On 8/28/20 6:10 PM, Michael Orlitzky wrote:
> I think I see where we're diverging: I'm assuming that the employees of the VPS provider can hop onto any running system with root privileges.

Perhaps I'm woefully ignorant, but my current working understanding is that no virtual machine hypervisor solution provides a way for someone at the hypervisor level to access a guest VM as if they were root. They still need to connect to a terminal (be it console or serial or ssh or other), log in (with credentials that they should not have) and access things that way.

I see little difference in the full (fat) VM compared to a stand alone server. Save for the fact that there are ways to cross access memory. Though I think those types of things are decidedly atypical.

My mental security model probably completely fails for containers.

> I suppose you can make that pretty annoying to do. If you're willing to encrypt everything, then you can even put /boot on the encrypted disk, unlocking it in (say) grub. The VPS provider can still replace grub with something that faxes them your password, but it's not totally trivial. (How are you accessing the console at boot time? Is it using software from the VPS provider? It's turtles all the way to hell.)

I'm actually not encrypting the full VM. I have an encrypted disk. The VM boots like normal, I log in, unlock the encrypted disk, mount it, and start services.

So, I feel like I've done the things that I reasonably can do to protect my email.

Or said another way, I'm not sure what else I could do that would not also apply to a co-lo server.

My VPS provider does offer the ability to access a console so I could use a fully encrypted system.



--
Grant. . . .
unix || die
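The post-boot sequence Grant describes (boot normally, log in, unlock the encrypted disk, mount it, start services), written out as an added example; this is not code from the thread or from either poster. The device path, mapper name, mount point and service names are assumptions, and the script defaults to printing the commands rather than running them. The order matters: open the LUKS container, mount, then start services, and if the mount fails the mapping is closed again so an unlocked but unused volume is not left on the box. Note that this does nothing about the concern raised in the quoted reply: everything on the unencrypted root, including cryptsetup itself, can still be swapped for something that captures the passphrase.

```shell
#!/bin/sh
# Added example (not from the thread): unlock a LUKS data volume after a normal
# boot and login, mount it, then start the services that live on it.
# All names below are assumptions for illustration.
set -eu

CRYPT_DEV="${CRYPT_DEV:-/dev/vdb1}"       # assumed: block device holding the LUKS container
MAPPER="${MAPPER:-maildata}"              # assumed: dm-crypt mapping name under /dev/mapper
MOUNT_POINT="${MOUNT_POINT:-/srv/mail}"   # assumed: mount point on the unencrypted root fs
SERVICES="${SERVICES:-postfix dovecot}"   # assumed: services that need the volume
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands instead of running them

# run_cmd: execute a command, or print it when DRY_RUN=1 (the default).
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_mapped: true once /dev/mapper/<name> exists, i.e. the volume is already unlocked.
is_mapped() {
    [ -e "/dev/mapper/$MAPPER" ]
}

# is_mounted: true if something is mounted at MOUNT_POINT. Reads /proc/mounts
# directly (plain text, no root needed) instead of relying on mountpoint(1).
is_mounted() {
    [ -r /proc/mounts ] && grep -q " $MOUNT_POINT " /proc/mounts
}

# unlock_mount_start: open the container (cryptsetup prompts for the passphrase on
# the terminal; nothing goes on the command line), mount it, start services.
# If the mount fails, close the mapping again rather than leave it open.
unlock_mount_start() {
    if is_mounted; then
        echo "already mounted at $MOUNT_POINT, nothing to do" >&2
        return 0
    fi
    if ! is_mapped; then
        run_cmd cryptsetup open --type luks "$CRYPT_DEV" "$MAPPER"
    fi
    if ! run_cmd mount "/dev/mapper/$MAPPER" "$MOUNT_POINT"; then
        echo "mount failed, closing $MAPPER" >&2
        run_cmd cryptsetup close "$MAPPER"
        return 1
    fi
    for svc in $SERVICES; do
        run_cmd systemctl start "$svc"
    done
}

# stop_unmount_lock: the reverse, e.g. before maintenance or a provider reboot.
# Stop services first so nothing holds the filesystem open, then unmount, then close.
stop_unmount_lock() {
    for svc in $SERVICES; do
        run_cmd systemctl stop "$svc"
    done
    if is_mounted; then
        run_cmd umount "$MOUNT_POINT"
    fi
    if is_mapped; then
        run_cmd cryptsetup close "$MAPPER"
    fi
}

# Usage: ./unlock.sh go        (prints the sequence; DRY_RUN=0 ./unlock.sh go runs it as root)
#        ./unlock.sh lock      (prints/runs the reverse)
case "${1:-}" in
    go)   unlock_mount_start ;;
    lock) stop_unmount_lock ;;
esac
```

Run it with `DRY_RUN=1` first and read the printed sequence; only then run it as root with `DRY_RUN=0`. Keeping the passphrase prompt inside cryptsetup, rather than passing a key file or `--key-file -` from a script, means the secret never sits in a shell history or process listing on the unencrypted root.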
