B
B
by_EL2021-12-13 23:38:46
System administration
by_EL, 2021-12-13 23:38:46

How to protect information on a virtual machine located on the cloud?

There is a virtual machine on the cloud that I want to use as file storage, how can I more or less protect the information, what are your recommendations? (for example, recommend as an option, for example, luks or something like that?
Thank you!

Answer the question

In order to leave comments, you need to log in

5 answer(s)
D
Dmitry Shitskov, 2021-12-13
@Zarom

file storage

Nextcloud with end-to-end encryption

R
rPman, 2021-12-14
@rPman

Absolute protection is still impossible to obtain.
The root of the problem lies in the bootloader, if it can be changed, then everything else can be pulled out through passwords to encrypted partitions.
The second problem is the hoster's ability to get the contents of RAM at any time (almost a regular feature of virtual machines).
In practice, you can make the task of stealing data so expensive that they won’t do it en masse (that is, automatically for all clients) until you really get interested.
The solution lies in the creation of a non-standard bootloader, the task of which is to control the environment (through the analysis of performance and the contents of RAM) in order to protect against spoofing and make it possible to remotely enter the partition encryption password.
The cost of gaining access to RAM can be significantly increased if you take pure hardware and not a virtual machine, and to make life even more difficult for a thief-hoster, run your own hypervisor and your own virtual machines on it (cascaded virtualization is very limited in typical configurations, but of course not impossible).
Of course, the software (operating system) must be completely controlled by the user ( no utilities from the hoster, no ready-made pre-installed images, etc.), everything, starting with the bootloader and the OS kernel, should be yours (or at least publicly reliable, i.e. official, but here the question is what and from whom exactly you protect the data). Not worth mentioning that apart from open source linux there are not many options, while in the worst case it can be your own build from source (based on some gentoo)
I give an example of a simple and cheap solution for the layman - any hosting, even lxc / openvz, (that is, giving absolute control over files to the hoster), and running inside a virtual machine, for example, based on user mode linux, this is literally the linux kernel in the form of a binary (does not require anything, neither kernel modules nor virtualization support, and at the same time does not slow down the work), into which you can sew startup commands (where to get the bootloader, where is the disk image, encryption settings, etc.), the password is entered in the ssh console bootloader (initramfs of the guest machine). All launched binaries should not be hosted on the server, but loaded from a reliable client that controls the launch. Also, for kvm there were patches for online encryption of RAM, but at the cost of a very low speed, but the cost of hacking such a machine becomes prohibitive.
-------------------------------------------------- ------------
The correct way, which gives very high guarantees - to enter the password in the data center to turn on the machine, a special reliable person rides, who carries with him a piece of equipment (console and disk with a loader) and conducts a minimal visual control to track the opening and replacement of hardware (seals, safes and independent online access monitoring systems, i.e. literally webcams and tampering sensors with their own channel to the Internet and a power source), of course, server hardware here should not be from the host but from the client .
And data centers provide such services.
ps such actions are not needed for all servers, but only for application servers, and for example nas can store already encrypted data, no special requirements are needed for them

P
pfg21, 2021-12-14
@pfg21

https://ru.wikipedia.org/wiki/EncFS
transparently encrypts files and stores them in some directory.
in this directory you mount a place from the cloud or you synchronize files from this directory to the cloud.
there are encrypted files in the cloud, you have encfs decrypts them

A
Alexander Chernykh, 2021-12-15
@sashkets

Is the game worth the candle? Who are we protecting ourselves from? In the words of M. Zhvanetsky

There will be an order, you won’t be saved anyway, but there is no order, read what you want

R
rrambo, 2021-12-22
@rrambo

You can flash it with the command rm -rf /
:)

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question