[Remops] Encrypting Remailer filesystem

Grant Taylor gtaylor at tnetconsulting.net
Mon May 27 19:32:12 BST 2019

On 5/27/19 11:35 AM, SEC3 wrote:
> I have never really tried encryption partitions on my servers.  In the 
> end I realize that I am on a VPS server. the VPS company keeps regular, 
> live snapshots of my VPS. They archive those snapshots for god-knows 
> how long. This reality would seem to make futile any attempts my me 
> to hide my sensitive remailer files from that particular third party.

I'm sort of surprised that your VPS provider is taking live snapshots of 
a running VPS and storing them indefinitely.  The economics of doing 
such are not in their favor.  At least not unless they are charging for 
that service.

> But Christian's set up that you wish to mimic would solve this?

I don't think so.

LUKS encrypted block devices are decrypted on the fly and present as an 
additional unencrypted block device, which has a standard file system on 
top of it.  This means that anything running in the system can access 
the files pursuant to standard file system permissions.

The thing that LUKS provides is protection against someone being able to 
access the block device (disk) that's not unlocked.  As if the server 
was powered off or a clone of the disk.  You actually have to have a 
copy of what's in memory (or the passphrase / key) to be able to decrypt 
and access block device.

Seeing as how everything discussed thus far in this thread has been this 
type of encryption, be it transient or persistent keys, the files are 
accessible from the running system.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mixmin.net/pipermail/remops/attachments/20190527/a7b7b950/attachment-0001.bin>

More information about the Remops mailing list