[aklug] Re: My virtual server on Amazon

From: Damien Hull <damien@linuxninjas.tv>
Date: Sun May 17 2009 - 15:03:40 AKDT

True... However, so much of what we do is in the cloud. Email and shopping are good examples. There's encryption for email but people don't use it. Our credit card info is encrypted during the transaction process but it's sitting on a server somewhere. That's how the bad guys get it.

I think it depends on what kind of data we're talking about. What I post on my blog doesn't need to be encrypted. Documentation about server settings is another story. I might want to keep that safe...

Data security will become a big issue as more and more people use web based applications. Google Docs is a good example. How safe are one's docs on Google?

There's no simple answer. I'll watch what I put in the cloud but I'm not taking the paranoid approach.

NOTE
My Ubuntu server image on Amazon is encrypted. It can't be started without my X.509 cert.

----- Original Message -----
From: "Shane R. Spencer" <shane@bogomip.com>
To: "Damien Hull" <damien@linuxninjas.tv>
Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
Sent: Sunday, May 17, 2009 2:29:38 PM GMT -09:00 Alaska
Subject: Re: [aklug] Re: My virtual server on Amazon

Somebody somewhere has a funny saying about "Better than nothing".

Just remember that your encryption key is in memory on a box somewhere
that's out of your control.. And cryptsetup needs to be validated
against your package repository before being used. Virtual server
environments are fun because of all the security problems they impose.

When storing data to an offsite backup system I always back up the
result of an encrypted block device, file, or stream. Like when using
ecryptfs or encfs, you back up the encrypted directory using tools like
rsync since you'll never be able to decipher the names using, say, tab
completion. You just have to back up the entire thing.

When using duplicity you pipe the output of their stream archive format
through GPG running on a local host. This way you control everything
assuming you are in control of your own box.

Anyways.. it doesn't need to be this tight if the data doesn't require
it. But encryption is next to useless if you're doing the processing on
a virtual machine on top of a host that you have no control over.

Shane

Damien Hull wrote:
> This is true. Couple of things to remember...
> 1. This is all web data...
> 2. No different than a real server in some far off data center
>
> There are exceptions...
> 1. Email
> 2. Groupware applications that allow users to upload files etc...
>
> I'm looking at encrypting my data. That doesn't include /etc... Amazon has a service called the "Elastic Block Service" or EBS for short. Luks Format for block level data encryption... If the EBS block device is mounted my data is wide open. However, snapshots would be encrypted...
>
> It's better than nothing...
>
>
> ----- Original Message -----
> From: "Arthur Corliss" <acorliss@nevaeh-linux.org>
> To: "Damien Hull" <damien@linuxninjas.tv>
> Cc: aklug@aklug.org
> Sent: Monday, May 11, 2009 10:12:07 PM GMT -09:00 Alaska
> Subject: Re: [aklug] My virtual server on Amazon
>
> On Mon, 11 May 2009, Damien Hull wrote:
>
>> I think this is the wave of the future. I don't have to worry about hardware... Or fast Internet connections. Very cool!
>
> :-) It sounds interesting, but remember, all things within reason.
> Remember, now someone other than you has direct access to any private data
> you put on that cloud, whether it be private SSL or SSH keys, your shadow
> file, etc.
>
> Something to think about before you use the same passwords as you do on your
> own systems.
>
>          --Arthur Corliss
>           Live Free or Die
>

-- 
Damien Hull
Linux Ninja
Open Source Assassin

http://linuxninjas.tv
http://elite.linuxninjas.tv
http://www.digital-overload.net

Received on Sun May 17 15:03:55 2009

This archive was generated by hypermail 2.1.8 : Sun May 17 2009 - 15:03:55 AKDT