusting the server to have access to your photos is fine. That is always the case when you’re self-hosting.
And I think that’s reasonable, since most users give that trust to Google and Apple.
I think the application layer is the wrong layer for encryption for immich anyways, I just encrypt the whole disk on my server. When _self_ hosting, there's no need to prevent access to files from the operator.
To me there are two good products: Immich and Ente.
* Immich doesn't have end-to-end encryption, so I see it for self-hosting (i.e. on hardware I trust, typically at home).
* Ente has end-to-end encryption, which means I can host it on a random VPS.
Two different requirements for two different setups. E2EE adds some complexity, typically to set up a backup somewhere accessible. The fact that I have an unencrypted SDD next to my server at home that my family can grab and access photos is a feature to me: if I disappear I want them to be able to access them.
Agreed. It's especially frustrating to read of extremely high standard (even though justified, I'm not suggesting it's OK to have a subpar experience) while most people just share everything and anything on Facebook, TikTok, SharePoint, etc and have no idea what permissions even mean.
So... yeah, sure, e2ee and encryption and all that but don't wait on perfection when the otherwise situation is pretty dire. It's only encroaching BigTech fueled by surveillance capitalism even more!
I agree, we used to have photo albums in cupboards, and they used to get burnt if the house burned down, or water damaged if the boiler broke, or even stolen. Now we have them digitally and we can back them up off-site. That's all the change I need with immich.
To fully encrypt them would just be inviting more problems.
I just want to be able to share my hosted service with other people and not have the responsibility of being able to access their photos. Me or anyone that happens to gain access to my server.
I want to host an instance for me and my family. Right now we have a Google One instance shared by 5 people. Having e2e means my family members can rest assured that I or whoever I share admin rights with cannot look at their private photos. It's an important enough feature even without thinking about 3rd party bad actors.
>So many comments here about missing end to end encryption, but seriously - why would anyone want this?
I trust GrapheneOS's security 10x more than my server. Why would I want encryption on messaging, if it's 'just for messaging my grandma'. My data is important to me and I want to keep it secure, even if I don't have a high threat model. E2ee should be the baseline, there's no reason to make security worse on purpose. Encryption in this case is important because it allows defense in depth, it allows others to know their photos are private when using my server and it prevents data access if someone has physical access.
Why trust two devices when one trust one device do trick?
> Or, in the more likely scenario that something happens to your phone, the lack of e2ee means that even if you lost your keys you didn't lose the only memories that remain of your grandma - you just copy across the .jpgs to a new device.
Yes, that's what happens when you lose your keys with e2ee. Every e2ee service is like this. Apple photos, Ente photos, Signal. If I couldn't manage a few words, why would I trust myself to manage a whole server?
I have no idea, I use wireguard to access it. I have disk encryption setup. They'd need to hack my linux server SSH which I have protection turned on to shut it down after failed attempts. It would be a challenge to get access to my photos on disk. They could steal my phone and access through the app if they could get them all before I disabled access since Im using encrypted icloud account.
In the end who would want all my photos for that amount of work lol?
I wish they would better support external image sources - images not uploaded/managed by Immich, just a folder of images it has access to - especially if it's read only. It mostly works, but the UI and logic breaks in a lot of little ways.
Yup. I love Immich, but I'm also a control freak, so my 25 years of digital photos I had before using Immich still exist in an External Library. It mostly works but I still have some issues. Like I keep getting a batch of ~70 photos that lose their "date taken" and revert to the date/time I started using Immich. (Fortunately the file names are date/times and I can manually go through and fix them, but having done it at least three times, it's getting old!)
I "restarted" maybe twice when I first got into Immich to find a good set up for playing reasonably nicely with external libraries, but it does need just a bit more polish. Good to see a sibling comment that it's on their list of priorities!
Hackers
The coolest thing I've done with Immich is just set up Docker on a more powerful machine, run the machine learning libraries, and point my instance (on a low powered server) to use that external computing for face recognition and OCR. Very cool!
yes. https://docs.immich.app/features/editing/
And it is very aware of exif. It also has AI features to analyze the photos (or videos) and you can for example search for "cat" and it will find all photos with cats.
I have a different bash with them than the lack of E2EE: they do not make it easy to import from other servicesvlike Google Photos or iCloud, which should be a priority.
They rely on immich-go project, which is ridden with bugs and basically abandonware by now. Their own iOS app, which can also be used for syncing iCloud gallery, has outstanding, 2 y/o or so bugs that will fail to upload the Live Motion photos.
My photos exported to Immigh have some 9000 broken, half imported Live Photos and I just don't have time to fix that.
The fact that THIS is not their priority, the most comprehensively A-B tested feature is beyond me. Who cares about OCR if you can't trust that they didn't butcher your imported memories? I just don't get it!
This is open source, volunteer developers often focus on doing things that are fun to them, or that scratch their own itch. I can't imagine dealing with Google Photos semi-broken exports is fun to anybody, and you only deal with the pain of the import once, afterwards there's no itch to scratch.
An incredible piece of software, on par with Google Photos. I've been using it behind Tailscale for months with no problems ever since I first got into homelabbing.
Actually, moving from Google Photos to Immich after I hit my 100GB storage limit was the whole reason I got into self-hosting, and what a fun ride that has been!
I can't believe self-hosted products of this caliber are free. Huge shout-out to HomeAssistant, PiHole, paperless-ngx, Dawarich, and countless others for the same reason.
Congrats to the team on the release and thank you for helping me catalogue my personal memories
I would say at this point it's better than Google Photos!! The team is absolutely amazing, and I agree that it's astounding to see IMO the best (general purpose) photo app out there being open source
I would like to replace iCloud but it doesn't seem to sync changes/deletions with iPhone yet. I don't want to have to make changes/deletions in two places every time. v3 seems to have improved background uploads which is great as that has been a frequent complaint.
I've been considering it as well. I'm using 1.5TB in google one storage. mostly from photos/videos from the last decade from 4 family members.
Have you thought about backups and redundancy? I was thinking of hosting it on my homelab with backups on some cheap cloud storage but almost any cloud storage ends up costing somewhat similar to Google One so I've been a bit reluctant.
A good backup story is probably the only thing keeping me from switching.
Admittedly I have not set up backups yet because my homelab setup is not very mature.
I'm running everything off a single mini PC connected to a fresh 1TB SSD. My next "homelab goal" is setting up a NAS/DAS once I can snag something affordable off eBay/FB Marketplace/Kleinanzeigen/etc.
I think there are some super cheap cloud storage solutions where you pay a lot less in costs to not have on-demand access. That is the route I was going to go personally.
A lot of people talking about encryption in the comment section, thought I would share my setup. I have been running Immich for family and friends on a Hetzner auction server for about 1.5 years now.
Hetzner community provides official full-disk encryption documentation:
Letsencrypt gives free reliable SSL. You can easily hide Immich behind Nginx proxy that handles SSL for you.
Add cron based automated backup of the entire Immich data to a local encrypted NAS and there you go. Reliable, end-to-end, encrypted at rest setup. So far, it required exactly 0 maintenance.
It’s also more secure because I just drop traffic from all but 3 geographies at the IP level. And you can also add a WAP on the Nginx proxy.
It is also more more secure than Google/iCloude because the „employee of the company“ attack vector is much smaller. It’s documented that Google looks at your photos and is perfectly happy to file false police reports:
https://www.eff.org/deeplinks/2022/08/googles-scans-private-...
By comparison, yes it is theoretically possible for Hetzner employees to access my server physically and extract the encryption key from RAM, or setup a fake SSH server to try to steal the key, but that is far more complicated attack and hasn’t been documented yet. And it risks detection.
If you want a cheaper alternative, maybe look into ServaRica. That's where I run my Immich instance for my wife and me. 4TB for $11 per month. The servers (cpus) are not super fast, but fast enough for me.
I see e2e encryption over photo galleries a must since is a way of protecting yourself against misconfigured servers, future exploits or unpatched software.
FYI the setup you mention is not "end-to-end" encrypted. E2EE means client-to-client encrypted, with the server processing encrypted bits only. Your approach is encryption in transit and at rest. At rest is relatively irrelevent for large cloud providers, as they are probably better at managing the lifecycle of disks than most businesses or people. It's unlikely someone's going to physically rob a data center or end up with a refurb drive that hasn't been thoroughly processed and wiped.
It's not necessarily more secure than managed providers either, simply because you are probably not a security engineer, and have far less resources to secure your server. It does prevent Google/iCloud from scraping your data, but it certainly does not mean Hetzner can't access your data. They control the overarching hypervisor and control plane managing your servers/VM's, so there's no way to know what capabilities have been implemented. The majority of what intelligence agencies are capable of has not been leaked or documented publicly.
For 99.99% of the population, does the threat model really include targeted NSA attack with higher probability than „Google’s automated system sent the police to my door“? No, no it doesn’t.
It is demonstrably more secure for even a semi experienced sysop to host Immich for their family than for them to use Google/Apple.
But I do agree that _some_ experience is required.
In memory. If the police shows up and they disconnect my server to sieze it, for example, the photos are lost to them.
And the Hetzner employee would need to specifically target me, because I doubt they would implement a dragnet that pierces through the bespoke random process on my bare metal server to scan the photos in memory.
That is a lot more secure than „Google scans all pictures routinely and fully automatically sends the police to your door, and you have no recourse if they are wrong“ that the EFF article discussed.
He's understandably using the wrong term because E2EE should include private servers as a variant, but does not by definition.
In the case where I own the server end of the communication, the data being fully encrypted on that server is far less important than when it is stored in the cloud.
The effect is the same however, since sending encrypted photos over HTTPS to be decrypted client side would be completely unnecessary in most cases.
This is not end to end encryption. There is nothing stopping you (or Hetzner) from accessing your family’s data, as one the disks are mounted to a host they are decrypted and available for use.
True E2EE would be that all data on those disks is encrypted by the client your family uses, so even if you combed through the disk volume you would only see cipher text
This is only true if you are so highly individualistic you don’t consider a family unit as a single entity.
If you consider nuclear family as an entity, it’s e2ee. Practically.
Putting aside the fact that yes, the server can be compromised if somebody chose to attach to the live RAM and recover keys. But practically, nobody will. Same way Google will not deliver a special compromised image of the mobile app on my phone, even though they completely can.
It's a definition question. E2ee means in this cases that "the server" cannot decipher the data: the keys to that are only on the client and never shared with the server.
This setup simply does fit the definition. And trying to say it is "e2ee practically" is a bit dishonest: there is no definition for "practical e2ee".
The point of e2ee is that you do not have to trust the server (see Bitwarden for instance).
> End-to-end encryption (E2EE) is a method of implementing a secure communication system where only the sender and intended recipient can read the messages
It is only about the sender and intended recipient. In this case, if they actually would self-host, the server and sending devices are in the same entity group and it is encrypted where it matters. In the case of Hetzner, it is not, because Hetzner can access the machines as they are not in the sender's or receivers basement.
But there are some other benefits with E2EE if going strictly with "client-to-client" model - if server is compromised by the bug, there is higher chance that then data gets stolen as plaintext.
True. But the server is not completely unprotected even if not stored in my basement.
The disks are fully encrypted, so the attacker must be careful not to accidentally interrupt power or force a reboot.
And they can’t just log into the machine, it is still a normal Linux machine with passwords.
So they need to attach to a running system and actively hack it, which is completely possible but is not going to be done by a random employee for no reason.
How does the mobile app sync work with Immich? My use-case is that I want to install the mobile app on the phone of my relatives (including iPhones), and it should keep syncing their pictures "forever" even though they never, ever open the app.
I tried Nextcloud, but the apps/server end up failing to sync after at most a couple month, and it's painful to recover from that. So it doesn't work for me.
I have been considering Immich and Ente, but I would love to know if somebody has experience with that.
With works for me on Android with Pixel phone, after I added Immich to the list of apps that can work in the background.
But as you can see in the linked release note, they made a lot of change to background sync on Android and iOS. It should (TM) work out of the box now.
193 comments of 194
[ 0.17 ms ] story [ 78.6 ms ] threadI just want to be able to organize my folders outside of some dumb library system and immich at the time fought that as well.
You say this as if it wasn’t Immich itself that backed up the database automatically next to your image files.
I think they’re one of the best self-hosted services when it comes to backup/restore — enabling it by default — and when it comes to migrations — no breaking changes in minor versions after 1.0.
Did you report this issue so I could try and reproduce it?
I ended up doing that manually, but it's great to see that is now a first class citizen in 3.0.0. I love Immich.
Unfortunately Immich is not end-to-end encrypted. If that would have be the case i'd use https://pixelunion.eu/
Seems like a great app though. So... i'm still pondering what to do :-)
You can also just use a secure transport layer (like WireGuard or a VPN) instead of relying on every project to implement end-to-end encryption.
That's the objective answer. There's no mystery here. That's exactly how you get what you want and it's not too hard. Not trying to dunk on you or anyone one but this is an easily solved problem, and I think I want to highlight it like this to make sure everyone understands.
Anything web/internet/network service thing, you can add this on. This composability is important to remember in software, this even goes back to "The Unix Way" type stuff.
Unfortunately this comes up a lot, with people asking if Immich supports end-to-end encryption and getting told to use LUKS or Tailscale.
https://ente.com/reliability/
For self-hosting, “S3” usually just means “S3-compatible.” Although maybe that’s exactly what you meant.
Apparently HN does not like "not self hosting" and/or "e2e encryption" ?
Meanwhile, i also found https://zeitkapsl.eu/
To elaborate a bit further, the S3 layer makes sense once you self-host S3 yourself. This allows clusterization of multiple hosts to offer redundancy in self-hosted setting -- for example, a friend of mine and I run S3 instances and "seed" each others' buckets for photo storage, but also for package manager (Nix). Having this kind of sane object storage just expands in use-cases, like with Matrix, etc., which all then inherit the clusterization hence redundancy for free.
The E2E encryption is also very useful when you are backing up or hosting photo galleries for friends and family -- because you cannot do metadata analysis on encrypted files, they have to do that on their own devices. This makes self-hosting much more "fearless" because I do not have to account for the fact that when/if my nodes are becoming a sauna-stoves for doing inference when someone dumps an album in.
The datasets that I have are terabytes. At some point it's just cheaper (accounting your time as free) to buy a 20tb drives and get yourself a runway for 5 years or more + space to do other stuff.
It they don’t consider that e2e encrypted, literally nothing is then…
Isn't system administration a solved problem now with LLMs? At least for these simple problem domains?
- Upgrade breaks things. Need to restore from DB, install previous version, etc.
- Need to update frequently (i.e. if I wait 2 years, the upgrade script doesn't work).
- Discovering a corruption months/years later. Some data just lost by that point.
- Backward incompatible changes
Of course, if you need the features, by all means use it. I just want to back up my photos and use FolderSync daily. I have a separate workflow for pruning. As long as FolderSync (or some similar app) exists, I know this flow will work 10 years from now (heck, I've been using it for almost as long). No time spent worrying about upgrading, etc.
Alternate title: "Outdated lessons I haven't re-evaluated"
Apparently HN does not like "not self hosting" and/or "e2e encryption" ?
Meanwhile, i also found https://zeitkapsl.eu/
However, i also want the availability of my photos to be reliable, just like e-mail. It always has to work, wherever i am.
When i'm on the road, and there's some random issue due to power outage, database corruption, or whatever else, i don't want to have to wait until i get back home and make the time to fix things.
On the other hand, when i'm self hosting something like an RSS reader or Jellyfin to stream videos, it's less of an issue. That can wait a few days or weeks until i can fix it.
I've downloaded all the chunks once, only to find them corrupted due to... Their 50gb size and using a browser in theory. One also cannot seem to use wget or alternatives because of the auth / session cookies required via Google takeout.
I've yet to even broach the aspect of importing each giant bundle into immich because I've not had success in even grabbing the takeout files correctly, but would LOVE pointers on the best way of importing the roughly 700gb into the database without it ALL going wrong.
I've had great success with immich running in docker for the past year or so, although I have yet to upgrade to the newest version. Google photos backups have been disabled on my phone for a year or so, but I yet to haul in all of the past years.
Also, anyone know if I can get immich to upload the photos without... Running immich once in a while? Would be great if it just automatically sent them to "my cloud".
Great software.
In my setup, I exclusively use the external libraries feature, pointed at a read-only share from my NAS mounted onto my Immich server. (The external libraries are set to resynchronize to the database every few hours). This means I can manage all my media assets myself without worrying about Immich accidentally corrupting them, and if I eventually move off Immich, I just have a single folder of media files organized by date to port around.
The only downside is that I don't directly upload any media files directly to Immich, but that's okay. I have Syncopoli sync files from my phones (on a scheduled cadence) to an intermediary server which organizes and cleans exif data from media files before dropping it into its permanent home on my NAS share. No manual steps to get photos from my phone to my Immich instance!
Not really applicable if what you have is a google takeout dump. Better in that case to import all the photos and let immich handle them moving forward using a tool like https://github.com/simulot/immich-go
I had ~200GiB. I selected below 10k files at a time to upload in the web UI (selected all 2014, then 2015). It was fine. More than that many and the UI became unusable.
External Libraries seem like a good option.
They have also recently improved the background import in the Android app so I have heard so that might be worth a try.
Its a bit of a trial, but quite doable. Its likely that things have improved since I did it about 6 months ago.
*Getting the files from takeout* I tried downloading the files onto my laptop via a browser, and then copying them over to my NAS, but quickly gave up. The best approach is to download them directly to the NAS. As you pointed out auth/cookies is an issue. There are multiple ways of solving the issue, but for me I found the best way was to use chromes dev console network view to identify the network request for each file, then right click on it and select "Copy cURL". SSH into my nas and use that command to download the file. There is a bit more info on how to do this here:
https://trog.qgl.org/20241001/downloading-a-google-takeout-f...
*Importing them into immich*
Once I had all my takeout files on the nas, I used immich-go to import them: https://github.com/simulot/immich-go
This took a bit of tweaking to get the right set of command line args that worked well for what I wanted it to do. I also found immich errored out a few times during the import. Fortunately immich-go can just pick up the import where it left of, so I kept re-running it until everything was imported.
*Cleaning it all up* If you just want a huge flat dump of your files your probably good. In my case there were various things I wasn't quite happy about. The default handling of stacking edited images with the originals in albums wasn't what I was after. I wanted to replicate sharing of albums with immich users to match what I had in google photos. For all this kind of cleanup work, I found it quite helpful to work with an AI agent. Give it an API key for your server + the url and get it to help you write cleanup scripts.
See the release note that this HN thread links to ;-)
>>> Background backup improvements Background backup on Android is now significantly more reliable. Previously, the background backup on Android was limited to newly taken photos. Now, the app uses a new periodic task scheduler, which allows you to upload your entire library in the background, and it plays nicer with Android's background execution limits, properly cleans up tasks, and warns you when battery optimization and notification settings might interfere with backups.
On iOS, the background refresh task now runs its sync and upload work in parallel, so uploads actually start within the short time window iOS allows.
"Ente Photos is a paid service, but we offer 10GB of free storage. You can also >>clone this repository and choose to self-host<<."
So both forms...
https://github.com/ente/ente
Ente Auth and Locker both seem like limited feature subsets of solutions like 1Password.
They really are pretty much just what they appear to be. Im a fan.
If only. It can’t even upload photos any reliably (I self-host). I had it simply fail to upload anything for days (it doesn’t provide any diagnostics, gotta figure out how to build and debug it myself), with no apparent reason. That’s despite keeping app in the foreground, on a charger, for hours, with video uploads and ML features all disabled so it was supposed to focus on just the photos. Server side is fine, web-based uploads work without any issues, app just doesn’t. I haven’t figured it out yet.
Did you try it with the free 10GB on their hosted servers?
I'm using Android so maybe it's different on iOS.
I know they were working on it, but haven't kept up, I just want to know if it works better now and I should try again.
> On iOS, the background refresh task now runs its sync and upload work in parallel, so uploads actually start within the short time window iOS allows.
But I don't know if that fixes your issue.
https://github.com/immich-app/immich/discussions/14365
But the way I do access Immich externally is not with Tailscale directly on my phone but involves exposing a caddy instance, running on a $1 VPS, to the internet.
If requests include a specific very long header (which I randomly made up), it then forwards those requests to my real Immich instance, which runs on my NAS. Headers can be configured within the mobile app. It has worked really well for me so far.
https://developers.cloudflare.com/tunnel/
It’s obviously not a magical security layer that eliminates all issues related to public Internet exposure, but in my opinion it is good enough for the average home user.
Unfortunately, Pihole was less important than Tailscale and I have to put up with mobile ads.
I have all of my photos organized like this: `events -> year/month - holiday -> (album_1, ...)`. and: `home town -> year -> (album_1, ...)`. Photos will be in multiple albums, and there will be edits as well. And I need to track the picked/rejected state as well (and filter on it).
Only reason I haven't moved over to Immich yet is because I am struggling to map my photo organization onto it's way of doing things in a way that's nice. So far my attempts have been unwieldy.
(I keep meaning to look at it and keep kicking it down the road.)
Yes: it is necessary to share selected albums through public URL.
Anyone have experience with this? I haven't done much modification or album creation in photoprism, so am happy to start from scratch on that front.
It got to where I had 20% of my space was just thumbnails for each user, even though it was one set of images in the external storage.
Maybe that's changed recently.
Lets say burglars break in and steal your homelab. Because you don't have e2ee, they can see all the photos you saved of your dead grandmother! Oh no!
Or, in the more likely scenario that something happens to your phone, the lack of e2ee means that even if you lost your keys you didn't lose the only memories that remain of your grandma - you just copy across the .jpgs to a new device.
I also imagine that a true E2EE architecture means you have more flexibility with cloud storage, managed hosting, and off-site backups.
I have a multi-region homelab cluster and I share some photos with my friends in the US and my parents in Russia. I’m auto-uploading full library (basically replacing iCloud/Google Photos) and I can share links to selected photos or albums (a reachable node will be determined by a split-view DNS). All without risks of exposing my full photo archive in case either node gets seized or otherwise compromised.
(Now, this is what I’m trying to do. I set things up, but it’s not really functional at the moment, because Ente is buggy af, and I haven’t yet learned how to rebuild and debug their iOS app.)
I do go back and forth on the accessibility tradeoffs of E2EE for average people though. In this scenario, lose or forget your key/password and you lose ALL of your photos which are very important to some people. Losing them is pretty catastrophic. Google Photos or iPhotos really gives people a sense of security about their photos.
ps: It would also make it easier to host cloud instances for Immich without encrypting the file system of a remote server/VPS. Especially when renting servers from small-time sellers, I'm always weary about how much I can really trust their employees access control. I know some level of trust is unavoidable with physical access, but how do they handle those disks during maintenance would also be relevant.
This would force features like semantic search, face detection, video transcoding and thumbnail generation into the clients instead.
Immich assumes trusting the server to have access to your photos is fine. That is always the case when you’re self-hosting.
And I think that’s reasonable, since most users give that trust to Google and Apple.
* Immich doesn't have end-to-end encryption, so I see it for self-hosting (i.e. on hardware I trust, typically at home).
* Ente has end-to-end encryption, which means I can host it on a random VPS.
Two different requirements for two different setups. E2EE adds some complexity, typically to set up a backup somewhere accessible. The fact that I have an unencrypted SDD next to my server at home that my family can grab and access photos is a feature to me: if I disappear I want them to be able to access them.
If you have a server in your homelab where you self-host I mich just encrypt the hard drive with LUKS.
So... yeah, sure, e2ee and encryption and all that but don't wait on perfection when the otherwise situation is pretty dire. It's only encroaching BigTech fueled by surveillance capitalism even more!
To fully encrypt them would just be inviting more problems.
Maybe people have pornography production streams they want to manage using Immmich?
I trust GrapheneOS's security 10x more than my server. Why would I want encryption on messaging, if it's 'just for messaging my grandma'. My data is important to me and I want to keep it secure, even if I don't have a high threat model. E2ee should be the baseline, there's no reason to make security worse on purpose. Encryption in this case is important because it allows defense in depth, it allows others to know their photos are private when using my server and it prevents data access if someone has physical access.
Why trust two devices when one trust one device do trick?
> Or, in the more likely scenario that something happens to your phone, the lack of e2ee means that even if you lost your keys you didn't lose the only memories that remain of your grandma - you just copy across the .jpgs to a new device.
Yes, that's what happens when you lose your keys with e2ee. Every e2ee service is like this. Apple photos, Ente photos, Signal. If I couldn't manage a few words, why would I trust myself to manage a whole server?
The people who care about this disproportionately collect distasteful media and would be in criminal proceedings if their material was uncovered.
In the end who would want all my photos for that amount of work lol?
I "restarted" maybe twice when I first got into Immich to find a good set up for playing reasonably nicely with external libraries, but it does need just a bit more polish. Good to see a sibling comment that it's on their list of priorities!
Hackers
The coolest thing I've done with Immich is just set up Docker on a more powerful machine, run the machine learning libraries, and point my instance (on a low powered server) to use that external computing for face recognition and OCR. Very cool!
Which I am yet to do...
And yes, we only look at physical photos or the "on this day X years ago" reels. But to get here, Immich was a valuable tool.
Only it is different 100 photos every year.
They rely on immich-go project, which is ridden with bugs and basically abandonware by now. Their own iOS app, which can also be used for syncing iCloud gallery, has outstanding, 2 y/o or so bugs that will fail to upload the Live Motion photos.
My photos exported to Immigh have some 9000 broken, half imported Live Photos and I just don't have time to fix that.
The fact that THIS is not their priority, the most comprehensively A-B tested feature is beyond me. Who cares about OCR if you can't trust that they didn't butcher your imported memories? I just don't get it!
This is open source, volunteer developers often focus on doing things that are fun to them, or that scratch their own itch. I can't imagine dealing with Google Photos semi-broken exports is fun to anybody, and you only deal with the pain of the import once, afterwards there's no itch to scratch.
I set up immich backed by ceph last week and I got everything migrated via immich-go, with all metadata albums and all.
Had to change some parallelization option, but otherwise it was a breeze.
Because those services are closed black boxes that don't really let you access them except in a very roundabout way?
Actually, moving from Google Photos to Immich after I hit my 100GB storage limit was the whole reason I got into self-hosting, and what a fun ride that has been!
I can't believe self-hosted products of this caliber are free. Huge shout-out to HomeAssistant, PiHole, paperless-ngx, Dawarich, and countless others for the same reason.
Congrats to the team on the release and thank you for helping me catalogue my personal memories
Have you thought about backups and redundancy? I was thinking of hosting it on my homelab with backups on some cheap cloud storage but almost any cloud storage ends up costing somewhat similar to Google One so I've been a bit reluctant.
A good backup story is probably the only thing keeping me from switching.
Admittedly I have not set up backups yet because my homelab setup is not very mature.
I'm running everything off a single mini PC connected to a fresh 1TB SSD. My next "homelab goal" is setting up a NAS/DAS once I can snag something affordable off eBay/FB Marketplace/Kleinanzeigen/etc.
I think there are some super cheap cloud storage solutions where you pay a lot less in costs to not have on-demand access. That is the route I was going to go personally.
IMMICH_VERSION=v3
docker compose pull
docker compose up
No issues so far. The web UI is not significantly changed, the biggest improvements are on mobile.
Hetzner community provides official full-disk encryption documentation:
https://community.hetzner.com/tutorials/install-debian-with-...
Letsencrypt gives free reliable SSL. You can easily hide Immich behind Nginx proxy that handles SSL for you.
Add cron based automated backup of the entire Immich data to a local encrypted NAS and there you go. Reliable, end-to-end, encrypted at rest setup. So far, it required exactly 0 maintenance.
It’s also more secure because I just drop traffic from all but 3 geographies at the IP level. And you can also add a WAP on the Nginx proxy.
It is also more more secure than Google/iCloude because the „employee of the company“ attack vector is much smaller. It’s documented that Google looks at your photos and is perfectly happy to file false police reports: https://www.eff.org/deeplinks/2022/08/googles-scans-private-...
By comparison, yes it is theoretically possible for Hetzner employees to access my server physically and extract the encryption key from RAM, or setup a fake SSH server to try to steal the key, but that is far more complicated attack and hasn’t been documented yet. And it risks detection.
I pay 60/month for 50 TB with a 10 year old intel xenon.
It's not necessarily more secure than managed providers either, simply because you are probably not a security engineer, and have far less resources to secure your server. It does prevent Google/iCloud from scraping your data, but it certainly does not mean Hetzner can't access your data. They control the overarching hypervisor and control plane managing your servers/VM's, so there's no way to know what capabilities have been implemented. The majority of what intelligence agencies are capable of has not been leaked or documented publicly.
For 99.99% of the population, does the threat model really include targeted NSA attack with higher probability than „Google’s automated system sent the police to my door“? No, no it doesn’t.
It is demonstrably more secure for even a semi experienced sysop to host Immich for their family than for them to use Google/Apple.
But I do agree that _some_ experience is required.
And the Hetzner employee would need to specifically target me, because I doubt they would implement a dragnet that pierces through the bespoke random process on my bare metal server to scan the photos in memory.
That is a lot more secure than „Google scans all pictures routinely and fully automatically sends the police to your door, and you have no recourse if they are wrong“ that the EFF article discussed.
True E2EE would be that all data on those disks is encrypted by the client your family uses, so even if you combed through the disk volume you would only see cipher text
If you consider nuclear family as an entity, it’s e2ee. Practically.
Putting aside the fact that yes, the server can be compromised if somebody chose to attach to the live RAM and recover keys. But practically, nobody will. Same way Google will not deliver a special compromised image of the mobile app on my phone, even though they completely can.
This setup simply does fit the definition. And trying to say it is "e2ee practically" is a bit dishonest: there is no definition for "practical e2ee".
The point of e2ee is that you do not have to trust the server (see Bitwarden for instance).
Let's see e.g. Wikipedia:
> End-to-end encryption (E2EE) is a method of implementing a secure communication system where only the sender and intended recipient can read the messages
It is only about the sender and intended recipient. In this case, if they actually would self-host, the server and sending devices are in the same entity group and it is encrypted where it matters. In the case of Hetzner, it is not, because Hetzner can access the machines as they are not in the sender's or receivers basement.
But there are some other benefits with E2EE if going strictly with "client-to-client" model - if server is compromised by the bug, there is higher chance that then data gets stolen as plaintext.
The disks are fully encrypted, so the attacker must be careful not to accidentally interrupt power or force a reboot.
And they can’t just log into the machine, it is still a normal Linux machine with passwords.
So they need to attach to a running system and actively hack it, which is completely possible but is not going to be done by a random employee for no reason.
TOO BAD YOU IDIOTS CAN'T FIGURE OUT HOW TO BAN PEOPLE. RETARDS. LEARN TO CODE.
I tried Nextcloud, but the apps/server end up failing to sync after at most a couple month, and it's painful to recover from that. So it doesn't work for me.
I have been considering Immich and Ente, but I would love to know if somebody has experience with that.
But as you can see in the linked release note, they made a lot of change to background sync on Android and iOS. It should (TM) work out of the box now.
> works for me on Android with Pixel phone
But do you open the Immich app on Android from time to time, or never and just use it to sync transparently in the background?