Encryption, paranoia and virtual machines

Alex Volkov avolkov-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Nov 25 16:11:07 UTC 2011


That seems kind of pointless, because the host can always read
encryption keys from shared memory. In theory it should be as easy as

# grep "search_term" /dev/mem

Then all you need to do is create a snapshot of a virtual machine's
logical volume and copy all data.

In the end you would have to either stop worrying about the company
that provides you with hosting service going after your data, or
you'll have to host your own hardware.

Encrypting logical volumes on a shared host is snake oil.

Alex.

On Fri, Nov 25, 2011 at 10:33 AM, Digimer <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
> On 11/25/2011 10:23 AM, Neil Watson wrote:
>>
>> Greetings,
>>
>> A somewhat theoretical situation. You are considering renting a physical
>> host and rack space. The plan being to generate a few virtual machines
>> for internet services. Getting a reliable host in a reliable data centre
>> is attractive. However, you have never been comfortable with others
>> having such close physical access to your data.
>>
>> Whole disk encryption may be a solution. Does one encrypt the physical
>> host only or the virtual hosts or both? What are the options for
>> protecting your data?
>>
>> Sincerely,
>
> Some hosts, like us, rent 1/8th racks for customers who want private, locked
> space.
>
> Setting that aside, I've taken to creating unencrypted KVM VM hosts and then
> creating encrypted LVM LVs to create the servers I care about. This way, I
> can remote boot a host machine and get SSH access, then use that SSH access
> to enter the LV's passphrase.
>
> Alternatively, I leave the LVs as-is and do full disk encryption inside the
> VM.
>
> --
> Digimer
> E-Mail:              digimer-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
> Freenode handle:     digimer
> Papers and Projects: http://alteeve.com
> Node Assassin:       http://nodeassassin.org
> "omg my singularity battery is dead again.
> stupid hawking radiation." - epitron
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
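As an added illustration (not part of the thread, and not code from any of the posters): a small Python model of the trust boundary Alex describes. The filesystem magic, sector size, SHA-256 keystream cipher and RAM layout are all constructed stand-ins for a real LUKS/dm-crypt volume and a real guest; the point it shows is that an LV snapshot on its own yields only ciphertext, while whoever can also read the guest's RAM, which the party running the hypervisor can, holds the volume key and with it the data. Guest-side encryption therefore defends against someone who obtains only the disk (a decommissioned drive, a copied LV), not against the host operator.

```python
"""Toy model of the threat in the thread: the guest's disk is encrypted,
but the party that controls the hypervisor can read the guest's RAM.

Everything here is constructed for illustration.  The sector size, the
'TOYFS' magic, the SHA-256 keystream cipher (NOT a real disk cipher) and
the RAM layout stand in for dm-crypt/LUKS, AES-XTS and a real guest.
"""
import hashlib
import os
from typing import Optional, Tuple

SECTOR = 64                  # constructed toy sector size
KEY_LEN = 32                 # volume key length
MAGIC = b"TOYFS\x00"         # constructed filesystem magic at start of sector 0


def _keystream(key: bytes, sector_no: int) -> bytes:
    """SHA-256(key || sector number), repeated to fill one sector (toy only)."""
    h = hashlib.sha256(key + sector_no.to_bytes(8, "big")).digest()
    return (h * (SECTOR // len(h) + 1))[:SECTOR]


def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR one sector with its keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, sector_no)))


def make_guest(files: bytes) -> Tuple[bytes, bytes]:
    """Build a running guest and return (disk_ciphertext, guest_ram).

    Plaintext volume: sector 0 = MAGIC + padding, sectors 1..3 = file data.
    The guest must keep the volume key in RAM while the volume is open
    (as dm-crypt does); here it sits between random filler at an offset
    the host does not know in advance.
    """
    key = os.urandom(KEY_LEN)
    plain = MAGIC.ljust(SECTOR, b"\x00") + files.ljust(SECTOR * 3, b"\x00")
    disk = b"".join(crypt_sector(key, n, plain[n * SECTOR:(n + 1) * SECTOR])
                    for n in range(len(plain) // SECTOR))
    ram = os.urandom(4096) + key + os.urandom(4096)   # constructed RAM image
    return disk, ram


def plaintext_from_snapshot(disk: bytes) -> Optional[bytes]:
    """What an LV snapshot alone gives: ciphertext.  Returns the magic only
    if it is visible in the clear, otherwise None."""
    return MAGIC if disk.startswith(MAGIC) else None


def key_from_ram(ram: bytes, disk: bytes) -> Optional[bytes]:
    """Host-side view: every KEY_LEN-byte window of guest RAM is a candidate
    key; the one that decrypts sector 0 to the known magic is the volume key.
    Real tools look for cipher-specific key-schedule structure instead, but
    the principle, a key confirmed against known plaintext, is the same."""
    for off in range(len(ram) - KEY_LEN + 1):
        cand = ram[off:off + KEY_LEN]
        if crypt_sector(cand, 0, disk[:SECTOR]).startswith(MAGIC):
            return cand
    return None


def decrypt_volume(key: bytes, disk: bytes) -> bytes:
    """Decrypt a whole snapshot once the key is known."""
    return b"".join(crypt_sector(key, n, disk[n * SECTOR:(n + 1) * SECTOR])
                    for n in range(len(disk) // SECTOR))


if __name__ == "__main__":
    disk, ram = make_guest(b"payroll.csv: alice,100000")
    print("snapshot only ->", plaintext_from_snapshot(disk))        # None
    key = key_from_ram(ram, disk)
    print("with guest RAM ->", decrypt_volume(key, disk)[SECTOR:].rstrip(b"\x00"))
```

The two functions at the end are the two adversaries in the thread: `plaintext_from_snapshot` is someone holding a copy of the LV and nothing else, `key_from_ram` is the operator who can also dump the guest's memory. Moving the encryption from the LV into the VM, as Digimer's second option does, changes nothing in this model, because the key still lives in RAM the hypervisor can read.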