Most secure VPS virtualisation type?
Greetings all
Yes, I know there is no truly 100% secure anything, but based on VPS virtualisation technology alone, which one is the most secure against unscrupulous providers?
For instance, with OpenVZ am I right to say that an unscrupulous provider can easily browse whatever's in your VPS if they want to?
Is this also the case for Xen and KVM?
Comments
I'm guessing they can always descend into, or view, any files they want. But isn't there a process you can disable from OVZ that disallows the host from descending into your VM container? @mrladoodle may know.
You can always make a script to watch out for the vz process spawning in your container, I think Webmin actually does this.
But they can just cd /vz/private/
I'm inclined to think that they're all fairly equal as far as the provider's ability to view your files. At some level you have to trust someone in this business (this being anything related to storing data on someone else's property), just choose wisely and don't store important data with a provider you're not yet sure about.
KVM/Xen with encrypted drives.
With Xen it is more complicated because the providers just give you one drive.
Given sufficient effort from an attacker that has access to the host node, no virtualization technology will protect your files.
I hear morphology!
Are you sure you can decrypt my partitions? Well...
is your vm booted -> yes
@yomero
They will probably take a few years, but sooner or later the stuff can still get decrypted.
As in EVERY system. That isn't a concern about virtualization.
How? Maybe you will inject some code into the qemu process or something?
Or you will dump my memory to search the key maybe.
Agree, but too complex.
If the VPS can decrypt them itself if rebooted, sure.
If you need to enter a password to mount, sure, but it's harder. They can dump your memory at any time necessary, or get your SSH private key (edit: I meant host key) from your unencrypted partition and MITM your SSH session where you mount the encrypted partition, or eavesdrop on any out-of-band access you might use to enter a passphrase (KVM VNC, Xen serial console/hvc0), or (depending on virtualisation type) control your boot options or the selection of the kernel itself, or I'm sure there are a multitude of other ways I can't even think of.
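The "dump your memory" point in the post above is a concrete, well-known technique rather than hand-waving: while an encrypted volume is mounted, the kernel holds the AES key in RAM as an expanded key schedule, and the schedule's structure (each round key is derived from the previous one) is a signature that can be scanned for in a raw memory image. A host can take such an image of a KVM guest without the guest noticing (for example with `virsh dump`); on OpenVZ the host already has root in the container. The following is an added example written for this thread, not code posted by anyone here; it implements the AES-128 key-schedule scan over a constructed memory image (random filler with one schedule embedded, plus a copy of the bare key bytes that does not match because nothing derives from them). Real tools such as aeskeyfind also check AES-256 and the inverse (decryption) schedule; the image format, filler and seed here are assumptions for the demonstration.

```python
"""Scan a raw memory image for AES-128 key schedules (the aeskeyfind idea)."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse + affine map) instead of hand-typing it."""
    def rotl8(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1                                    # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                     # q /= 3 (i.e. q *= 0xF6)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                               # 0 has no inverse: affine constant only
    return sbox


SBOX = _build_sbox()


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(dump: bytes):
    """Return (offset, key) for every 176-byte window that is a valid AES-128 schedule."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        k = dump[off:off + 16]
        # Cheap filter: derive w[4] from the candidate key; it must equal the next 4 bytes.
        t = [SBOX[b] for b in (k[13], k[14], k[15], k[12])]
        w4 = bytes((k[0] ^ t[0] ^ RCON[0], k[1] ^ t[1], k[2] ^ t[2], k[3] ^ t[3]))
        if dump[off + 16:off + 20] != w4:
            continue
        if expand_key_128(k) == dump[off:off + 176]:   # full check on the rare filter hit
            hits.append((off, bytes(k)))
    return hits


def build_sample_dump():
    """Constructed stand-in for a VM memory image: random filler with one schedule embedded."""
    rng = random.Random(2013)                    # fixed seed: deterministic sample
    key = bytes(rng.randrange(256) for _ in range(16))
    filler = bytes(rng.randrange(256) for _ in range(8192))
    schedule_offset = 4096
    dump = (filler[:1024] + key                  # bare key bytes alone: no signature
            + filler[1024:schedule_offset] + expand_key_128(key)
            + filler[schedule_offset:])
    return dump, key, schedule_offset + 16       # schedule starts 16 bytes later (the bare key)


if __name__ == "__main__":
    dump, key, where = build_sample_dump()
    for off, found in find_aes128_keys(dump):
        print(f"AES-128 key schedule at offset {off:#x}: key={found.hex()}")
```

The filter step matters for real images: computing one round-key word per offset is cheap enough to walk gigabytes, and a random 4-byte match (probability 2^-32) is caught by the full 176-byte comparison. The bare copy of the key at offset 1024 is never reported, which is why the attack targets the expanded schedule and not the key itself. This is also exactly what the "key in CPU cache" idea mentioned later in the thread is meant to defeat: if the schedule never touches RAM, there is nothing for the scan to find.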
Of course.
Yes, and search. You have a point here. Too complex (again).
Why would I choose to save SSH keys somewhere? Nah.
Yes, and you get a normal login prompt. You can't do anything there.
It is encrypted; you can't do anything using another kernel.
I think the lesson here is that one needs to go through significant effort to hide the data on their system from the system itself.
Tell me how you expect a system to boot automatically if the decryption keys are not present on that same system or on some kind of system that it can access. Which would be a typical use case for a VPS. Encrypted partitions only work if the owner has to enter a password on boot/mount. Considering no specific use case (such as 'remote work') was mentioned, I am assuming the typical VPS use case: providing some kind of public service. A public service has to be available, and as such has to survive a reboot and boot itself automatically. In which case you cannot encrypt your data in a manner that cannot be decrypted by the host.
With OVZ it is a matter of one command, and the host node has full root access to the container.
I think that since your VPS is decrypting the partition to view and run files, the hacker will only have to get control over your VPS without knowing the encryption key, and then he will transfer all your data outside, since it's probably decrypted by your system during startup of the VPS to have access to it, isn't it? So that makes your partition "open" while the system/programs run :O
@PAD Does that mean it is not as effortless to snoop on KVM and Xen VPSes?
The drive of a Xen VPS can also be mounted by the provider, but it's not as simple as in OpenVZ. I think KVM should be the most secure way, since it is like a dedicated server: you can encrypt your drives and encrypt it on booting over SSH. But it's difficult to set that up. I usually need about 2 hours for that...
But as long as you don't host critical files on the VPS that shouldn't be necessary... and even if you encrypt the hard disk the provider could read the passphrase out of the RAM or sniff your traffic...
The most secure way is to rent a dedicated server with one of these new Ivy Bridge CPUs, because there you're able to put the passphrase in the L2/L3 cache, so it should be impossible to get the key...
But beware, for example in France that would be against the law...
Exactly. That is your personal preference.
Yes, I mount manually. VNC/SSH (Ok, VNC and MITM is another issue).
Indeed. But OK, now my disk is mounted, how will you "hack" my system? That is another story, and as I said, I mount manually.
In conclusion, and as a cliché, there is no 100% secure system, but I think you are looking for vulnerabilities completely independent of the main idea.
There isn't a "virtualisation" that will protect you from nasty hosts; it's just how it is, they own the node you're on. So they have FULL access to it, even if it's encrypted; if they wanted to get in, there's always a way.
As others have suggested, you have to have some trust in the company you're going to store any sensitive information with, and if you're still not satisfied, get yourself a small dedi like the KimSufi. Even though OVH can most likely access them too, being how automated it all is, custom kernels etc.
Nah, use for example the standard Debian kernel and remove their SSH key from .ssh/authorized_keys2 and you should be more secure. And also: if you have a dedicated machine you have much more freedom to protect your stuff.
Nope. Putting the key into the L2 cache is done to prevent cold-boot attacks.
There is no way to securely store data on a remote machine (as long as the data also needs to get decrypted remotely).
Yes, right. And it also prevents the police from getting the key when they freeze the RAM sticks and try to read it out of them.
It always depends against whom you want to be secure. Show me one law enforcement agency that is able to get the key out of an L2 cache...
That's exactly what cold-boot attacks are.
That doesn't change that it's theoretically impossible to achieve security. Also, this discussion is about virtualization technologies and providers, not about dedicated servers and law enforcement agencies. But for the record, I don't think any normal police force would attempt a cold-boot attack or likewise, and if you have data on your servers that the NSA wants you're fucked anyway.
I think the main question isn't about the technology here.
If you don't trust your host, then why are you buying services from them to host sensitive files? If you have data that sensitive that you don't want people seeing, then you shouldn't be choosing a host that is charging $3/m and has been around for 4 months.
You should trust your host to put you on a secure node and to give you privacy.
I agree with @vdnet, and if your information is that sensitive, why bother with the administrative time to encrypt everything and try to make it unreachable when you can just have the provider sign an NDA?