Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
How to encrypt an entire VPS?
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

How to encrypt an entire VPS?

Can someone please explain (post a tutorial about) how to encrypt an entire vps installation; like in ubuntu desktop how you can encrypt the entire installation and require a password everytime you switch on the machine. And how to enter that initial password for the vps? Is it only possible with KVM over IP or can it be done on regular vps?

Comments

  • Get KVM to start with... someone else here will need to give you the rest of the info.

  • You need to go with KVM or Xen HVM, and use LVM encryption.

    Thanked by 1Atomic7
  • I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

  • @Atomic7 said:
    Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    Plaintext over VNC :-)

    Thanked by 1Atomic7
  • @Atomic7 said:
    I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    Yes, I get that, but you can't encrypt an OpenVZ VPS, that's what I meant. You need to go with either Xen HVM or KVM in order to be able to use LVM encryption. If you go with either of those two, your provider will provide you with VNC details, you can use those to enter your password.

  • @Atomic7 said:
    I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    mind blown

    Thanked by 1k0nsl

    vpsdash.com - Tips and tricks in life, information and technology news to get things done

  • @jimpop said:
    Plaintext over VNC :-)

    @dhamaniasad said:
    Yes, I get that, but you can't encrypt an OpenVZ VPS, that's what I meant. You need to go with either Xen HVM or KVM in order to be able to use LVM encryption. If you go with either of those two, your provider will provide you with VNC details, you can use those to enter your password.

    Thank you! Can someone suggest good tutorials (links) about encrypting a vps? How to get VNC details for a DigitalOcean Droplet? And do I need to install VNC server on my vps? If so, wouldn't that be decreasing the security of the vps?

  • @Atomic7 said:
    Thank you! Can someone suggest good tutorials (links) about encrypting a vps? How to get VNC details for a DigitalOcean Droplet? And do I need to install VNC server on my vps? If so, wouldn't that be decreasing the security of the vps?

    DigitalOcean provides VNC access from their control panel, so you don't need to install VNC yourself. I haven't used LVM before, but IIRC you have to set it up while installing your operating system, which is not something that DO is going to let you do. Someone else will be able to help you with LVM better, but I'd suggest you to stay away from DO if you're planning on using LVM encryption, I don't think they support it.

    Thanked by 1Atomic7
  • You can install and configure dropbear ssh which will start before you unlock the disks, allowing you to securely enter the password, google for a tutorial.

    Thanked by 2dano Atomic7
  • @Giulio said: You can install and configure dropbear ssh which will start before you unlock the disks, allowing you to securely enter the password, google for a tutorial.

    Same thing using OpenSSH, I should think...?

    Andrew Glodek | Special Projects Director | 香港國際商務中心 HONG KONG INTERNATIONAL BUSINESS CENTRE
  • @Giulio gonna have to try using dropbear for the encrypted connection, as it seems as though the password is meaningless with a plain vnc console session :) - thanks!

    @aglodek as far as I have noticed, openssh isn't ready yet, or hasn't started at this runlevel.

    That being said, here is what I found after a quick search.

    http://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot

    http://blog.nguyenvq.com/2011/09/13/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu/

    I'll give it a whirl and try and remember to post about it :)

  • @Atomic7 said:
    I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?

    @Atomic7 said: Thank you! Can someone suggest good tutorials (links) about encrypting a vps? How to get VNC details for a DigitalOcean Droplet? And do I need to install VNC server on my vps? If so, wouldn't that be decreasing the security of the vps?

    It's not that easy being GREEN
    Having to spend each day the color of the leaves
    When I think it could be nicer being red, or yellow, or gold
    Or something much more colorful like that

    It's not easy being GREEN

  • painfreepc said: It's not that easy being GREEN Having to spend each day the color of the leaves When I think it could be nicer being red, or yellow, or gold Or something much more colorful like that

    It's not easy being GREEN

    Am I missing something here or is your reply completely irrelevant and pointless and makes no sense at all?

    Thanked by 1GM2015
  • Or you can always encrypt just your data partitions? I don't see any reason to encrypt packages binaries or even config files... but if you really wanted you could simply install a normal bootable system and mount the encrypted volume everywhere you need encryption in the file system (mount -o bind)... Just make sure you don't encrypt whatever is necessary to boot hehe.

    But yeah, depends on what you're trying to achieve here :) Unlocking the server manually every time it boots can be a pain but I guess it's also the safest.

  • earlearl Member
    edited November 2013

    Are asking about a login/display manager that you need to input a password when you VNC into your VPS?

    If you are you can look into installing GDM or LightDM, if you are using Debian.

  • painfreepcpainfreepc Member
    edited November 2013

    i am just saying he is totally green,
    not understand OpenVZ is like shared hosting,
    not know DigitalOcean already has vnc

    and gives no reason for why the need to encrypt all of the vps,
    yes i have encrypted a laptop using truecrypt because someone can steal my laptop,
    don't thank anyone is going to walk into a datacenter and steal my vps,

    as agonyzt said: you only need to encrypt the data partition..

    note to Atomic7,

    if your vps is not with DigitalOcean, here is my install notes tightvncserver
    on 12.04:

    //Install X, LXDE, VPN programs

    apt-get install xorg lxde-core tightvncserver

    //Start VNC to create config file

    sudo tightvncserver :1

    //Then stop VNC

    sudo tightvncserver -kill :1

    //Edit config file to start session with LXDE:

    sudo nano /home/blackboy/.vnc/xstartup

    //Add this at the bottom of the file:

    lxterminal &

    /usr/bin/lxsession -s LXDE &

    //Restart VNC

    tightvncserver :1

    will use about 30 -40mb ram

  • I'm not so sure how effective this will be on a VPS but truecrypt will encrypt your entire hard drive, but it'll require a manual password input on boot... so I don't know how that would work

    Alex L
    BuyCPanel.com - Instant CPanel and VPS License Activations!
    Lowest-Priced External CPanel Licenses
    http://www.BuyCPanel.com

  • @dhamaniasad said:

    Thank you for all your help. :)

    @Giulio said:
    You can install and configure dropbear ssh which will start before you unlock the disks, allowing you to securely enter the password, google for a tutorial.

    Thanks for the suggestion. Yeah, it's a nice and convenient solution and I don't prefer using VNC. Another solution would be to automate the entire unlocking process by
    storing key on the vps itself, but it would kind of defeat the whole purpose of encrypting the vps. I am going to try both the things and see if they work.

    @earl said:
    Are asking about a login/display manager that you need to input a password when you VNC into your VPS?

    I was asking about the password to mount the encrypted volume on boot. :)

    @BuyCPanel_Kevin said:
    I'm not so sure how effective this will be on a VPS but truecrypt will encrypt your entire hard drive, but it'll require a manual password input on boot... so I don't know how that would work

    I think it can be achieved using dropbear ssh as @Giulio suggested or can be done automatically by storing keyfile on the server. I am going to give this a try and see if it works.

  • painfreepc said: It's not that easy being GREEN Having to spend each day the color of the leaves When I think it could be nicer being red, or yellow, or gold Or something much more colorful like that

    It's not easy being GREEN

    LoL! What?

    @painfreepc said:
    i am just saying he is totally green,
    not understand OpenVZ is like shared hosting,
    not know DigitalOcean already has vnc

    and gives no reason for why the need to encrypt all of the vps,
    yes i have encrypted a laptop using truecrypt because someone can steal my laptop,
    don't thank anyone is going to walk into a datacenter and steal my vps,

    as agonyzt said: you only need to encrypt the data partition..

    note to Atomic7,

    if your vps is not with DigitalOcean, here is my install notes tightvncserver
    on 12.04:

    //Install X, LXDE, VPN programs

    apt-get install xorg lxde-core tightvncserver

    //Start VNC to create config file

    sudo tightvncserver :1

    //Then stop VNC

    sudo tightvncserver -kill :1

    //Edit config file to start session with LXDE:

    sudo nano /home/blackboy/.vnc/xstartup

    //Add this at the bottom of the file:

    lxterminal &

    /usr/bin/lxsession -s LXDE &

    //Restart VNC

    tightvncserver :1

    will use about 30 -40mb ram

    Don't jump to conclusions so fast! Did I ever mention anywhere in my post that I want to encrypt an OVZ vps? And sorry but no, OVZ is not like shared hosting. As for VNC, I have never used it. Never had to and I don't prefer it. Enabling VNC on server is a security risk. Thank you for the excellent install notes but I wasn't asking about how to install a vnc server.

    I like being green. I prefer it rather than being a red, yellow or gold snob!

  • krokro Member
    edited November 2013

    lol this is so bad its a crack up

  • @kro said:
    lol this is so bad its a crack up

    What is so bad?

  • @Atomic7 said:
    What is so bad?

    The concept of encrypting a whole VPS as a way to provide security. Information that requires that level of security should not be on a VPS.


    By the way we are all green every decade or so.

    Affiliate link for one of my favorite provider's special offer page

  • @FrankZ said:
    The concept of encrypting a whole VPS as a way to provide security. Information that requires that level of security should not be on a VPS.

    By the way we are all green every decade or so.

    This is just for the learning purpose. It's nothing like I am paranoid and want to implement this on my production server or protect some sensitive information or anything. I just want to know if it's possible. I couldn't find a good tutorial on how to achieve this and wanted some feedback and suggestions. And anyway, once the volume is mounted, everything is decrypted. I want to know if it's possible to stop the provider from accessing/snooping the data on the vps. Any relevant and useful suggestions/feedbacks are appreciated.

  • Encrypt your data partition using cryptsetup

  • RalliasRallias Member, Provider

    Oh my god... all the terrible advice in this thread... it burns... it BURNS... LVM encryption? TRUECRYPT??? VNC?!??!?

    What you need is the ability to boot an ISO. In that ISO, you'll be able to configure all the options you need for encryption during installation. After installation, you'll either need to log into the VNC console or set up dropbear from your initramfs. The latter will be better in the long run. http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/ <- That should help you with a debian-based system.

    Seriously... LVM Encryption? Really?

    Thanked by 3aglodek Atomic7 emg
  • netomxnetomx Member, Moderator

    @Rallias nice setup! Should made that before sending the Pi to edis :(

  • aglodekaglodek Member
    edited November 2013

    @FrankZ said: The concept of encrypting a whole VPS as a way to provide security. Information that requires that level of security should not be on a VPS.

    And why not, pray tell? Not everyone can afford their own data center, while preferring to store sensitive information offshore (read: not at home or office). And a KVM VPS is about as secure (or insecure) as a dedi. Personally, I find @Atomic7's thinking and research of great interest. He may have actually gotten hold of the right idea for a LESS (Low End Secure Server ;)

    EDIT: or LERSS (Low End Relatively Secure Server), rather ;)

    @agonyzt said: Or you can always encrypt just your data partitions? I don't see any reason to encrypt packages binaries or even config files... but if you really wanted you could simply install a normal bootable system and mount the encrypted volume everywhere you need encryption in the file system (mount -o bind)... Just make sure you don't encrypt whatever is necessary to boot hehe.

    I'm in favor of encrypting everything! This way there is no way for a perpetrator to install any rootkit or otherwise corrupt the unencrypted files while the system is offline.

    But yeah, depends on what you're trying to achieve here :) Unlocking the server manually every time it boots can be a pain but I guess it's also the safest.

    Exactly right. And as far as "pain" goes, it kind of depends on how often the system reboots. With proper monitoring and notification, unlocking it manually once, say, every 2-3 months wouldn't be any pain at all ;)

    Thanked by 1k0nsl
    Andrew Glodek | Special Projects Director | 香港國際商務中心 HONG KONG INTERNATIONAL BUSINESS CENTRE
  • @aglodek - Everyone is entitled to their opinion, I just don't agree.

    OP listen to @Rallias for a simple and correct (my opinion) way to do what you asked.

    Affiliate link for one of my favorite provider's special offer page

  • Rallias said: Seriously... LVM Encryption? Really?

    Hum... LVM encryption uses LUKS by default no? I don't think it's any different from using LUKS directly on a drive or partition... but I can be wrong. LVM over LUKS or even LUKS over LVM is a pretty common setup that gives you a lot of flexibility.

  • @Rallias said:
    Oh my god... all the terrible advice in this thread... it burns... it BURNS... LVM encryption? TRUECRYPT??? VNC?!??!?

    What you need is the ability to boot an ISO. In that ISO, you'll be able to configure all the options you need for encryption during installation. After installation, you'll either need to log into the VNC console or set up dropbear from your initramfs. The latter will be better in the long run. http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/ <- That should help you with a debian-based system.

    Seriously... LVM Encryption? Really?

    Thanks a lot for this excellent advice. This is exactly what I wanted. I wonder why anybody didn't suggest this before and I suppose many are using encrypted installs.

    Thanks to all those who helped. I really appreciate it.

  • @Atomic7 said:
    sorry but no, OVZ is not like shared hosting.

    OpenVZ:

    OpenVZ is is a linux based virtualization platform based on the Linux Kernel. OpenVZ allows a physical server to run multiple isolated operating system instances known as containers. OpenVZ can only run linux based operating systems such as Centos, Fedora, Gentoo, and Debian. One disadvantage of OpenVZ users are not able to make any kernel modifications. All virtual servers have to get along with the kernel version the host runs on. However because it doesn't have the overhead of a true hypervisor it is very fast and efficient over KVM, XEN, and VMware.

    KVM:

    KVM provide true virtualization resources which are not shared between the host kernel or other virtual servers. Almost any operating system can run through KVM.

  • @painfreepc said:

    OpenVZ:

    OpenVZ is is a linux based virtualization platform based on the Linux Kernel. OpenVZ allows a physical server to run multiple isolated operating system instances known as containers. OpenVZ can only run linux based operating systems such as Centos, Fedora, Gentoo, and Debian. One disadvantage of OpenVZ users are not able to make any kernel modifications. All virtual servers have to get along with the kernel version the host runs on. However because it doesn't have the overhead of a true hypervisor it is very fast and efficient over KVM, XEN, and VMware.

    KVM:

    KVM provide true virtualization resources which are not shared between the host kernel or other virtual servers. Almost any operating system can run through KVM.

    So? And your point is? I understand that you have some amazing copy paste skills but I have some of those skills too!

    Shared Web Hosting:

    A shared web hosting service or virtual hosting service refers to a web hosting service where many websites reside on one web server connected to the Internet. Each site "sits" on its own partition, or section/place on the server, to keep it separate from other sites. This is generally the most economical option for hosting, as many people share the overall cost of server maintenance.

    Troll:

    A troll is a person who sows discord on the Internet by starting arguments or upsetting people, by posting inflammatory, extraneous, or off-topic messages in an online community (such as a forum, chat room, or blog), either accidentally or with the deliberate intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion.

    I can start my own shared hosting service with an OVZ container but I can't start an OVZ vps service with a shared hosting account. A shared hosting is just limited to webhosting while anyone can do most of the things with an OVZ container those are possible with a KVM or dedicated server. So no, OVZ is nothing like shared hosting. And by shared hosting if you mean sharing a same dedicated server, then KVM is also included in that.

    I am done with this. I have already achieved what I wanted. This isn't a thread about virtualization technologies or anything else and you don't seem to understand the meaning of "relevant". You can continue!

  • PzeaPzea Member, Provider

    KVM&HVM install OS to encrypt disk.

    Pzea.com - jp/SG/HK| VPS & Dedicated Servers
  • Neither Atomic7 nor anyone else has mentioned the threat model. What threat or risk is he defending against? If it is his little sister, then this is obviously overkill. If it is a well-funded, skilled government or similar adversary, then it isn't sufficient.

    If the VPS is not running, then well-designed strong encryption should protect the data at rest. Of course, the problem is how to unlock the encrypted system securely at boot time. The VNC implementations that I have seen on my two KVM VPSs do not offer a secure link. The solution mentioned by @Rallias is the only secure channel solution I have seen.

    As long as the VPS is running, the encryption/decryption keys are in memory. That memory is accessible to the VPS hosting provider, as well as other attackers who may try to compromise the host node or exploit a vulnerability in the running VPS.

  • RalliasRallias Member, Provider

    emg said: That memory is accessible to the VPS hosting provider

    There's maybe 2-3 providers here that know how to dump memory.

  • emgemg Member
    edited November 2013

    @Rallias said:
    There's maybe 2-3 providers here that know how to dump memory.

    Perhaps true, but if the threat model includes a large, well-funded government, I am sure they will assist the provider to obtain the necessary decryption keys.

    Atomic7 wants to encrypt his entire VPS hard drive. Is it reasonable to say, "Your VPS is probably secure, because maybe 2-3 providers here know how to dump memory and get your decryption keys." ?

    Could simpler tools become available over the running lifetime of Atomic7's VPS?

    (P.S. Thank you for sharing that great link to unlocking an encrypted drive over SSH.)

  • @emg What you are asking is already discussed in this thread: http://lowendtalk.com/discussion/17129/how-secure-is-this-vps

    Taking a memory dump is one thing, extracting the encryption keys from that memory dump is a different story altogether. I don't think extracting encryption keys from memory dump is that simple and hardly any hosts here will have that knowledge.

    Can a government organisation do it? Yes, but I am not bothered about any government organisation confiscating my vps.

    Can any of the hosting providers here do it? Most probably not. I just want to keep any curious providers out of my boxes, not because I have anything to hide, just because it's irritating.

    And this was just for the learning purpose. The most practical implementation of this I can see is for those hosts who host their WHMCS on a vps from another provider.

Sign In or Register to comment.