Comment on Notes on full disk encryption on a Hetzner cloud VPS
i_am_not_a_robot@discuss.tchncs.de 21 hours ago
Enabling SSH password authentication is unnecessary and not a good idea, especially if your temporary passwords are simple. I haven’t used Hetzner but there is probably a way to upload a file or to paste into the console, or else if you fix your keyboard you could at least type a URL to download the public key from the internet. You may want to look into cloud-init instead of manually installing and configuring your VMs.
LUKS may not make your server meaningfully more secure. Anyone who can snapshot your server while it’s running or modify your unencrypted kernel or initrd files before you next unlock the server will be able to access your files.
Why full disk encryption is important: what happens when you switch servers or providers: can you be sure the disk gets wiped properly?
Or when your disk dies and gets replaced, what happens to the old disk? Will they physically destroy it or just throw it in the bin?
When encrypted, it doesn’t matter; no one will get data off of them. That’s why you encrypt servers.
It’s worth going through the provider’s policies.
For example, here’s how Hetzner handles deletion of your data
Encryption will prevent mistakes, but if you can’t trust the provider’s policies you shouldn’t trust them to run your infrastructure at all.
Security is always applied in layers. The more the better. There’s a reason “encryption at rest” is a requirement in many audits.
Agreed. I was going to argue more against encryption, but you can see me somewhat changing my mind in the second half of my comment.
For me personally, I don’t want the hassle of encryption on my VPS and have decided I’m fine with the remaining risk.
LUKS may not make your server meaningfully more secure. Anyone who can snapshot your server while it’s running or modify your unencrypted kernel or initrd files before you next unlock the server will be able to access your files.
This is a little oversimplified. Hardware vendors have done a lot of work in the last 10-20 years to make it hard to impossible to obtain data this way. AMD-SEV for example.
There are other more realistic attacks like simply etrackt the ssh server signature and MITM the ssh connection and extract the LUKS password.
versionc@lemmy.world 21 hours ago
Noted, thank you!
Pasting generates garbled text, with letters and symbols being replaced or simply missing. I haven’t found a way to upload a file, nor have I found a solution to the issues in general. I found a few threads on Reddit complaining about the same thing, but no one had found a solution. It just seems to be an issue with the way Hetzner has set up their KVM console.
There is a way to upload custom ISO files, but it’s quite annoying as you have to open a ticket with a direct link to the ISO and wait for the staff to upload it for you to the UI.
Thank you! I’ll check it out.
That’s true. It’s mostly just to prevent data recovery should the VPS be recycled for services that don’t support E2EE, like Immich. I thought it would be better than nothing.