← Back to Blog

Privacy First: Why We Host Our Own Photo Cloud

February 24, 2025

Reclaiming Your Memories

We all love the convenience of modern photo backup apps. The ability to snap a picture on your phone and have it instantly searchable, sorted by face, and backed up against loss is incredible. But with the major proprietary cloud services, that convenience comes at a steep price: your privacy.

When you upload your life’s timeline to a mega-corporation, you aren't just paying for storage. Your photos are scanned, analyzed, and used to build a profile of your habits, relationships, and location history. This data is then, further used for advertising.

By moving away from Big Tech and onto our own dedicated infrastructure or your own with bring-your-own-hardware, we are radically changing who has control over your digital life. Here is how a managed Immich instance puts you back in the driver's seat.

Total Freedom from Corporate Surveillance

The biggest shift is visual. On the surface, Immich looks and acts remarkably like the other services you’re used to. It has great mobile apps, automatic backup, and powerful search.

But under the hood, everything is different.

The most critical difference is that your data stays within our your own controlled environment.

Immich uses advanced machine learning for facial recognition and object detection, but it does this locally on our server. Your photos are never sent to a third-party to be analyzed. The AI works for you, not for an advertiser. We are just using powerful software to organize our own files.

Hardening the Perimeter: Server Security

While we manage the Immich instance, we have taken extensive measures to ensure that no one else can gain access to the server or your data in transit. Your connection is encrypted (via HTTPS), and we have gone much further to secure the infrastructure:

  • Highly-Restrictive Firewall Settings: The server is protected by a strict firewall. We operate on a "default-deny" policy, meaning only the absolute necessary connections (like the HTTPS port for the Immich app) are permitted. All other entry points are digitally sealed.

  • Brute-Force Protection with Fail2Ban: The server is constantly being scanned by automated bots trying to guess passwords. We have deployed Fail2Ban, which actively monitors access logs. If an IP address attempts too many failed logins, it is automatically and aggressively banned, stopping automated attacks.

  • Hardened SSH Access: For us to perform maintenance, I need remote access (SSH). This entry point has been heavily fortified. Password-based logins are completely disabled. Access is only possible using a unique, high-security cryptographic key file.

Conclusion

Using Immich isn't just about saving a few dollars on storage. It is an act of digital autonomy. It allows us to enjoy the best parts of modern technology without surrendering control to the companies that created it. By owning the infrastructure, we finally truly own our memories again.