How would you protect files of a VPS (Virtual Private Server) from snooping by the service provider?

1 point

Not a technical answer, but can't you just do full disk encryption and put the password in manually at every single boot?

It seems very unlikely that a reputable hosting company would snoop even in that case

If we’re talking about 3 letter agencies, for the dedicated servers they’ll directly seize the disks…

4 points

The only real option is to encrypt them before putting them on the VPS, but at that point a VPS is pretty useless.

6 points

Syncthing has a concept of untrusted node, which only gets to store files, not see them

1 point

Interesting, I didn’t know about that.

https://docs.syncthing.net/users/untrusted.html

5 points

I’ve done a lot of thinking about this over the years.

Ultimately the answer is you cannot, at least with certainty. If you don’t own the host, you cannot trust anything that runs on the machine.

A few people have said similar, and that for me is the right answer here. I’ll expand on how I used to run my servers, but eventually decided it wasn’t worth the effort.

Having said that, there are some things you can do to protect yourself, although it depends on how much you care about your data vs. how much effort you want to put in.

For example, you can disguise your data on disk, by creating an encrypted file on Linux that you mount as a filesystem. Everything you care about runs from there. The ideal solution is you have an encryption key that you store somewhere trusted, that you use to decrypt the volume.

But then of course you have to insert that key each time your machine reboots, such as a kernel update.

You also have to manage and protect that key yourself, otherwise 💥 your data is gone.

Another thing to consider is whether your key is in memory or on disk at any time. You need to decrypt the disk without the key ending up on the machine. I passed it over SSH, and I assume the LUKS folks know what they're doing about disguising the key in memory, but I don't know for certain. I never looked.

My expectation was that I was doing something outside the norms of how these tools were designed to function, so expect unexpected results.

This isn’t to say you cannot trust any provider, it really depends how much you want to trust them.

2 points

Clevis and Tang but even that can only really do so much.

Just encrypt storage on-site
