Robert wrote:
Jozsi Vadkan wrote:
I want to put my server in a "server hotel".
But: I don't trust my "server hotel owner".
What can I do?
1) Even if you encrypt the whole disk and you have a remote console
available (via serial port or KVM switch), you still will have to
trust your provider that he doesn't sniff that traffic.
2) If you can't detect a reboot of your machine because the attacker has
"cleaned" the logs etc., then anybody with physical access can own the
machine. I'm not aware of any way to prevent this.
(see also "cold boot attack", or simply creating a disk image and
doing a brute force attack against the image)
3) Your only chance might be to have a card in the machine (e.g. IBM RSA)
that allows remote control. But the traffic to it will have to be
encrypted (-> 1) and it has to detect if it was temporarily removed
from the machine during a physical attack, and even then it needs to
report this back to you. I don't know if there is any card out there
that can provide this level of protection...
If you are really paranoid and the hacker type, then I guess you can
hide a mobile phone inside the case, connect it via USB and have it
constantly report the status (power, light sensor, GPS etc.).
In the end it is, as usual, a question of cost vs benefit. If your
machine is *that* valuable then you shouldn't put it in an untrusted
environment in the first place.
In your case I guess you should encrypt your data and have the machine
email you if it reboots. Then you can log in via SSH and enter the
crypto key and start the "stage 2" applications that need the
encrypted data.
You will have to trust your provider that he doesn't do any physical
attacks (e.g. replace OS files).
++
solution: if the security of the machine and its data is of sufficient
importance you cannot trust 3rd parties with it and must keep it
somewhere you feel confident that it is physically secure.
even if you have the boot partition(s) fully encrypted there is nothing
to stop someone from installing a fake boot prompt and yanking your
passphrase. in most situations where the machine is running you also
have to worry about someone freezing your RAM, powering the machine off
and pulling your disk crypto keys directly from RAM. 'secure' memory for
storing crypto keys is another option that is marginally better than RAM
but requires hardware and software support.
how worried you should be about this depends on your threat model.
kind regards,
Robert
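The thread's point 2 (an attacker with physical access can reboot the box and "clean" the logs) and the later suggestion to have the machine report reboots to you suggest keeping the reboot evidence off the host. The monitor below is an added example, not code from the thread; it assumes the colocated host sends a periodic heartbeat carrying its boot identifier (on Linux the contents of /proc/sys/kernel/random/boot_id, which changes on every boot) and its uptime in seconds, and it flags a changed boot id, an uptime that went backwards, and hosts that fell silent (e.g. powered off for disk imaging). Host names, boot ids and timestamps in the sample run are constructed.

```python
"""Remote reboot/outage monitor for a colocated host (added example).

State lives on the monitoring side, so logs cleaned on the machine
itself do not erase the evidence. A fully compromised host can still
forge heartbeats; this only covers the "reboot and clean up" case.
"""
from dataclasses import dataclass, field


@dataclass
class HostState:
    boot_id: str
    uptime_s: float
    last_seen: float  # monitor-side receive time, epoch seconds


@dataclass
class BootMonitor:
    max_gap_s: float = 120.0  # longest tolerated silence between heartbeats
    hosts: dict = field(default_factory=dict)

    def observe(self, host, boot_id, uptime_s, now):
        """Record one heartbeat; return a list of alert strings."""
        alerts = []
        prev = self.hosts.get(host)
        if prev is not None:
            gap = now - prev.last_seen
            if gap > self.max_gap_s:
                alerts.append(f"{host}: silent for {gap:.0f}s (powered off or isolated?)")
            if boot_id != prev.boot_id:
                # boot_id is regenerated by the kernel on every boot
                alerts.append(f"{host}: reboot detected (boot_id {prev.boot_id} -> {boot_id})")
            elif uptime_s < prev.uptime_s:
                # same boot, but uptime went backwards: clock tampering or a forged heartbeat
                alerts.append(f"{host}: uptime regression without a new boot_id")
        self.hosts[host] = HostState(boot_id, uptime_s, now)
        return alerts

    def silent_hosts(self, now):
        """Hosts whose last heartbeat is older than max_gap_s (run from a timer)."""
        return sorted(h for h, s in self.hosts.items() if now - s.last_seen > self.max_gap_s)


if __name__ == "__main__":
    # Constructed heartbeat sequence: (host, boot_id, uptime_s, receive_time)
    sample = [("colo1", "boot-aaaa", 100, 1000.0), ("colo1", "boot-aaaa", 160, 1060.0),
              ("colo1", "boot-bbbb", 30, 1120.0), ("colo1", "boot-bbbb", 20, 1180.0)]
    mon = BootMonitor(max_gap_s=120)
    for hb in sample:
        for line in mon.observe(*hb):
            print("ALERT", line)
    print("silent now:", mon.silent_hosts(2000.0))
```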