Using a VPS service, can I prevent my data from being accessible by the VPS host?
Using a provider like Digital Ocean, if I store private/sensitive information on the VPS, is there a way to protect that information (preventing the VPS host from gaining access) while still retaining SFTP and SSH access?
permissions ssh security sftp
As far as I know, only you have root access to your VPS, at least for DigitalOcean. However, the VPS provider has your name and credit card information, so you can't hide all private and sensitive information from them.
– edwinksl
Sep 10 '17 at 22:05
edited Sep 10 '17 at 21:55
David Alsh
asked Sep 10 '17 at 14:14
1 Answer
Unfortunately, it is not possible at all. Here are a few short explanations about this:
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access as you did. (source)
Even if you're running a VPS with encrypted filesystems, all of the in-RAM data will be unencrypted, which the VPS host sysadmins would have access to, including the decryption passphrase. If you really have this stringent of security requirements, it sounds like you need to run your own physically-secured systems or find a dedicated server hosting company that specializes in this sort of thing. (source)
...bear in mind that anyone with access to the VPS image can potentially bug your code to detect the passphrase you use. (source)
[Encryption] makes some sense if you have control over the hardware; when someone else controls the hardware there's little point in it unless you trust that the host doesn't really want to look at it ... (source)
Physical access is root access, so if someone has physical access to the server, regardless of whether it is a VM or bare metal, they have root access. In the case of KVM the owner of the bare metal host can access the guest. You can always encrypt the data, but that may be of limited benefit as the data will be decrypted when you access it.
Same with the network. The owner of the VM can see your network traffic. Again you can encrypt some of the traffic (https, ssh, etc). (source)
Here is a particular solution in case you just want to store some sensitive data on your VPS:
How to create and use an encrypted directory via eCryptfs and mount it remotely
Prerequisites
Install the packages ecryptfs-utils and sshfs, then reboot the system:
sudo apt update && sudo apt -y install ecryptfs-utils sshfs
sudo apt update && sudo systemctl reboot
Standard Setup and Usage
Open a terminal window and run this command:
ecryptfs-setup-private
Then you will be asked to:
Enter your login passphrase [<user>]:
This passphrase must match the current user's password and will be used to unlock (decrypt) your encrypted information.
Enter your mount passphrase [leave blank ...]:
This passphrase will be used automatically when your encrypted data is mounted, but you need it in case of an emergency when you must recover your data, so write it down in a safe place.
The above command will create two directories:
- ~/.Private, where your encrypted data will be stored.
- ~/Private, where the directory ~/.Private will be mounted in decrypted form.
While ~/.Private is not mounted, the directory ~/Private contains two files with instructions.
When you log in to the system via the user's password (login passphrase), the directory ~/.Private will be automatically mounted to ~/Private and you will be able to work there. When you logout or exit, the directory ~/.Private will be unmounted. To do this manually you can use the commands ecryptfs-mount-private and ecryptfs-umount-private. More about these options can be found in the article eCryptfs from the ArchLinux Wiki. See also: how to use ecryptfs with a random directory.
If you authenticate your SSH/SFTP connection via password, the above should work. But if you authenticate via an SSH key pair, you need to use ecryptfs-mount-private to mount ~/.Private. In this case, first SSH to the system and run ecryptfs-mount-private; then you will be able to use SFTP to the directory ~/Private. You can add the command ecryptfs-mount-private to the bottom of ~/.bashrc to automate this process:
echo -e "\n# Mount my Private directory\necryptfs-mount-private\n" | tee -a ~/.bashrc
Mount a remote encrypted directory and unlock (decrypt) it locally
On the remote machine (VPS) and on the local machine, execute the following command and enter identical data for the login passphrase and for the mount passphrase on both machines:
ecryptfs-setup-private --nopwcheck --noautomount
The option --nopwcheck enables you to choose a passphrase different from the user login passphrase, and the option --noautomount is self-explanatory.
On the remote machine:
Run the command:
ecryptfs-mount-private
Note: While I was testing this approach I had to perform the above command two times!
Create some simple content:
echo "Hello Word!" > ~/Private/hello.txt
Unmount ~/.Private:
ecryptfs-umount-private
Further, you can remove the directory ~/.ecryptfs (from the VPS), where your decryption data is stored.
On the local machine:
Mount the remote encrypted folder ~/.Private to the local folder ~/.Private via sshfs, and map the ownership of the files to your local user (replace <user>@<host_name_or_ip>):
sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private
To unmount, use the command fusermount -u ~/.Private or sudo umount -l ~/.Private.
Then mount (and decrypt) the local directory ~/.Private to ~/Private:
ecryptfs-mount-private
Check if the file hello.txt is there:
$ cat ~/Private/hello.txt
Hello Word!
If you face trouble with the command ecryptfs-umount-private (umount.ecryptfs_private), you can unmount the local ~/Private directory with the command sudo umount -l ~/Private. eCryptfs has bugs and sometimes ecryptfs-mount-private and ecryptfs-umount-private don't work properly.
According to the above, you can create two functions within ~/.bashrc that will automate the entire (mount/unmount) process (replace <user>@<host_name_or_ip>):
function ecryptfs-remote-mount {
    # Mount the VPS ciphertext directory locally; output is silenced because a
    # repeated call only reports that the mountpoint is already busy
    sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private > /dev/null 2>&1
    sudo keyctl clear @u
    sudo ecryptfs-insert-wrapped-passphrase-into-keyring $HOME/.ecryptfs/wrapped-passphrase
    # Attempt to mount, retrying a bounded number of times due to the CLI usage bug;
    # an unbounded loop never terminates when the mount fails for a persistent
    # reason (for example a wrong passphrase)
    local tries
    for tries in 1 2 3; do
        ecryptfs-mount-private && { echo "Done!"; return 0; }
    done
    echo "ecryptfs-mount-private failed after 3 attempts" >&2
    return 1
}
function ecryptfs-remote-umount {
    # Unmount the decrypted view first, then the sshfs ciphertext mount;
    # fall back to a lazy umount when the eCryptfs helpers misbehave
    ecryptfs-umount-private > /dev/null 2>&1 || sudo umount -l $HOME/Private
    fusermount -u $HOME/.Private > /dev/null 2>&1 || sudo umount -l $HOME/.Private
    echo "Done!"
}
export -f ecryptfs-remote-mount ecryptfs-remote-umount
Then source ~/.bashrc and you will be able to use ecryptfs-remote-mount and ecryptfs-remote-umount as commands.
References and further reading
Create an encrypted archive file (tar), where your sensitive data is hidden:
- Encrypt tar.gz file on create
- How to Create an Encrypted (Password Protected) Tar or Zip Archive in Linux
- How to password protect gzip files on the command line?
- How do I password protect a .tgz file with tar in Unix?
Create an encrypted directory:
- Encrypted backup to an SFTP server (WebSpace) with ecryptfs
- Secure Encrypted Remote Volume How-to
- How to encrypt individual folders?
- How to Encrypt Directories with eCryptfs on Ubuntu 16.04
- YouTube: How to Encrypt Folder in Ubuntu
Use encryption of the user's home directory:
- Encrypted Home Folder
- Encrypted Home Directory How-to
- HOW-TO encrypt your home directory
- Accessing your encrypted home directory in Ubuntu
- Migrating to an Encrypted Home Directory
- SSH message after login, then restrict the user from using account
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access as you did.
– muru
Sep 11 '17 at 9:40
Hi @muru, I thought about that, but while the data is encrypted they can't gain access to it; they could do that while the user is logged in and the data is unencrypted, am I right? In this case maybe I should rewrite the answer to show how to sshfs the encrypted folder and then decrypt it locally?
– pa4080
Sep 11 '17 at 9:52
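The remote-mount variant in the answer and the comment exchange above both depend on ~/Private really being an eCryptfs mount (and, for the decrypt-locally setup, on ~/.Private really being the sshfs view of the VPS) at the moment you write into it; the answer itself notes that the mount helpers sometimes fail. The following added example (not code from the answer, the eCryptfs project or the question's author) reads the kernel mount table, classifies the state of the two directories and refuses to place a file into ~/Private while it is a plain directory; the mount-table lines, the user alice and the host vps.example.com are constructed samples.

```shell
#!/bin/sh
# Added example: verify the eCryptfs / sshfs mounts from the answer before
# trusting ~/Private with plaintext. The functions take the mount-table file
# as a parameter so that /proc/mounts can be used in real life and a
# constructed table can be used for the demo below.

# mount_fstype MOUNTS_FILE TARGET
# Prints the filesystem type mounted at TARGET (exact match), or nothing if
# TARGET is not a mount point. The last matching line wins, because a later
# mount shadows an earlier one at the same path. Note: /proc/mounts encodes
# spaces in paths as \040, so home directories with spaces would need decoding.
mount_fstype() {
    mounts_file=$1; target=$2; fs=
    while read -r _src tgt fstype _rest; do
        [ "$tgt" = "$target" ] && fs=$fstype
    done < "$mounts_file"
    if [ -n "$fs" ]; then echo "$fs"; fi
}

# private_state MOUNTS_FILE HOME
# Classifies HOME/Private as one of:
#   remote-encrypted : ecryptfs on top of an sshfs-backed HOME/.Private
#                      (ciphertext lives on the VPS, plaintext only locally)
#   local-encrypted  : ecryptfs on top of ordinary local storage
#                      (the standard single-machine setup from the answer)
#   unmounted        : a plain directory; anything written there is
#                      plaintext on this machine's disk
private_state() {
    mounts_file=$1; home=$2
    upper=$(mount_fstype "$mounts_file" "$home/Private")
    lower=$(mount_fstype "$mounts_file" "$home/.Private")
    if [ "$upper" != "ecryptfs" ]; then
        echo unmounted
    elif [ "$lower" = "fuse.sshfs" ]; then
        echo remote-encrypted
    else
        echo local-encrypted
    fi
}

# safe_put MOUNTS_FILE HOME SRC
# Copies SRC into HOME/Private only when that directory is an eCryptfs mount;
# returns 1 and copies nothing otherwise.
safe_put() {
    mounts_file=$1; home=$2; src=$3
    state=$(private_state "$mounts_file" "$home")
    if [ "$state" = "unmounted" ]; then
        echo "refusing: $home/Private is not an eCryptfs mount (state=$state)" >&2
        return 1
    fi
    cp -- "$src" "$home/Private/"
}

# sample_mounts SCENARIO HOME
# Constructed mount tables in /proc/mounts format
# ("source target fstype options dump pass"); not captured from a real system.
sample_mounts() {
    scenario=$1; home=$2
    case $scenario in
    remote)
        printf '%s\n' \
          "alice@vps.example.com:.Private $home/.Private fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0" \
          "$home/.Private $home/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0"
        ;;
    local)
        printf '%s\n' \
          "$home/.Private $home/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0"
        ;;
    none)
        printf '%s\n' '/dev/vda1 / ext4 rw,relatime 0 0'
        ;;
    esac
}

# Demo over the constructed tables (no real mounts are needed to run this).
for scenario in remote local none; do
    tmp=$(mktemp)
    sample_mounts "$scenario" /home/alice > "$tmp"
    echo "$scenario: $(private_state "$tmp" /home/alice)"
    rm -f "$tmp"
done
```

On a real machine, call `private_state /proc/mounts "$HOME"` from the mount function in ~/.bashrc and only report "Done!" when it answers remote-encrypted.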
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f954504%2fusing-a-vps-service-can-i-prevent-my-data-from-being-accessible-by-the-vps-host%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Unfortunately it is not possible at all. Here you are few short explanations about this:
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access you did. (source)
Even if you're running a VPS with encrypted filesystems, all of the in-RAM data will be unencrypted, which the VPS host sysadmins would have access to, including the decryption passphrase. If you really have this stringent of security requirements, it sounds like you need to run your own physically-secured systems or find a dedicated server hosting company that specializes in this sort of thing. (source)
...bear in mind that anyone with access to the VPS image can potentially add bug your code to detect the pass phrase you use. (source)
[Encryption] makes some sense if you have control over the hardware; when someone else controls the hardware there's little point in it unless you trust that the host doesn't really want to look at it ... (source)
Physical access is root access, so if someone has physical access to the server, regardless on if it is on a VM or bare metal, they have root access. In the case of KVM the owner of the bare metal host can access the guest. You can always encrypt the data, but, that may be of limited benefit as the data will be decrypted when you access it.
Same with the network. The owner of the VM can see your network traffic. Again you can encrypt some of the traffic (https, ssh, etc). (source)
Here is a particular solution in case you want just to store some sensitive data on your VPS:
How to create and use encrypted directory via eCryptfs and mount it remotely
Pre-requirements
Install the packages ecryptfs-utils
and sshfs
and reboot the system:
sudo apt update && sudo apt -y install ecryptfs-utils sshfs
sudo apt update && sudo systemctl reboot
Standard Setup and Usage
Open a terminal window and run this command:
ecryptfs-setup-private
Then you will be asked to:
Enter your login passphrase [<user>]:
this passphrase must match with the current user's password and will be used to unlock (decrypt) your encrypted information.Enter your mount passphrase [leave blank ...]:
this passphrase will be used automatically when your encrypted data is mounting, but you need it in case there is an emergency situation and you must recovery your data, so write it down on a safe place.
The above command will create two directories:
~/.Private
where your encrypted data will be stored.
~/Private
where the directory~/.Private
will be mounted as decrypted.
While ~/.Private
is not mounted within the directory ~/Private
has two files with instructions.
When you login to the system via user's password (login passphrase
) the directory ~/.Private
will be automatically mounted to ~/Private
and you will be able to work there. When you logout
or exit
, the directory ~/.Private
will be unmounted. To achieve this manually you can use the commands: ecryptfs-mount-private
and ecryptfs-umount-private
. More about these options can be found in the article eCryptfs from ArchLinux Wiki. See also: how to use ecryptfs with a random directory.
If you authenticate your SSH/SFTP connection via password, the above shall works. But if you authenticate yourself via SSH key pair you need to use ecryptfs-mount-private
to mount ~/.Private
. In this case first you need to SSH to the system and run ecryptfs-mount-private
then you will be able to use SFTP to the directory ~/Private
. You can add the command ecryptfs-mount-private
to the bottom of ~/.bashrc
to automate this process:
echo -e "n# Mount my Private directorynecryptfs-mount-privaten" | tee -a ~/.bashrc
Mount a remote encrypted directory and unlock (decrypt) it locally
On the remote machine (VPS) and on the local machine execute the following command and enter identical data for login passphrase
and for mount passphrase
on both machines:
ecryptfs-setup-private --nopwcheck --noautomount
The option --nopwcheck
enables you to choose a passphrase different to the user login passphrase and the option --noautomount
is self-explanatory.
On the remote machine:
Run the command:
ecryptfs-mount-private
Note: While I testing this approach I had to perform the above command two times!
Create some simple content:
echo "Hello Word!" > ~/Private/hello.txt
Unmount
~/.Private
:
ecryptfs-umount-private
Further you can remove the directory
~/.ecryptfs
(from the VPS), where your decryption data is stored.
On the local machine:
Mount the remote encrypted folder
~/.Private
to the local folder~/.Private
viasshfs
, and masque the ownership to the files (replace<user>@<host_name_or_ip>
):
sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private
To unmount, use the command:
fusermount -u ~/.Private
orsudo umount -l ~/.Private
.
Then mount (and decrypt) the local directory
~/.Private
to~/Private
ecryptfs-mount-private
Check if the file
hello.txt
is there:
$ cat ~/Private/hello.txt
Hello Word!
If you face a trouble with the command
ecryptfs-umount-private
(umount.ecryptfs_private
) you can unmount the local~/Private
directory by the commandsudo umount -l ~/Private
.eCryptfs has bugs and sometimes
ecryptfs-mount-private
andecryptfs-umount-private
don't work properly.
According to the above you can create two functions within
~/.bashrc
that will automate the entire (mount/unmount) process (replace<user>@<host_name_or_ip>
):
function ecryptfs-remote-mount {
sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private > /dev/null 2>&1
sudo keyctl clear @u
sudo ecryptfs-insert-wrapped-passphrase-into-keyring $HOME/.ecryptfs/wrapped-passphrase
# Attempt to mount, and loop the function unless it is true - due to CLI usage bug
ecryptfs-mount-private && echo "Done!" || ecryptfs-remote-mount
}
function ecryptfs-remote-umount {
ecryptfs-umount-private > /dev/null 2>&1 || sudo umount -l $HOME/Private
fusermount -u $HOME/.Private > /dev/null 2>&1 || sudo umount -l $HOME/.Private
echo "Done!"
}
export -f ecryptfs-remote-mount ecryptfs-remote-umount
Then
source ~/.bashrc
and you will be able to useecryptfs-remote-mount
andecryptfs-remote-umount
as commands.
References and further reading
Create an encrypted archive file (tar), where your sensitive data is hiding:
- Encrypt tar.gz file on create
- How to Create an Encrypted (Password Protected) Tar or Zip Archive in Linux
- How to password protect gzip files on the command line?
How do I password protect a .tgz file with tar in Unix?.
Create an encrypted directory:
- Encrypted backup to an SFTP server (WebSpace) with ecryptfs
- Secure Encrypted Remote Volume How-to
- How to encrypt individual folders?
- How to Encrypt Directories with eCryptfs on Ubuntu 16.04
- YouTube: How to Encrypt Folder in Ubuntu
Use encryption of user's home directory:
Encrypted Home Folder- Encrypted Home Directory How-to
- HOW-TO encrypt your home directory
- Accessing your encrypted home directory in Ubuntu
- Migrating to an Encrypted Home Directory
- SSH message after login, then restrict the user from using account
1
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access you did.
– muru
Sep 11 '17 at 9:40
Hi @muru, I thought about that, but while the data is encrypted they can't gain access to them, they could do that while the user is logged in and the data is unencrypted, am I right? In this case maybe I should rewrite the answer in a way how tosshfs
encrypted folder and then decrypt it locally?
– pa4080
Sep 11 '17 at 9:52
add a comment |
Unfortunately it is not possible at all. Here you are few short explanations about this:
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access you did. (source)
Even if you're running a VPS with encrypted filesystems, all of the in-RAM data will be unencrypted, which the VPS host sysadmins would have access to, including the decryption passphrase. If you really have this stringent of security requirements, it sounds like you need to run your own physically-secured systems or find a dedicated server hosting company that specializes in this sort of thing. (source)
...bear in mind that anyone with access to the VPS image can potentially add bug your code to detect the pass phrase you use. (source)
[Encryption] makes some sense if you have control over the hardware; when someone else controls the hardware there's little point in it unless you trust that the host doesn't really want to look at it ... (source)
Physical access is root access, so if someone has physical access to the server, regardless on if it is on a VM or bare metal, they have root access. In the case of KVM the owner of the bare metal host can access the guest. You can always encrypt the data, but, that may be of limited benefit as the data will be decrypted when you access it.
Same with the network. The owner of the VM can see your network traffic. Again you can encrypt some of the traffic (https, ssh, etc). (source)
Here is a particular solution in case you want just to store some sensitive data on your VPS:
How to create and use encrypted directory via eCryptfs and mount it remotely
Pre-requirements
Install the packages ecryptfs-utils
and sshfs
and reboot the system:
sudo apt update && sudo apt -y install ecryptfs-utils sshfs
sudo apt update && sudo systemctl reboot
Standard Setup and Usage
Open a terminal window and run this command:
ecryptfs-setup-private
Then you will be asked to:
Enter your login passphrase [<user>]:
this passphrase must match with the current user's password and will be used to unlock (decrypt) your encrypted information.Enter your mount passphrase [leave blank ...]:
this passphrase will be used automatically when your encrypted data is mounting, but you need it in case there is an emergency situation and you must recovery your data, so write it down on a safe place.
The above command will create two directories:
~/.Private
where your encrypted data will be stored.
~/Private
where the directory~/.Private
will be mounted as decrypted.
While ~/.Private
is not mounted within the directory ~/Private
has two files with instructions.
When you login to the system via user's password (login passphrase
) the directory ~/.Private
will be automatically mounted to ~/Private
and you will be able to work there. When you logout
or exit
, the directory ~/.Private
will be unmounted. To achieve this manually you can use the commands: ecryptfs-mount-private
and ecryptfs-umount-private
. More about these options can be found in the article eCryptfs from ArchLinux Wiki. See also: how to use ecryptfs with a random directory.
If you authenticate your SSH/SFTP connection via password, the above shall works. But if you authenticate yourself via SSH key pair you need to use ecryptfs-mount-private
to mount ~/.Private
. In this case first you need to SSH to the system and run ecryptfs-mount-private
then you will be able to use SFTP to the directory ~/Private
. You can add the command ecryptfs-mount-private
to the bottom of ~/.bashrc
to automate this process:
echo -e "n# Mount my Private directorynecryptfs-mount-privaten" | tee -a ~/.bashrc
Mount a remote encrypted directory and unlock (decrypt) it locally
On the remote machine (VPS) and on the local machine execute the following command and enter identical data for login passphrase
and for mount passphrase
on both machines:
ecryptfs-setup-private --nopwcheck --noautomount
The option --nopwcheck
enables you to choose a passphrase different to the user login passphrase and the option --noautomount
is self-explanatory.
On the remote machine:
Run the command:
ecryptfs-mount-private
Note: While I testing this approach I had to perform the above command two times!
Create some simple content:
echo "Hello Word!" > ~/Private/hello.txt
Unmount
~/.Private
:
ecryptfs-umount-private
Further you can remove the directory
~/.ecryptfs
(from the VPS), where your decryption data is stored.
On the local machine:
Mount the remote encrypted folder
~/.Private
to the local folder~/.Private
viasshfs
, and masque the ownership to the files (replace<user>@<host_name_or_ip>
):
sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private
To unmount, use the command:
fusermount -u ~/.Private
orsudo umount -l ~/.Private
.
Then mount (and decrypt) the local directory
~/.Private
to~/Private
ecryptfs-mount-private
Check if the file
hello.txt
is there:
$ cat ~/Private/hello.txt
Hello Word!
If you face a trouble with the command
ecryptfs-umount-private
(umount.ecryptfs_private
) you can unmount the local~/Private
directory by the commandsudo umount -l ~/Private
.eCryptfs has bugs and sometimes
ecryptfs-mount-private
andecryptfs-umount-private
don't work properly.
According to the above you can create two functions within
~/.bashrc
that will automate the entire (mount/unmount) process (replace<user>@<host_name_or_ip>
):
function ecryptfs-remote-mount {
sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private > /dev/null 2>&1
sudo keyctl clear @u
sudo ecryptfs-insert-wrapped-passphrase-into-keyring $HOME/.ecryptfs/wrapped-passphrase
# Attempt to mount, and loop the function unless it is true - due to CLI usage bug
ecryptfs-mount-private && echo "Done!" || ecryptfs-remote-mount
}
function ecryptfs-remote-umount {
ecryptfs-umount-private > /dev/null 2>&1 || sudo umount -l $HOME/Private
fusermount -u $HOME/.Private > /dev/null 2>&1 || sudo umount -l $HOME/.Private
echo "Done!"
}
export -f ecryptfs-remote-mount ecryptfs-remote-umount
Then
source ~/.bashrc
and you will be able to useecryptfs-remote-mount
andecryptfs-remote-umount
as commands.
References and further reading
Create an encrypted archive file (tar), where your sensitive data is hiding:
- Encrypt tar.gz file on create
- How to Create an Encrypted (Password Protected) Tar or Zip Archive in Linux
- How to password protect gzip files on the command line?
How do I password protect a .tgz file with tar in Unix?.
Create an encrypted directory:
- Encrypted backup to an SFTP server (WebSpace) with ecryptfs
- Secure Encrypted Remote Volume How-to
- How to encrypt individual folders?
- How to Encrypt Directories with eCryptfs on Ubuntu 16.04
- YouTube: How to Encrypt Folder in Ubuntu
Use encryption of user's home directory:
Encrypted Home Folder- Encrypted Home Directory How-to
- HOW-TO encrypt your home directory
- Accessing your encrypted home directory in Ubuntu
- Migrating to an Encrypted Home Directory
- SSH message after login, then restrict the user from using account
1
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access you did.
– muru
Sep 11 '17 at 9:40
Hi @muru, I thought about that, but while the data is encrypted they can't gain access to them, they could do that while the user is logged in and the data is unencrypted, am I right? In this case maybe I should rewrite the answer in a way how tosshfs
encrypted folder and then decrypt it locally?
– pa4080
Sep 11 '17 at 9:52
add a comment |
Unfortunately it is not possible at all. Here you are few short explanations about this:
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access you did. (source)
Even if you're running a VPS with encrypted filesystems, all of the in-RAM data will be unencrypted, which the VPS host sysadmins would have access to, including the decryption passphrase. If you really have this stringent of security requirements, it sounds like you need to run your own physically-secured systems or find a dedicated server hosting company that specializes in this sort of thing. (source)
...bear in mind that anyone with access to the VPS image can potentially add bug your code to detect the pass phrase you use. (source)
[Encryption] makes some sense if you have control over the hardware; when someone else controls the hardware there's little point in it unless you trust that the host doesn't really want to look at it ... (source)
Physical access is root access, so if someone has physical access to the server, regardless on if it is on a VM or bare metal, they have root access. In the case of KVM the owner of the bare metal host can access the guest. You can always encrypt the data, but, that may be of limited benefit as the data will be decrypted when you access it.
Same with the network. The owner of the VM can see your network traffic. Again you can encrypt some of the traffic (https, ssh, etc). (source)
Here is a particular solution in case you want just to store some sensitive data on your VPS:
How to create and use encrypted directory via eCryptfs and mount it remotely
Pre-requirements
Install the packages ecryptfs-utils
and sshfs
and reboot the system:
sudo apt update && sudo apt -y install ecryptfs-utils sshfs
sudo apt update && sudo systemctl reboot
Standard Setup and Usage
Open a terminal window and run this command:
ecryptfs-setup-private
Then you will be asked to:
Enter your login passphrase [<user>]:
this passphrase must match with the current user's password and will be used to unlock (decrypt) your encrypted information.Enter your mount passphrase [leave blank ...]:
this passphrase will be used automatically when your encrypted data is mounting, but you need it in case there is an emergency situation and you must recovery your data, so write it down on a safe place.
The above command will create two directories:
~/.Private
where your encrypted data will be stored.
~/Private
where the directory~/.Private
will be mounted as decrypted.
While ~/.Private
is not mounted within the directory ~/Private
has two files with instructions.
When you login to the system via user's password (login passphrase
) the directory ~/.Private
will be automatically mounted to ~/Private
and you will be able to work there. When you logout
or exit
, the directory ~/.Private
will be unmounted. To achieve this manually you can use the commands: ecryptfs-mount-private
and ecryptfs-umount-private
. More about these options can be found in the article eCryptfs from ArchLinux Wiki. See also: how to use ecryptfs with a random directory.
If you authenticate your SSH/SFTP connection via password, the above shall works. But if you authenticate yourself via SSH key pair you need to use ecryptfs-mount-private
to mount ~/.Private
. In this case first you need to SSH to the system and run ecryptfs-mount-private
then you will be able to use SFTP to the directory ~/Private
. You can add the command ecryptfs-mount-private
to the bottom of ~/.bashrc
to automate this process:
echo -e "n# Mount my Private directorynecryptfs-mount-privaten" | tee -a ~/.bashrc
Mount a remote encrypted directory and unlock (decrypt) it locally
On the remote machine (VPS) and on the local machine execute the following command and enter identical data for login passphrase
and for mount passphrase
on both machines:
ecryptfs-setup-private --nopwcheck --noautomount
The option --nopwcheck
enables you to choose a passphrase different to the user login passphrase and the option --noautomount
is self-explanatory.
On the remote machine:
Run the command:
ecryptfs-mount-private
Note: While I testing this approach I had to perform the above command two times!
Create some simple content:
echo "Hello Word!" > ~/Private/hello.txt
Unmount
~/.Private
:
ecryptfs-umount-private
Further you can remove the directory
~/.ecryptfs
(from the VPS), where your decryption data is stored.
On the local machine:
Mount the remote encrypted folder ~/.Private to the local folder ~/.Private via sshfs, and mask the ownership of the files (replace <user>@<host_name_or_ip>):
sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private
To unmount, use the command fusermount -u ~/.Private or sudo umount -l ~/.Private.
Then mount (and decrypt) the local directory ~/.Private to ~/Private:
ecryptfs-mount-private
Check if the file hello.txt is there:
$ cat ~/Private/hello.txt
Hello Word!
If you face trouble with the command ecryptfs-umount-private (umount.ecryptfs_private) you can unmount the local ~/Private directory with the command sudo umount -l ~/Private. eCryptfs has bugs and sometimes ecryptfs-mount-private and ecryptfs-umount-private don't work properly.
According to the above you can create two functions within ~/.bashrc that will automate the entire (mount/unmount) process (replace <user>@<host_name_or_ip>):
function ecryptfs-remote-mount {
    # Mount the remote ~/.Private (still encrypted) over sshfs
    sshfs -o idmap=user,uid=$(id -u),gid=$(id -g) <user>@<host_name_or_ip>:.Private ~/.Private > /dev/null 2>&1
    # Reset the user keyring and load the wrapped mount passphrase into it
    sudo keyctl clear @u
    sudo ecryptfs-insert-wrapped-passphrase-into-keyring $HOME/.ecryptfs/wrapped-passphrase
    # Attempt to mount, and call the function again until it succeeds - due to a CLI usage bug
    ecryptfs-mount-private && echo "Done!" || ecryptfs-remote-mount
}
function ecryptfs-remote-umount {
    # Unmount the decrypted ~/Private, falling back to a lazy umount
    ecryptfs-umount-private > /dev/null 2>&1 || sudo umount -l $HOME/Private
    # Unmount the sshfs mount of ~/.Private, falling back to a lazy umount
    fusermount -u $HOME/.Private > /dev/null 2>&1 || sudo umount -l $HOME/.Private
    echo "Done!"
}
export -f ecryptfs-remote-mount ecryptfs-remote-umount
Then source ~/.bashrc and you will be able to use ecryptfs-remote-mount and ecryptfs-remote-umount as commands.
References and further reading
Create an encrypted archive file (tar), where your sensitive data is hiding:
- Encrypt tar.gz file on create
- How to Create an Encrypted (Password Protected) Tar or Zip Archive in Linux
- How to password protect gzip files on the command line?
- How do I password protect a .tgz file with tar in Unix?
Create an encrypted directory:
- Encrypted backup to an SFTP server (WebSpace) with ecryptfs
- Secure Encrypted Remote Volume How-to
- How to encrypt individual folders?
- How to Encrypt Directories with eCryptfs on Ubuntu 16.04
- YouTube: How to Encrypt Folder in Ubuntu
Use encryption of user's home directory:
- Encrypted Home Folder
- Encrypted Home Directory How-to
- HOW-TO encrypt your home directory
- Accessing your encrypted home directory in Ubuntu
- Migrating to an Encrypted Home Directory
- SSH message after login, then restrict the user from using account
edited Sep 16 '17 at 14:52
answered Sep 11 '17 at 9:35
pa4080
Even with encryption, the provider could snapshot the current state of memory and disk and clone a new instance to get as much access you did.
– muru
Sep 11 '17 at 9:40
Hi @muru, I thought about that, but while the data is encrypted they can't gain access to them, they could do that while the user is logged in and the data is unencrypted, am I right? In this case maybe I should rewrite the answer in a way how to sshfs encrypted folder and then decrypt it locally?
– pa4080
Sep 11 '17 at 9:52