[Remops] Encrypting Remailer filesystem
Grant Taylor
gtaylor at tnetconsulting.net
Mon May 27 19:32:12 BST 2019
On 5/27/19 11:35 AM, SEC3 wrote:
> I have never really tried encryption partitions on my servers. In the
> end I realize that I am on a VPS server. the VPS company keeps regular,
> live snapshots of my VPS. They archive those snapshots for god-knows
> how long. This reality would seem to make futile any attempts my me
> to hide my sensitive remailer files from that particular third party.
I'm sort of surprised that your VPS provider is taking live snapshots of
a running VPS and storing them indefinitely. The economics of doing
such are not in their favor. At least not unless they are charging for
that service.
> But Christian's set up that you wish to mimic would solve this?
I don't think so.
LUKS encrypted block devices are decrypted on the fly and present as an
additional unencrypted block device, which has a standard file system on
top of it. This means that anything running in the system can access
the files pursuant to standard file system permissions.
The thing that LUKS provides is protection against someone being able to
access the block device (disk) that's not unlocked. As if the server
was powered off or a clone of the disk. You actually have to have a
copy of what's in memory (or the passphrase / key) to be able to decrypt
and access block device.
Seeing as how everything discussed thus far in this thread has been this
type of encryption, be it transient or persistent keys, the files are
accessible from the running system.
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mixmin.net/pipermail/remops/attachments/20190527/a7b7b950/attachment-0001.bin>
More information about the Remops
mailing list