New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
[Help] General security advice for file server on VPS
Hi - I was wondering whether anyone had any advice for a file server on VPS. I know it's impossible to have 100% security because they have hardware access, but what advice do you have to make it difficult enough to host your own files (say, passport photos and backup keys etc.).
I was thinking dm-crypt, but I'm not sure if even that is secure?
Comments
Might be better to just host it on a ultra low end dedi
DM-Crypt is secure (as is Truecrypt and for most usage cases even Apples/Microsofts encryption, unless you piss off the CIA/NSA/$3letteragency) - On a VPS it makes no sense though, on OVZ you can't mount it (easily) and on KVM/Xen i just run "virsh dump --memory-only" or "virsh save" and then have all time of the world to extract your private keys/encryption keys from the RAM.
If you are concerned run it on a dedicated server, if you are paranoid run it on a colo server and glue the RAM in, disable Firewire/Thunderbolt and glue the PCIe slots shut (as you can get memory dump via DMA on this interfaces).
If the container is mounted locally, that is, if remote, no dice, it will act like a block device and memory of the storage server or the packets exchanged will contain no key, even on a non-encrypted connection. Only his devices will know the keys.
How to do it:
-Export some space (iSCSI my favourite, but NFS, CIFs work too, depends on your requirements and backup copies you have);
-Mount the space on your computer and create an encrypted container on your computer to store it there only. Then you can mount it on anything that supports the method (CIFS works on everything, albeit is a bit less secure) and encryption/decryption tool;
-Make sure you never mount it on any remote server and you unmount on your devices as soon as you no longer need it.
That's about it.
What?
You should be aware that this is no different for a dedicated server in a datacenter. A rogue device into a DMA-capable port (eg. PCI, Firewire, ...) and somebody can happily dump your memory.
Yeah, and, I am sure that, if someone went through the trouble of getting a warrant, raid the facility, etc, will not be deterred by some glue, there are good solvents, for example, some even nonconducting, not to mention it can be done simply by connecting to some soldering points on the MB.
This thread takes the security paranoia to whole new level.
http://www.urbandictionary.com/define.php?term=Three-letter+Agencies - NSA; DOD; CIA; FBI etc.
eh, show me a modern MB with a pinout/header for RAM or any DMA port except Firewire/Thunderbolt (which both can be disabled in BIOS) - Modern PCBs are 4layer+ and have no pins on the bottom anymore either. Further you'd need to remove the mobo to get there (which is next to impossible without shutdown, due to weight and cabling and you'll likely short it) unlike with a PCIe port that is accesible from top easily.
Solvent will also not really help you, the glue will then run into the slot and make it very hard still to access any pin outs. You could also glue in some shitty PCIe cards (SATA or USB controllers for example) instead, then this is not possible at all anymore.
There is no 100% security but this would make it extremely hard, up to "almost impossible".
Yep, i totally didnt work 5 years for various datacenters and VPS providers and ran my own for 3 years, nope, i clearly have no idea
What about you shut up, the logout button is up there somewhere ^^^
on the other hand $7agency = LEB/LET
I know how to keep your data secure!
Go to your local electronic parts store, buy a few switches, tape it on your server and voila!
You now have 1 byte of 100% secure storage!
LOL... does that even exist?
yea lots of people doing rpi hosting and colos. pricing on atoms can be as low as some vps
Still, if someone really wanted that data, they could go to the DC and steal the SSD/HDDs
On the side note, it would still be safer to use a safe with your data written on paper.
They've got security guards there. Better to just go to the guy's house and force it out of him.
Did I do OK?