Ask HN: What's the 2025 stack for a self-hosted photo library with local AI?

If there's a server involved, there's no reason not to have sensitive files and information end-to-end encrypted, whether self-hosting or not.

You do want to have things encrypted in transit and at rest. e2ee means server admins (I) cannot access the user's (mine) photos.

The server admin can still access their own photos via the client. They wouldn't be able to access the photos of other users.

edit: To explain further why it's almost always desirable:

You guarantee that you and your users' information is safe if the server is compromised, if an admin goes rogue, or if local bodies of power request their information from you.

The information can't be sent to third-parties by design.

Any operations / transformations that need to be applied to the information will have to either be done via homomorphic encryption or on the client-side (which is much more likely to be open source / easy-to-deobfuscate compared to blackbox server code).

I understand what e2ee is, thank you. I just don't think it’s justified for self-hosted photo servers.

E. g., “Any operations / transformations” includes facial recognition, CLIP embeddings, &c; you want to run this on the server, overnight, and to be able to re-run at a later date when new models become available. Under e2ee, that’s a round-trip through a client device at every model update. So that’s a significant downside, for no important upsides in the case when you and your family are the only users.

I was explaining why e2ee has important upsides, not how e2ee works. With Ente (and I think Immich as well), facial recognition and generating new CLIP embeddings are done on-device[0], usually right when the photo is taken / before they're uploaded to the server.

[0] https://ente.io/blog/image-search-with-clip-ggml/

Immich does it on the server.

What happens if there’s a new, better model? You’d need to re-download, decrypt, and run inference on all your past media, which is in terabytes for many.

I understand the benefit of e2ee in a situation where there is no trust between user and admin. In personal self-hosting, that’s the same person (or family), and the upsides are not as relevant. The downsides (possibility of data loss for, e. g., kids who are not very good with passwords/keys; difficulties with updating models / thumbs; …) remain important, and outweigh the benefits, even assuming the e2ee is implemented well.

You do you, but the trust is beyond just admin and users. And family photos are treated as treasures. Data loss is a fair point, but if you're self-hosting a photos app I imagine server/db backups are part of your routine. Account recovery is all that's needed to recover lost photos from there. Well, unless your VPS is compromised in a manner of data loss for longer than you wished before your backups ran, in which case it's still better that such sensitive info was e2ee'd.

edit: also feel like I'm echoing the classic dropbox comment, but self-hosting in a sane and secure manner is harder than it's made out to be. It needs to be taken seriously.

e2ee prevents account recovery.

People have found decent solutions for that. Proton's is essentially a backup password/phrase or a file you keep safe. Not as simple as a magic link, and could still lose your backup phrase/file, but alas. Security is always a compromise on convenience.

[0] https://proton.me/blog/data-recovery-end-to-end-encryption