Not trusting the provider of dedicated machines

Comments

  • @kevinds said: That is why I mentioned needing to go to the datacentre to enter the password to unlock the drive..

    Separate virtual luks volume for sensitive data + ipsec + ssh to mount it manually?

  • kevinds Member, LIR

    @egoror said:
    Separate virtual luks volume for sensitive data + ipsec + ssh to mount it manually?

    But the keys are exposed at rest for the initially booted OS.

  • khadhafi1083 Member
    edited October 2024

    Hmm...

  • @kevinds said:

    @allnetstore said:
    Full disk encryption protects against 'normal' threats, unless you are dealing with attackers with direct physical access to the RAMs.

    That is why I mentioned needing to go to the datacentre to enter the password to unlock the drive.. There is no safe way to do it remotely, I've tried to think of a way it could be done, but haven't come up with anything yet..

    Newer systems encrypt the RAM too. :)

    For luks, there is https://recompile.se/mandos so you don't have to be at datacenter. But then you may want to worry about MITM, ip hijacking, etc. etc.

  • kevinds Member, LIR

    @allnetstore said:
    For luks, there is https://recompile.se/mandos so you don't have to be at datacenter. But then you may want to worry about MITM, ip hijacking, etc. etc.

    That is exactly my point.. If an adversary has physical access they can mount the decrypted part and copy your keys to MITM your decryption, which is one of the reasons your server would be encrypted in the first place. One could also use IPMI to unlock the system, the same applies, tap the USB communication between the IPMI and server.

    I'm hoping for a truly secure way to unlock the system but I haven't thought of a way yet..
