NegativeLookBehind ,

LUKS

VPN

Encrypt sensitive files

boredsquirrel ,

So how do you decrypt the LUKS vault when you have no sshd running as that thing is not up yet?

NegativeLookBehind ,

Do VPSs typically give you LOM? Honest question. Maybe LUKS isn’t good if you can’t console in.

Zikeji ,

LUKS, or anything that relies on the server encrypting, is highly vulnerable (see [email protected]’s response).

Your best bet would be encrypting client side before it arrives on the server using a solution like rclone, restic, borg, etc.

boredsquirrel ,

Yes. No proof their LUKS prompt isn’t tampered with.

fuzzy_feeling ,

You can put an SSH server in your initramfs.
dropbear-initramfs, I guess, was the name in Debian.

boredsquirrel , (edited )

Pretty cool!

Android and ChromeOS both also just use fuse for userspace (and user-files) encryption. This could totally be used too.

But of course, if something is not on your RAM it is not safe

JubilantJaguar ,

Another option: encrypt a sparse file rather than a disk volume. Mount the file to local filesystem and open and close it there.

possiblylinux127 ,

That only works if the decryption is happening on hardware you control. You cannot trust any part of the VPS, including the memory and CPU.

nobleshift ,

A hacker group in Seattle (GHI) years ago attempted to build secure systems on top of compromised hardware. Although different levels of security could be achieved, the overall outcome was No. You cannot build a fully secured system on top of compromised hardware.

A VPS for this exercise counts as ‘compromised’ hardware.

possiblylinux127 , (edited )

Intel is pushing their “encrypted enclave” which supposedly protects the host from being able to read or write guest memory. However, I have serious doubts as it is a black box system. It also is very problematic when a security issue (or backdoor) is found as your data is basically exposed.

Ultimately you are right about this which is sad. I wonder if at some point there could be a zero knowledge cache for https. Maybe double encrypt it and have the client decrypt it fully.

Bitrot ,

Encrypt them before they’re ever put there. One example I can think of is in resilio sync, which has the option for sharing a folder to an encrypted peer. Other peers encrypt it before sending anything, that peer doesn’t have the decryption keys at all.

hperrin ,

Ultimately, you can’t. Even if everything you’re doing is encrypted, they have access to the RAM that’s holding your encryption keys.

notabot ,

It depends what you want to do with it. If it’s just for storing files/backups then encrypt them before uploading and make sure the key never goes anywhere near the VPS. If it’s for serving up something like a simple website, you probably care more about data integrity than exfiltration, so make sure you have the security, including selinux or equivalent, locked down, and regularly run integrity checks. If it’s for running something interactive, or where data will be generated or downloaded to the machine, you’re out of luck, there’s no even theoretical way of securing that against an adversary with that much access.
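
An added example, not part of the thread or any poster's code: one way to run the integrity checks suggested above for a served site. It assumes the check runs on a machine you control, against a copy of the site fetched from the VPS, with the HMAC key never stored on the VPS; the function names are hypothetical.

```python
import hashlib
import hmac
import json
from pathlib import Path


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def sign_manifest(digests, key):
    """Serialize the manifest and attach an HMAC-SHA256 tag.

    The key stays on the trusted machine (assumption), so the signed
    manifest can be stored anywhere, including next to the site itself.
    """
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_tree(signed, key, fetched_root):
    """Check a copy fetched from the VPS against the signed manifest.

    Returns (modified, missing, unexpected) as sorted lists of paths.
    Raises ValueError if the manifest itself fails authentication.
    """
    body = signed["body"]
    good_tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good_tag, signed["tag"]):
        raise ValueError("manifest tag mismatch: manifest was altered")
    expected = json.loads(body)
    actual = hash_tree(fetched_root)
    modified = sorted(p for p in expected
                      if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return modified, missing, unexpected
```

Build and sign the manifest from the local source tree at deploy time, then call `verify_tree` on each freshly fetched copy; any non-empty list means the served content no longer matches what was deployed.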

possiblylinux127 ,

You don’t really. Treat it as totally untrusted
