Should I encrypt my VPS' harddrive? [closed]
Is it feasible to remotely encrypt the hard drive of a virtual server (VPS, cloud server like EC2)? This would help to protect the contents of the hard drive from snooping by the host or as a result of a security hole, but has some issues:
- The password has to be entered on startup. Remotely, is this even possible?
- Could the host simply snoop on the password as it is entered?
- Do VPSes provide block-level access to the machine, or just file-level? Is encryption even possible?
- The host (or a judge/policeman/man-with-a-gun telling them what to do) is ultimately in control of the hardware; could they simply examine the memory as the machine runs (similar to a cold boot attack without powering off the machine)?
With these concerns in mind, is encrypting a server with sensitive data simply security theatre, or can it provide real security over an unencrypted drive?
Solution 1:
The password has to be entered on startup. Remotely, is this even possible?
Sure, if you have some sort of console over IP (e.g. Linode's console).
Could the host simply snoop on the password as it is entered?
Well, yes.
Do VPSes provide block-level access to the machine, or just file-level? Is encryption even possible?
The OS requires block-level access, even if it's only virtualized.
The host (or a judge/policeman/man-with-a-gun telling them what to do) is ultimately in control of the hardware; could they simply examine the memory as the machine runs (similar to a cold boot attack without powering off the machine)?
Sure. It's very feasible to suspend a guest to disk and then pick through it with a hex editor afterwards.
With these concerns in mind, is encrypting a server with sensitive data simply security theatre, or can it provide real security over an unencrypted drive?
It makes some sense if you have control over the hardware; when someone else controls the hardware there's little point in it unless you trust that the host doesn't really want to look at it (since they could easily buy the proper expertise if they really wanted to).