Full Encryption on VPS

Need help with your Linux distro? All questions are good - not all answers are -but we try

Moderator: jkerr82508

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Full Encryption on VPS

Postby Snorkasaurus » 13 Oct 2015, 21:13

I picked up a small cheap Linux (Wheezy) based VPS recently to screw around with, and to be honest... it ain't so bad. The bandwidth is better than my home connection can supply and it seems as stable as I would expect. However, I don't see a way to encrypt it. There are plenty of tutorials on encrypting a home directory in an existing install, but it appears (oddly) that people are not interested in encrypting the rest of their drives. Perhaps it is because I do not use servers as workstations/desktops, but I have plenty of crap that lives in /var and /etc (and elsewhere) that I want encrypted.

It seems to me that the only way to provide system encryption in Linux (all but /boot) is to do so during install... but this VPS hosting company (and I have to assume many others) do not allow ISO image access to reinstall my OS. It does not seem that there is a way to encrypt my /etc and /var (and whatever else) on this box. Does anybody know of a way to do this?

s.

User avatar
viking60
Über-Berserk
Posts: 9281
Joined: 14 Mar 2010, 16:34

Re: Full Encryption on VPS

Postby viking60 » 13 Oct 2015, 22:30

I don't think it is possible without controlling the security of the machine yourself.
The "traditional" way is to use LVM on LUKS + dm-crypt.
Takes a bit of setting up and needs access.
https://wiki.archlinux.org/index.php/Dm ... VM_on_LUKS
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Full Encryption on VPS

Postby Snorkasaurus » 14 Oct 2015, 00:25

viking60 wrote:I don't think it is possible without controlling the security of the machine yourself.
The "traditional" way is to use LVM on LUKS + dm-crypt.
Takes a bit of setting up and needs access.
https://wiki.archlinux.org/index.php/Dm ... VM_on_LUKS

I'm not sure what you mean by "controlling the security of the machine yourself"... what exactly do I need control of? I can restart the VPS, and get in to the [VMWare] BIOS, I have full access to the machine's console as it boots, and full ssh access once it has booted. What I can't do is mount a CD/DVD, install my own OS, and encrypt my drive in the process. I can setup LUKS/dm-crypt on a physical machine, and have done so a number of times, just not on a VPS. I think LUKS/dm-crypt is a cumbersome design that lacks configurability as mentioned here, but it is workable. I should also note that of the encrypted drives I have run, I have only had two fail, both of which were LUKS drives, both of which were less than 1 year old, and within two months of each other (on different hardware and at different physical locations).

As near as I can tell, the linked Arch documentation is written from the perspective of someone who has just booted from the Arch installation media (which has utilities such as cryptsetup, mount, and mkfs available for use). I can't boot from such media (or at least I don't think I can)... I have one virtual drive which comes pre loaded with an OS. My impression is that I can install encryption utilities in my VPS, but that I can't use them because they will destroy the only hard drive my VPS has available to it. My impression is also that I can't mount an ISO image remotely across the Internet on my VPS with 512MB of memory, to do an OS install. Does this mean there is no way to encrypt the drive? :-(

s.

User avatar
viking60
Über-Berserk
Posts: 9281
Joined: 14 Mar 2010, 16:34

Re: Full Encryption on VPS

Postby viking60 » 14 Oct 2015, 09:38

Encryption in some form should be possible like one big LUKS-encrypted volume. There are people that have root access to the hardware that control the VPS (something like IPX with pre-installable images/isos?) and it could be possible to make a memory dump of the VM and search for keys - not easy but possible if mem is not encrypted (not very likely though).

Mem encryption besides swap would traditionally need the HW to play along I think. There is Cryptkeeper though that will address this.
Also a fully encrypted system needs the unencrypted /boot - something has to start first to start the encryption. This can be handled by a removable (boot on a USB or disk in some form) - that is not easy if you cannot hit the HW with a hammer - you are only in a position to curse at it.

There are rules and restrictions if I understand you correctly ("cannot install my own iso") this indicates that the final word on the OS is somewhere else.
:A
http://serverfault.com/questions/521252 ... n-on-a-vps
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Full Encryption on VPS

Postby Snorkasaurus » 14 Oct 2015, 14:38

Oh I am aware that /boot can't be encrypted, and I don't care. I don't keep any data of any consequence in there.

I also realize that it could be possible for a hosting provider to dump and search through the memory of the VM, but I don't think they will. They have hundreds or thousands of VM's, and as far as I can tell, essentially none of them are encrypted. The hosting provider will also have no idea that my VM is encrypted until they need to look at the contents of it. They are not going to go to the trouble of preparing to read memory from encrypted VM's if they do not even know that any of them are encrypted.

I had seen that serverfault link before, as well as a number of other similar posts... it seems that nobody at any of the links I could find have ever successfully encrypted a filesystem on a VPS, and the people who say that it is impossible do not have any concrete reasons why.

I wonder if I could shrink the existing partition, add new partition(s), encrypt one of the new partitions, copy the contents of the drive over to the encrypted partition, then delete the unencrypted partition and start booting from the encrypted one... though I have no experience with such a ridiculous procedure. :-(

s.

User avatar
viking60
Über-Berserk
Posts: 9281
Joined: 14 Mar 2010, 16:34

Re: Full Encryption on VPS

Postby viking60 » 14 Oct 2015, 14:59

I am drawing blanks too :confused
So I guess we have to research it.

What you suggest should be possible with Encfs where you only have to mount your partitions to the new encrypted volume.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Full Encryption on VPS

Postby Snorkasaurus » 14 Oct 2015, 15:24

Will Encfs allow me to encrypt /etc, /var, and /root?
s.

User avatar
viking60
Über-Berserk
Posts: 9281
Joined: 14 Mar 2010, 16:34

Re: Full Encryption on VPS

Postby viking60 » 14 Oct 2015, 15:53

Yes that should be possible.
I am a bit unsure how to do it in one lump with only one key though.

Code: Select all

encfs ~/.etc ~/etc
should do it for /etc but the problem is that /var is on the same level and if you mount / then you would catch boot too....
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"


Return to “Help”