Encryption, paranoia and virtual machines

Digimer linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Fri Nov 25 17:32:36 UTC 2011


On 11/25/2011 10:33 AM, Digimer wrote:
> On 11/25/2011 10:23 AM, Neil Watson wrote:
>> Greetings,
>>
>> A somewhat theoretical situation. You are considering renting a physical
>> host and rack space. The plan being to generate a few virtual machines
>> for internet services. Getting a reliable host in a reliable data centre
>> is attractive. However, you have never been comfortable with others
>> having such close physical access to your data.
>>
>> Whole disk encryption may be a solution. Does one encrypt the physical
>> host only or the virtual hosts or both? What are the options for
>> protecting your data?
>>
>> Sincerely,
>
> Some hosts, like us, rent 1/8th racks for customers who want private,
> locked space.
>
> Setting that aside; I've taken to creating unencrypted KVM VM hosts and
> then creating encrypted LVM LVs to create the servers I care about.
> This way, I can remote boot a host machine and get SSH access, then use
> that SSH access to enter the LV's passphrase.
>
> Alternatively, I leave the LVs as-is and do full disk encryption inside
> the VM.
>

If you do the encryption inside the VM (rather than the LV backing it), 
this should no longer be a concern.

-- 
Digimer
E-Mail:              digimer-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Freenode handle:     digimer
Papers and Projects: http://alteeve.com
Node Assassin:       http://nodeassassin.org
"omg my singularity battery is dead again.
stupid hawking radiation." - epitron
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




