KVM/XEN Privacy? - Page 2

Comments

  • TheLinuxBug Member
    edited April 2013

    @marcm said: @Drukpa - To answer your question: no, regardless of virtualization technology, you can't hide files from your provider. If you have sensitive private information then I recommend encryption.

    This is not true. Get a KVM instance and install Debian 6.0 (32bit or 64bit) and when installing choose to make your volume into an encrypted LVM. This will require you to put in a 21 character+ password to encrypt the volume. However, the downside to doing this is your server will not reboot automatically if there is a node restart; every time you power on the instance you will need to log in to the VNC console to type in the password for the volume before the server will boot. Once encrypted, the provider cannot mount the drive or see the data without the volume password.

    Edit: sorry @unused I didn't see you mention this above until after I posted.

    Cheers!

  • @mpkossen said: Offtopic: try htop with a solarized terminal. You're gonna love it.

    It looks nice but I miss my stats (xx/xxx mb used) :(

    http://gyazo.com/bc9a60833b9bd110f16fe00176227d96

  • yomero Member
    edited April 2013

    @taronyu said: It looks nice but I miss my stats (xx/xxx mb used) :(

    Exactly :S

    I have been trying the solarized scheme for putty, but I don't much like the background and those pink tones...

    Edit: OMG @taronyu you are running too much garbage on that vps :P

  • well @yomero I think the bigger issue is that @taronyu likes to run everything as root ;-)

  • @yomero , @TheLinuxBug Thanks, I shall give it a try. VPS not automatically rebooting should not be much of a concern for me, as long as I choose a good provider. Have two KVMs from two providers, and have been online for more than 150 days now.

    @emg said: VPS contains Ayman al-Zawahiri's future travel plans, then you can be sure they will get it.

    Haha. Don't think I'd have to worry too much then. I have nothing important for the feds.

  • taronyu Member
    edited April 2013

    @yomero said: Edit: OMG @taronyu you are running too much garbage on that vps :P

    @yomero It is only 128mb but for some reason I'm able to push more into 128mb than on my old 2G dedi.

    Radio is on it (http://f63.net)
    OpenVPN
    MySQL
    Rtorrent
    And all my other sites (low visitors though)

    @craigb said: well @yomero I think the bigger issue is that @taronyu likes to run everything as root ;-)

    @craigb Bad habit of mine, don't see how a radio or vpn could be a problem though. (YES I KNOW IT IS BAD, GO AWAY! :P) (Production servers don't have anything on root)

  • goexodus Member
    edited April 2013

    1) First you will need to encrypt your file system
    2) Never use their VNC but your own Remote Desktop tool

    During boot you will need to enter the master key and that will be your weakness. One way will be to have remote key management like BitLocker offers on Windows.

    But even then they can take RAM dumps of your system with all keys etc...

    So you can make it difficult but not impossible for them. Your only bet is lazy administrators.

  • Maounique Host Rep, Veteran

    It can be made impossible as long as you do not run anything from the encrypted area.
    If you need only to store and access remotely the files live, it is possible with almost 0 risks.
    If you wish to run apps from the encrypted area on the VPS, there is no way to defend, the memory can be read and the keys found.

  • @Maounique said: It can be made impossible as long as you do not run anything from the encrypted area. If you need only to store and access remotely the files live, it is possible with almost 0 risks. If you wish to run apps from the encrypted area on the VPS, there is no way to defend, the memory can be read and the keys found.

    If I use the encrypted LVM on a dedicated server, can the memory be read?

  • @Drukpa said: @William wanna share some of the ways it could be done? Am curious.

    Firewire for example, yes you would see it in the log but unless you monitor it by a daemon every few milliseconds the exploit kit could already rewrite the entire RAM of the machine to hide itself and any of its former activity in all logs and start copying the data.

    Other ways would include a simulated outage by the ISP and a hot copy of the RAM (shutdown server by ripping power, freeze RAM, remove, add to dump device), restore power, server boots up as usual.
    Then dump the encryption keys from the ramdump.
    IIRC US agencies have used this a few times as well as the Germans.

    And more and more possibilities...

  • Maounique Host Rep, Veteran

    @Drukpa said: If I use the encrypted LVM on a dedicated server, can the memory be read?

    The disk encryption needs to store the keys in memory for read/write, otherwise the drive won't be accessible.
    How that can be done, I think it is easier than what @William described which is suitable for a real machine, not a VM.
    You can always read its memory as long as it is running given admins have full control of the host node and can install anything that the guest will not be aware of, including something to dump the memory. After that it is fairly trivial to get the keys knowing how the encryption software works (being open source, everyone knows or can find out).

  • Efforts to virtualize the TPM (Trusted Platform Module), to extend attestation to VMs, have been around for a while; example: http://researcher.watson.ibm.com/researcher/view_project.php?id=2850

    A software TPM that emulates a hardware TPM...hmmm....need that tamperproof? Well, IBM will happily sell you an IBM PCI-X Cryptographic Coprocessor (PCIXCC) if you need greater assurance that the provider cannot access the keys.

    Not quite LEB but expect to see this gain traction in the enterprise cloud space (DRINK!)

  • Having my own server on colocation without this encryption will allow those who work there to access my data?

  • Wouldn't it be possible if you encrypt your disk and allow the login to your VM for just one IP and deny every other IP (which is of course your static ip)?

  • @jarland said:
    Openvz is definitely the easiest way for a provider to access your files, no doubt. I'm confident that most of us don't like the idea much more than you do, but the truth is we've got better things to do with our day.

    And then we have a history of providers who've even hacked into other providers' boxes. So I guess the only way if you have really sensitive stuff is to build your own server and host it yourself. Even your own desktop should be a safer place if you're paranoid about security. And disconnect the internet. And USB cards. And the Wifi. And...

  • Security can't be absolute. If a person has physical access to the system, no security measures can guarantee vital data won't be accessed.

    The only secure computer is the one turned off, disconnected from any network and with hard disks containing no information.

    Summing up, it all depends on how much an adversary wishes to access your data. When planning security measures, this should be understood very clearly.

    Personally, it's OK for me to store a file on third-party service, if the file is only decrypted locally (on a computer I can sufficiently trust) and is encrypted with technique that makes it virtually impossible to "crack" the cipher.

    Don't store, read and/or write important files on VPS/dedicated, unless you understand who you are hiding them from.

  • Pertti Member
    edited August 2013

    The problem was really to safely store source code, so I would do this:

    • install encfs locally on a trusted and protected computer

    • place the source code in the encfs directory

    • share the encrypted directory with btsync (with read-only secret) to at least 2 or 3 other computers/VPS/dedi

    Voila, instant and automated encrypted backup is ready :)
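A pre-sync guard for the last step of the procedure above, added here as an example and not part of the original post: it refuses to share a directory unless it is the encfs ciphertext directory rather than the decrypted mount point. The function names and the paths in the comments are hypothetical; the checks rely on encfs keeping its `.encfs6.xml` config in the encrypted directory and on mounted encfs views appearing as `fuse.encfs` in `/proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical layout:
#   /home/me/src.enc   encrypted backing directory (the one to sync)
#   /home/me/src       decrypted view, mounted with:
#                      encfs /home/me/src.enc /home/me/src

# is_encfs_mountpoint DIR [MOUNTS_FILE]
# Succeeds when DIR is listed as a mounted encfs (plaintext) view.
# MOUNTS_FILE defaults to /proc/mounts; if it is unreadable the check
# cannot confirm a mount and reports "not a mount point".
# Limitation: paths containing spaces are escaped in /proc/mounts (\040)
# and are not matched by this simple comparison.
is_encfs_mountpoint() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    mounts=${2:-/proc/mounts}
    [ -r "$mounts" ] || return 1
    awk -v d="$dir" '
        $2 == d && $3 == "fuse.encfs" { found = 1 }
        END { exit !found }
    ' "$mounts"
}

# safe_to_share DIR [MOUNTS_FILE]
# Returns 0 only when DIR looks like the encrypted backing directory:
# it is not a decrypted encfs view and it carries the encfs config file.
safe_to_share() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    if is_encfs_mountpoint "$1" "$2"; then
        echo "refusing: $1 is the decrypted mount point" >&2
        return 1
    fi
    [ -f "$1/.encfs6.xml" ] || {
        echo "refusing: no .encfs6.xml in $1 (not an encfs root)" >&2
        return 1
    }
    return 0
}

# Typical use before adding the folder to the sync tool:
#   safe_to_share /home/me/src.enc && echo "ok to share"
```

The synced `.encfs6.xml` contains the volume key wrapped with your password, so every remote copy is only as strong as that password.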
