Does anyone have any recommendations for setting up a VPS (KVM virtualization) that has full disk encrpytion? I remember in the past I ordered a test KVM VPS and tried to set it up but it kept failing. It was a test VPS and I didn't renew it as I forgot or got busy. Now would like to try again, and if I can get it working properly will use it to store website backups or emails or something.
Full disk encryption on a KVM VPS?
- Thread starter Conky
- Start date
tchen
New Member
Like the heartbleed issue, the encryption is fine. It's everything around it that's the problem. LUKS works fine at rest and as a walk-away disposal tool. When you're mounted however, everything is wide open from inside and out. The only redeeming quality of full drive encryption on a VPS is that you don't have to worry about your own swap, but any time you've requested a live migration or any other snapshot has come close to your VM, then what's the point.
In a way, there's two sets of people you're guarding against. The opportunist that's rummaging through old hard disks vs the rogue admin. To the OP who's storing website backups or something, just gpg encrypt the tar files as you're backing up. No leakage and it addresses both.
Full drive encryption in a virtual environment is really just a media disposal problem, which only addresses the opportunist.
In a way, there's two sets of people you're guarding against. The opportunist that's rummaging through old hard disks vs the rogue admin. To the OP who's storing website backups or something, just gpg encrypt the tar files as you're backing up. No leakage and it addresses both.
Full drive encryption in a virtual environment is really just a media disposal problem, which only addresses the opportunist.
drmike
100% Tier-1 Gogent
Well, the obvious insecurity of an open encrypted volume exists regardless of what technology, platform, dedicated, virtual, etc.
I can see a lot of cover your arse situations. Numero uno is your provider asked to cut a copy of your disk volume for government. Maybe someone can speak about KVM and the common tools they use to comply with such inquiries. Imagine if you are encrypting your volume, they are going to cut an encrypted volume that goes to the alphabet agency.
In today's world such an event is more and more common and not for very good reasoning - just that they have the bully power to demand such.
I can see a lot of cover your arse situations. Numero uno is your provider asked to cut a copy of your disk volume for government. Maybe someone can speak about KVM and the common tools they use to comply with such inquiries. Imagine if you are encrypting your volume, they are going to cut an encrypted volume that goes to the alphabet agency.
In today's world such an event is more and more common and not for very good reasoning - just that they have the bully power to demand such.
Isn't this the point of LUKS or am I not reading the thread properly?
If you have a VPS with access to AES flags (L56XX's, E3's, E5's), you can do whole-drive encryption without
much issue.
Infact, Ubuntu has it as an install option and others wouldn't take too much effort to get done.
I know we have many users that use LUKS (and it drives me nuts when they need my help and I reboot
the VPS
)
Francisco
If you have a VPS with access to AES flags (L56XX's, E3's, E5's), you can do whole-drive encryption without
much issue.
Infact, Ubuntu has it as an install option and others wouldn't take too much effort to get done.
I know we have many users that use LUKS (and it drives me nuts when they need my help and I reboot
the VPS
)Francisco
If it's backups and you don't want to depend on VM for security, then you should obviously perform the encryption external to the VM.
But there is almost no reason NOT to do the basic encryption things, since they are so easy to set up nowadays. Only reason would be convenience of you need to reboot your VM a lot, but most people keep VM online for as long as possible.
But there is almost no reason NOT to do the basic encryption things, since they are so easy to set up nowadays. Only reason would be convenience of you need to reboot your VM a lot, but most people keep VM online for as long as possible.
Last edited by a moderator:
I guess I have some things to think about. I wanted to do full disk encryption more for learning than for a real need for the extra security, though extra security is never a bad idea I guess.
What then would be the best way to secure your VNC connection so that if you have to reboot and re-enter your encryption password it stays hidden?
What then would be the best way to secure your VNC connection so that if you have to reboot and re-enter your encryption password it stays hidden?
drmike
100% Tier-1 Gogent
Have you tested the disk speed / overhead on such gear where crypto volume running AES is happening? Wonder how heavy this would be on a shared server environment....
I remember thinking it might be feasible to tunnel the VNC to another VPS on the same host node (or at least at the same host, on the same local network switch) as the one you were rebooting. The traffic might have to go unencrypted on a small LAN segment at the host DC, but wouldn't go over the internet that way.
drmike
100% Tier-1 Gogent
This crypto OS topic needs more airtime in general in light of the world we live in today and providers often that are meh. Meh is all up in containers, snooping things for their leisure activity, etc. Plus the heavy burden of government bulldozing data out of weakling providers often with no real basis.
peterw
New Member
Thank you for this great post!
drmike
100% Tier-1 Gogent
What is your disk speed like? I dont need fast disks, not my goal but curious what impact the encryption has on this. I have never compared the two so am curious.