On 24/09/14 09:50, Stephan Alz wrote:
[...snip...]
> There isn't much point in encrypting the droplet's filesystem when
> the key can easily be dumped out of memory.
>
> But to get to the point, that if I set up openvpn on my droplet and
> let's say an evil admin sniffing my traffic for 3 months with
> tcpdump then decides to decrypt that traffic what tools does he
> have (if any) to do this. At this point he has a pcap file and the
> openvpn server certificates and keys.
>
> I only refer to the encrypted traffic between the droplet and my
> computer. Obviously if I use this droplet to route all my traffic
> through it then he can sniff all the outgoing un-encrypted traffic
> to the internet.
>
> The reason why I ask this is because IPSec provides Perfect
> Forward Secrecy which if it's turned on would make it impossible to
> decrypt that sniffed traffic later, even if the attacker has all
> the keys.

As long as a server admin can access your openvpn (or IPSec keys, for that matter), any traffic sniffed and saved can be compromised. There are no ways around that. Any server-admin can access your file systems outside of your VM if the disk isn't encrypted (libguestfs/guestfish, f.ex). And if the disk is encrypted, it is the RAM which is still possible to dump, but that will be harder to extract the keys from as the location of the keys isn't necessarily that obvious (but it is doable).

PFS is a hard thing to accomplish, and it doesn't help when some vendors claim to have PFS which may in fact be a misguided statement.

I'm not a cryptologist, so I'm on thin ice here. But how I understand it, if OpenVPN is properly configured with unique certificates to all servers and clients, using your own securely set up CA, and with --reneg-* and --tls-auth options enabled, then OpenVPN provides a fairly good level of PFS. But there are many pitfalls which are easy to fall into, which again may break PFS. Some might even call it PFS without --tls-auth, as well. Removing key re-negotiations will again break PFS.

So it's not an easy yes/no answer, due to the flexibility of OpenVPN.

--
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
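
An added example, not part of the original message or of OpenVPN itself: a small Python check of an OpenVPN config for the two settings the reply names, key renegotiation (`reneg-*`) and `tls-auth`. The sample configs are constructed and the function names are hypothetical; it assumes OpenVPN's documented default of 3600 seconds when `reneg-sec` is unset.

```python
import re

# Constructed sample configs for illustration (not taken from the thread).
BASE = "port 1194\nproto udp\nca ca.crt\ncert server.crt\nkey server.key\n"
WEAK_CONF = BASE + "reneg-sec 0\n"
HARDENED_CONF = BASE + "reneg-sec 3600\ntls-auth ta.key 0\n"

def parse_options(text):
    """Return {option: [args]} from OpenVPN config text (last occurrence wins)."""
    opts, inline = {}, None
    for raw in text.splitlines():
        if inline:  # skip the body of an inline <option> ... </option> block
            if raw.strip() == f"</{inline}>":
                inline = None
            continue
        # '#' or ';' at the start of a token begins a comment
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            inline = tag.group(1)
            opts[inline] = ["[inline]"]
        elif line:
            name, *args = line.split()
            opts[name.lstrip("-")] = args  # tolerate a leading "--"
    return opts

def audit_pfs_options(text):
    """Flag the two conditions the reply names: renegotiation off, tls-auth absent."""
    opts = parse_options(text)

    def number(name):
        args = opts.get(name)
        return int(args[0]) if args and args[0].isdigit() else None

    findings = []
    # An unset reneg-sec is not a finding: OpenVPN then uses its 3600 s default.
    other_trigger = any((number(n) or 0) > 0 for n in ("reneg-bytes", "reneg-pkts"))
    if number("reneg-sec") == 0 and not other_trigger:
        findings.append("key renegotiation disabled (reneg-sec 0, no reneg-bytes/reneg-pkts)")
    if "tls-auth" not in opts:
        findings.append("tls-auth not configured")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_pfs_options(conf) or "no findings")
```

The check only reads the config file; it says nothing about whether the server's private key and `ta.key` are readable by the hosting provider, which is the exposure the thread is about.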