[dm-crypt] General question: Encryption on virtual servers (VPS/Vserver)

Michael Kjörling michael at kjorling.se
Tue Feb 21 15:13:47 CET 2017


On 21 Feb 2017 14:42 +0100, from michaelof at rocketmail.com:
> But when asking the author of this article about some small
> questions left, he stated his personal opinion that any encryption
> on an externally hosted vserver/VPS would be a waste of time.
> Because the to be entered at boot time decryption passwords would
> be stored in memory of the virtual machine (all is KVM based at this
> company), they could easily be read from memory, in case of a "real"
> attack.
> 
> Coming to the point: As this sounds reasonable, is there any chance
> to circumvent this issue?

That post was a whole lot of text to ask "is there any way to protect
data on a VPS guest against an attacker with full hypervisor access?".

Basically, the answer to that is _no_.

If the attacker has hypervisor access, they can snapshot the VM's RAM
right along with the storage. Because the data encryption key is
necessarily in RAM, the rest is simply a matter of going through the
data structures in kernel memory to locate the key material. Nothing
running inside the VM will know it ever happened.

For the purposes of the above, CPU registers can be treated as
identical to RAM.

There has been some discussion on methods of encryption without
exposing the key, but IIRC that's more about restricting exposure to
the _guest_, not the _hypervisor_. That has some value, but does not
against the threat model you describe. And I'm pretty sure not even
that is widely implemented anywhere.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)