Old 04-17-2010, 08:49 AM
Jozsi Vadkan
 
Default crypt question/server hotel

I want to put my server in a "server hotel".

But: I don't trust my "server hotel owner".

What can I do?


I can crypt my partition/hdd's that contains the data. Ok.
But: then my operating system will not be encrypted. Not Ok.


If I crypt my operating system too, then when a reboot comes,
I have to type a password to decrypt. But my server will be at
a "server hotel" I can't directly use a keyboard [no service cpu].



What can I do [on technical side] to ensure a little more security
to my server [e.g: crypt my partition/slice/whatever, that has the
operating system, but without the "type password" ""problem""]

Thank you for any tips/help.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 04-17-2010, 09:50 AM
Kevin Ross
 
Default crypt question/server hotel

Jozsi Vadkan wrote:

I want to put my server in a "server hotel".

But: I don't trust my "server hotel owner".

What can I do?


I can crypt my partition/hdd's that contains the data. Ok.
But: then my operating system will not be encrypted. Not Ok.


If I crypt my operating system too, then when a reboot comes,
I have to type a password to decrypt. But my server will be at
a "server hotel" I can't directly use a keyboard [no service cpu].




What can I do [on technical side] to ensure a little more security
to my server [e.g: crypt my partition/slice/whatever, that has the
operating system, but without the "type password" ""problem""]


Thank you for any tips/help.


Servers usually have the option of some sort of remote access
controller, which allows you to do things to the server as if you were
sitting at the console, such as power off, power on, and to see a remote
console to do things like make BIOS changes, or in your case, to enter a
password to decrypt the disk.



 
Old 04-17-2010, 10:03 AM
Osamu Aoki
 
Default crypt question/server hotel

Hi,

On Sat, Apr 17, 2010 at 10:49:20AM +0200, Jozsi Vadkan wrote:
> I want to put my server in a "server hotel".
>
> But: I don't trust my "server hotel owner".
>
> What can I do?

I am no expert on this issue but this is my common sense.

Do not use such untrusted servers for the sensitive data.

You can put measures to remote break-in etc. But whoever has local
physical access can get to your data on the system.

(I do not quite understand what kind of server arrangement ...
virtualized or rack mounted dedicated server... either way, it is the
same thing.)

> I can crypt my partition/hdd's that contains the data. Ok.
> But: then my operating system will not be encrypted. Not Ok.

Well, once booted, and if they have some kind of hardware access before
you boot into your system, you are doomed. Because they can have
backdoor access.

> If I crypt my operating system too, then when a reboot comes,
> I have to type a password to decrypt. But my server will be at
> a "server hotel" I can't directly use a keyboard [no service cpu].

All these methods protect against casual break-in but if system is run
under some super-server like xen etc., your security measure stops
there.

> What can I do [on technical side] to ensure a little more security
> to my server [e.g: crypt my partition/slice/whatever, that has the
> operating system, but without the "type password" ""problem""]

If they have monitoring system pre-installed, ... even with this
protection is no good.

> Thank you for any tips/help.

Keep sensitive data where you have full trust. The remote untrusted
servers are good for web gateway only. But even for that, you should
have some trust to them.

Osamu


 
Old 04-17-2010, 01:12 PM
Brian McKee
 
Default crypt question/server hotel

On Sat, Apr 17, 2010 at 4:49 AM, Jozsi Vadkan <jozsi.avadkan@gmail.com> wrote:

I want to put my server in a "server hotel".
But: I don't trust my "server hotel owner".


I don't think this problem is solvable, really.

Anything you could do, they could just 'pretend' to do - once it's unencrypted once, they've got it if they want it. As long as the OS isn't in your control, you're possibly hosed.

Go watch the Matrix again :-)

--
Hey, it's your computer.... isn't it?

 
Old 04-17-2010, 01:42 PM
Bruno Wolff III
 
Default crypt question/server hotel

On Sat, Apr 17, 2010 at 10:49:29 +0200,
Jozsi Vadkan <jozsi.avadkan@gmail.com> wrote:
> I want to put my server in a "server hotel".
>
> But: I don't trust my "server hotel owner".

These requirements seem to conflict.

> What can I do?
>
> I can crypt my partition/hdd's that contains the data. Ok.
> But: then my operating system will not be encrypted. Not Ok.

That depends on your threat model. You will at least get a chance to notice
the reboot used to try to get access to your data by capturing your
password as you enter it. I don't think you have good choices there if
you are really worried about this. This condition also applies at service
start up and your choice is to enter the password which might get snooped
or not use the service. (Note if you are worried about this, you
typically also need to worry about the keys being pulled from memory while
the system is running, typically using firewire for access, but other
ways exist.)

> If I crypt my operating system too, then when a reboot comes,
> I have to type a password to decrypt. But my server will be at
> a "server hotel" I can't directly use a keyboard [no service cpu].

This is really the same case as above. The kernel executable is unencrypted
on the boot partition for Fedora.

> What can I do [on technical side] to ensure a little more security
> to my server [e.g: crypt my partition/slice/whatever, that has the
> operating system, but without the "type password" ""problem""]

You really can't. The technical answer is to pay more to host the server
in a secure facility.

You might consider legal protection via your support contract, depending on
what you are protecting. (If you are working for organized crime, legal
protection isn't going to help, and you should advise your boss to shell
out some more money to host servers under physical control of his trusted
employees.)
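
Added example, not part of the original message: because the kernel and initramfs sit unencrypted on the boot partition, one way to at least notice tampering after an unexpected reboot is to compare them against a SHA-256 manifest kept off the server. The function names, the `/boot` default and the manifest file are assumptions of this sketch, and a check executed on the hosted machine can itself be subverted by whoever controls that machine.

```shell
#!/bin/sh
# Added example: detect modified, added or removed files on an unencrypted
# boot partition. Paths are assumptions; store the manifest off the server.

# Print "<sha256>  <path>" for every regular file under directory $1.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Compare directory $1 with saved manifest $2.
# Prints ADDED/CHANGED/REMOVED lines; returns 0 if identical, 1 if not.
boot_verify() {
    cur=$(mktemp) || return 2
    boot_manifest "$1" > "$cur"
    # sha256sum lines: 64 hex chars, two spaces, then the path (column 67 on).
    report=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); seen[p] = 1
            if (!(p in old)) print "ADDED " p
            else if (old[p] != substr($0, 1, 64)) print "CHANGED " p
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: script init [dir] > manifest    |    script verify [dir] manifest
case "${1:-}" in
    init)   boot_manifest "${2:-/boot}" ;;
    verify) boot_verify "${2:-/boot}" "$3" ;;
esac
```

Run `init` right after each kernel update and `verify` after every reboot you did not trigger yourself; any reported line means the boot files differ from the ones you last approved.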
 
Old 04-17-2010, 06:57 PM
 
Default crypt question/server hotel

Bruno Wolff III <bruno@wolff.to> writes:
> You might consider legal protection via your support contract, depending on
> what you are protecting. (If you are working for organized crime, legal
> protection isn't going to help, and you should advise your boss to shell
> out some more money to host servers under physical control of his trusted
> employees.)

Or run the computer inside a tamperproof box with only the power line
and ethernet cat5 exiting.

-wolfgang
--
Wolfgang S. Rupprecht
If the airwaves belong to the public why does the public only get 3
non-overlapping WIFI channels?
 
Old 04-19-2010, 01:40 PM
"Maxime Alarie"
 
Default crypt question/server hotel

This might sound ridiculous, or maybe I drank too much coffee, I'm not sure..

Maybe you could use a Linux Live CD .. Install what you need, setup a good backup including a list of all the installed packages, and every night send your data over Secured ftp or use rsync to synchronize with a remote host. If there is a reboot. No security would be "compromised". Data would be gone! (Linux Live). The bcrypt program will encrypt your data too.

After the reboot.. you just apt-get install < list_of_packages.txt and a little rsync remote_machine to local and you are good to go..

Or....
host your server somewhere else..

Damn I should write books.


-----Original Message-----
From: ubuntu-users-bounces@lists.ubuntu.com [mailto:ubuntu-users-bounces@lists.ubuntu.com] On Behalf Of Brian McKee
Sent: Saturday, April 17, 2010 9:13 AM
To: Ubuntu user technical support,not for general discussions
Subject: Re: crypt question/server hotel

On Sat, Apr 17, 2010 at 4:49 AM, Jozsi Vadkan <jozsi.avadkan@gmail.com> wrote:
> I want to put my server in a "server hotel".
> But: I don't trust my "server hotel owner".

I don't think this problem is solvable, really.

Anything you could do, they could just 'pretend' to do - once it's unencrypted once, they've got it if they want it. As long as the OS isn't in your control, you're possibly hosed.

Go watch the Matrix again :-)

--
Hey, it's your computer.... isn't it?

 
