[dm-crypt] General question: Encryption on virtual servers (VPS/Vserver)

Arno Wagner arno at wagner.name
Tue Feb 21 14:59:48 CET 2017


On Tue, Feb 21, 2017 at 14:42:51 CET, michaelof at rocketmail.com wrote:
> 
> Dear list members,
> 
> 
> as a newbie I've read the detailed FAQ at
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
> and was deeply impressed by the carefulness of the author about the
> highly political various perilous aspects of encryption.  Great job, thank
> you!!!

Thank you. It is nice to have one's work appreciated.
 
> My intention for a usage of LUKS / cryptsetup is less political, but
> privacy.  To get control back for my private data, I'm running a Vserver
> with a complete mail server setup (postfix, dovecot, ...) plus owncloud
> and a couple of other free software.
> 
> My questions here are of a more general nature, hopefully not be seen as
> off-topic by the valued list members:
> 
> As my Vserver is hardened against potential outside attacks as much as
> I've been able to, it's currently completely unprotected against
> "internal" attacks.  Means that anyone from the hosting company e.g. 
> could clone this Vserver or copy the unencrypted virtual disks, even
> without my knowledge, and access all data on it.
> 
> Of course I trust this hosting company, otherwise I wouldn't have chosen
> them.  But I would like to "solve" this generic issue, if possible,
> independent of a specific company.
> 
> In the German IT journal "c't" I've found an interesting article about
> encrypting a home server against data theft, if the home server gets
> physically stolen.  Could easily be done by encrypting the whole disk(s),
> sure.  But imho a very nice idea of this article was a LXC container based
> setup.  A non-encrypted base setup with more or less only sshd, and an
> encrypted container for anything else.  Nice idea, because this setup is
> able to "survive" a reboot after power-loss, sending an email to the
> server-owner, notifying him to ssh-login and restart the inner container =
> entering the decryption password(s).
> 
> Having read this article, I've started to think about if this scenario
> wouldn't also be perfectly suitable for my Vserver requirements.
> 
> But when asking the author of this article about some small questions
> left, he stated his personal opinion that any encryption on an externally
> hosted vserver/VPS would be a waste of time.  Because the decryption
> passwords to be entered at boot time would be stored in the memory of the
> virtual machine (all is KVM based at this company), they could easily be
> read from memory, in case of a "real" attack.
> 
> Coming to the point: As this sounds reasonable, is there any chance to
> circumvent this issue?

What I personally do is much simpler than the c't solution: I just 
have an additional data partition with LUKS for critical data.
The whole base-system with everything is non-encrypted. That way
I have a fully functional Linux system on reboot, but just no
access to any confidential data. 

My rationale is that an attacker with physical access can always 
do what they want. An initrd that decrypts the root partition
makes it a bit harder, but not that much. The attacker simply needs
to first compromise the initrd, or he can directly compromise
the kernel image. That is not even very hard, just find an exploit
with sample code, and undo the patches done to the kernel to make
it not work.

As to the vserver, I am afraid nothing can be done against a 
malicious hosting provider. They can do everything and that 
includes root-logins you never see and querying of the LUKS 
master key that you also never see (see FAQ Item 6.10 for a
bit of background). They can also just crash your vserver 
and listen to the password as you type it in to get it up 
again. Countless other possibilities exist.

I do agree that it would be really useful to have VMs in
"secure containers" that are secure against the owner and
operator of the hardware, but that is not happening anytime
soon, if ever.

Regards,
Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
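The setup the reply describes (plain, bootable base system plus a LUKS data volume that is only unlocked by hand over ssh after a reboot), as an added shell example that is not part of this thread. The device /dev/vdb1, the mapping name "data" and the mount point /srv/data are assumed placeholders; the check function flags a crypttab line that would defeat the setup by keeping a key file on the unencrypted disk or by unlocking automatically.

```shell
#!/bin/sh
# Added example: unencrypted base system + LUKS data volume that is NOT
# opened at boot, so the VPS comes back up after a power loss and the
# owner unlocks the data by hand over ssh. Names below are placeholders.
DATA_DEV="/dev/vdb1"
DATA_NAME="data"
DATA_MNT="/srv/data"

# /etc/crypttab line: "none" = no key file on the plain base disk (the
# passphrase is typed at unlock time); noauto = do not open at boot.
crypttab_entry() {
    printf '%s %s none luks,noauto\n' "$DATA_NAME" "$DATA_DEV"
}

# /etc/fstab line: noauto/nofail so boot does not block on the locked volume.
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 noauto,nofail 0 2\n' "$DATA_NAME" "$DATA_MNT"
}

# Check an existing crypttab line (name device keyfile options): returns 0
# only if there is no key file (third field none or -) and the entry is
# not opened automatically. A key file on the unencrypted base disk would
# hand the data to anyone who copies the virtual disk.
crypttab_line_ok() {
    set -- $1
    [ $# -ge 4 ] || return 1
    case "$3" in none|-) ;; *) return 1 ;; esac
    case ",$4," in *,noauto,*) return 0 ;; *) return 1 ;; esac
}

# Manual unlock after a reboot (as root over ssh; prompts for the passphrase;
# mount relies on the fstab line above being installed).
unlock_data() {
    cryptsetup open "$DATA_DEV" "$DATA_NAME" && mount "$DATA_MNT"
}

# Lock again before planned downtime so the key leaves kernel memory.
lock_data() {
    umount "$DATA_MNT" && cryptsetup close "$DATA_NAME"
}
```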

