Re: crypt question/server hotel

2010-04-20 Thread Γιώργος Πάλλας

Osamu Aoki wrote:

> Hi,
>
> On Sat, Apr 17, 2010 at 10:49:20AM +0200, Jozsi Vadkan wrote:
> > I want to put my server in a server hotel.
> >
> > But: I don't trust my server hotel owner.
> >
> > What can I do?
>
> I am no expert on this issue but this is my common sense.
>
> Do not use such untrusted servers for the sensitive data.
>
> You can put measures to remote break-in etc.  But whoever has local
> physical access can get to your data on the system.
>
> (I do not quite understand what kind of server arrangement ...
> virtualized or rack mounted dedicated server... either way, it is the
> same thing.)
>
> > I can crypt my partition/hdd's that contains the data. Ok.
> > But: then my operating system will not be encrypted. Not Ok.
>
> Well, once booted, and if they have some kind of hardware access before
> you boot into your system, you are doomed.  Because they can have
> backdoor access.
>
> > If I crypt my operating system too, then when a reboot comes,
> > I have to type a password to decrypt. But my server will be at
> > a server hotel I can't directly use a keyboard [no service cpu].
>
> All these methods protect against casual break-in but if system is run
> under some super-server like xen etc., your security measure stops
> there.
>
> > What can I do [on technical side] to ensure a little more security
> > to my server [e.g: crypt my partition/slice/whatever, that has the
> > operating system, but without the type password problem]
>
> If they have monitoring system pre-installed, ... even with this
> protection is no good.
>
> > Thank you for any tips/help.
>
> Keep sensitive data where you have full trust. The remote untrusted
> servers are good for web gateway only.  But even for that, you should
> have some trust to them.
>
> Osamu


  


you may be interested in this:


   Unlocking a LUKS encrypted root partition via ssh

http://www.debian-administration.org/articles/579





crypt question/server hotel

2010-04-17 Thread Jozsi Vadkan
I want to put my server in a server hotel.

But: I don't trust my server hotel owner.

What can I do?


I can crypt my partition/hdd's that contains the data. Ok.
But: then my operating system will not be encrypted. Not Ok.


If I crypt my operating system too, then when a reboot comes,
I have to type a password to decrypt. But my server will be at 
a server hotel I can't directly use a keyboard [no service cpu]. 



What can I do [on technical side] to ensure a little more security 
to my server [e.g: crypt my partition/slice/whatever, that has the 
operating system, but without the type password problem]

Thank you for any tips/help.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1271494160.4881.22.ca...@localhost



Re: crypt question/server hotel

2010-04-17 Thread Kevin Ross

Jozsi Vadkan wrote:

> I want to put my server in a server hotel.
>
> But: I don't trust my server hotel owner.
>
> What can I do?
>
> I can crypt my partition/hdd's that contains the data. Ok.
> But: then my operating system will not be encrypted. Not Ok.
>
> If I crypt my operating system too, then when a reboot comes,
> I have to type a password to decrypt. But my server will be at
> a server hotel I can't directly use a keyboard [no service cpu].
>
> What can I do [on technical side] to ensure a little more security
> to my server [e.g: crypt my partition/slice/whatever, that has the
> operating system, but without the type password problem]
>
> Thank you for any tips/help.


Servers usually have the option of some sort of remote access 
controller, which allows you to do things to the server as if you were 
sitting at the console, such as power off, power on, and to see a remote 
console to do things like make BIOS changes, or in your case, to enter a 
password to decrypt the disk.




Archive: http://lists.debian.org/4bc9846a.8050...@familyross.net



Re: crypt question/server hotel

2010-04-17 Thread Osamu Aoki
Hi,

On Sat, Apr 17, 2010 at 10:49:20AM +0200, Jozsi Vadkan wrote:
> I want to put my server in a server hotel.
>
> But: I don't trust my server hotel owner.
>
> What can I do?

I am no expert on this issue but this is my common sense.

Do not use such untrusted servers for the sensitive data.

You can put measures to remote break-in etc.  But whoever has local
physical access can get to your data on the system.

(I do not quite understand what kind of server arrangement ...
virtualized or rack mounted dedicated server... either way, it is the
same thing.)

> I can crypt my partition/hdd's that contains the data. Ok.
> But: then my operating system will not be encrypted. Not Ok.

Well, once booted, and if they have some kind of hardware access before
you boot into your system, you are doomed.  Because they can have
backdoor access.

> If I crypt my operating system too, then when a reboot comes,
> I have to type a password to decrypt. But my server will be at
> a server hotel I can't directly use a keyboard [no service cpu].

All these methods protect against casual break-in but if system is run
under some super-server like xen etc., your security measure stops
there.

> What can I do [on technical side] to ensure a little more security
> to my server [e.g: crypt my partition/slice/whatever, that has the
> operating system, but without the type password problem]

If they have monitoring system pre-installed, ... even with this
protection is no good.

> Thank you for any tips/help.

Keep sensitive data where you have full trust. The remote untrusted
servers are good for web gateway only.  But even for that, you should
have some trust to them.

Osamu


Archive: http://lists.debian.org/20100417100334.ga19...@osamu.debian.net