New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
KVM XEN OpenVZ, which one more secure (private)?
Wira_Soenaryo
Member
in General
Hello,
From these three wellknown virtualization, which one is more secure. Secure here I mean from the provider side. Does the provider can see our files or progress running inside the container from the server node?
Thanks..
Comments
Dedi.
To be safe, colocating your equipment in a trusted datacentre with security measures is technically better, but it isn't always viable in terms of pricing.
Edit: openvz = vzctl
OpenVZ any diddlewad with the ability to use CD can access your data.
With KVM and Xen, providers can access your data, although I'm willing to bet that only 2 of the providers on the front page of LEB even know how to (one for sure, I remember showing him how). Even then, it's a pain in the ass, and the only way to really do it safely is to shut down your VM, which you would notice.
With Encryption, one can dump your memory and look for constructs that look like your key. I significantly doubt ANY provider on the front page of LEB knows how to do that. I only know how to on a subset of encryption programs myself, all of which are deprecated.
So yes, providers can see your files, but for the most part, most of them are too damn stupid to figure out how, unless they're on OpenVZ.
http://rand.pw/howsecure/
I don't host a critical data, just wondering which Virtualization is more private.
So, I believe the OpenVZ is the worst one in regards of this "spy" things..
Between KVM and XEN (PV), which one is better?
Thanks..
Best explain.
They're equally the same. Xen and KVM both have the same on-disk format, they both allow the host to dump the full memory, they both have the same traditional networking setup.
All you're relying on is the provider being too stupid to do so or too reasonable to not consider doing it.
Yeah, basically this type of question gets asked at least once a month so I put that website together so I don't have to keep repeating myself.
Provider can always see your files. Get a dedi.
Thank you all..
I think this topic can be close..
OpenVZ, XEN and KVM are same. They can all get your data. Dedi too they just take your server down and mount disks
Actually, there is no need to take down anything.
True.
So, LUKS/TrueCrypt containers on KVM/XEN vps can be accessed by 'big' providers?
No... but you can kill system performance by doing that.
What do you mean by that (why only saying 'big' providers)? Provider can always try and find your keys in RAM, although this isn't trivial so they won't have an incentive to unless you have 10000 BTC on your VM or FBI/NSA is torturing the provider in black site. But professional providers that have reasonable privacy policies and adhere to them won't access your container (this follows logically since, if they accessed your container without permission, our assumption that they are adhering to their privacy policy would no longer be valid), and encrypting or not encrypting your container won't change that? (if that's what you meant by 'big')
Both are equally good. KVM is supported by default int the kernel of CentOS 6 which is majorly used in the Hosting Community.
Xen is supported with newer kernels and if you are running CentOS 6, you will need to update the kernel to a 3.x one.
Of the three, OpenVZ is the worst, in terms of security, functionality and overselling. Everytime I use it, I regret it.
The remaining two is similar. They're better than VZ and maybe you need a few more commands than what you need at OpenVZ but they can all be subject to prying eyes.
Best option is a dedicated server as all the people above say. That can also be accessed with rescue mode or plugging the disk but... Once you start being paranoid there's no way out. Someone can always see your data or watch your traffic.
Just in case, in your config files, try not using passwords that can also lead people to your other accounts.
I guess on dedicated servers is not an standard operation (dumping ram for enc keys or just surfing on user files) but i dont like suggestion about large VPS providers like (do/vultr/linode/other) can surf and maybe indexing my encrypted machines like surfing on google.com
(on abuse reports/other XXX agency i understand). And about small providers..maybe cloning VMs is an standard operation.. xD
Maybe an good discussion can be about one solutions to protect RAM on vps for attacks like this. Or maybe to protect at basic scenarios for easy dump&read..
I use LUKS containers on linux and TrueCrypt containers or system encryption on windows,How do you protect your data on VPS servers?
Unfortunately you can't. Your only option is to trust the provider and not do anything to get their (or others) attention.
Case in point, one data center that I know of would have visits from a certain government agency and law enforcement quite regularly. They would have "specialists" (I put it in quotes because the data center staff I spoke with didn't think they were really agents/LEOs) take care of the cloning and RAM dump when they didn't trust the techs to do it or the techs on duty didn't know how to do it. The "specialists" would brag about how impressive the encryption was but how simple the password was (because it was sitting in RAM for them to grab). In the many times this happened only once did a client open a ticket asking if their was a problem with their VPS or network.
Now of course if the government or law enforcement is involved then all bets are off. If you're worried about a data center tech just browsing your data for fun then my advice is get another provider who doesn't make you worried. Even if a provider is too dumb to do it (like @Rallias said), there's a good chance that if they are willing to browse your data for "the lulz" then they are willing to give somebody else access to do it if they can't.
If you are worried about privacy and absolutely can't let anybody else see your data, then don't put it online at all.
@Wira_Soenaryo choose summerhosts, they usually don't know anything.
And if the provider is too stupid or without knowledge to do it, then, there is a possibility your data become soon very very very private that even God could recover them!
Is fine..in someday maybe i will get my lost backups from hackers torrents..
If you go with a reputable provider who you trust, then there's no real reason to not use OpenVZ, the provider has no reason to ever go through data, we have a ton of OpenVZ nodes and we have NEVER logged into a node and used cd to enter someones VPS data, and the only time our admins have used vzctl enter to enter a VPS was when a customer managed to block all SSH connections and that was with his full consent, a provider has no reason whatsoever and if you feel the provider has done this or they will do this theyn don't use them, even if it's for non private data, it should never happen.
@rethinkvps, is too easy to access users data .. on openvz is insane, not by admins,but can be some 'evil guys'. If someone can sandbox escape on some virtualization systems... is over with people data, and with provider too. Maybe this is.. one sandbox escape with big damages and virtualization world will change this transparency of data. (my opinions)
http://en.wikipedia.org/wiki/Virtual_machine_escape
GOOD, this is good example , total control of host vs guest! http://lowendtalk.com/discussion/52545/venom-vulnerability#latest http://venom.crowdstrike.com/
+1. OpenVz is great technology. It has limitations compared to full virtualization, but it can still do great stuff.
If you're concerned about privacy and security of data, then you shouldn't be putting that data on a VM of any kind. Better to keep it locked in a vault in the basement.
This! You guys never admit it but if you are that concerned it must be because you are doing something that violates providers ToS.
From the providers end, they have better things to do than snoop for no good reason. Especially a big provider. Unless of course...again...if they suspect you are doing something to violate their ToS. I think a lot of you guys are claiming that you think providers snoop for no reason as an excuse to deflect from the fact you are doing something that violates providers ToS.
7 years ago - https://blog.xenproject.org/2008/08/27/xen-33-feature-memory-overcommit/
How other say If you do not trust you provider to do what they promise... do not use them ...
If provider promise to undersell ram until 2 GB left free on the hypervisor is question of trust that they keep that promise ... No choice of virtulization technology will force them to keep it...
Big biz need to overcommit to effectively use hardware they have... so it is a fetaure...