
Low-spec VPS encryption at rest

Who offers encrypted block storage (whether add-on block storage or even better the default root filesystem too)?

I'm looking for that in the context of a cheap VPS with an established provider on which I can set up docker or run a custom VM image - cheap meaning, I guess, ca. $5/month including compute, bandwidth and public IP, but excluding DNS. "Established" doesn't have to mean "big" like the companies I listed below, just anybody who, as far as I can see, seems to have a decent reputation.

Ideally Europe located but e.g. US is OK.

I see block storage encryption at rest as a defence against fellow tenants (other VPS users) using the same physical hardware later reading data (e.g. database files). I have no desire to hand-roll this feature with LUKS or similar.

My own little list so far, from what I've been able to tell (corrections welcome, and apologies if I'm posting this list in the wrong place):

Hetzner: no [1]

OVH: no [1]

Vultr: yes
https://docs.vultr.com/products/cloud-storage/block-storage/provisioning

Vultr Block Storage volumes support up to 10 TB of data encrypted with Advanced Encryption Standard (AES-256).

Digitalocean: yes
https://docs.digitalocean.com/products/volumes/details/features/

Volumes are encrypted with LUKS (Linux Unified Key Setup). The entire storage cluster is encrypted, so snapshots of volumes are also encrypted at rest.

[1] doesn't offer it as far as I can tell, but I couldn't find an explicit statement

Thanked by 1WyvernCo

Comments

  • Why? You can just use the VNC KVM most offer to install whatever OS you want on top of LUKS or ZFS encryption.

  • resting Member
    edited February 8

    Because then I have to spend extra effort on deployment automation, which I'd like to minimize (I've done enough manual deployment). It also creates the problem of boot needing manual intervention, which doesn't arise if the VPS provider does the job. There are systems designed to serve decryption keys at boot, but that creates whole new problems.

    Thanked by 1davide
  • @resting said:
    Because then I have to spend extra effort on deployment automation, which I'd like to minimize (I've done enough manual deployment). It also creates the problem of boot needing manual intervention, which doesn't arise if the VPS provider does the job. There are systems designed to serve decryption keys at boot, but that creates whole new problems.

    Oh yeah, I manually formatted ZFS on one of my VPSs; it would be a pain to restore this setup.

  • @resting said:

    Because then I have to spend extra effort on deployment automation, which I'd like to minimize (I've done enough manual deployment). It also creates the problem of boot needing manual intervention, which doesn't arise if the VPS provider does the job. There are systems designed to serve decryption keys at boot, but that creates whole new problems.

    If your threat model is accidental storage reuse, LUKS with NBDE (one line to install a tang server, exposed via CF or TS) is not that bad. You only need to set up your automation script once, and it works with any provider with console access. This already beats many CMEK solutions in high-end cloud providers.

    OTOH, I do hope providers do this by default per tenant as a table stake feature.

    Thanked by 1MikeA
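An added example (not from this thread or any poster) of the one-time automation script mentioned above: it binds an existing LUKS volume to a tang server with clevis so later boots unlock without console interaction, while keeping the original passphrase as a fallback keyslot. Assumed: Debian/Ubuntu package names, a LUKS device such as /dev/vda3, a key file holding the existing passphrase, and a tang URL reachable at boot.

```shell
#!/bin/sh
# Added example: bind a LUKS volume to a tang server (NBDE) with clevis.
# Assumes Debian/Ubuntu (clevis-initramfs, update-initramfs); on Fedora the
# equivalents are clevis-dracut and dracut -f.
set -eu

# Build the clevis tang pin configuration. Pinning the server's signing-key
# thumbprint (thp) makes the bind non-interactive and stops an impostor tang
# from being trusted on first use; without it clevis asks you to confirm.
tang_pin_config() {
    url=$1; thp=${2:-}
    if [ -n "$thp" ]; then
        printf '{"url":"%s","thp":"%s"}' "$url" "$thp"
    else
        printf '{"url":"%s"}' "$url"
    fi
}

# Only hand http(s) URLs to clevis; anything else is a typo or a mistake.
valid_tang_url() {
    case $1 in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# nbde_setup DEVICE TANG_URL KEYFILE [THUMBPRINT]
# KEYFILE contains the existing LUKS passphrase so the bind needs no prompt.
nbde_setup() {
    dev=$1; url=$2; keyfile=$3; thp=${4:-}
    valid_tang_url "$url" || { echo "bad tang url: $url" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev is not LUKS" >&2; return 1; }
    apt-get install -y clevis clevis-luks clevis-initramfs
    # Adds a clevis keyslot; the passphrase slot stays for manual fallback.
    clevis luks bind -d "$dev" -k "$keyfile" tang "$(tang_pin_config "$url" "$thp")"
    update-initramfs -u            # let early boot reach tang and unlock
    clevis luks list -d "$dev"     # show the binding that was just created
}

# Only act when invoked with arguments, e.g.:
#   sh nbde-setup.sh /dev/vda3 https://tang.example.net /root/luks.key
if [ $# -ge 3 ]; then nbde_setup "$@"; fi
```

Run it once over the provider's console after installing the OS; the tang server (and any tunnel in front of it) only needs to be reachable while the VPS is booting.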
  • But then I need a place somewhere else to run tang right? And mess about with some sort of virtual networking?

    Agree re table stakes.

  • @resting said:
    But then I need a place somewhere else to run tang right? And mess about with some sort of virtual networking?

    You can run it on your laptop (or a VM inside your laptop) and expose it via CF tunnel or TS funnel while the VPSes boot. The tang server and/or CF tunnel doesn't need to be up all the time. Everything can be done with a few clicks or a simple script with some API calls, for free!

    Thanked by 1resting