How to encrypt an entire VPS?

Can someone please explain (post a tutorial about) how to encrypt an entire VPS installation, like in Ubuntu desktop, where you can encrypt the entire installation and require a password every time you switch on the machine? And how to enter that initial password for the VPS? Is it only possible with KVM over IP or can it be done on a regular VPS?


Comments

  • Get KVM to start with... someone else here will need to give you the rest of the info.

  • You need to go with KVM or Xen HVM, and use LVM encryption.

    Thanked by 1: Atomic7
  • I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

  • @Atomic7 said:
    Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    Plaintext over VNC :-)

    Thanked by 1: Atomic7
  • @Atomic7 said:
    I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    Yes, I get that, but you can't encrypt an OpenVZ VPS, that's what I meant. You need to go with either Xen HVM or KVM in order to be able to use LVM encryption. If you go with either of those two, your provider will provide you with VNC details, you can use those to enter your password.

  • @Atomic7 said:
    I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    mind blown

    Thanked by 1: k0nsl
  • @jimpop said:
    Plaintext over VNC :-)

    @dhamaniasad said:
    Yes, I get that, but you can't encrypt an OpenVZ VPS, that's what I meant. You need to go with either Xen HVM or KVM in order to be able to use LVM encryption. If you go with either of those two, your provider will provide you with VNC details, you can use those to enter your password.

    Thank you! Can someone suggest good tutorials (links) about encrypting a vps? How to get VNC details for a DigitalOcean Droplet? And do I need to install VNC server on my vps? If so, wouldn't that be decreasing the security of the vps?

  • @Atomic7 said:
    Thank you! Can someone suggest good tutorials (links) about encrypting a vps? How to get VNC details for a DigitalOcean Droplet? And do I need to install VNC server on my vps? If so, wouldn't that be decreasing the security of the vps?

    DigitalOcean provides VNC access from their control panel, so you don't need to install VNC yourself. I haven't used LVM before, but IIRC you have to set it up while installing your operating system, which is not something that DO is going to let you do. Someone else will be able to help you with LVM better, but I'd suggest you to stay away from DO if you're planning on using LVM encryption, I don't think they support it.

    Thanked by 1: Atomic7
  • You can install and configure dropbear ssh which will start before you unlock the disks, allowing you to securely enter the password, google for a tutorial.

    Thanked by 2: dano, Atomic7
  • @Giulio said: You can install and configure dropbear ssh which will start before you unlock the disks, allowing you to securely enter the password, google for a tutorial.

    Same thing using OpenSSH, I should think...?

  • @Giulio gonna have to try using dropbear for the encrypted connection, as it seems as though the password is meaningless with a plain vnc console session :) - thanks!

    @aglodek as far as I have noticed, openssh isn't ready yet, or hasn't started at this runlevel.

    That being said, here is what I found after a quick search.

    http://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot

    http://blog.nguyenvq.com/2011/09/13/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu/

    I'll give it a whirl and try and remember to post about it :)

  • @Atomic7 said:
    I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    @Atomic7 said: Thank you! Can someone suggest good tutorials (links) about encrypting a vps? How to get VNC details for a DigitalOcean Droplet? And do I need to install VNC server on my vps? If so, wouldn't that be decreasing the security of the vps?

    It's not that easy being GREEN
    Having to spend each day the color of the leaves
    When I think it could be nicer being red, or yellow, or gold
    Or something much more colorful like that

    It's not easy being GREEN

  • painfreepc said: It's not that easy being GREEN Having to spend each day the color of the leaves When I think it could be nicer being red, or yellow, or gold Or something much more colorful like that

    It's not easy being GREEN

    Am I missing something here or is your reply completely irrelevant and pointless and makes no sense at all?

    Thanked by 1: GM2015
  • Or you can always encrypt just your data partitions? I don't see any reason to encrypt packages binaries or even config files... but if you really wanted you could simply install a normal bootable system and mount the encrypted volume everywhere you need encryption in the file system (mount -o bind)... Just make sure you don't encrypt whatever is necessary to boot hehe.

    But yeah, depends on what you're trying to achieve here :) Unlocking the server manually every time it boots can be a pain but I guess it's also the safest.

  • earl Member
    edited November 2013

    Are you asking about a login/display manager that you need to input a password when you VNC into your VPS?

    If you are, you can look into installing GDM or LightDM, if you are using Debian.

  • painfreepc Member
    edited November 2013

    i am just saying he is totally green,
    not understand OpenVZ is like shared hosting,
    not know DigitalOcean already has vnc

    and gives no reason for why the need to encrypt all of the vps,
    yes i have encrypted a laptop using truecrypt because someone can steal my laptop,
    don't think anyone is going to walk into a datacenter and steal my vps,

    as agonyzt said: you only need to encrypt the data partition..

    note to Atomic7,

    if your vps is not with DigitalOcean, here is my install notes tightvncserver
    on 12.04:

    //Install X, LXDE, VNC programs

    apt-get install xorg lxde-core tightvncserver

    //Start VNC to create config file

    sudo tightvncserver :1

    //Then stop VNC

    sudo tightvncserver -kill :1

    //Edit config file to start session with LXDE:

    sudo nano /home/blackboy/.vnc/xstartup

    //Add this at the bottom of the file:

    lxterminal &

    /usr/bin/lxsession -s LXDE &

    //Restart VNC

    tightvncserver :1

    will use about 30 -40mb ram

  • I'm not so sure how effective this will be on a VPS but truecrypt will encrypt your entire hard drive, but it'll require a manual password input on boot... so I don't know how that would work

  • @dhamaniasad said:

    Thank you for all your help. :)

    @Giulio said:
    You can install and configure dropbear ssh which will start before you unlock the disks, allowing you to securely enter the password, google for a tutorial.

    Thanks for the suggestion. Yeah, it's a nice and convenient solution and I don't prefer using VNC. Another solution would be to automate the entire unlocking process by storing key on the vps itself, but it would kind of defeat the whole purpose of encrypting the vps. I am going to try both the things and see if they work.

    @earl said:
    Are you asking about a login/display manager that you need to input a password when you VNC into your VPS?

    I was asking about the password to mount the encrypted volume on boot. :)

    @BuyCPanel_Kevin said:
    I'm not so sure how effective this will be on a VPS but truecrypt will encrypt your entire hard drive, but it'll require a manual password input on boot... so I don't know how that would work

    I think it can be achieved using dropbear ssh as @Giulio suggested or can be done automatically by storing keyfile on the server. I am going to give this a try and see if it works.
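
The trade-off raised in the reply above (a key file stored on the server unlocks the volume without anyone typing a passphrase) can be checked from `/etc/crypttab`. This is an added example, not code from any poster; it assumes the Debian/Ubuntu crypttab field order `name device keyfile options`, and the sample entries and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify where each crypttab mapping
# gets its key. Assumed field order: <name> <device> <keyfile> <options>.

# audit_crypttab [FILE]  - reads FILE, or stdin when FILE is omitted.
# Prints "name<TAB>verdict" per mapping:
#   prompt     passphrase is typed at boot (console or SSH in the initramfs)
#   ephemeral  fresh random key each boot, typical for swap
#   keyscript  key comes from a script; review what that script reads
#   stored     key file sits on the server, so the volume unlocks unattended
audit_crypttab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        {
            key = $3; opts = $4
            if (opts ~ /(^|,)keyscript=/)                      v = "keyscript"
            else if (key == "" || key == "none" || key == "-") v = "prompt"
            else if (key ~ /^\/dev\/u?random$/)                v = "ephemeral"
            else                                               v = "stored"
            printf "%s\t%s\n", $1, v
        }
    ' "${1:--}"
}

# Succeeds only when no mapping relies on a key file stored on the server.
no_stored_keys() {
    audit_crypttab "$@" | awk -F '\t' '$2 == "stored" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample entries for the demo below.
sample_crypttab() {
    cat <<'EOF'
# <name>     <device>        <keyfile>            <options>
root_crypt   /dev/vda2       none                 luks,initramfs
swap_crypt   /dev/vda3       /dev/urandom         swap,cipher=aes-xts-plain64,size=256
data_crypt   /dev/vdb1       /root/keys/data.key  luks
EOF
}

sample_crypttab | audit_crypttab
sample_crypttab | no_stored_keys || echo "a key file is stored on this server"
```
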

  • painfreepc said: It's not that easy being GREEN Having to spend each day the color of the leaves When I think it could be nicer being red, or yellow, or gold Or something much more colorful like that

    It's not easy being GREEN

    LoL! What?

    @painfreepc said:
    i am just saying he is totally green,
    not understand OpenVZ is like shared hosting,
    not know DigitalOcean already has vnc

    and gives no reason for why the need to encrypt all of the vps,
    yes i have encrypted a laptop using truecrypt because someone can steal my laptop,
    don't think anyone is going to walk into a datacenter and steal my vps,

    as agonyzt said: you only need to encrypt the data partition..

    note to Atomic7,

    if your vps is not with DigitalOcean, here is my install notes tightvncserver
    on 12.04:

    //Install X, LXDE, VNC programs

    apt-get install xorg lxde-core tightvncserver

    //Start VNC to create config file

    sudo tightvncserver :1

    //Then stop VNC

    sudo tightvncserver -kill :1

    //Edit config file to start session with LXDE:

    sudo nano /home/blackboy/.vnc/xstartup

    //Add this at the bottom of the file:

    lxterminal &

    /usr/bin/lxsession -s LXDE &

    //Restart VNC

    tightvncserver :1

    will use about 30 -40mb ram

    Don't jump to conclusions so fast! Did I ever mention anywhere in my post that I want to encrypt an OVZ vps? And sorry but no, OVZ is not like shared hosting. As for VNC, I have never used it. Never had to and I don't prefer it. Enabling VNC on server is a security risk. Thank you for the excellent install notes but I wasn't asking about how to install a vnc server.

    I like being green. I prefer it rather than being a red, yellow or gold snob!

  • kro Member
    edited November 2013

    lol this is so bad it's a crack up

  • @kro said:
    lol this is so bad it's a crack up

    What is so bad?

  • @Atomic7 said:
    What is so bad?

    The concept of encrypting a whole VPS as a way to provide security. Information that requires that level of security should not be on a VPS.


    By the way we are all green every decade or so.

  • @FrankZ said:
    The concept of encrypting a whole VPS as a way to provide security. Information that requires that level of security should not be on a VPS.

    By the way we are all green every decade or so.

    This is just for the learning purpose. It's nothing like I am paranoid and want to implement this on my production server or protect some sensitive information or anything. I just want to know if it's possible. I couldn't find a good tutorial on how to achieve this and wanted some feedback and suggestions. And anyway, once the volume is mounted, everything is decrypted. I want to know if it's possible to stop the provider from accessing/snooping the data on the vps. Any relevant and useful suggestions/feedbacks are appreciated.

  • Encrypt your data partition using cryptsetup

  • Oh my god... all the terrible advice in this thread... it burns... it BURNS... LVM encryption? TRUECRYPT??? VNC?!??!?

    What you need is the ability to boot an ISO. In that ISO, you'll be able to configure all the options you need for encryption during installation. After installation, you'll either need to log into the VNC console or set up dropbear from your initramfs. The latter will be better in the long run. http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/ <- That should help you with a debian-based system.

    Seriously... LVM Encryption? Really?

    Thanked by 3: aglodek, Atomic7, emg
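
One way to set up the initramfs dropbear unlock recommended above, as an added example rather than code from the thread or the linked guide. It assumes Debian 12's `dropbear-initramfs` layout (`/etc/dropbear/initramfs/`; older releases use `/etc/dropbear-initramfs/` with a file named `config`) and the `cryptroot-unlock` helper from `cryptsetup-initramfs`; the function name `stage_unlock_config` and the key shown are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): stage the files that let dropbear in the
# initramfs accept one SSH key and do nothing except prompt for the LUKS passphrase.
# Assumed layout: Debian 12 dropbear-initramfs, /etc/dropbear/initramfs/.

# stage_unlock_config ROOT PUBKEY [PORT]
# ROOT is a scratch directory for a dry run, or / on the server itself.
stage_unlock_config() {
    root=$1 pubkey=$2 port=${3:-2222}
    dir="${root%/}/etc/dropbear/initramfs"
    nl='
'
    # Only a single-line public key may be embedded in the (unencrypted) initramfs.
    case $pubkey in
        *"$nl"*|*PRIVATE*) echo "refusing: not a single-line public key" >&2; return 1 ;;
        ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-*\ ?*) ;;
        *) echo "refusing: unknown key type" >&2; return 1 ;;
    esac
    case $port in ''|*[!0-9]*) echo "refusing: bad port" >&2; return 1 ;; esac

    mkdir -p "$dir" || return 1
    # -s no password logins, -j/-k no port forwarding, -I idle timeout in seconds,
    # -c forces every session into cryptroot-unlock instead of a shell.
    printf 'DROPBEAR_OPTIONS="-p %s -s -j -k -I 120 -c cryptroot-unlock"\n' "$port" \
        > "$dir/dropbear.conf" || return 1
    # Same restriction on the key itself, in case the options above are changed.
    printf '%s %s\n' \
        'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="cryptroot-unlock"' \
        "$pubkey" > "$dir/authorized_keys" || return 1
    chmod 600 "$dir/authorized_keys"
}

# Dry run with a constructed key. On the server: stage with ROOT=/, then run
# update-initramfs -u, reboot, and connect with: ssh -p 2222 root@<server>
demo=$(mktemp -d)
stage_unlock_config "$demo" "ssh-ed25519 AAAAconstructedExampleKey admin@laptop" &&
    cat "$demo/etc/dropbear/initramfs/dropbear.conf" "$demo/etc/dropbear/initramfs/authorized_keys"
rm -rf "$demo"
```
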
  • netomx Moderator, Veteran

    @Rallias nice setup! Should have made that before sending the Pi to edis :(

  • aglodek Member
    edited November 2013

    @FrankZ said: The concept of encrypting a whole VPS as a way to provide security. Information that requires that level of security should not be on a VPS.

    And why not, pray tell? Not everyone can afford their own data center, while preferring to store sensitive information offshore (read: not at home or office). And a KVM VPS is about as secure (or insecure) as a dedi. Personally, I find @Atomic7's thinking and research of great interest. He may have actually gotten hold of the right idea for a LESS (Low End Secure Server ;)

    EDIT: or LERSS (Low End Relatively Secure Server), rather ;)

    @agonyzt said: Or you can always encrypt just your data partitions? I don't see any reason to encrypt packages binaries or even config files... but if you really wanted you could simply install a normal bootable system and mount the encrypted volume everywhere you need encryption in the file system (mount -o bind)... Just make sure you don't encrypt whatever is necessary to boot hehe.

    I'm in favor of encrypting everything! This way there is no way for a perpetrator to install any rootkit or otherwise corrupt the unencrypted files while the system is offline.

    But yeah, depends on what you're trying to achieve here :) Unlocking the server manually every time it boots can be a pain but I guess it's also the safest.

    Exactly right. And as far as "pain" goes, it kind of depends on how often the system reboots. With proper monitoring and notification, unlocking it manually once, say, every 2-3 months wouldn't be any pain at all ;)

    Thanked by 1: k0nsl
  • @aglodek - Everyone is entitled to their opinion, I just don't agree.

    OP listen to @Rallias for a simple and correct (my opinion) way to do what you asked.

  • Rallias said: Seriously... LVM Encryption? Really?

    Hum... LVM encryption uses LUKS by default no? I don't think it's any different from using LUKS directly on a drive or partition... but I can be wrong. LVM over LUKS or even LUKS over LVM is a pretty common setup that gives you a lot of flexibility.

  • @Rallias said:
    Oh my god... all the terrible advice in this thread... it burns... it BURNS... LVM encryption? TRUECRYPT??? VNC?!??!?

    What you need is the ability to boot an ISO. In that ISO, you'll be able to configure all the options you need for encryption during installation. After installation, you'll either need to log into the VNC console or set up dropbear from your initramfs. The latter will be better in the long run. http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/ <- That should help you with a debian-based system.

    Seriously... LVM Encryption? Really?

    Thanks a lot for this excellent advice. This is exactly what I wanted. I wonder why anybody didn't suggest this before and I suppose many are using encrypted installs.

    Thanks to all those who helped. I really appreciate it.
