How can vps user protect their privacy?

xiyan Member
edited November 2018 in General

I have a KVM VPS and the provider offers a function that allows users to reset their root password when they forget it, so I wonder if the provider can technically get access to the user's data inside the VPS.
I also wonder if the provider can know the MD5 of a file inside the VPS or the process names.

So how will you protect your privacy as much as possible?


It's just like I rent a house from the landlord, but I am not willing to let him to get into my rent house and check my thing as long as he wants.

I know that it's easy to know the process names inside an OpenVZ or LXC container.
I wonder, will a KVM VPS be safer?

Thanked by 2Chuck rm_

Comments

  • passwd command

  • xiyan Member
    edited November 2018

    @eol said:
    passwd command

    what do you mean?
    VPS user can modify the password by the command 'passwd', and so?

  • MikeA Member, Patron Provider

    If you don't trust your provider then you should install your operating system from the ISO and encrypt the partitions with sensitive data. That way it can't be accessed/mounted by anyone. If it's OpenVZ then there is no way.

  • If you run the passwd command to change your password right after first login and change the password it is more secure than using the provided password because the provider won't know it.

  • @eol said:
    If you run the passwd command to change your password right after first login and change the password it is more secure than using the provided password because the provider won't know it.

    I don't know the provider can change the root password by password reset function after I changed the password that the provider provides.

  • xiyan Member
    edited November 2018

    @MikeA said:
    If you don't trust your provider then you should install your operating system from the ISO and encrypt the partitions with sensitive data. That way it can't be accessed/mounted by anyone. If it's OpenVZ then there is no way.

    I install the operating system from the ISO provided by the operating system's official website.

    What kind of encryption method do you recommend?

  • Like MikeA already mentioned it's probably best to use ur own operating system and encryption.

  • Thank you for your replies.

  • You're welcome.
    Use KVM for added security or even better a dedicated server (bare metal).

  • any provider can mount your VPS disk image and transfer Taylor Swift on there but nobody cares to take the time to do this unless you're up to some questionable stuff at a $7 price point

  • JohnMiller92 Member
    edited November 2018

    I share all my src files with my provider. It improves our relationship tenfold. They love it as well

    Thanked by 3eol imok Kwoon
  • @doughmanes said:
    any provider can mount your VPS disk image and transfer Taylor Swift on there but nobody cares to take the time to do this unless you're up to some questionable stuff at a $7 price point

    what about justin bieber?

  • Awmusic12635 Member, Host Rep

    Frankly if you don't trust your hosting provider you probably shouldn't be with them.

  • @Awmusic12635 said:
    Frankly if you don't trust your hosting provider you probably shouldn't be with them.

    A good company may leak customers' information by mistake, so why shouldn't the user take measures to protect their information if they can do it? I am not talking about trust.

  • @MikeA said:
    If you don't trust your provider then you should install your operating system from the ISO and encrypt the partitions with sensitive data. That way it can't be accessed/mounted by anyone. If it's OpenVZ then there is no way.

    I install the operating system from the ISO provided by the operating system's official website.

    What kind of encryption method do you recommend?

  • MikeA Member, Patron Provider

    @xiyan said:

    @MikeA said:
    If you don't trust your provider then you should install your operating system from the ISO and encrypt the partitions with sensitive data. That way it can't be accessed/mounted by anyone. If it's OpenVZ then there is no way.

    I install the operating system from the ISO that provided by the operating system's official website.

    What kind of encryption method that you recommend?

    Encrypting the filesystem using the OS tools is all you need if you want to prevent a host from accessing your files. Just search it on Google, "centos encrypt filesystem" if you didn't do anything during install.

  • AnthonySmith Member, Patron Provider

    hey @xiyan a host could also simply run qemu-img convert -O raw /dev/VolGroup00/your_vps_disk /root/nice-data.img

    Without your password, you will never find out and then they can mount/browse your partitions and look at all your data.

    If you don't want data online, don't put it online, it is that simple, if you want to make every precaution for data you MUST put online then, trust your host, encrypt your data, use dedicated servers.

    Thanked by 1xiyan
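An added example, not part of any post in this thread: after following the advice above to encrypt partitions, a guest can check which mounted filesystems still have no dm-crypt layer beneath them and would therefore be readable from a copied disk image. The device layout is a constructed sample, and the function names are made up for this example; `lsblk` and its `KNAME`, `TYPE`, `FSTYPE`, `MOUNTPOINT` and `PKNAME` columns are real.

```shell
#!/bin/sh
# Added example: list mounted filesystems (and swap) that have no dm-crypt
# layer anywhere beneath them, i.e. readable from a copy of the disk image.

# Constructed sample of `lsblk -P -o KNAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
# for a guest with plaintext /boot and swap, and LVM on top of LUKS.
sample_lsblk() {
  cat <<'EOF'
KNAME="vda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
KNAME="vda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="vda"
KNAME="vda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="vda"
KNAME="dm-0" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="vda2"
KNAME="dm-1" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="dm-2" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/srv/data" PKNAME="dm-0"
KNAME="vda3" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="vda"
EOF
}

# Reads lsblk pairs output on stdin and prints every mount point whose chain
# of parent devices contains no TYPE="crypt" device.
# Assumption: each device has a single parent (no RAID/multipath fan-in).
unencrypted_mounts() {
  awk '
    # Extract the value of KEY="value" from one lsblk -P line.
    function field(line, key,    re, s) {
      re = "(^| )" key "=\"[^\"]*\""
      if (!match(line, re)) return ""
      s = substr(line, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    {
      k = field($0, "KNAME"); order[++n] = k
      type[k] = field($0, "TYPE"); parent[k] = field($0, "PKNAME")
      mnt[k] = field($0, "MOUNTPOINT")
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]; if (mnt[k] == "") continue
        enc = 0
        # Walk up: lvm -> crypt -> part -> disk
        for (d = k; d != ""; d = parent[d]) if (type[d] == "crypt") enc = 1
        if (!enc) print mnt[k]
      }
    }'
}

if [ "${1:-}" = "--live" ]; then
  lsblk -P -o KNAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | unencrypted_mounts
else
  sample_lsblk | unencrypted_mounts
fi
```

On the sample layout the plaintext `/boot` and swap are reported; unencrypted swap matters because memory pages, including key material, can be written to it.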
  • Cool story about keys in the RAM memory. Really cool.

    Have you tried to extract them? Or do you just talk about theory? I tried several times. It's not a task that is easy to do for just a simple hosting provider which rents servers and delivers them to clients as VPSes. Even for programmers, it's not an easy task.

  • Neoon Community Contributor, Veteran

    @MikeA said:
    If you don't trust your provider then you should install your operating system from the ISO and encrypt the partitions with sensitive data. That way it can't be accessed/mounted by anyone. If it's OpenVZ then there is no way.

    If the encryption key is loaded into memory, it could be dumped.
    So even on KVM, no way.

    Trust your provider and/or get a Dedicated and trust your provider.

  • mfs Banned, Member
    edited November 2018

    xiyan said: It's just like I rent a house from the landlord, but I am not willing to let him to get into my rent house and check my thing as long as he wants.

    Reinstalling from a trusted ISO and encrypting your VPS will prevent casual snooping, it could be like changing your door's lock. Sure a LEA or a devoted hacker with physical access to your server can still pick your lock and enter without consent, but that's a rather corner case scenario and that's beyond your stated goal.
    You could also deploy "go away" messages here and there. Nothing scares more than a German-ish Lorem Ipsum in your issue{,.net} file

    ###########################################################################
    #                                                                         #
    #                      ACHTUNG!  ALLES LOOKENSPEEPERS!                    #                  
    #          Alles touristen und non-technischen looken peepers!            #                  
    #   Das computermachine ist nicht fuer gefingerpoken und mittengrabben.   #                  
    #   Ist easy schnappen der springenwerk, blowenfusen und poppencorken     #                  
    #   mit spitzensparken.  Ist nicht fuer gewerken bei das dumpkopfen.      #                  
    #   Das rubbernecken sichtseeren keepen das cotten-pickenen hans in das   #                  
    #   pockets muss; relaxen und watchen das blinkenlichten.                 #                  
    #                                                                         #                  
    ###########################################################################
    
  • @mfs said:

    xiyan said: It's just like I rent a house from the landlord, but I am not willing to let him to get into my rent house and check my thing as long as he wants.

    Reinstalling from a trusted ISO and encrypting your VPS will prevent casual snooping, it could be like changing your door's lock. Sure a LEA or a devoted hacker with physical access to your server can still pick your lock and enter without consent, but that's a rather corner case scenario and that's beyond your stated goal.
    You could also deploy "go away" messages here and there. Nothing scares more than a German-ish Lorem Ipsum in your issue{.,net} file

    ###########################################################################
    #                                                                         #
    #                      ACHTUNG!  ALLES LOOKENSPEEPERS!                    #                  
    #          Alles touristen und non-technischen looken peepers!            #                  
    #   Das computermachine ist nicht fuer gefingerpoken und mittengrabben.   #                  
    #   Ist easy schnappen der springenwerk, blowenfusen und poppencorken     #                  
    #   mit spitzensparken.  Ist nicht fuer gewerken bei das dumpkopfen.      #                  
    #   Das rubbernecken sichtseeren keepen das cotten-pickenen hans in das   #                  
    #   pockets muss; relaxen und watchen das blinkenlichten.                 #                  
    #                                                                         #                  
    ###########################################################################
    

    LOL.
    Nice "german".

  • You can store your data in a custom encrypted format. You also need to trust your provider. If you don't have trust then switch to a trustworthy provider.

    Thanked by 1xiyan
  • @AlphaNinevps_com said:
    You can store your data in a custom encrypted format.

    This.

  • I observed this discussion with Nextcloud, which has encryption, but end-to-end encryption is being worked on because the server provider can simply wait for you to enter the password.

    However, it still protects your files because no one is going to modify Nextcloud or make a custom script to steal your password. It's a useful barrier against prying eyes, a confiscated HDD, or forgetting to wipe the drive before the server expires.

    Thanked by 1xiyan
  • jsg Member, Resident Benchmarker
    edited November 2018

    @xiyan

    Sorry but: no you can't. @KuJoe has provided a link to about the best answer for your level.

    The good news is that one can protect quite well even against LEA, NSA, etc. - if one can at a very minimum specify well (sufficiently precisely), what exactly one needs to protect and against what kind of threat and player and if one is willing and able to pay the price. Note that "price" is not limited to money but typically also means factors like "ease of use". Also note that the major problem (e.g. in my job) is not the crypto or opsec side but simply to get someone to properly specify what their security worries and needs are. Most can't (and typically think in terms of somehow "locking it down").

    The other "good news" (kinda ...) is that any hacking (incl. by LEAs) in the real world is virtually never based on attacks against algorithms, nanosecond precise side channel attacks, or even (relatively simple) RAM dumping. NSA quite probably could not crack even a "lowly" common 256 bit ECC - but they don't need to; they can attack e.g. the SSH implementation. Similarly they might have problems to crack your disk encryption key - but they don't need to; they can use one of a variety of much simpler attacks, etc.

    Finally, note that buying an expensive server, colocating it in an expensive bunker, and encrypting the disks but then running say some PHP application with nginx and MySQL very, very likely provides no more effective security over a 5$ VPS on KVM with a good provider.

    Thanked by 2xiyan vimalware
  • Too many hardware backdoors to protect against the nsa, ...

  • Just skip MaxMind and ID check and protect your privacy as well.

  • Use ROT13 twice.

    Thanked by 2eol gol3m
  • jsg Member, Resident Benchmarker

    @Letzien said:
    Use ROT13 twice.

    No! Even smarter: Use rotL13 once and then - to confuse them - use rotR13!

    Thanked by 2eol FHR