this post was submitted on 15 Sep 2024
63 points (97.0% liked)

Linux

47949 readers
1629 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

How would you protect files of a VPS (Virtual Private Server) from snooping by the service provider?

top 35 comments
sorted by: hot top controversial new old
[–] schizo@forum.uncomfortable.business 77 points 1 month ago (2 children)

Depends on your threat model and actual realistic concerns.

Ultimately, if it comes down to it, there's very little you can do that's failsafe and 100% guaranteed: the provider has access to your disk, all data in your instances RAM (including encryption keys), and can watch your processes execute in real time and see even the specific instructions your vCPU is executing.

Don't put illegal shit on hardware you do not physically own and have physical control over, and encrypt everything else but like, if the value of your shit is high enough, you're fucked if you're using someone else's computer.

[–] trollblox_@programming.dev 17 points 1 month ago

I like this answer

[–] delirious_owl@discuss.online 7 points 1 month ago* (last edited 1 month ago)

I mean, I'd you're doing to do illegal shit (eg journalism), it is best done on a VPS. This is what basically every military and cyber mercenary orgs do.

Just make sure you only log into the box over Tor, and configure it to only pass data out over Tor. Use it as a jump box. Even if they compromise it, it should tell them nothing about you useful for attribution

[–] nobleshift@lemmy.world 34 points 1 month ago (2 children)

A hacker group in Seattle (GHI) years ago attempted to build secure systems on top of compromised hardware. Although different levels of security could be achieved, the overall outcome was No. You cannot build a fully secured system on top of compromised hardware.

A VPS for this exercise counts as 'compromised' hardware.

[–] Lemmchen@feddit.org 2 points 1 month ago* (last edited 1 month ago) (1 children)
[–] nobleshift@lemmy.world 1 points 1 month ago (1 children)

No link, we didn't publish the work.

[–] Quail4789@lemmy.ml 7 points 1 month ago (1 children)

I mean, assuming you're telling the truth about there being a competent group seriously attempting this, it's still "trust us bro" to conclusively claim it can't be achieved without providing a shred of evidence. This makes your original comment irrelevant and worthless.

[–] possiblylinux127@lemmy.zip 2 points 1 month ago* (last edited 1 month ago)

Intel is pushing there "encrypted enclave" which supposedly protects the host from being able to read or write guest memory. However, I have serious doubt as it is a black box system. It also is very problematic when a security issue (or backdoor) is found as your data is basically exposed

Ultimately you are right about this which is sad. I wonder if at some point there could be a zero knowledge cache for https. Maybe double encrypt it and have the client decrypt it fully.

[–] possiblylinux127@lemmy.zip 27 points 1 month ago

You don't really. Treat it as totally untrusted

[–] Bitrot@lemmy.sdf.org 17 points 1 month ago

Encrypt them before they’re ever put there. One example I can think of is in resilio sync, which has the option for sharing a folder to an encrypted peer. Other peers encrypt it before sending anything, that peer doesn’t have the decryption keys at all.

[–] notabot@lemm.ee 16 points 1 month ago

It depends what you want to do with it. If it's just for storing files/backups then encrypt them before uploading and make sure the key never goes anywhere near the VPS. If it's for serving up something like a simple website, you probably care more about data integrity than exfiltration, so make sure you have the security, including selinux or equivalent, locked down, and regularly run integrity checks. If it's for running something interactive, or where data will be generated or downloaded to the machine, you're out of luck, there's no even theoretical way of securing that against an adversary with that much access.

[–] SirEDCaLot@lemmy.today 14 points 1 month ago

The only way you can do this, is if the only service you use the provider for is storage. Encrypt the data before you send it to the provider and then they don't know what they're storing.

If they have to do any processing on it at all, then conceptually they need a plain text copy of it to feed into the CPU. And if they have that, there is nothing you can do to stop them from stealing it or using it.

There has been some research in this field, the concept is called homomorphic encryption. That is where you encrypt something in a way that allows a third party to manipulate the data without possessing a key. It is still very limited, and likely always will be due to the extreme difficulty of the question.

[–] hperrin@lemmy.world 7 points 1 month ago

Ultimately, you can’t. Even if everything you’re doing is encrypted, they have access to the RAM that’s holding your encryption keys.

[–] oldfart@lemm.ee 6 points 1 month ago* (last edited 1 month ago) (1 children)

Syncthing has a concept of untrusted node, which only gets to store files, not see them

[–] ouch@lemmy.world 1 points 1 month ago
[–] rowanthorpe@lemmy.ml 6 points 1 month ago* (last edited 1 month ago)

If you're only talking about Storage (data at rest) or Network (data in transit) then encrypt/decrypt offsite and never let symmetric keys (or asymmetric private keys) near the VPS, or for in-transit you could similarly setup encrypted tunnels (symmetric/private keys offsite only) where neither end of the tunnel terminates at the VPS. If you're talking about Compute then whatever does the processing inherently needs access to decrypted data (in RAM, cache, etc) to do anything meaningful. Although there are lots of methods for delegating, compartmentalising, obfuscating, etc (like enclaves, TPM/vTPM...) the unavoidable truth is that you must trust whomever owns the base-infra ultimately processing your data. The one vaguely useful way to use "other people's computers" trustlessly is with SMPC (secure multi-party computation) spread sufficiently widely across multiple independent (preferably competing - or even adversarial!) virtual-computation providers, with an "N-of-M keys" policy that avoids any single provider being able to attain a meaningful level of access to your data independently, or being able to view tangible portions of your data while providing functionality during SMPC. That stuff gets super-niche though.

[–] yaMatt@lemmy.world 5 points 1 month ago

I've done a lot of thinking about this over the years.

Ultimately the answer is you cannot, at least with certainty. If you don't own the host, you cannot trust anything that runs on the machine.

A few people have said similar, and that for me is the right answer here. I'll expand on how I used to run my servers, but eventually decided it wasn't worth the effort.

Having said that, there are some things you can do to protect yourself, although it depends on how much you care about your data Vs how much effort you want to put in.

For example, you can disguise your data on disk, by creating an encrypted file on Linux that you mount as a filesystem. Everything you care about runs from there. The ideal solution is you have an encryption key that you store somewhere trusted, that you use to decrypt the volume.

But then of course you have to insert that key each time your machine reboots, such as a kernel update.

You also have to manage and protect that key yourself, otherwise 💥 your data is gone.

Another thing to consider is, is your key in memory or on disk at any time. You need to decrypt the disk without the key ending up on the machine. I passed it over SSH and I assume the LUKS folks know what they're doing about disguising the key in memory, but I don't know for certain. I never looked.

My expectation was that I was doing something outside the norms of how these tools were designed to function, so expect unexpected results.

This isn't to say you cannot trust any provider, it really depends how much you want to trust them.

[–] gian@lemmy.grys.it 4 points 1 month ago

Only real option is to crypt them before putting them on the VPS, but at this point a VPS is pretty useless.

[–] Findmysec@infosec.pub 2 points 1 month ago

Clevis and Tang but even that can only really do so much.

Just encrypt storage on-site

[–] Wispy2891@lemmy.world 1 points 1 month ago

not a technical but you can't just do full disk encryption and put the password manually at every single boot?

It seems very unlikely that a reputable hosting company would snoop even in that case

If we're talking about 3 letter agencies, for the dedicated servers they'll directly seize the disks...

[–] ouch@lemmy.world 1 points 1 month ago* (last edited 1 month ago) (1 children)

Thanks for the comments. I agree on the general consensus, that once an encryption key enters the VPS, the encryption is compromised.

However, I'm thinking more in practical terms, eg. the service provider doing just casual scanning across all disks of VPS instances. Some examples could be: cloud authentication keys, torrc files, specific installed software, SSH private keys, TLS certificates.

[–] Lemmchen@feddit.org 5 points 1 month ago* (last edited 1 month ago) (1 children)

Modern CPUs have some RAM encryption features, but ultimately you're running on hardware outside your control. Personally, I use full disk encryption (except for /boot) and unlock remotely via SSH, but that only helps against automatic scanning of the storage.

[–] ouch@lemmy.world 1 points 1 month ago (1 children)

Do you use dropbear and manually input the password to unlock the LUKS partition, or have you scripted something to automate that?

[–] Lemmchen@feddit.org 2 points 1 month ago* (last edited 1 month ago)

Dropbear + manual input, but I guess you could do that as a single command somehow. I rarely restart this machine, so copying the PW from my PW manager is acceptable for me.

[–] NegativeLookBehind@lemmy.world -3 points 1 month ago (2 children)

LUKS

VPN

Encrypt sensitive files

[–] possiblylinux127@lemmy.zip 5 points 1 month ago

That only works if the decryption is happening on hardware you control. You can not trust any part of the VPS including the memory and CPU

[–] boredsquirrel@slrpnk.net 3 points 1 month ago (3 children)

So how do you decrypt the LUKS vault when you have no sshd running as that thing is not up yet?

[–] fuzzy_feeling@programming.dev 4 points 1 month ago (1 children)

you can but an ssh server in your initramfs.
dropbear-initramfs i guess was the name in debian.

[–] boredsquirrel@slrpnk.net 1 points 1 month ago* (last edited 1 month ago)

Pretty cool!

Android and ChromeOS both also just use fuse for userspace (and user-files) encryption. This could totally be used too.

But of course, if something is not on your RAM it is not safe

[–] JubilantJaguar@lemmy.world 1 points 1 month ago

Another option: encrypt a sparse file rather than a disk volume. Mount the file to local filesystem and open and close it there.

[–] NegativeLookBehind@lemmy.world 1 points 1 month ago (2 children)

Do VPSs typical give you LOM? Honest question. Maybe LUKs isn’t good if you can’t console in.

[–] Zikeji@programming.dev 5 points 1 month ago (1 children)

LUKS, or anything that relies on the server encrypting, is highly vulnerable (see schizo@forum.uncomfortable.business's response).

Your best bet would be encrypting client side before it arrives on the server using a solution like rclone, restic, borg, etc.

[–] boredsquirrel@slrpnk.net 2 points 1 month ago

Yes. No proof their LUKS prompt isnt tampered with

[–] lud@lemm.ee 1 points 1 month ago

Yeah, at least the ones I used have some kind of console/terminal you can use and often you can access BIOS and reinstall the OS if you want.