Should I encrypt my VPS' harddrive? [closed]

encryption vps

Is it feasible to remotely encrypt the hard drive of a virtual server (VPS, cloud server like EC2)? This would help to protect the contents of the hard drive from snooping by the host or as a result of a security hole, but has some issues:

  • The password has to be entered on startup. Remotely, is this even possible?
  • Could the host simply snoop on the password as it is entered?
  • Do VPSes provide block-level access to the machine, or just file-level? Is encryption even possible?
  • The host (or a judge/policeman/man-with-a-gun telling them what to do) is ultimately in control of the hardware; could they simply examine the memory as the machine runs (similar to a cold boot attack without powering off the machine)?

With these concerns in mind, is encrypting a server with sensitive data simply security theatre, or can it provide real security over an unencrypted drive?


Solution 1:

The password has to be entered on startup. Remotely, is this even possible?

Sure, if you have some sort of console over IP (e.g. Linode's console).

Could the host simply snoop on the password as it is entered?

Well, yes.

Do VPSes provide block-level access to the machine, or just file-level? Is encryption even possible?

The OS requires block-level access, even if it's only virtualized.

The host (or a judge/policeman/man-with-a-gun telling them what to do) is ultimately in control of the hardware; could they simply examine the memory as the machine runs (similar to a cold boot attack without powering off the machine)?

Sure. It's very feasible to suspend a guest to disk and then pick through it with a hex editor afterwards.

With these concerns in mind, is encrypting a server with sensitive data simply security theatre, or can it provide real security over an unencrypted drive?

It makes some sense if you have control over the hardware; when someone else controls the hardware there's little point in it unless you trust that the host doesn't really want to look at it (since they could easily buy the proper expertise if they really wanted to).

Related

Syslog produces hundreds of lines
Do I need child domains in AD?
ZFS on top of iSCSI
Is there today any reason to have multiple domains in one forest
Small store infrastructure - where to begin? [closed]
nginx connection reset
How to count unique visitors in an nginx access.log?
What is the ZFS ACL limit?
Reduce the I/O priority of Windows Backup (Windows Server 2008 R2)
Nginx + PHP-FPM = 502 Bad Gateway
How do I get a SMTP session log in Exim?
Postfix - how to block emails sending out to a particular domain