HomeDrive establishes a TCP tunnel to HomeDrive's Fabrics service, so that users can visit the services on HomeDrive from the Internet without the need to expose user's real IP addresses by setting up Dynamic DNS services or port forwarding.
HomeDrive also routinely queries homedrive.io for software updates.
As a result, we know if a user's HomeDrive endpoint is online or not.
All traffic transferred via HomeDrive Fabrics service are HTTPS/TLS, so the HTTP service traffic is always end-to-end encrypted. Users trust HomeDrive Fabrics service no more than an Internet service provider that is routing Internet IP packets.
So technically, yes, Fabrics sees all the TCP/IP data, but protecting user's privacy and security do not rely on hiding these data from attackers anyways.
When HomeDrive is connected, it establishes a long-lived tunnel to HomeDrive's fabrics service. All traffic going through the tunnel are end-to-end encrypted, so we cannot see what exact bytes are being transferred over the tunnel. However, the servers do know roughly how many bytes are being transferred at any given time.
HomeDrive also routinely queries homedrive.io to check for available updates. Because of that, homedrive.io also knows if a HomeDrive is online, and what version of software release it is currently using.
When HomeDrive is installed for the first time, it reports the admin passwords to homedrive.io so that the user can easily login. We recommend users to set the passwords to new ones on first login, and set up two-factor authentication. We never login into services running on users' HomeDrives without user's explicit authorization.
Not really. VPN (or Virtual Private Network) often works at IP layer, and wraps IP datagrams directly into a tunnel, joining two networks effectively. HomeDrive Fabrics is a TCP layer TLS-only tunnel service. A Fabrics client does not create any virtual network interfaces on HomeDrive devices, so there is also no network joining or bridging with any external networks. Unlike VPNs, even when HomeDrive's Fabrics servers are compromised, the attacker will not be able to further compromise local networks on a user's HomeDrive devices. This is sometimes called "Zero Trust Network Architecture" in the networking industry, where the user authentication and authorization relies on end-to-end encrypted transports and verifying secure user credentials, rather than trusting a remote network entirely.
Yes. Please contact firstname.lastname@example.org and we will disable the traffic forwarding on our end, and show you the instructions to disable the Fabrics client on the device.
Note that after it is disabled, you need to setup your own traffic forwarding to the 443 port on the device. Otherwise, the TLS certificates will fail to auto refresh and expire in a few months.
We are working on a better user interface so that users can disable the Fabrics service on their own.
Yes! You can do this by setting your local DNS resolving of your
HomeDrive's domain (such as
nextcloud.foobar.homedrv.com) to its
local IP address. You can set up a local DNS proxy resolver on your own,
or by just editing the
/etc/hosts file. You can find the local IP address of
the HomeDrive by running
ip addr show dev eth0 on your HomeDrive's command
For example, if your HomeDrive's local network IP address is 192.168.1.10,
and your Nextcloud domain is
nextcloud.foobar.homedrv.com, you can add the
following line to
By doing this, all traffic to your Nextcloud will go through the local network directly. The network performance will often be much better, and we recommend setting this up when trying to transfer big chunks of data. This also enables you to visit your HomeDrive at home even when your home temporarily loses Internet access.
We are working on a better user interface and a built-in DNS proxy service to make users easier to set this up.
Receiving HomeDrive updates requires a valid endpoint credential, and the updates are fetched from trusted sources over HTTPS.
That said, users do need to trust HomeDrive's update service to curate good software updates.
We plan to (and are working on) open source all software that runs on users' HomeDrive devices in the near future, so that users can audit the source code and even build all the endpoint software by their own.
You can manually verify the signature of the HTTPS certificates. The HTTPS
certificates can be found in the
autocert directory of the
container, and are provisioned and refreshed by Letsencrypt. You can list
the certificates via the following command.
docker exec -ti doorway.homedrv ls /prod/autocert
These certificates never leaves the hosting machine, and are critical to the HomeDrive's security, so please keep them secret (and do not copy the contents out).
We are working on building better user interfaces for easier certificate verification.
Not at the moment. We are working on implementing this feature.
It is not encrypted at the moment. Anti-theft protection often requires a TPM (Trusted Platform Module), and it is not available on the hardware that HomeDrive uses now. We are actively evaluating other hardware options. Please feel free to tell us your requirements via the hardware survey if you need Anti-theft protection.
Not on the hardware we are selling. Intel NUC 7 only has one drive slot for storage, so RAID is not feasible without additional external drives. We are evaluating the possibility to support other types of hardware.
That said, you can use HomeDrive on your own custom hardware that has RAID.
Not at this point. We are working on implementing it.
Not at this point. We are working on implementing the feature.