Hi Guus,

Can you recommend a good strategy in securely managing the config and hosts files please?

Regards
Yazeed Fataar <yazeedfataar at hotmail.com>

On Sun, Jan 24, 2016 at 11:50 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Sun, Jan 24, 2016 at 10:01:23AM +0300, Yazeed Fataar wrote:
>
> > I hope this was not asked before. What methods can be used to secure the
> > "tinc" config files? If for example using a VPS provider like Digital Ocean,
> > how can one be sure that the local admins don't access your container and
> > read the contents of the tinc config files? Is there a better solution,
> > should full drive encryption be used and dedicated servers?
>
> You should consider any VPS compromised from the very start. Even
> full-drive encryption on a dedicated server won't help unless you can
> somehow make absolutely sure that someone with physical access to the
> machine cannot access the encryption key or just log in. That is harder
> than it sounds.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Sun, Jan 24, 2016 at 12:10:42PM +0300, Yazeed Fataar wrote:
> Can you recommend a good strategy in securely managing the config and hosts
> files please?

The private keys (those files ending in .priv) should only be readable by
root. When tinc generates the public/private keypairs, it already ensures
the private key file is only readable by root. The rest of the files in
/etc/tinc can be public, there is no harm in having others read them. But
if you don't want others to access them, you should do:

    sudo chmod go= /etc/tinc

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
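Guus's advice above amounts to two checks: no *.priv file under /etc/tinc may be readable by group or others, and, if you want the rest hidden too, the whole tree gets `chmod go=`. The shell script below is an added example (not tinc's own code and not from this thread) that audits a tinc configuration directory for exposed private keys and tightens it. The directory layout and key file it builds under mktemp are constructed for the demonstration only, and it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example: find tinc private keys (*.priv) that are readable by group
# or others, then apply the fix from the thread: keys to 0600, tree to go=.
# Point the functions at /etc/tinc on a real host (run as root).

# Octal permission bits of a path (GNU coreutils stat assumed).
mode_of() {
    stat -c '%a' "$1"
}

# Print every *.priv file below $1 whose group or other read bit is set.
# An empty result means no private key is exposed to other local users.
find_exposed_keys() {
    find "$1" -type f -name '*.priv' \( -perm -g+r -o -perm -o+r \) -print
}

# Count the exposed keys (trailing tr strips wc's padding on some systems).
count_exposed_keys() {
    find_exposed_keys "$1" | wc -l | tr -d ' '
}

# Tighten: every private key becomes 0600, and the directory itself gets
# the "chmod go=" from Guus's reply so non-root users cannot list it.
tighten_tinc_dir() {
    dir="$1"
    find "$dir" -type f -name '*.priv' -exec chmod 600 {} +
    chmod go= "$dir"
}

# Demonstration on a constructed tree that mimics /etc/tinc/<netname>.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mynet/hosts"
    printf 'Name = alpha\n' > "$tmp/mynet/tinc.conf"
    printf 'NOT A REAL KEY (constructed)\n' > "$tmp/mynet/rsa_key.priv"
    chmod 644 "$tmp/mynet/rsa_key.priv"   # deliberately too permissive
    echo "exposed keys before: $(count_exposed_keys "$tmp")"
    tighten_tinc_dir "$tmp"
    echo "exposed keys after:  $(count_exposed_keys "$tmp")"
    echo "key mode now: $(mode_of "$tmp/mynet/rsa_key.priv"), dir mode: $(mode_of "$tmp")"
    rm -rf "$tmp"
}

demo
```

Note the limit of this fix, which is exactly the point Guus made in the earlier reply: file permissions are enforced by the running kernel, so they protect the keys from other users on the same system, not from a provider who mounts the disk image elsewhere or reads it from the hypervisor. Against that adversary the only thing these permissions change is how hard the keys are to find.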
Thanks Guus.

So if someone were to gain access to my VM disk, they would not be able to view the contents of the files in "/etc/tinc" if I do "sudo chmod go= /etc/tinc"? My paranoia is around a VPS provider who has admin access to all containers. I know that I have to create a root password that will allow only myself root access, but I'm just worried about the disk contents if it were mounted on another system.

Regards
Yazeed Fataar <yazeedfataar at hotmail.com>

On Sun, Jan 24, 2016 at 12:32 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Sun, Jan 24, 2016 at 12:10:42PM +0300, Yazeed Fataar wrote:
>
> > Can you recommend a good strategy in securely managing the config and
> > hosts files please?
>
> The private keys (those files ending in .priv) should only be readable
> by root. When tinc generates the public/private keypairs, it already
> ensures the private key file is only readable by root. The rest of the
> files in /etc/tinc can be public, there is no harm in having others read
> them. But if you don't want others to access them, you should do:
>
>     sudo chmod go= /etc/tinc
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>