Re: [vserver] Encrypted Vservers

From: Christian Thaeter <ct_at_pipapo.org>
Date: Wed 25 Mar 2015 - 15:00:12 GMT
Message-ID: <20150325160012.6d7fa0af@jupiter.pipapo.org>

First and foremost you should define against what threats you want to
secure the vservers and then think which option would be the best.

For example when you 'only' need a secure data storage you may look into
ecryptfs or tahoe-lafs.

Don't forget that you need to encrypt swap storage if there is any,
else secret data might end up unencrypted in the swap storage.

Also when you encrypt vservers independently you loose the ability to
unify/hashify the files to save storage (and memory).

You also need some way to feed keys to unlock the vservers, which will
be always the weak link in such a setup.

Bottomline: If in doubt, just encrypt the whole box, that has more
advantages, less maintenance, less problems and is a proven way. I use
that with dmcrypt'ed partitions and it works well since years. If you
have enough RAM then the performance impact is negligible as frequent
accessed stuff gets cached.

        Christian

On 2015-03-25 08:20, Ben Green wrote:

> I have friends who run each guest on its own LVM partition,
> encrypted. The partition has to be mounted by the host of course, and
> is therefore accessible to that host. This strategy is to prevent
> any physical theft of servers resulting in compromised data.
>
> I guess it depends on your aims with the encryption.
>
> Cheers,
> Ben
>
> Quoting Oliver Welter <mail@oliwel.de>:
>
> > Hi,
> >
> > the question is what do you expect to be "encrypted"? You can put
> > the filesystem of the guest onto an encrypted device but AFAIK you
> > can not prevent the root host to enter/access the context of the
> > running guest. There is a "Guest Privacy" Flag in the vserver
> > config, but I am not aware of what exactly it prevents.
> >
> > My fastest approach would be to construct a kind of "locked down"
> > host without root access to prevent administrative staff from
> > accessing the guest.
> >
> > Oliver
> >
> > Am 25.03.2015 um 01:39 schrieb Laurens Vets:
> >> Hello list,
> >>
> >> I'm currently looking for a good way to encrypt Vservers.
> >>
> >> Basically what I want is that when I start a vserver, it asks for a
> >> passphrase before booting further. I do not want to encrypt the
> >> host itself, only the guests.
> >>
> >> What would be the best way of doing this and does anyone have any
> >> experience in this?
> >>
> >> Thanks!
>
>
>
Received on Wed Mar 25 15:00:23 2015

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 25 Mar 2015 - 15:00:23 GMT by hypermail 2.1.8