Re: crypt question/server hotel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Apr 17, 2010 at 10:49:29 +0200,
  Jozsi Vadkan <jozsi.avadkan@xxxxxxxxx> wrote:
> I want to put my server in a "server hotel".
> 
> But: I don't trust my "server hotel owner".

These requirements seem to conflict.

> What can I do?
> 
> I can crypt my partition/hdd's that contains the data. Ok.
> But: then my operating system will not be encrypted. Not Ok.

That depends on your threat model. You will at least get a chance to notice
the reboot used to try to get access to your data by capturing your
password as you enter it. I don't think you have good choices there if
you are really worried about this. This condition also applies at service
start up and your choice is to enter the password which might get snooped
or not use the service. (Note if you are are worried about this, you
typically also need to worry about the keys being pulled from memory while
the system is running, typically using firewire for access, but other
ways exist.)

> If I crypt my operating system too, then when a reboot comes,
> I have to type a password to decrypt. But my server will be at 
> a "server hotel" I can't directly use a keyboard [no service cpu]. 

This is really the same case as above. The kernel executable is unencrypted
on the boot partition for Fedora.

> What can I do [on technical side] to ensure a little more security 
> to my server [e.g: crypt my partition/slice/whatever, that has the 
> operating system, but without the "type password" ""problem""]

You really can't. The technical answer is to pay more to host the server
in a secure facility.

You might consider legal protection via your support contract, depending on
what you are protecting. (If you are working for organized crime, legal
protection isn't going to help, and you should advise your boss to shell
out some more money to host servers under physical control of his trusted
employees.)
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux