Comments
@onidel does SEV
thanks for the mention mate! :-)
@buzzyLET feel free to ask me or @oloke if you have any questions.
@buzzyLET please check this thread as well.
@jfrac also started offering SEV-SNP in their @VirtFusion recently! Here's YABS.
And yes we (onidel) do support SEV-SNP, you can read our docs on it:
https://kb.onidel.com/hc/kb/articles/1771943583-sev_snp-verified-boot-and-memory-encryption
@MannDude doesn't:
https://lowendtalk.com/discussion/comment/4585769/#Comment_4585769
Well they claimed they did, but they didn't and eventually removed this statement after ~6 months.
Just curious, what's your use case for this?
We do and can, just by request and if it's worth my time to enable it.
SEV-ES is available on some hypervisors, not all. Statement removed about its availability on all only because some newly deployed ones offered to us do not support it, and it's such a low-demand request that I'm not passing on hardware to accommodate less than 1% of users.
If someone wants it, they can generally have it. Can just be moved to where it's supported. No cool on/off toggle like you, though. Still enabled manually.
Do you have it on any of your SE nodes?
Beware though, it's not flawless: https://tee.fail.
In a hosting scenario, if a VM is compromised, it could peek into another VM's memory and steal your data, but if encrypted memory exists, it just gets rubbish bits.
In order for that to be fully effective, you also need to use FDE with an authenticated cipher and perform remote attestation. Simply turning on AMD SEV-SNP is nice and helps protect against a simple memory dump or "casual" snooping with Volatility, but it's not enough on its own.
Of course, with physical access, the security guarantees are significantly weakened.
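Before relying on a provider's "we support SEV-SNP" claim, a tenant can check what the guest kernel itself reports. The script below is an added illustration, not code from this thread or from any provider named in it; it assumes a Linux guest with the `msr` module loaded and root access for the MSR read, and uses the MSR address and bit positions from the Linux header msr-index.h. It only shows which features are active, not a remote attestation, which needs the report from /dev/sev-guest.

```python
"""Check from inside a Linux guest whether AMD SEV / SEV-ES / SEV-SNP is active.

Added illustration; not code from the thread or from any provider named in it.
Assumes a Linux guest with the `msr` module loaded (root is needed to read
/dev/cpu/0/msr). Constants are taken from the Linux header msr-index.h.
"""
import os
import struct
import subprocess

MSR_AMD64_SEV = 0xC0010131                         # MSR exposed to SEV guests
SEV_BITS = {"sev": 0, "sev_es": 1, "sev_snp": 2}   # bit positions in that MSR


def decode_sev_msr(value: int) -> dict:
    """Map the raw MSR_AMD64_SEV value to the features the guest runs with."""
    return {name: bool((value >> bit) & 1) for name, bit in SEV_BITS.items()}


def parse_dmesg(text: str) -> set:
    """Extract the feature list the kernel prints at boot, e.g.
    'Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP'."""
    for line in text.splitlines():
        if "Memory Encryption Features active:" in line:
            tail = line.split("active:", 1)[1]
            return {tok for tok in tail.split() if tok.startswith("SEV")}
    return set()


def read_sev_msr(cpu: int = 0) -> int:
    """Read the raw MSR via /dev/cpu/N/msr (seek to the MSR address, read 8 bytes)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(MSR_AMD64_SEV)
        return struct.unpack("<Q", f.read(8))[0]


def guest_report() -> dict:
    """Combine the three independent signals a guest has available."""
    report = {"sev_guest_device": os.path.exists("/dev/sev-guest")}
    try:
        report.update(decode_sev_msr(read_sev_msr()))
    except OSError as exc:            # not AMD, msr module missing, or not root
        report["msr_error"] = str(exc)
    try:
        out = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
        report["dmesg"] = sorted(parse_dmesg(out))
    except OSError as exc:
        report["dmesg_error"] = str(exc)
    return report


if __name__ == "__main__":
    for key, val in guest_report().items():
        print(f"{key}: {val}")
```

If the MSR shows sev but not sev_snp, the guest has plain SEV memory encryption only, without the integrity and attestation properties that SNP adds.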
Usually those who go the extra mile for encrypted RAM do not encrypt storage. And LET providers love to snoop!
Will this affect performance?
Not much.
https://kb.onidel.com/hc/kb/articles/1771943583-sev_snp-verified-boot-and-memory-encryption#performance-benchmarks
Orbital datacenter when?
Sounds to me more like a health issue, like paranoia, than a true use case! Why not encrypt all data on the VPS?
Many reasons; a big one is run-time variables saved only in RAM, e.g. credentials to AWS S3 or databases.
It's worth noting large hyperscalers like Azure, GCP, AWS and even Oracle already support SEV-SNP for some time and people somehow still buy from them. So I don't think it's just paranoia - unless I'm missing something.
For the 2nd part - I definitely agree. RAM encryption without encrypted data at rest makes little sense. In my view, it's best (and perhaps more important) to encrypt the drive first, then consider working memory encryption.
However, for SEV-SNP in particular there's an argument it can also be used to verify boot integrity; memory encryption comes as a bonus.
Low End Orbit