Encryption, paranoia and virtual machines

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Nov 25 17:35:38 UTC 2011


On Fri, Nov 25, 2011 at 10:23 AM, Neil Watson
<tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> wrote:
> Greetings,
>
> A somewhat theoretical situation. You are considering renting a physical
> host and rack space.  The plan being to generate a few virtual machines
> for internet services. Getting a reliable host in a reliable data centre
> is attractive.  However, you have never been comfortable with others
> having such close physical access to your data.
>
> Whole disk encryption may be a solution.  Does one encrypt the physical
> host only or the virtual hosts or both? What are the options for
> protecting your data?

I'd think that neither is actually terribly useful.

A large portion of the data on your system isn't secret at all.

For instance, much of the contents of /usr and /bin represent stuff
installed as part of your Linux distribution, which isn't confidential
data, in the slightest.  There might be some value in tripwire-like
rules where you do checksums on those files, so you have some hope of
detecting if they have been tampered with.

But the set of data that is *actually* confidential is rather smaller,
and perhaps doesn't even represent much of your data set.

http://www.wayner.org/node/46

"This new book, Translucent Databases, describes a different attitude
toward protecting the information. Most databases provide elaborate
control mechanisms for letting the right people in to see the right
records. These tools are well-designed and thoroughly tested, but they
can only provide so much support. If someone breaks into the operating
system itself, all of the data on the hard disk is unveiled. If a
clerk, a supervisor, or a system administrator decides to turn
traitor, there's nothing anyone can do.

Translucent databases provide better, deeper protection by scrambling
the data with encryption algorithms. The solutions use the minimal
amount of encryption to ensure that the database is still functional.
In the best applications, the personal and sensitive information is
protected but the database still delivers the information."

The approach that Wayner's book takes is that data that is supposed to
be secure is encrypted before it reaches the host, with the
consequence that encryption keys never need to be on that host, which
is essential to maintain trust when you *don't* trust the system
administrator.
-- 
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
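The translucent-database approach Christopher describes, as an added example that is not part of the original post: sensitive fields are encrypted, and indexed with a keyed one-way hash, on the client before they reach the rented host, so the host's database stores only scrambled values and the key never lives there. The keys, table and patient records are constructed for the demo, and the HMAC-SHA256 counter-mode cipher is an illustrative stdlib stand-in for a standard AEAD such as AES-GCM.

```python
import hashlib, hmac, os, sqlite3

# Constructed client-side secret: stays with the application, never on the rented host.
MASTER = hashlib.sha256(b"constructed demo secret").digest()
ENC_KEY = hmac.new(MASTER, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(MASTER, b"mac", hashlib.sha256).digest()
IDX_KEY = hmac.new(MASTER, b"idx", hashlib.sha256).digest()

def blind_index(value):
    """Keyed one-way hash: the host can match equal values but cannot invert them."""
    return hmac.new(IDX_KEY, value.encode(), hashlib.sha256).hexdigest()

def _keystream(nonce, n):
    # HMAC-SHA256 in counter mode, an illustrative stand-in for a real AEAD cipher.
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def encrypt(text):
    """Encrypt-then-MAC with a fresh nonce; output is nonce || ciphertext || tag."""
    nonce, data = os.urandom(16), text.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()

def decrypt(blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record was altered on the host")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def open_host_db():
    """The rented host's database: it only ever receives scrambled sensitive fields."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (name TEXT, ssn_idx TEXT, ssn_ct BLOB, notes_ct BLOB)")
    return conn

def store(conn, name, ssn, notes):
    conn.execute("INSERT INTO patient VALUES (?, ?, ?, ?)",
                 (name, blind_index(ssn), encrypt(ssn), encrypt(notes)))

def find_by_ssn(conn, ssn):
    """Lookups still work: the host matches on the blind index, the client decrypts."""
    row = conn.execute("SELECT name, ssn_ct, notes_ct FROM patient WHERE ssn_idx = ?",
                       (blind_index(ssn),)).fetchone()
    return None if row is None else (row[0], decrypt(row[1]), decrypt(row[2]))

def host_view(conn):
    """What an administrator with full disk access sees: names and opaque blobs only."""
    return conn.execute("SELECT name, ssn_idx, ssn_ct, notes_ct FROM patient").fetchall()
```

Disk encryption on the host would not change what `host_view` shows to someone holding root there; keeping the key on the client side is what keeps the SSN and notes columns opaque.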