How to encrypt an entire VPS?
Can someone please explain (post a tutorial about) how to encrypt an entire VPS installation; like in Ubuntu desktop how you can encrypt the entire installation and require a password every time you switch on the machine. And how to enter that initial password for the VPS? Is it only possible with KVM over IP or can it be done on a regular VPS?
Comments
Get KVM to start with... someone else here will need to give you the rest of the info.
You need to go with KVM or Xen HVM, and use LVM encryption.
I wasn't asking about KVM as in virtualization technology, I was asking about iKVM or KVM over IP (Keyboard, Video and Mouse over IP). Anyway, if I encrypt an entire VPS, how would I enter the initial password?
Plaintext over VNC :-)
Yes, I get that, but you can't encrypt an OpenVZ VPS, that's what I meant. You need to go with either Xen HVM or KVM in order to be able to use LVM encryption. If you go with either of those two, your provider will provide you with VNC details, you can use those to enter your password.
mind blown
Thank you! Can someone suggest good tutorials (links) about encrypting a vps? How to get VNC details for a DigitalOcean Droplet? And do I need to install VNC server on my vps? If so, wouldn't that be decreasing the security of the vps?
DigitalOcean provides VNC access from their control panel, so you don't need to install VNC yourself. I haven't used LVM before, but IIRC you have to set it up while installing your operating system, which is not something that DO is going to let you do. Someone else will be able to help you with LVM better, but I'd suggest you to stay away from DO if you're planning on using LVM encryption, I don't think they support it.
You can install and configure dropbear ssh which will start before you unlock the disks, allowing you to securely enter the password, google for a tutorial.
Same thing using OpenSSH, I should think...?
@Giulio gonna have to try using dropbear for the encrypted connection, as it seems as though the password is meaningless with a plain vnc console session - thanks!
@aglodek as far as I have noticed, openssh isn't ready yet, or hasn't started at this runlevel.
That being said, here is what I found after a quick search.
http://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot
http://blog.nguyenvq.com/2011/09/13/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu/
I'll give it a whirl and try and remember to post about it
It's not that easy being GREEN
Having to spend each day the color of the leaves
When I think it could be nicer being red, or yellow, or gold
Or something much more colorful like that
It's not easy being GREEN
Am I missing something here or is your reply completely irrelevant and pointless and makes no sense at all?
Or you can always encrypt just your data partitions? I don't see any reason to encrypt packages binaries or even config files... but if you really wanted you could simply install a normal bootable system and mount the encrypted volume everywhere you need encryption in the file system (mount -o bind)... Just make sure you don't encrypt whatever is necessary to boot hehe.
But yeah, depends on what you're trying to achieve here. Unlocking the server manually every time it boots can be a pain but I guess it's also the safest.
Are you asking about a login/display manager where you need to input a password when you VNC into your VPS?
If you are you can look into installing GDM or LightDM, if you are using Debian.
i am just saying he is totally green,
not understand OpenVZ is like shared hosting,
not know DigitalOcean already has vnc
and gives no reason for why the need to encrypt all of the vps,
yes i have encrypted a laptop using truecrypt because someone can steal my laptop,
don't think anyone is going to walk into a datacenter and steal my vps,
as agonyzt said: you only need to encrypt the data partition..
note to Atomic7,
if your vps is not with DigitalOcean, here are my install notes for tightvncserver on 12.04:
//Install X, LXDE, VNC programs
apt-get install xorg lxde-core tightvncserver
//Start VNC to create config file
sudo tightvncserver :1
//Then stop VNC
sudo tightvncserver -kill :1
//Edit config file to start session with LXDE:
sudo nano /home/blackboy/.vnc/xstartup
//Add this at the bottom of the file:
lxterminal &
/usr/bin/lxsession -s LXDE &
//Restart VNC
tightvncserver :1
Will use about 30-40 MB RAM.
I'm not so sure how effective this will be on a VPS but truecrypt will encrypt your entire hard drive, but it'll require a manual password input on boot... so I don't know how that would work
Thank you for all your help.
Thanks for the suggestion. Yeah, it's a nice and convenient solution and I don't prefer using VNC. Another solution would be to automate the entire unlocking process by storing key on the vps itself, but it would kind of defeat the whole purpose of encrypting the vps. I am going to try both the things and see if they work.
I was asking about the password to mount the encrypted volume on boot.
I think it can be achieved using dropbear ssh as @Giulio suggested or can be done automatically by storing keyfile on the server. I am going to give this a try and see if it works.
LoL! What?
Don't jump to conclusions so fast! Did I ever mention anywhere in my post that I want to encrypt an OVZ vps? And sorry but no, OVZ is not like shared hosting. As for VNC, I have never used it. Never had to and I don't prefer it. Enabling VNC on server is a security risk. Thank you for the excellent install notes but I wasn't asking about how to install a vnc server.
I like being green. I prefer it rather than being a red, yellow or gold snob!
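The trade-off discussed in the post above (typing the passphrase at boot versus storing a keyfile on the server) can be checked on an existing system by reading `/etc/crypttab`. The following is an added example, not part of the original thread; the sample entries, device names and key path are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how each crypttab entry obtains its key.
# crypttab fields: <name> <source device> <key file> <options>

classify_entry() {
    # $1 = key file field, $2 = options field
    case ",$2," in
        *,keyscript=*) echo "keyscript"; return ;;   # key comes from a helper script
    esac
    case "$1" in
        none|-|"")                echo "prompt" ;;          # passphrase asked at boot
        /dev/urandom|/dev/random) echo "ephemeral" ;;       # throwaway key (e.g. swap)
        *)                        echo "keyfile-on-disk" ;; # key stored on the server
    esac
}

audit_crypttab() {
    # $1 = path to a crypttab file; prints "<name> <class>" for each entry
    while read -r name source keyfile options rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        echo "$name $(classify_entry "$keyfile" "$options")"
    done < "$1"
}

count_stored_keys() {
    # Number of volumes that unlock without anyone typing a passphrase
    audit_crypttab "$1" | grep -c ' keyfile-on-disk$' || true
}

# Constructed sample crypttab (not taken from any real server)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# <name>     <source device>         <key file>       <options>
root_crypt   UUID=0000-placeholder   none             luks
data_crypt   /dev/vdb1               /root/data.key   luks
swap_crypt   /dev/vda3               /dev/urandom     swap,cipher=aes-xts-plain64,size=256
EOF

audit_crypttab "$SAMPLE"
```

A `keyfile-on-disk` result is only as strong as the place the file lives: a keyfile kept on an unencrypted filesystem hands the key to anyone who can read the disk image, while one stored inside a root volume that itself needs a passphrase is protected by that passphrase.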
lol this is so bad it's a crack up
What is so bad?
The concept of encrypting a whole VPS as a way to provide security. Information that requires that level of security should not be on a VPS.
By the way we are all green every decade or so.
This is just for the learning purpose. It's nothing like I am paranoid and want to implement this on my production server or protect some sensitive information or anything. I just want to know if it's possible. I couldn't find a good tutorial on how to achieve this and wanted some feedback and suggestions. And anyway, once the volume is mounted, everything is decrypted. I want to know if it's possible to stop the provider from accessing/snooping the data on the vps. Any relevant and useful suggestions/feedbacks are appreciated.
Encrypt your data partition using cryptsetup
Oh my god... all the terrible advice in this thread... it burns... it BURNS... LVM encryption? TRUECRYPT??? VNC?!??!?
What you need is the ability to boot an ISO. In that ISO, you'll be able to configure all the options you need for encryption during installation. After installation, you'll either need to log into the VNC console or set up dropbear from your initramfs. The latter will be better in the long run. http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/ <- That should help you with a debian-based system.
Seriously... LVM Encryption? Really?
@Rallias nice setup! Should have made that before sending the Pi to edis
And why not, pray tell? Not everyone can afford their own data center, while preferring to store sensitive information offshore (read: not at home or office). And a KVM VPS is about as secure (or insecure) as a dedi. Personally, I find @Atomic7's thinking and research of great interest. He may have actually gotten hold of the right idea for a LESS (Low End Secure Server)
EDIT: or LERSS (Low End Relatively Secure Server), rather
I'm in favor of encrypting everything! This way there is no way for a perpetrator to install any rootkit or otherwise corrupt the unencrypted files while the system is offline.
Exactly right. And as far as "pain" goes, it kind of depends on how often the system reboots. With proper monitoring and notification, unlocking it manually once, say, every 2-3 months wouldn't be any pain at all
@aglodek - Everyone is entitled to their opinion, I just don't agree.
OP listen to @Rallias for a simple and correct (my opinion) way to do what you asked.
Hum... LVM encryption uses LUKS by default no? I don't think it's any different from using LUKS directly on a drive or partition... but I can be wrong. LVM over LUKS or even LUKS over LVM is a pretty common setup that gives you a lot of flexibility.
Thanks a lot for this excellent advice. This is exactly what I wanted. I wonder why anybody didn't suggest this before and I suppose many are using encrypted installs.
Thanks to all those who helped. I really appreciate it.