[aklug] Re: My virtual server on Amazon

From: Shane R. Spencer <shane@bogomip.com>
Date: Sun May 17 2009 - 14:29:38 AKDT

Somebody somewhere has a funny saying about "Better than nothing".
Just remember that your encryption key is in memory on a box somewhere
that's out of your control.. And cryptsetup needs to be validated
against your package repository before being used. Virtual server
environments are fun because of all the security problems they impose.

When storing data to an offsite backup system I always back up the
result of an encrypted block device, file, or stream. Like when using
ecryptfs or encfs, you back up the encrypted directory using tools like
rsync since you'll never be able to decipher the names using, say, tab
completion. You just have to back up the entire thing.

When using duplicity you pipe the output of their stream archive format
through GPG running on a local host. This way you control everything
assuming you are in control of your own box.

Anyways.. it doesn't need to be this tight if the data doesn't require
it. But encryption is next to useless if you're doing the processing on
a virtual machine on top of a host that you have no control over.

Shane

Damien Hull wrote:
> This is true. Couple of things to remember...
> 1. This is all web data...
> 2. No different than a real server in some far off data center
>
> There are exceptions...
> 1. Email
> 2. Groupware applications that allow users to upload files etc...
>
> I'm looking at encrypting my data. That doesn't include /etc... Amazon has a service called the "Elastic Block Service" or EBS for short. Luks Format for block level data encryption... If the EBS block device is mounted my data is wide open. However, snapshots would be encrypted...
>
> It's better than nothing...
>
>
> ----- Original Message -----
> From: "Arthur Corliss" <acorliss@nevaeh-linux.org>
> To: "Damien Hull" <damien@linuxninjas.tv>
> Cc: aklug@aklug.org
> Sent: Monday, May 11, 2009 10:12:07 PM GMT -09:00 Alaska
> Subject: Re: [aklug] My virtual server on Amazon
>
> On Mon, 11 May 2009, Damien Hull wrote:
>
>> I think this is the wave of the future. I don't have to worry about hardware... Or fast Internet connections. Very cool!
>
> :-) It sounds interesting, but remember, all things within reason.
> Remember, now someone other than you has direct access to any private data
> you put on that cloud, whether it be private SSL or SSH keys, your shadow
> file, etc.
>
> Something to think about before you use the same passwords as you do on your
> own systems.
>
> --Arthur Corliss
> Live Free or Die
>

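The backup pattern Shane describes above (encrypt on a host you control, ship only the ciphertext and the opaque encrypted names offsite, keep the passphrase local) modelled end to end, as an added example that is not part of this thread or of any of the tools named in it. Because the Python standard library has no AES, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for the AES/GPG layer that ecryptfs, encfs or `duplicity | gpg` would supply; the sample files, the salt and the passphrase are constructed, and `encrypt_tree`/`restore_file` are this example's own names.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for the AES layer that
    ecryptfs/encfs/GPG provide; the standard library ships no AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Passphrase -> (encryption key, MAC key). The salt is not secret and is
    stored beside the backup; the passphrase never leaves the local host."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return master[:32], master[32:]


def encrypt_blob(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("backup blob truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup blob tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypted_name(mac_key: bytes, name: str) -> str:
    """Deterministic keyed name: repeated rsync runs see the same filename,
    but nothing about the original path is visible on the remote side."""
    digest = hmac.new(mac_key, b"name:" + name.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:16]).decode().rstrip("=")


def encrypt_tree(files: dict[str, bytes], passphrase: str, salt: bytes) -> dict[str, bytes]:
    """Produce what the offsite host receives: opaque names mapped to ciphertext.
    This is the 'encrypted directory' that gets rsynced in its entirety."""
    enc_key, mac_key = derive_keys(passphrase, salt)
    return {encrypted_name(mac_key, n): encrypt_blob(enc_key, mac_key, data)
            for n, data in files.items()}


def restore_file(remote: dict[str, bytes], passphrase: str, salt: bytes, name: str) -> bytes:
    """Recover one file. Without the passphrase even its name cannot be located,
    which is why the whole encrypted tree has to be backed up and restored."""
    enc_key, mac_key = derive_keys(passphrase, salt)
    key = encrypted_name(mac_key, name)
    if key not in remote:
        raise ValueError(f"no backup entry for {name!r} under this key")
    return decrypt_blob(enc_key, mac_key, remote[key])


if __name__ == "__main__":
    # Constructed sample tree standing in for the data being protected.
    sample = {"mail/inbox.mbox": b"From alice@example.test\n\nhello",
              "etc/shadow": b"root:$6$constructed$hash:18000:0:99999:7:::"}
    salt = b"constructed-salt"  # stored next to the backup, not secret
    remote = encrypt_tree(sample, "correct horse battery", salt)
    for n in sorted(remote):
        print(n, len(remote[n]), "bytes")  # all the offsite host ever sees
    print(restore_file(remote, "correct horse battery", salt, "etc/shadow"))
```

The two properties worth checking before trusting any such pipeline are the ones the code exercises: the remote listing carries no plaintext path component, and a blob that is altered in transit or at rest fails the MAC check instead of decrypting to garbage. The key-in-memory caveat from the message still applies: this only helps if the host running `encrypt_tree` is one you control.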

Received on Sun May 17 14:29:59 2009

This archive was generated by hypermail 2.1.8 : Sun May 17 2009 - 14:29:59 AKDT