Re: [vserver] Encrypted Vservers

From: Christian Thaeter <ct_at_pipapo.org>
Date: Wed 25 Mar 2015 - 17:54:02 GMT
Message-ID: <20150325185402.615e1c60@jupiter.pipapo.org>

On 2015-03-25 10:25, Laurens Vets wrote:

> I'll clarify my position a bit :)
>
> The machines are all remote (they do not all have serial connections)
> and I want to make sure that if a server is removed or stolen no data
> can be obtained from the guests. I also make the assumption here that
> in order to remove the server, power will be cut. I don't really care
> about the host itself.

The easiest thing is still to set up full disk encryption for the whole
machine (except some small initrd for booting). dmcrypt (at least under
Debian) comes with the necessary infrastructure to unlock the disks
from within the initrd boot process over the network.

You just have to install dropbear and do some configuring of this stuff;
then it starts ssh on a preliminarily configured network and waits for a
passphrase. I have a small helper script here to remotely unlock such
servers:

$ cat /usr/local/bin/unlock_server
#!/bin/sh
# Usage: unlock_server <host>
# Log in to the initrd's dropbear sshd as root, prompt on the forwarded tty
# for the passphrase and write it to the fifo the cryptsetup hook waits on.
ssh -o ControlMaster=no -t "root@$1" '/lib/cryptsetup/askpass "Password: " >/lib/cryptsetup/passfifo'

Like I said earlier: don't forget about swap; either use a swapfile on
the encrypted filesystem or set up an encrypted device for swap.

        Christian

>
> Laurens
>
> On 2015-03-25 08:00, Christian Thaeter wrote:
> > First and foremost you should define against what threats you want
> > to secure the vservers and then think which option would be the
> > best.
> >
> > For example when you 'only' need secure data storage you may look
> > into ecryptfs or tahoe-lafs.
> >
> > Don't forget that you need to encrypt swap storage if there is any,
> > else secret data might end up unencrypted in the swap storage.
> >
> > Also when you encrypt vservers independently you lose the ability
> > to unify/hashify the files to save storage (and memory).
> >
> > You also need some way to feed keys to unlock the vservers, which
> > will be always the weak link in such a setup.
> >
> > Bottom line: If in doubt, just encrypt the whole box; that has more
> > advantages, less maintenance, fewer problems and is a proven way. I
> > use that with dmcrypt'ed partitions and it has worked well for years.
> > If you have enough RAM then the performance impact is negligible as
> > frequently accessed stuff gets cached.
> >
> > Christian
> >
> >
> > On 2015-03-25 08:20, Ben Green wrote:
> >
> >> I have friends who run each guest on its own LVM partition,
> >> encrypted. The partition has to be mounted by the host of course,
> >> and is therefore accessible to that host. This strategy is to
> >> prevent any physical theft of servers resulting in compromised
> >> data.
> >>
> >> I guess it depends on your aims with the encryption.
> >>
> >> Cheers,
> >> Ben
> >>
> >> Quoting Oliver Welter <mail@oliwel.de>:
> >>
> >>> Hi,
> >>>
> >>> the question is what do you expect to be "encrypted"? You can put
> >>> the filesystem of the guest onto an encrypted device but AFAIK you
> >>> cannot prevent the root host from entering/accessing the context of
> >>> the running guest. There is a "Guest Privacy" flag in the vserver
> >>> config, but I am not aware of what exactly it prevents.
> >>>
> >>> My fastest approach would be to construct a kind of "locked down"
> >>> host without root access to prevent administrative staff from
> >>> accessing the guest.
> >>>
> >>> Oliver
> >>>
> >>> On 25.03.2015 at 01:39, Laurens Vets wrote:
> >>>> Hello list,
> >>>>
> >>>> I'm currently looking for a good way to encrypt Vservers.
> >>>>
> >>>> Basically what I want is that when I start a vserver, it asks
> >>>> for a passphrase before booting further. I do not want to
> >>>> encrypt the host itself, only the guests.
> >>>>
> >>>> What would be the best way of doing this and does anyone have any
> >>>> experience in this?
> >>>>
> >>>> Thanks!
> >>
> >>
> >>
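A defender-side check for the swap point raised twice in this thread (swap pages land on disk in the clear unless the swap area itself is a dm-crypt target or a swapfile on an encrypted filesystem). This is an added example, not a script from the list or from the vserver project; the function names, the use of "dmsetup table" to read the device-mapper target type, and the sample /proc/swaps lines in the comments are assumptions.

```shell
#!/bin/sh
# swap_audit: report active swap areas that are not on a dm-crypt target.
# Added example for this thread (not from the list or the vserver project);
# assumes a Debian-style /proc/swaps and the dmsetup tool from LVM2.

# From /proc/swaps-format text on stdin, print "type device" per area
# (header line skipped). Swapfiles are listed too, so they can be checked
# against the filesystem that holds them.
list_swaps() {
    awk 'NR > 1 && NF >= 2 { print $2, $1 }'
}

# From a "dmsetup table" line on stdin ("start length target args..."),
# succeed only when the device-mapper target type is "crypt".
table_is_crypt() {
    awk 'BEGIN { rc = 1 } $3 == "crypt" { rc = 0 } END { exit rc }'
}

# Classify one swap area: $1 = type (partition|file), $2 = its dmsetup
# table text (empty for a plain block device that is not under dm).
# Prints "encrypted", "plain" or "check-filesystem".
classify_swap() {
    case $1 in
        file) echo check-filesystem ;;      # encrypted only if its mount is
        *)    if printf '%s\n' "$2" | table_is_crypt; then
                  echo encrypted
              else
                  echo plain                # swap pages reach the disk in clear
              fi ;;
    esac
}

# Live audit (needs root for dmsetup). Exits 1 if any plain swap exists.
audit_swaps() {
    report=$(list_swaps < /proc/swaps | while read -r type dev; do
        table=
        case $dev in
            /dev/mapper/*|/dev/dm-*) table=$(dmsetup table "$dev" 2>/dev/null) ;;
        esac
        echo "$dev: $(classify_swap "$type" "$table")"
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q ': plain$'
}

# Run the live audit only when invoked as "sh swap_audit run".
case ${1:-} in run) audit_swaps ;; esac
```

A swapfile is reported as check-filesystem rather than judged, because whether it is protected depends on the mount underneath it, which this script does not resolve.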
Received on Wed Mar 25 17:54:09 2015

Generated on Wed 25 Mar 2015 - 17:54:09 GMT by hypermail 2.1.8