I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS? I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
----- On Feb 16, 2020, at 5:18 PM, H agents@meddatainc.com wrote:
> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS?
Yes. You can create LUKS-container on CentOS VPS.
> I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 16.02.20 at 16:46, Subscriber wrote:
> ----- On Feb 16, 2020, at 5:18 PM, H agents@meddatainc.com wrote:
>> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS?
> Yes. You can create LUKS-container on CentOS VPS.
>> I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
The threat does not change while using an open "LUKS-container". So, this does not address your threat model. Something that is only "open" on the client side will be more appropriate ... what is your usage scenario?
-- Leon
On February 16, 2020 11:17:06 AM EST, Leon Fauster via CentOS centos@centos.org wrote:
> On 16.02.20 at 16:46, Subscriber wrote:
>> ----- On Feb 16, 2020, at 5:18 PM, H agents@meddatainc.com wrote:
>>> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS?
>> Yes. You can create LUKS-container on CentOS VPS.
>>> I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
> The threat does not change while using an open "LUKS-container". So, this does not address your threat model. Something that is only "open" on the client side will be more appropriate ... what is your usage scenario?
> -- Leon
Ok, understood. I am just paranoid at a "normal" level.
On 16.02.2020 at 16:18, H wrote:
> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS? I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
Sounds like you want a transparent client-side encryption solution. For instance
https://cryptomator.org/ https://github.com/cryptomator/cryptomator
Alexander
On February 16, 2020 12:13:59 PM EST, Alexander Dalloz ad+lists@uni-x.org wrote:
> On 16.02.2020 at 16:18, H wrote:
>> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS? I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
> Sounds like you want a transparent client-side encryption solution. For instance
> https://cryptomator.org/ https://github.com/cryptomator/cryptomator
> Alexander
Interesting. I looked at the website and it talks about working with various cloud solutions but does not explicitly mention a VPS. Is anyone on this list using it?
On 16/02/2020 15:18, H wrote:
> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS? I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
How about a loop way? It would be a file which you can luks-encrypt, decrypt, u/mount on demand, keep a small filesystem on it.
On 02/17/2020 05:03 AM, lejeczek via CentOS wrote:
> On 16/02/2020 15:18, H wrote:
>> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS? I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
> How about a loop way? It would be a file which you can luks-encrypt, decrypt, u/mount on demand, keep a small filesystem on it.
What is a "loop way"? I googled it together with Linux and file and did not find anything. Is this simply like a separate file that is LUKS-encrypted and I would then mount it for remote access? If so, what would prevent the hosting company - which I presume is the root user - from also accessing it?
> What is a "loop way"? I googled it together with Linux and file and did not find anything.
The proper term is "loopback filesystem".
> Is this simply like a separate file that is LUKS-encrypted and I would then mount it for remote access?
Yes, it's a filesystem in a file that you mount with '-o loop'.
> If so, what would prevent the hosting company - which I presume is the root user - from also accessing it?
You provide the decryption password when you mount it. Once the filesystem is mounted anyone with the appropriate permissions can read it. You can reduce the opportunity of someone accessing it by only mounting it when you need it and unmounting it as soon as possible.
TBH, if you don't trust the root user of a system, then there's not much you can do - there are just so many ways a privileged user can get access to things, both "legitimately" because of their absolute access or "covertly" using trojans and so on that you would never know about. If you have legitimate concerns about the hosting company, then find a different one.
P.
On Feb 24, 2020, at 3:41 AM, Pete Biggs pete@biggs.org.uk wrote:
>> What is a "loop way"? I googled it together with Linux and file and did not find anything.
> The proper term is "loopback filesystem".
This HOWTO I used some 15+ years ago:
http://www.tldp.org/HOWTO/archived/Loopback-Encrypted-Filesystem-HOWTO/Loopb...
Search (not "google", duckduckgo for me ;-) for "encrypted loopback filesystem howto"...
Valeri
>> Is this simply like a separate file that is LUKS-encrypted and I would then mount it for remote access?
> Yes, it's a filesystem in a file that you mount with '-o loop'.
>> If so, what would prevent the hosting company - which I presume is the root user - from also accessing it?
> You provide the decryption password when you mount it. Once the filesystem is mounted anyone with the appropriate permissions can read it. You can reduce the opportunity of someone accessing it by only mounting it when you need it and unmounting it as soon as possible.
> TBH, if you don't trust the root user of a system, then there's not much you can do - there are just so many ways a privileged user can get access to things, both "legitimately" because of their absolute access or "covertly" using trojans and so on that you would never know about. If you have legitimate concerns about the hosting company, then find a different one.
> P.
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 23/02/2020 19:06, H wrote:
> On 02/17/2020 05:03 AM, lejeczek via CentOS wrote:
>> On 16/02/2020 15:18, H wrote:
>>> I wonder if it is possible to set up an encrypted "file container" on a CentOS VPS? I am the root user of the VPS but the hosting company also has access to the VPS and thus all files. Is it possible to create a LUKS-container on the VPS and those files only be accessible by me? IOW, most of the file system on the VPS would be regular file system but the container could be used by me as needed. This would allow the VPS to reboot normally, I could ssh in normally etc etc. I would rsync files as needed to this LUKS-container though.
>> How about a loop way? It would be a file which you can luks-encrypt, decrypt, u/mount on demand, keep a small filesystem on it.
> What is a "loop way"? I googled it together with Linux and file and did not find anything. Is this simply like a separate file that is LUKS-encrypted and I would then mount it for remote access? If so, what would prevent the hosting company - which I presume is the root user - from also accessing it?
That's that precisely, very easy.
a) use dd to create a file, e.g.: dd if=/dev/zero of=gor.loop bs=1M count=2000
b) luks encrypt it: cryptsetup luksFormat gor.loop
c) dev mapper mount it: cryptsetup luksOpen gor.loop luks-gor.loop
d) fs it: mkfs.ext4 /dev/mapper/luks-gor.loop
e) mount it: mount /dev/mapper/luks-gor.loop $PWD/gor.rootfs.encrypted
f) use it (to simplify I'd put cryptOpen + mount + unmount + luksClose into a script)
g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
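The wrapper script suggested in step f), as an added example that is not part of the original message: it runs luksOpen + mount and umount + luksClose around a single command, so the container is open only for as long as that command runs. The function names, the `DRY_RUN` switch, the mount options and the `chmod` are assumptions of this example; as step g) says, root can still read the data while the container is open.

```sh
#!/bin/sh
# Added example: on-demand open/close wrapper for the loop-file LUKS container
# created in steps a)-d). File, mapper and mount point names are placeholders.
# It only shortens the time the container is open; while it is open, root on
# the host can read the files.

# run CMD...: execute CMD, or only print it when DRY_RUN=1 (review the plan without root)
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vault_open FILE NAME MNT: steps c) and e); cryptsetup prompts for the passphrase
vault_open() {
    run cryptsetup luksOpen "$1" "$2" || return 1
    # Undo the mapping if anything after luksOpen fails, so it does not stay open.
    if ! { run mkdir -p "$3" && run mount -o nosuid,nodev "/dev/mapper/$2" "$3"; }; then
        run cryptsetup luksClose "$2"
        return 1
    fi
    run chmod 700 "$3"    # keep other unprivileged users out of the mounted tree
}

# vault_close NAME MNT: unmount first, then remove the device-mapper mapping
vault_close() {
    run umount "$2" || return 1      # fails while files are in use; do not force it
    run cryptsetup luksClose "$1"
}

# vault_with FILE NAME MNT CMD...: open, run CMD, always close, return CMD's status
vault_with() {
    vw_file=$1 vw_name=$2 vw_mnt=$3
    shift 3
    vault_open "$vw_file" "$vw_name" "$vw_mnt" || return 1
    vw_rc=0
    run "$@" || vw_rc=$?
    vault_close "$vw_name" "$vw_mnt" || return 1
    return "$vw_rc"
}

# Command-line use: vault.sh open|close|with ARGS...
case "${1:-}" in
    open)  shift; vault_open "$@" ;;
    close) shift; vault_close "$@" ;;
    with)  shift; vault_with "$@" ;;
esac
```

Running it with `DRY_RUN=1` prints the exact command sequence without touching the system, which is a quick way to check the order of operations before using it as root.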
On 2020-02-24 10:51, lejeczek via CentOS wrote:
> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
Regards.
On 24/02/2020 10:26, Roberto Ragusa wrote:
> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
> More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
> Regards.
With a passphrase only?
On 2020-02-24 14:37, lejeczek via CentOS wrote:
> On 24/02/2020 10:26, Roberto Ragusa wrote:
>> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>>> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
>> More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
>> Regards.
> With a passphrase only?
Attackers don't need the passphrase, they can use the real key used for encryption (dmsetup table).
Regards.
On 02/24/2020 12:42 PM, Roberto Ragusa wrote:
> On 2020-02-24 14:37, lejeczek via CentOS wrote:
>> On 24/02/2020 10:26, Roberto Ragusa wrote:
>>> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>>>> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
>>> More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
>>> Regards.
>> With a passphrase only?
> Attackers don't need the passphrase, they can use the real key used for encryption (dmsetup table).
> Regards.
So the final word seems to be that even if I create this LUKS-encrypted loop-back file and only mount it when needed, immediately un-mount when no longer needed, a root user can access this encrypted file system while it is mounted, and perhaps more importantly, even when it is not mounted since they can get the key as described above?
My reputable VPS hosting provider in Europe of course outsources some of the support to other countries. While I have no immediate suspicion that they access files on my VPS, I also have no way of finding out, nor of protecting myself - apart from not putting "sensitive" files on the VPS or encrypting files before uploading them.
If I upgrade to a dedicated server I expect that I will be the root user but will the hosting company still have access to my server?
On 2020-02-24 15:57, H wrote:
> On 02/24/2020 12:42 PM, Roberto Ragusa wrote:
>> On 2020-02-24 14:37, lejeczek via CentOS wrote:
>>> On 24/02/2020 10:26, Roberto Ragusa wrote:
>>>> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>>>>> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
>>>> More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
>>>> Regards.
>>> With a passphrase only?
>> Attackers don't need the passphrase, they can use the real key used for encryption (dmsetup table).
>> Regards.
> So the final word seems to be that even if I create this LUKS-encrypted loop-back file and only mount it when needed, immediately un-mount when no longer needed, a root user can access this encrypted file system while it is mounted, and perhaps more importantly, even when it is not mounted since they can get the key as described above?
> My reputable VPS hosting provider in Europe of course outsources some of the support to other countries. While I have no immediate suspicion that they access files on my VPS, I also have no way of finding out, nor of protecting myself - apart from not putting "sensitive" files on the VPS or encrypting files before uploading them.
> If I upgrade to a dedicated server I expect that I will be the root user but will the hosting company still have access to my server?
Whoever has physical access to the machine can have everything. In the past I was phrasing it "nothing can stop the guy with the screwdriver". Do not take the screwdriver literally, of course.
Valeri
On 02/24/2020 05:02 PM, Valeri Galtsev wrote:
> On 2020-02-24 15:57, H wrote:
>> On 02/24/2020 12:42 PM, Roberto Ragusa wrote:
>>> On 2020-02-24 14:37, lejeczek via CentOS wrote:
>>>> On 24/02/2020 10:26, Roberto Ragusa wrote:
>>>>> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>>>>>> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
>>>>> More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
>>>>> Regards.
>>>> With a passphrase only?
>>> Attackers don't need the passphrase, they can use the real key used for encryption (dmsetup table).
>>> Regards.
>> So the final word seems to be that even if I create this LUKS-encrypted loop-back file and only mount it when needed, immediately un-mount when no longer needed, a root user can access this encrypted file system while it is mounted, and perhaps more importantly, even when it is not mounted since they can get the key as described above?
>> My reputable VPS hosting provider in Europe of course outsources some of the support to other countries. While I have no immediate suspicion that they access files on my VPS, I also have no way of finding out, nor of protecting myself - apart from not putting "sensitive" files on the VPS or encrypting files before uploading them.
>> If I upgrade to a dedicated server I expect that I will be the root user but will the hosting company still have access to my server?
> Whoever has physical access to the machine can have everything. In the past I was phrasing it "nothing can stop the guy with the screwdriver". Do not take the screwdriver literally, of course.
> Valeri
Well, the scenario with a screw driver I can live with but not other types of access...
On 02/25/2020 12:44 AM, H wrote:
> On 02/24/2020 05:02 PM, Valeri Galtsev wrote:
>> On 2020-02-24 15:57, H wrote:
>>> On 02/24/2020 12:42 PM, Roberto Ragusa wrote:
>>>> On 2020-02-24 14:37, lejeczek via CentOS wrote:
>>>>> On 24/02/2020 10:26, Roberto Ragusa wrote:
>>>>>> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>>>>>>> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
>>>>>> More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
>>>>>> Regards.
>>>>> With a passphrase only?
>>>> Attackers don't need the passphrase, they can use the real key used for encryption (dmsetup table).
>>>> Regards.
>>> So the final word seems to be that even if I create this LUKS-encrypted loop-back file and only mount it when needed, immediately un-mount when no longer needed, a root user can access this encrypted file system while it is mounted, and perhaps more importantly, even when it is not mounted since they can get the key as described above?
>>> My reputable VPS hosting provider in Europe of course outsources some of the support to other countries. While I have no immediate suspicion that they access files on my VPS, I also have no way of finding out, nor of protecting myself - apart from not putting "sensitive" files on the VPS or encrypting files before uploading them.
>>> If I upgrade to a dedicated server I expect that I will be the root user but will the hosting company still have access to my server?
>> Whoever has physical access to the machine can have everything. In the past I was phrasing it "nothing can stop the guy with the screwdriver". Do not take the screwdriver literally, of course.
>> Valeri
> Well, the scenario with a screw driver I can live with but not other types of access...
I spoke with my hosting company where I also have a Hosted VMWare server running CentOS 7.
The person I spoke with said that if I change the root password, this would prevent any support person from logging in. I, as the root, would be the only one (assuming, of course, they have not created any other users). Were I to need support in the future, I would have to give it to them since they would otherwise not be able to log in. I presume I can already look at the logs to see when and from where the root user has logged in.
They also claimed, which I have yet to understand what she meant, that even if they have the root password I can protect directories and their contents. I did not understand what she meant and she could not give me any further information.
Does anyone understand what she might refer to?
On Sat, 29 Feb 2020 at 13:22, H agents@meddatainc.com wrote:
> On 02/25/2020 12:44 AM, H wrote:
>> On 02/24/2020 05:02 PM, Valeri Galtsev wrote:
>>> On 2020-02-24 15:57, H wrote:
>>>> On 02/24/2020 12:42 PM, Roberto Ragusa wrote:
>>>>> On 2020-02-24 14:37, lejeczek via CentOS wrote:
>>>>>> On 24/02/2020 10:26, Roberto Ragusa wrote:
>>>>>>> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>>>>>>>> g) remember!! still at least (depending how you mount it) the 'root' will have access to that data while mounted, obviously!
>>>>>>> More than that: the root user will be able to access data in the future too, since it can steal the key while the data is mounted.
>>>>>>> Regards.
>>>>>> With a passphrase only?
>>>>> Attackers don't need the passphrase, they can use the real key used for encryption (dmsetup table).
>>>>> Regards.
>>>> So the final word seems to be that even if I create this LUKS-encrypted loop-back file and only mount it when needed, immediately un-mount when no longer needed, a root user can access this encrypted file system while it is mounted, and perhaps more importantly, even when it is not mounted since they can get the key as described above?
>>>> My reputable VPS hosting provider in Europe of course outsources some of the support to other countries. While I have no immediate suspicion that they access files on my VPS, I also have no way of finding out, nor of protecting myself - apart from not putting "sensitive" files on the VPS or encrypting files before uploading them.
>>>> If I upgrade to a dedicated server I expect that I will be the root user but will the hosting company still have access to my server?
>>> Whoever has physical access to the machine can have everything. In the past I was phrasing it "nothing can stop the guy with the screwdriver". Do not take the screwdriver literally, of course.
>>> Valeri
>> Well, the scenario with a screw driver I can live with but not other types of access...
> I spoke with my hosting company where I also have a Hosted VMWare server running CentOS 7.
> The person I spoke with said that if I change the root password, this would prevent any support person from logging in. I, as the root, would be the only one (assuming, of course, they have not created any other users). Were I to need support in the future, I would have to give it to them since they would otherwise not be able to log in. I presume I can already look at the logs to see when and from where the root user has logged in.
> They also claimed, which I have yet to understand what she meant, that even if they have the root password I can protect directories and their contents. I did not understand what she meant and she could not give me any further information.
> Does anyone understand what she might refer to?
It really depends on a lot of definitions of 'protect' and other things. If you were to encrypt a partition and only allow it to be unencrypted with your typing a password then it would be protected from them viewing it while it is 'resting'. However you would need to encrypt/unencrypt whenever you needed it to make sure that the window they could see it was small.
In the end, the more layers that a provider is giving you, the more you are having to implicitly trust them. At the lowest layer, if you have a physical server, you are trusting them to not physically mess with the hardware while you aren't in control of it. You also have to trust them at the network layer to a certain extent (they aren't putting in bogon routes, etc etc). The next layer is where you rent the hardware from them. They gain more control to fix things, but you have to trust that the hardware is sound. Next comes the cloud layers where you are going to have to trust that they aren't mounting your partitions or messing with the ring -1 layer to see what you are doing. Finally you have the 'container' level where you have to trust them on everything from the 10k other containers they have to what those containers can see.
The issue will come in on how much money you are willing to save for that cost.. and where the vendor is going to try and make extra money by snooping in on things. They might just do it with DNS mining on their network dns that they hand off to some data-vendor. They might do it in other places. If you are getting too much for too cheap.. you have become the product somewhere.
What is the use-case here? Are you concerned that the host may change the data or just read it? Would re-creating the file anew for each use be practical? What about using the file in an encrypted form? I'm thinking of the case of records on people. Separate "cyphers" for first names, last names and other names would go a long way toward hiding whatever needs to be hidden.
Keeping the host from reading the data might not be a solvable problem. Keeping the host from quietly changing the data might be expensive. If all else fails you might keep copies of the data on separate hosts and compare their md5sums. I expect that doing it on your own host has already been deemed a failure.
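One way to carry out the checksum comparison between copies on separate hosts suggested above, as an added example that is not from the thread. It uses SHA-256 in place of the MD5 sums mentioned; the function names and the constructed sample tree in `demo` are assumptions of this example.

```sh
#!/bin/sh
# Added example: detect silent changes by comparing checksum manifests of two
# copies of the same tree. Run manifest on each host and bring both outputs to
# a machine you trust before comparing them there.

# manifest DIR: print "<sha256>  ./relative/path" for every regular file, sorted by path
manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# compare_manifests A B: print one line per discrepancy; return 1 if any was found.
# The path starts at column 67 of a sha256sum line (64 hex digits + 2 separator chars).
# File names containing a backslash or newline are escaped by sha256sum and are
# not handled here.
compare_manifests() {
    cm_out=$(awk '
        side == "A" { a[substr($0, 67)] = $1; next }      # copy A: path -> hash
        { p = substr($0, 67); seen[p] = 1                 # copy B: check against A
          if (!(p in a))       print "ONLY_IN_B " p
          else if (a[p] != $1) print "MISMATCH " p }
        END { for (p in a) if (!(p in seen)) print "ONLY_IN_A " p }
    ' side=A "$1" side=B "$2" | LC_ALL=C sort)
    if [ -n "$cm_out" ]; then
        printf '%s\n' "$cm_out"
        return 1
    fi
    return 0
}

# demo: constructed sample in a temp dir; copy B has one altered and one missing file
demo() {
    d_tmp=$(mktemp -d) || return 2
    mkdir -p "$d_tmp/a/docs" "$d_tmp/b/docs"
    printf 'alpha\n' > "$d_tmp/a/docs/one.txt"
    printf 'alpha\n' > "$d_tmp/b/docs/one.txt"
    printf 'beta\n'  > "$d_tmp/a/docs/two.txt"
    printf 'BETA\n'  > "$d_tmp/b/docs/two.txt"     # quietly changed on host B
    printf 'gamma\n' > "$d_tmp/a/three.txt"        # missing on host B
    manifest "$d_tmp/a" > "$d_tmp/a.sha256"
    manifest "$d_tmp/b" > "$d_tmp/b.sha256"
    d_rc=0
    compare_manifests "$d_tmp/a.sha256" "$d_tmp/b.sha256" || d_rc=$?
    rm -rf "$d_tmp"
    return "$d_rc"
}
```

Two hosts that disagree tell you something changed but not which copy is the good one; a third manifest kept on your own machine settles that.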
On 02/24/2020 05:01 PM, Michael Hennebry wrote:
> What is the use-case here? Are you concerned that the host may change the data or just read it? Would re-creating the file anew for each use be practical? What about using the file in an encrypted form? I'm thinking of the case of records on people. Separate "cyphers" for first names, last names and other names would go a long way toward hiding whatever needs to be hidden.
> Keeping the host from reading the data might not be a solvable problem. Keeping the host from quietly changing the data might be expensive. If all else fails you might keep copies of the data on separate hosts and compare their md5sums. I expect that doing it on your own host has already been deemed a failure.
General prudence as to someone accessing my files.