On 02/24/2020 05:02 PM, Valeri Galtsev wrote: > > > On 2020-02-24 15:57, H wrote: >> On 02/24/2020 12:42 PM, Roberto Ragusa wrote: >>> On 2020-02-24 14:37, lejeczek via CentOS wrote: >>>> >>>> >>>> On 24/02/2020 10:26, Roberto Ragusa wrote: >>>>> On 2020-02-24 10:51, lejeczek via CentOS wrote: >>>>>> g) remember!! still at least (depending how you mount it) >>>>>> the 'root' will have access to that data while mounted, >>>>>> obviously! >>>>> >>>>> More than that: the root user will be able to access data >>>>> in the future too, since it can steal the key >>>>> while the data is mounted. >>>>> >>>>> Regards. >>>>> >>>> With a passphare only? >>> >>> Attackers don't need the passphrase, they can use the >>> real key used for encryption (dmsetup table). >>> >>> Regards. >>> >> So the final word seems to be that even if I create this LUKS-encrypted loop-back file and only mount it when needed, immediately un-mount when no longer needed, a root user can access this encrypted file system while it is mounted, and perhaps more importantly, even when it is not mounted since they can get the key as described above? >> >> My reputable VPS hosting provider in Europe of course outsources some of the support to other countries. While I have no immediate suspicion that they access files on my VPS, I also have no way of finding out, nor of protecting myself - apart from not putting "sensitive" files on the VPS or encrypting files before uploading them. >> >> If I upgrade to a dedicated server I expect that I will be the root user but will the hosting company still have access to my server? >> > > Whoever has physical access to the machine can have everything. In the past I was phrasing it "nothing can stop the guy with the screwdriver". Do not take the screwdriver literally, of course. > > Valeri > Well, the scenario with a screw driver I can live with but not other types of access...