On 02/24/2020 05:02 PM, Valeri Galtsev wrote:
>
>
> On 2020-02-24 15:57, H wrote:
>> On 02/24/2020 12:42 PM, Roberto Ragusa wrote:
>>> On 2020-02-24 14:37, lejeczek via CentOS wrote:
>>>>
>>>>
>>>> On 24/02/2020 10:26, Roberto Ragusa wrote:
>>>>> On 2020-02-24 10:51, lejeczek via CentOS wrote:
>>>>>> g) remember!! still at least (depending how you mount it)
>>>>>> the 'root' will have access to that data while mounted,
>>>>>> obviously!
>>>>>
>>>>> More than that: the root user will be able to access data
>>>>> in the future too, since it can steal the key
>>>>> while the data is mounted.
>>>>>
>>>>> Regards.
>>>>>
>>>> With a passphrase only?
>>>
>>> Attackers don't need the passphrase, they can use the
>>> real key used for encryption (dmsetup table).
>>>
>>> Regards.
>>>
>> So the final word seems to be that even if I create this LUKS-encrypted 
>> loop-back file and only mount it when needed, immediately un-mount when no 
>> longer needed, a root user can access this encrypted file system while it is 
>> mounted, and perhaps more importantly, even when it is not mounted since 
>> they can get the key as described above?
>>
>> My reputable VPS hosting provider in Europe of course outsources some of the 
>> support to other countries. While I have no immediate suspicion that they 
>> access files on my VPS, I also have no way of finding out, nor of protecting 
>> myself - apart from not putting "sensitive" files on the VPS or encrypting 
>> files before uploading them.
>>
>> If I upgrade to a dedicated server I expect that I will be the root user but 
>> will the hosting company still have access to my server?
>>
>
> Whoever has physical access to the machine can have everything. In the past I 
> was phrasing it "nothing can stop the guy with the screwdriver". Do not take 
> the screwdriver literally, of course.
>
> Valeri
>
Well, the scenario with a screwdriver I can live with but not other types of 
access...

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
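
Added example, not part of the original thread: a Python script that parses `dmsetup table` output (the command mentioned above) and reports, for each dm-crypt mapping, how the volume key appears in the table. The sample output, device names and key values are constructed, and the function names are hypothetical.

```python
import re

# Constructed `dmsetup table` output: names, sizes and key values are made up.
SAMPLE = "\n".join([
    "vg-root: 0 41943040 linear 8:2 2048",
    "vault: 0 2093056 crypt aes-xts-plain64 " + "0" * 64 + " 0 7:0 4096",
    "old: 0 2093056 crypt aes-xts-plain64 " + "a1b2" * 16 + " 0 7:1 4096",
    "luks2: 0 2064384 crypt aes-xts-plain64 "
    ":64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 7:2 32768",
])


def classify_key(field):
    """Classify the <key> field of a dm-crypt table line."""
    if field == "-":
        return "none"      # no key material (null cipher)
    if field.startswith(":"):
        return "keyring"   # :<size>:<type>:<description>, key held in kernel keyring
    if re.fullmatch(r"[0-9a-fA-F]+", field):
        # All zeros: dmsetup masked the key because --showkeys was not given.
        # Anything else: the raw volume key was printed in hex.
        return "masked" if set(field) == {"0"} else "hex"
    return "unknown"


def audit(table_text):
    """Return (name, cipher, key_kind) for every crypt target in the table."""
    findings = []
    for line in table_text.splitlines():
        parts = line.split()
        # `dmsetup table` prefixes "name:" when listing all devices.
        if parts and parts[0].endswith(":"):
            name, parts = parts[0][:-1], parts[1:]
        else:
            name = "(unnamed)"
        # Remaining layout: start length crypt cipher key iv_offset device offset
        if len(parts) < 5 or parts[2] != "crypt":
            continue
        findings.append((name, parts[3], classify_key(parts[4])))
    return findings


if __name__ == "__main__":
    # In every case the key is resident in the kernel while the mapping exists,
    # which is the point made in the thread about root on a running system.
    for name, cipher, kind in audit(SAMPLE):
        print(f"{name}: {cipher} key={kind}")
```

On a live system, pass it the text produced by `dmsetup table` run as root instead of `SAMPLE`.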
