KVM, LUKS, I/O

bbb

New Member
Anyone else encrypt their / and swap on their KVM VPSs? If so, have you noticed any significant decreases in read/write speeds?

I think it's another good reason to choose KVM -- full-disk encryption.
 
Last edited by a moderator:

wlanboy

Content Contributer
As long as there is shared memory the host can always catch the encrytion key out of the shared memory.

Second thing is that you have to enter the key through VNC on boot.

Third thing the disk access is decrypted if the server is running. The host can just jump into your VM.

I would just tcpdump the VNC traffic... the VNC server is running on the host too.

Full disk encryption helps if you cannot sleep because someone can shutdown the server and steal your harddisk. I do this for all of my laptops and external hard drives.

So why do you want disk encryption on a vm?
 
Last edited by a moderator:

TheLinuxBug

New Member
As long as there is shared memory the host can always catch the encrytion key out of the shared memory. Second thing is that you have to enter the key through VNC on boot. Third thing the disk access is decrypted if the server is running. The host can just jump into your VM.
1. You assume that most people know how to pull this directly from memory, most with out experience wouldn't even know where to begin.

2. If you as a host are dumping my vnc sessions, we have a whole other conversation we need to be having, mostly about your customer privacy

3. I wasn't aware that KVM had a way you can drop into the server without knowing the root credentials for it, can you give me an example of how this is done? (Seriously, I want to know, I have several testing environments with KVM running and I am yet to figure out how I can just drop into an instance)

So why do you want disk encryption on a vm?
Why wouldn't someone want encryption on their vm?  It is called privacy.

Anyone else encrypt their / and swap on their KVM VPSs? If so, have you noticed any significant decreases in read/write speeds?
Back on topic, there is defiantly overhead  associated with doing full disk encryption, you will use more IO and you will notice that it also uses a small chunk of you memory up for the drive encryption. If you are on good hardware, especially SSD, you shouldn't notice too much slow down on IO, but if you test with vs without there would defiantly be a difference in performance.  It is a trade off of some resources for the ability to feel a bit more secure.

Cheers! 
 
Last edited by a moderator:

acd

New Member
1. You assume that most people know how to pull this directly from memory, most with out experience wouldn't even know where to begin.


2. If you as a host are dumping my vnc sessions, we have a whole other conversation we need to be having, mostly about your customer privacy


3. I wasn't aware that KVM had a way you can drop into the server without knowing the root credentials for it, can you give me an example of how this is done? (Seriously, I want to know, I have several testing environments with KVM running and I am yet to figure out how I can just drop into an instance)
  • I'll just leave this here ( T. Petterson, 2007, Cryptographic Key recovery from linux memory dumps ) It was the first google hit anyway.
  • True, also luks/dmcrypt unlock does not require VNC. Research your options, console is not required (hint: sshd in initrd). This is obviated by 1 & 3.
  • Easiest way is to pause the kvm, modify kernel memory structures to run an additional process, unpause kvm. 
To do any poking about on the hostnode, the linux and libvirt permissions model requires the attacker to have root, which is about the same as no encryption at all, just an extra layer of abstraction.

Long story short, dmcrypt is pretty useless on KVM unless the VM is off when the attack starts. However, if your provider is willing to attempt #1 or 3 without a court order, you need to find a new provider. If you are a provider willing to do #1 or 3 on a customer KVM, your privacy policy sucks and I hope your clients figure out you're shady before buying in.
 
Last edited by a moderator:

D. Strout

Resident IPv6 Proponent
The sad truth is, once someone has physical access to the host machine, all bets are off. With a little know-how, it's usually possible to retrieve stuff. Dedicated is a different story, encrypt that and you should be all set. But really, I wouldn't store sensitive stuff on a machine where physical access is out of my direct control.
 
Top