On 02/17/2020 05:03 AM, lejeczek via CentOS wrote:
> On 16/02/2020 15:18, H wrote:
>> I wonder if it is possible to set up an encrypted "file container" on a
>> CentOS VPS? I am the root user of the VPS but the hosting company also
>> has access to the VPS and thus all files. Is it possible to create a
>> LUKS-container on the VPS and those files only be accessible by me? IOW,
>> most of the file system on the VPS would be regular file system but the
>> container could be used by me as needed. This would allow the VPS to
>> reboot normally, I could ssh in normally etc etc. I would rsync files as
>> needed to this LUKS-container though.
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>
> How about a loop way? It would be a file which you can luks-encrypt,
> decrypt, u/mount on demand, keep a small filesystem on it.

What is a "loop way"? I googled it together with Linux and file and did
not find anything. Is this simply like a separate file that is
LUKS-encrypted and I would then mount it for remote access? If so, what
would prevent the hosting company - which I presume is the root user -
from also accessing it?
> What is a "loop way"? I googled it together with Linux and file and
> did not find anything.

The proper term is "loopback filesystem".

> Is this simply like a separate file that is LUKS-encrypted and I
> would then mount it for remote access?

Yes, it's a filesystem in a file that you mount with '-o loop'.

> If so, what would prevent the hosting company - which I presume is
> the root user - from also accessing it?

You provide the decryption password when you mount it. Once the
filesystem is mounted anyone with the appropriate permissions can read
it. You can reduce the opportunity of someone accessing it by only
mounting it when you need it and unmounting it as soon as possible.

TBH, if you don't trust the root user of a system, then there's not
much you can do - there are just so many ways a privileged user can get
access to things, both "legitimately" because of their absolute access
or "covertly" using trojans and so on that you would never know about.
If you have legitimate concerns about the hosting company, then find a
different one.

P.
On 23/02/2020 19:06, H wrote:
> On 02/17/2020 05:03 AM, lejeczek via CentOS wrote:
>> On 16/02/2020 15:18, H wrote:
>>> I wonder if it is possible to set up an encrypted "file container" on
>>> a CentOS VPS? I am the root user of the VPS but the hosting company
>>> also has access to the VPS and thus all files. Is it possible to
>>> create a LUKS-container on the VPS and those files only be accessible
>>> by me? IOW, most of the file system on the VPS would be regular file
>>> system but the container could be used by me as needed. This would
>>> allow the VPS to reboot normally, I could ssh in normally etc etc. I
>>> would rsync files as needed to this LUKS-container though.
>>
>> How about a loop way? It would be a file which you can luks-encrypt,
>> decrypt, u/mount on demand, keep a small filesystem on it.
>
> What is a "loop way"? I googled it together with Linux and file and did
> not find anything. Is this simply like a separate file that is
> LUKS-encrypted and I would then mount it for remote access? If so, what
> would prevent the hosting company - which I presume is the root user -
> from also accessing it?

That's that precisely, very easy.

a) use dd to create a file, eg.:
   dd if=/dev/zero of=gor.loop bs=1M count=2000
b) luks encrypt it:
   cryptsetup luksFormat gor.loop
c) dev mapper mount it:
   cryptsetup luksOpen gor.loop luks-gor.loop
d) fs it:
   mkfs.ext4 /dev/mapper/luks-gor.loop
e) mount it:
   mount /dev/mapper/luks-gor.loop $PWD/gor.rootfs.encrypted
f) use it (to simplify I'd put cryptOpen + mount + unmount + luksClose
   into a script)
g) remember!! still at least (depending how you mount it) the 'root'
   will have access to that data while mounted, obviously!
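A small wrapper for steps c), e) and f) above, added here as an example and not lejeczek's own script: it builds the open and close sequences as plain command lines first, so they can be reviewed (or tested) before anything touches the disk, then runs them. The container path, the mount point and the "luks-<file>" mapper name are assumptions taken from the steps above; running it for real needs root and cryptsetup.

```shell
#!/bin/sh
# Added example: open/mount and umount/close a LUKS container file.
# Usage:  luksbox.sh open  /srv/gor.loop /mnt/gor
#         luksbox.sh close /srv/gor.loop /mnt/gor
# Mapper name derived from the file name, as in step c) above (assumption).
mapper_name() {
    printf 'luks-%s\n' "$(basename "$1")"
}

# Emit the open sequence, one command per line, without executing it.
# $1 = container file, $2 = mount point.
plan_open() {
    name=$(mapper_name "$1")
    printf '%s\n' \
        "cryptsetup open \"$1\" \"$name\"" \
        "mkdir -p \"$2\"" \
        "mount -o nodev,nosuid \"/dev/mapper/$name\" \"$2\"" \
        "chmod 700 \"$2\""
}

# Emit the close sequence. Closing promptly shortens the window in which
# the data (and the key held in kernel memory) is exposed on the host.
plan_close() {
    name=$(mapper_name "$1")
    printf '%s\n' \
        "umount \"$2\"" \
        "cryptsetup close \"$name\""
}

# Execute a plan read from stdin, stopping at the first failing command.
run_plan() {
    while IFS= read -r cmd; do
        sh -c "$cmd" || return 1
    done
}

case "$1" in
    open)  plan_open  "$2" "$3" | run_plan ;;
    close) plan_close "$2" "$3" | run_plan ;;
esac
```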
On 2020-02-24 10:51, lejeczek via CentOS wrote:
> g) remember!! still at least (depending how you mount it)
> the 'root' will have access to that data while mounted,
> obviously!

More than that: the root user will be able to access data in the
future too, since it can steal the key while the data is mounted.

Regards.

-- 
Roberto Ragusa
mail at robertoragusa.it
> On Feb 24, 2020, at 3:41 AM, Pete Biggs <pete at biggs.org.uk> wrote:
>
>> What is a "loop way"? I googled it together with Linux and file and
>> did not find anything.
>
> The proper term is "loopback filesystem".

This HOWTO I used some 15+ years ago:

http://www.tldp.org/HOWTO/archived/Loopback-Encrypted-Filesystem-HOWTO/Loopback-Encrypted-Filesystem-HOWTO-3.html

Search (not "google", duckduckgo for me ;-) for "encrypted loopback
filesystem howto"...

Valeri

>> Is this simply like a separate file that is LUKS-encrypted and I
>> would then mount it for remote access?
>
> Yes, it's a filesystem in a file that you mount with '-o loop'.
>
>> If so, what would prevent the hosting company - which I presume is
>> the root user - from also accessing it?
>
> You provide the decryption password when you mount it. Once the
> filesystem is mounted anyone with the appropriate permissions can read
> it. You can reduce the opportunity of someone accessing it by only
> mounting it when you need it and unmounting it as soon as possible.
>
> TBH, if you don't trust the root user of a system, then there's not
> much you can do - there are just so many ways a privileged user can get
> access to things, both "legitimately" because of their absolute access
> or "covertly" using trojans and so on that you would never know about.
> If you have legitimate concerns about the hosting company, then find a
> different one.
>
> P.

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++