Hey,

> 1) I have never used a VPS before. Can they be nearly as
> private/secure as a local machine?

No, you are trusting the hosting provider, when you rely on trust
within your security model it weakens it. You have to trust the hosting
provider to provide good physical security, and also digital security
too (for example, if their servers are vulnerable the isolation between
virtual machines could be compromised).

> For example, if I use full disk encryption and only ssh to
> communicate, is there any way the company can know what I'm
> doing/data?

Using full disk encryption on vps isn't that useful.

Hosting providers can take the FDE key directly from memory and decrypt
your data at rest.

> 2) I use FDE on my laptop, and after update, I have to type the
> password before I can boot. So how is this achieved on a VPS as ssh
> doesn't start before the OS does?

Usually you need a terminal server or KVM for physical servers, when
you collocate servers you are sometimes provided this.

For virtual servers (vps), most hosting providers will give you vnc
access to access the vm directly in case of network issues, or in this
case, to decrypt them, so yes it is possible. Does it improve security?
Seldom.

> 3) Even if I use FDE, the company can read the password during the
> initial setup right, and also temper the ISO? Can I install/setup ISO
> locally and then upload image to the vps, so I know the iso is
> genuine and they did not read my password during setup?

In order to decrypt the partition(s) FDE keys have to be loaded into
memory. Because the company controls the host, there is nothing
stopping them intercepting the key, and storing it to decrypt your
data later.

There is confidential computing, and there was a talk about it at
EuroBSDCon 2024 [1] and EuroBSDCon 2025 [2] (can't find
recording, sorry) which might interest you, however support for it is
limited unless you are using certain hosting providers, and if I
remember correctly, it usually costs a pretty penny.

> 4) Is openbsd a good server os for hosting websites and possibly
> E-mail?

Dumb question :)

OpenBSD base includes httpd [3], a small but powerful webserver built
for security, and also relayd [4] which can be used for proxying. Unlike
the norm on Linux, OpenBSD actually has different tools for different
jobs and doesn't heap it all into one giant daemon. It also includes
acme-client [5] which as the name implies, its an acme client, but
unlike the solutions often used on Linux (such as acme.sh, dehydrated,
certbot) its small, simple and just works.

As for email, OpenBSD base ships with smtpd (aka opensmtpd) [6] which
makes email simple, unlike postfix. smtpd delivers to local mailboxes,
which you can read over SSH, but if you want support for IMAP/POP, you
can use dovecot from the ports and set it up with opensmtpd.

Name another operating system in which almost your entire stack is
within the base install?

Take care,
-- 
Polarian
Jabber/XMPP: [email protected]

[1] https://www.youtube.com/watch?v=t6eQ1Wf0zd8
[2]
https://www.openbsd.org/papers/eurobsdcon2025-hshoexer-confidential-computing.pdf
[3] https://man.openbsd.org/httpd.8
[4] https://man.openbsd.org/relayd.8
[5] https://man.openbsd.org/acme-client.1
[6] https://man.openbsd.org/smtpd.8

Reply via email to