Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


VPS providers, do you encrypt disks behind your kvm servers?
New on LowEndTalk? Please Register and read our Community Rules.

VPS providers, do you encrypt disks behind your kvm servers?

Hello all,

i've read a sad little story regarding Scaleway, they lost a SSD that was sold on "Leboncoin", a CraigList like website. A Youtuber found it and tried to find some contents, he identified the name of Scaleway. Scaleway did a communication about it. With a friend we are talking about responsabilities and how this could be handled so, we have a question.

As a VPS provider, you probably host or rent some dedicated. Do you encrypt disks on host side? Does this encryption can prevent a stollen disk to reveal its datas? If you don't do that, can you tell me if you have the choice or if it's not possible?

I understand that as a customer it's my responsabilities to encrypt my datas, even if my provider do it for me.

Thanks a lot for your feedbacks and informations, i'm really curious now ^^.

Thanked by 1AlwaysSkint

Comments

  • MarcoooMarcooo Member, Provider

    We use self encryption ssds if you lose the password you can trashcan them.

    Thanked by 1o_be_one
  • yoursunnyyoursunny Member, IPv6 Advocate

    Oracle Cloud always encrypted their disks, as well as iSCSI connection between compute VM and storage.
    User has some control over the encryption key, but the encryption key is stored somewhere in Oracle Cloud, so that it wouldn't help if the whole cloud infrastructure is compromised.

  • Not a provider but all my KVMs have LUKS encrypted root partitions. Doesn't prevent the provider from yoinking the encryption key from memory when running but it does protect data-at-rest as in cases like this.

    Thanked by 1o_be_one
  • Elsewhere Windscribe VPN weren't using disk encryption on some of their servers.

    Source: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/

    Thanked by 1o_be_one
  • Daniel15Daniel15 Member
    edited July 27

    @yoursunny said: but the encryption key is stored somewhere in Oracle Cloud

    My guess would be that the encryption key is stored securely in a TPM somewhere. Most large providers store encryption keys in some way that makes them very very difficult to exfiltrate.

    Thanked by 1yoursunny
  • aquaaqua Member, Provider

    I believe it can slow read/write speeds, and some providers choose to leave them not encrypted to prevent it

    Thanked by 1o_be_one
  • Daniel15Daniel15 Member

    @aqua said:
    I believe it can slow read/write speeds, and some providers choose to leave them not encrypted to prevent it

    It's definitely slower than regular speeds, but it shouldn't be too slow if the CPU supports AES-NI. Most CPUs in use today should support it.

    Thanked by 2o_be_one maverickp
  • o_be_oneo_be_one Member

    I'm curious about @Francisco and @seriesn and @VirMach and @MikeA and @MikePT and @ViridWeb and @dustinc answers as well, as they are known and experienced providers here also ^^.

    Thanked by 3that_guy MikePT IamMad
  • AlwaysSkintAlwaysSkint Member
    edited July 27

    @o_be_one said: .. encrypt my datas.
    .. and informations, i'm really curious now

    (You are indeed. :D )
    There are no plurals.

    Doing useless pushing things in on..

    Also see my sig. ;)

    Thanked by 1o_be_one
  • FranciscoFrancisco Top Provider

    @o_be_one said:
    I'm curious about @Francisco and @seriesn and @VirMach and @MikeA and @MikePT and @ViridWeb and @dustinc answers as well, as they are known and experienced providers here also ^^.

    No, if a user wants to they can do their own cryptoluks. It's a performance hit that the majority of our users wouldn't care for.

    We do zero out user data at cancellation time though.

    Francisco

  • VirMachVirMach Member, Provider, Top Provider

    @o_be_one said:
    I'm curious about @Francisco and @seriesn and @VirMach and @MikeA and @MikePT and @ViridWeb and @dustinc answers as well, as they are known and experienced providers here also ^^.

    We do not encrypt data. We thought about it for the new hardware we're doing but decided against it there too. We did set something up with SolusVM where at some point after cancellation the LVM is nuked to some degree in a write-intensive operation. I don't remember the details very well, it was set up a while ago, I didn't handle it personally, and I am not sure how well it works, but from my understanding this would result in the data actually being physically overwritten versus pretend deleted.

    We initially enabled this to deal with a SolusVM bug that otherwise appeared. I'm paraphrasing very hard on this... I think SolusVM basically would think that the data is still written and/or thought the LVM didn't create properly.

    Data may still linger in the form of a disaster recovery backup.

    Thanked by 2AlwaysSkint o_be_one
  • HxxxHxxx Member

    Always encrypt your drive. KVM or DEDI. Doesn't matter. Is only your responsibility as the customer, not the provider.

    Thanked by 1o_be_one
  • For those who encrypt their disks, how do you handle entering the decryption password without manual intervention? I'm OK if it's for 1 disk, but I cannot imagine doing it at scale.

    Thanked by 1o_be_one
  • FranciscoFrancisco Top Provider

    @quicksilver03 said:
    For those who encrypt their disks, how do you handle entering the decryption password without manual intervention? I'm OK if it's for 1 disk, but I cannot imagine doing it at scale.

    ...that's the point you should always be doing it manually.

    Francisco

    Thanked by 3Hxxx MannDude o_be_one
  • ViridWebViridWeb Member, Provider

    @o_be_one said:
    I'm curious about @Francisco and @seriesn and @VirMach and @MikeA and @MikePT and @ViridWeb and @dustinc answers as well, as they are known and experienced providers here also ^^.

    No we don't do that by default.

    Thanked by 1o_be_one
  • dedicatserver_rodedicatserver_ro Member, Provider
    edited July 27

    no big cloud provider encodes the disks, except for customers who explicitly request such a service most for dedicated servers ( or VM with dedicated storage ).
    It's also nonsense when using distributed storage!! the disk of each VM is actually the sum of many crunches on different disks in different storage ;) - without metadata table the disk are not readable

    We use for cloud :

    • 2 x SSD RAID 1 for OS + Opennebula on each compute node or OS + storage hypervisor for distributed storages + 512 GB NVMe for metadata - ( only on this SSD can man read the data )
    • Disstributed storage NVMe-oF - cluster 4 node, each node 6 NVMe ( total 24 NVMe )
    • Distributed storage SSD - BeeGFS - cluster 8 node, each node 4 SSD ( total 24 SSD )
    • Backup distributet storage - 2 node HA + 1 JBOD 102 HDD
    Thanked by 1o_be_one
  • dustincdustinc Member, Top Provider

    Hi @o_be_one -- by default, no - though I have noticed some customers choose to install their own OS from ISO and/or encrypt it themselves after the VPS is provisioned.

    Additionally, upon decommissioning any drive physically from production should we ever need to, we do securely wipe/zero out the drive(s). For our bare metal/dedicated servers, should a customer ever consolidate or cancel one - we use dban before repurposing it for another end-user.

    Thanked by 2AlwaysSkint o_be_one
  • Encouraging assurances from some of the providers. B)

  • MikePTMikePT Member, Provider

    @o_be_one said:
    I'm curious about @Francisco and @seriesn and @VirMach and @MikeA and @MikePT and @ViridWeb and @dustinc answers as well, as they are known and experienced providers here also ^^.

    Disk encryption is great, we just don't use it for our shared/reseller hosting servers. There's always a way to get in. Granted, it's a preventive way to avoid that.

    For the companies we provide NOC Services / Ticket Support to, I don't know exactly how many VPS/Dedicated Customers encrypt their disks, but I'd say it's pretty rare to be honest.

    Thanked by 1o_be_one
  • MikeAMikeA Member, Provider

    no? pay for a managed service and request it.

  • tomazutomazu Member, Provider

    Encrypting the disks still causes a performance hit, but of course customers can encrypt their disk on VPS and/or during server (re-)installation.

    We use encrypted connections between data centers e. g. for migrations and backups etc. and of course we securely erase disks.

    Thanked by 1o_be_one
Sign In or Register to comment.