# Full disk encryption on a KVM VPS?



## Conky (May 11, 2014)

Does anyone have any recommendations for setting up a VPS (KVM virtualization) that has full disk encryption? I remember in the past I ordered a test KVM VPS and tried to set it up but it kept failing. It was a test VPS and I didn't renew it as I forgot or got busy. Now I would like to try again, and if I can get it working properly will use it to store website backups or emails or something.


----------



## perennate (May 11, 2014)

Use encrypted LVM, not much else to say. There shouldn't be any special configuration needed compared to a non-KVM environment.


----------



## drmike (May 11, 2014)

So how allegedly secure is encrypted LVM as, say, installed as an option in Debian? Anyone aware of any reviews of the encryption attack vectors, cryptanalysis, etc.? Has such truly been vetted or are we blindly believing in it like we did with SSL?


----------



## tchen (May 11, 2014)

Like the Heartbleed issue, the encryption is fine. It's everything around it that's the problem. LUKS works fine at rest and as a walk-away disposal tool. When you're mounted, however, everything is wide open from inside and out. The only redeeming quality of full drive encryption on a VPS is that you don't have to worry about your own swap, but any time you've requested a live migration or any other snapshot has come close to your VM, then what's the point.

In a way, there's two sets of people you're guarding against. The opportunist that's rummaging through old hard disks vs. the rogue admin. To the OP who's storing website backups or something, just gpg encrypt the tar files as you're backing up. No leakage and it addresses both.

Full drive encryption in a virtual environment is really just a media disposal problem, which only addresses the opportunist.


----------
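An added example, not part of any post in this thread: the "gpg encrypt the tar files as you're backing up" approach from tchen's post, written as a POSIX shell function. It assumes public-key encryption to a key whose private half is kept off the VPS; the function name, the fingerprint argument and the `.partial`/`.tarfail` file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). The archive is streamed from tar
# straight into gpg, so no plaintext tarball is ever written to the VPS disk.
# Assumption: $2 is the full fingerprint of a public key already imported on
# the VPS; the matching private key lives on another machine.

encrypt_backup() {
    src=$1 fpr=$2 out=$3
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }

    tmp="$out.partial"      # hypothetical names for the scratch files
    flag="$out.tarfail"
    rm -f "$tmp" "$flag"

    # POSIX sh has no pipefail, so a tar failure is recorded in a flag file
    # and checked after the pipeline finishes.
    # --trust-model always: the key is pinned by full fingerprint instead of
    # relying on web-of-trust ownertrust, which an imported key lacks.
    { tar -C "$src" -czf - . || : > "$flag"; } |
        gpg --batch --yes --trust-model always \
            --encrypt --recipient "$fpr" --output "$tmp"
    rc=$?

    if [ "$rc" -ne 0 ] || [ -e "$flag" ]; then
        rm -f "$tmp" "$flag"    # never leave a truncated archive behind
        return 1
    fi
    mv "$tmp" "$out"
}

# Usage (placeholder fingerprint):
#   encrypt_backup /var/www "<FINGERPRINT>" "/backup/www-$(date +%F).tar.gz.gpg"
```

Restoring is done on the machine that holds the private key: `gpg --decrypt` piped into `tar -xzf -`.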



## MCH-Phil (May 11, 2014)

loop-aes?  I don't know if this is even relevant nowadays.


----------



## peterw (May 12, 2014)

Full disk encryption is useless for KVM. You have to enter the password on each reboot with unsecured VNC. If the password is entered the volume is unencrypted. It is only useful for dedicated servers to secure your information if someone is stealing or exchanging the disks.


----------



## drmike (May 12, 2014)

Well, the obvious insecurity of an open encrypted volume exists regardless of what technology, platform, dedicated, virtual, etc.

I can see a lot of cover your arse situations.  Numero uno is your provider asked to cut a copy of your disk volume for government.   Maybe someone can speak about KVM and the common tools they use to comply with such inquiries.  Imagine if you are encrypting your volume, they are going to cut an encrypted volume that goes to the alphabet agency.

In today's world such an event is more and more common and not for very good reasoning - just that they have the bully power to demand such.


----------



## Francisco (May 12, 2014)

Isn't this the point of LUKS or am I not reading the thread properly?

If you have a VPS with access to AES flags (L56XX's, E3's, E5's), you can do whole-drive encryption without much issue.

In fact, Ubuntu has it as an install option and others wouldn't take too much effort to get done.

I know we have many users that use LUKS (and it drives me nuts when they need my help and I reboot the VPS)

Francisco


----------



## perennate (May 12, 2014)

If it's backups and you don't want to depend on VM for security, then you should obviously perform the encryption external to the VM.

But there is almost no reason NOT to do the basic encryption things, since they are so easy to set up nowadays. Only reason would be convenience if you need to reboot your VM a lot, but most people keep VM online for as long as possible.


----------



## MiguelQ (May 12, 2014)

peterw said:


> Full disk encryption is useless for KVM. You have to enter the password on each reboot with unsecured VNC. If the password is entered the volume is unencrypted. It is only useful for dedicated servers to secure your information if someone is stealing or exchanging the disks.


http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/


----------



## Conky (May 12, 2014)

I guess I have some things to think about. I wanted to do full disk encryption more for learning than for a real need for the extra security, though extra security is never a bad idea I guess.

What then would be the best way to secure your VNC connection so that if you have to reboot and re-enter your encryption password it stays hidden?


----------



## drmike (May 13, 2014)

Francisco said:


> Isn't this the point of LUKS or am I not reading the thread properly?
> 
> 
> If you have a VPS with access to AES flags (L56XX's, E3's, E5's), you can do whole-drive encryption without
> ...


Have you tested the disk speed / overhead on such gear where crypto volume running AES is happening?  Wonder how heavy this would be on a shared server environment....


----------
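An added example, not part of any post: a POSIX shell check for the "AES flags" Francisco mentions, as a first step toward answering the overhead question above. A KVM guest only sees `aes` in `/proc/cpuinfo` if the hypervisor's CPU model exposes it, so the check is run inside the VPS; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether every vCPU of the
# guest advertises the "aes" flag (AES-NI). The cpuinfo path is a parameter
# so the functions can be run against a saved copy as well.

cpus_without_aes() {
    # Print the processor numbers whose flags line lacks the exact word
    # "aes". Word matching matters: "vaes" must not count as "aes".
    awk -F: '
        /^processor[ \t]*:/ { cpu = $2; gsub(/[ \t]/, "", cpu) }
        /^flags[ \t]*:/ {
            n = split($2, f, " "); has = 0
            for (i = 1; i <= n; i++) if (f[i] == "aes") has = 1
            if (!has) print cpu
        }' "${1:-/proc/cpuinfo}"
}

has_aes_ni() {
    f=${1:-/proc/cpuinfo}
    # Exit 2: no flags lines at all (not x86, or file unreadable).
    grep -q '^flags' "$f" 2>/dev/null || return 2
    # Exit 0 only if no vCPU is missing the flag, otherwise 1.
    [ -z "$(cpus_without_aes "$f")" ]
}

# Usage on the VPS:
#   has_aes_ni && cryptsetup benchmark
# "cryptsetup benchmark" measures cipher throughput in memory, not disk I/O,
# so compare its aes-xts figure with what the virtual disk can deliver.
```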



## willie (May 13, 2014)

Conky said:


> What then would be the best way to secure your VNC connection so that if you have to reboot and re-enter your encryption password it stays hidden?


I remember thinking it might be feasible to tunnel the VNC to another VPS on the same host node (or at least at the same host, on the same local network switch) as the one you were rebooting.  The traffic might have to go unencrypted on a small LAN segment at the host DC, but wouldn't go over the internet that way.


----------



## drmike (May 13, 2014)

This crypto OS topic needs more airtime in general in light of the world we live in today and providers often that are meh.  Meh is all up in containers, snooping things for their leisure activity, etc.  Plus the heavy burden of government bulldozing data out of weakling providers often with no real basis.


----------



## peterw (May 14, 2014)

MiguelQ said:


> http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/


Thank you for this great post!


----------



## drmike (May 14, 2014)

MiguelQ said:


> http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/


+1 looks awesome!

Anyone tried this yet?


----------



## dano (May 14, 2014)

Been using a KVM virtual machine with disk encryption in Debian for about a year, and I haven't had any issues with it booting, or stability, etc.


----------



## Conky (May 14, 2014)

dano said:


> Been using a KVM virtual machine with disk encryption in Debian for about a year, and I haven't had any issues with it booting, or stability, etc.


What is your disk speed like? I don't need fast disks, not my goal but curious what impact the encryption has on this. I have never compared the two so am curious.


----------

