New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Do providers have access to customer files? (vps)
Hello,
Did any of you ever wonder how much privacy you got as customer related to data you store on your vps?
I know that I did.
Recently i heard from my friend who provides all kinds of hosting services
that it is possible to get & view data from a customer vps without having to know the customer's login information.
If i remember correctly he said that this is possible in XEN, KVM, OpenVZ the only virtualization this wasnt possible in is VMWare.
Can anyone confirm this? if this is true then how can we prevent the providers from obtaining personal/sensitive data from out of our vps? would encrypting the HDD work?
Comments
vzctl enter
And the host can browse your vps if it is openvz.
So yes, it is possible.
I'm not sure how it works with KVM and XEN. But there are always ways to see what you are doing and get data from your vps.
OpenVZ, one mouse click. KVM they need to mount your disk, when it's entcrypted would be harder. Theoretically they could get your key for ssh login from the memory and could login into your machine also KVM.
So basicly, in OpenVZ its like a inbuild Feature in the virtualization software
what about XEN and KVM?
VMWare ESXi is not immune to this. Same ballpark as KVM/XEN. Snapshot image, remount in new VM, enjoy.
If the provider has physical access to your nodes they can get in.
Debian 7 wont let you get into single user mode without a root password (Ironic if you need to reset your root password). This only is good for a KVM/Xen VPS though.
If a disk can be mounted it can be accessed so the answer is yes.
Yes but what i dont get is how they can bypass the login
it makes me think that the virtualization software has a buildin bypass feature to gain access without login details.
They don't have to. Just imagine:
Open your computer case, pull the HDD out, plug it on another computer via USB or whatever, access the files.
It's the same thing really, you can just mount a VM disk image as a second drive just like if it was a physical drive.
It means user have no privacy
Basicly it is easy on every virtualization technique used, only the steps are different.
Which reminds me of a cade where one of my customers vm in vmware wouldn't start because of no free space. Mount the diskimage to another running vm and remove some files. Then unmount and start original vm.
Easy as pie.
That's why it is important to choose a trusted provider.
I doubt whatever is being hosted is top secret. Get off your high horse, and accept that your data can be seen unless you colo your hardware.
Even with colo, someone can get into your cage.
Deja vu....
https://www.google.ca/search?q=site:lowendtalk.com+vps+security
You might as well encrypt the virtual disk since there's no reason not to, as its easy these days (if you're installing through ISO). Still they can dump memory.
Like BuyMyVM
:P :P :P
Thing is, I think I'm not only speaking for myself but any hosting company with a decent amount of customers but we have better things to do than snoop in your VPS.
I obviously know that my data can be seen smartass
that doesnt change the fact that i wanna try to make it harder to be accessable for the provider.
Thanks @agonyzt
that answered it for me.
What software would you guys recommend to encrypt the HDD in a way that the provider would have to spend alot of time in decrypting in order to access it?
Debian seems to come with a encrypt entire disk LVM feature upon installing its OS
is that something that would work and make it real hard for the provider?
I need something that does this encrypting realtime.
Encrypting the hard disk is an option during the installation/partitioning of most Linux flavours these days. Ensure you install via ISO on KVM or XEN HVM
@Mark_R
All your questions are already discussed in these threads:
http://lowendtalk.com/discussion/16941/how-to-encrypt-an-entire-vps
http://lowendtalk.com/discussion/17129/how-secure-is-this-vps
http://lowendtalk.com/discussion/13275/securing-your-unmanaged-vps-vps-provider-threats-and-mitigations
It's possible to create a relatively secure VPS using full disk encryption on KVM virtualization but if your node gets rebooted, your VPS won't be online until it's mounted.
Looks like i got some reading to do.
If in the meantime someone comes up with new ways of protecting vps data
feel free to share it!
Xen/KVM/VMWare/OpenVZ it takes all of 10 seconds at the most if you wanted to access customer data, this applies to shared hosting as well.
If a DC wanted to access the data on a physical server a power cycle and live boot disk and 60 seconds later they have access.
So yeah if your worried encrypt, if your extra worried colo with a pre encrypted hardened server.
However I would like to say that as a host, the only time customer data is accessed is on request e.g. I fried my OS can you get some files for me, or if malicious or criminal intent is suspected and even then it is not to look through your stuff it is to pin point any issues.
Granted it is more effort and more obvious on KVM/Xen if a host has been snooping where as with OpenVZ there is zero separation of data, essentially your VPS exists as a directory on the host node so literally no trace is left and no effort required and in 99% of cases you will find you cant encrypt on OpenVZ.
And if you are extra worried after that, take pills
Or change your business.
the only thing that makes me think twice about encrypting my vps
is the resources it will take, it probably will slow down my vps due the active decryption and eats extra HDD space.
it wont be a budget vps anymore if i choose todo this because i will have to upgrade it again.
@Mark_R sure it puts overhead on but honestly the impact is minimal so minimal in fact that if the performance difference was actually of any real concern you would not be using a VPS to begin with
If you don't trust providers with data, buy your own hardware and build your own datacenter.
Simple as that.
Even then, there's always going to be someone that can access your data at will -- Law enforcement.
If that was a option i would've done it already
but thanks for your "input"
You're complaining for a completely useless cause then.
Providers need access to your data to assist you in cases where you lock yourself out, suspicions are raised that you're hosting illegal material, etc.
I'm not complaining, read the thread before posting sherlock.
I also know that i never want my provider to access my stuff
if i lock myself out or anything i always format my vps and just reinstall it
but this i didn't need todo yet because i know what im doing.
If you still dont get the intention of this thread then i suggest you read the main post again
That's why we, as users, need a trustworthy providers that we can entrust our personal information, credit card information, and data.
Not a 14 years old kid that get hacked more than 5 times in a row, trying to sell VPS.