considerations.rst 3.61 KB
Considerations
==============

Arie Peterson committed
CryptOps is a tool that raises the level of security in some particular
aspects. It does not provide all-round security for your VPS.

CryptOps can be used as a part of an overall security strategy and should never
be used as a definitive security solution.

Possible reasons to use CryptOps
--------------------------------

* You want to make it harder for the hoster's employees to casually view your
  data on disk.
* You trust your hoster now, but you want to have an easy way to cut off their
  access to your data – maybe when they change owners, or when you anticipate
  that they are forced by some authority to grant access to your data.
* You want your data to be safe in case the hoster's disks get confiscated,
  stolen, or discarded without shredding.
* You want your data to be encrypted at rest.

Invalid reasons to use CryptOps
-------------------------------

* You don't trust your hoster, or you fear that they may be forced to grant
  access to your data without a timely warning. If your hoster or a powerful
  third party really wants to view your data, they could

    * install a modified version of CryptOps that doesn't really encrypt;
    * intercept (man-in-the-middle) your first SSH connection to the Dropbear
      server running in the initrd, capturing your encryption password when
      you first enter it;
    * access your decrypted data in memory while your VPS is active;
    * various other methods.
It is very hard to prevent someone who has access (physical or via network) to
the host running your VPS from reading your data, and CryptOps does not pretend
to do so.
Possible reasons to not use CryptOps
------------------------------------

* It increases the chance of data loss: if you forget or lose your encryption
  password, a single reboot of your VPS (for whatever reason) renders your data
  irrecoverably lost.
* It can increase downtime of your VPS: whenever your VPS reboots, you need to
  become aware of this (though we have a customisable hook to notify you of this
  situation), connect to the VPS, and enter your encryption password; only then
  can the boot process of the VPS continue. All this time the service provided
  by your VPS is not running.
* You may not need full disk encryption of your VPS: depending on the software
  running on your VPS, it could be easier to encrypt only some data directories.
  On the other hand, it is easy to overlook some sensitive data stored in
  configuration, cache files, temporary files, etc.

What is *not* encrypted
-----------------------

The default CryptOps setup includes a small partition that contains unencrypted
data needed by the CryptOps initrd. This data contains the SSH public keys that
are used to authorise users logging into the Dropbear shell.

Note that these public keys correspond to private keys on your computer, so in
a sense they are identifying material. To be secure, at least always:

* Keep your private keys private! This is *very* important. They are essential
  for the security of your VPS.
* Think about what you enter as an identifier for your public key. The public
  key is formatted as follows: ``<key-type> <public-key> <identifier>``. The
  identifier will often default to your (user)name, but can be anything. If you
  want to maximise anonymity, use something that you can use to identify the
  key, but does not directly identify *you*.
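
The following is an added example, not CryptOps' own code, that turns two of
the points on this page into checks you can run from your own computer: the
"man-in-the-middle your first SSH connection" scenario under *Invalid reasons*
(record the initrd's Dropbear host key fingerprint out of band when you install
CryptOps, and verify it before you type the passphrase on any later boot) and
the identifier advice above (scan the public keys you are about to place on the
unencrypted partition for comments that name you). It parses the
``<key-type> <public-key> <identifier>`` line format, computes the same
``SHA256:`` fingerprint that ``ssh-keygen -lf`` prints, and compares it against
a pinned value. The host name ``vps.example.org``, the function names, and the
``make_sample_key_line`` keys (syntactically valid ssh-ed25519 lines whose key
bytes are filler, not real keys) are all assumptions made for this example.
Lines with authorized_keys options (``command=...``) or known_hosts markers
(``@cert-authority``) are not handled.

```python
# Added example (not CryptOps' own code): parse OpenSSH public-key lines,
# verify a Dropbear host key against a pinned SHA256 fingerprint, and scan
# authorized_keys for identifiers that name a person.
import base64
import hashlib
import hmac
import struct
from typing import List, NamedTuple, Tuple


class SshPublicKey(NamedTuple):
    key_type: str   # e.g. "ssh-ed25519"
    blob: bytes     # decoded wire-format key
    comment: str    # the free-form identifier, "" if absent


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str) -> SshPublicKey:
    """Parse '<key-type> <base64-key> [<identifier>]' (authorized_keys format)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected at least key type and key data")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The first SSH string inside the blob repeats the key type; a mismatch
    # means the line is corrupt or has been edited by hand.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match key type field")
    return SshPublicKey(key_type, blob, comment)


def fingerprint_sha256(key: SshPublicKey) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(key.blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hostkey_matches_pin(known_hosts_line: str, pinned_fingerprint: str) -> bool:
    """True if the host key on a plain known_hosts line ('host type b64 [comment]')
    has the fingerprint you recorded out of band when CryptOps was installed.
    A pin only helps against a later substitution; it cannot detect a MITM on
    the very first connection, which is the point made on this page."""
    fields = known_hosts_line.strip().split(None, 1)
    if len(fields) != 2:
        raise ValueError("expected '<host> <key-type> <base64-key> [comment]'")
    key = parse_public_key_line(fields[1])
    return hmac.compare_digest(fingerprint_sha256(key), pinned_fingerprint)


def identifying_comments(authorized_keys: str,
                         personal_tokens: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, comment, reason) for keys whose identifier looks
    like it names a person: ssh-keygen's default 'user@host' form, or any of
    the caller-supplied tokens (login name, real name, employer, ...)."""
    flagged = []
    tokens = [t.lower() for t in personal_tokens]
    for lineno, raw in enumerate(authorized_keys.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment line in authorized_keys
        comment = parse_public_key_line(raw).comment
        if "@" in comment:
            flagged.append((lineno, comment, "looks like user@host"))
        elif any(t in comment.lower() for t in tokens):
            flagged.append((lineno, comment, "contains a personal token"))
    return flagged


def make_sample_key_line(seed: int, comment: str) -> str:
    """Constructed sample data: a syntactically valid ssh-ed25519 line whose
    32-byte public key is filler derived from 'seed'. Not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    b64 = base64.b64encode(blob).decode()
    return " ".join(p for p in ("ssh-ed25519", b64, comment) if p)


if __name__ == "__main__":
    line = make_sample_key_line(1, "alice@laptop")
    pin = fingerprint_sha256(parse_public_key_line(line))
    print("pinned:", pin)
    print("matches:", hostkey_matches_pin("vps.example.org " + line, pin))
    sample = "\n".join([line, make_sample_key_line(2, "cryptops-unlock-key")])
    for entry in identifying_comments(sample, ["alice"]):
        print("identifying comment on line %d: %r (%s)" % entry)
```

In practice you would obtain the pinned fingerprint from the VPS console (or
from ``ssh-keygen -lf`` on the Dropbear host key file) while setting CryptOps
up, store it somewhere the hoster cannot edit, and only enter the passphrase
when the key presented by the initrd still matches it.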

Boot partition
++++++++++++++

Unlike some laptops with full disk encryption, CryptOps does not offer an
encrypted boot partition. This is because booting a virtual machine differs
slightly from booting a laptop: often the initrd and kernel are provided by the
hosting provider.