VPS encryption

hperrin , 1 hour ago

Ultimately, you can’t. Even if everything you’re doing is encrypted, they have access to the RAM that’s holding your encryption keys.

Bitrot , 3 hours ago

Encrypt them before they’re ever put there. One example I can think of is in resilio sync, which has the option for sharing a folder to an encrypted peer. Other peers encrypt it before sending anything, that peer doesn’t have the decryption keys at all.

nobleshift , 3 hours ago

A hacker group in Seattle (GHI) years ago attempted to build secure systems on top of compromised hardware. Although different levels of security could be achieved, the overall outcome was No. You cannot build a fully secured system on top of compromised hardware.

A VPS for this exercise counts as ‘compromised’ hardware.

NegativeLookBehind , 3 hours ago

LUKS

VPN

Encrypt sensitive files

boredsquirrel , 2 hours ago

So how do you decrypt the LUKS vault when you have no sshd running as that thing is not up yet?

NegativeLookBehind , 2 hours ago

Do VPSs typical give you LOM? Honest question. Maybe LUKs isn’t good if you can’t console in.

Zikeji , 2 hours ago

LUKS, or anything that relies on the server encrypting, is highly vulnerable (see [email protected]’s response).

Your best bet would be encrypting client side before it arrives on the server using a solution like rclone, restic, borg, etc.

boredsquirrel , 1 hour ago

Yes. No proof their LUKS prompt isnt tampered with

fuzzy_feeling , 1 hour ago

you can but an ssh server in your initramfs.
dropbear-initramfs i guess was the name in debian.

boredsquirrel , 1 hour ago (edited 1 hour ago)

Pretty cool!

Android and ChromeOS both also just use fuse for userspace (and user-files) encryption. This could totally be used too.

But of course, if something is not on your RAM it is not safe