this post was submitted on 08 Jan 2025
31 points (97.0% liked)

Self Hosted - Self-hosting your services.

11699 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Cross-posting

If you see a rule-breaker please DM the mods!

founded 3 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
31
How private is a vps? (lemmy.ml)
submitted 1 week ago by [email protected] to c/[email protected]
32 comments fedilink hide all child comments
 

Can the vps provider not read everything on your server, unless it's explicitly encrypted?

I'm asking because I'm interested in self-hosting mainly as a way to get privacy respecting services where good hosted ones don't exist. I'm not sure I really want to deal with running my own hardware

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 15 points 1 week ago (2 children)

If it is in the RAM, they can read it. Since it is a virtual server they can freeze and clone the current state and connect to that copy and read all data that is currently encrypted/opened without you even knowing.

[–] [email protected] 8 points 1 week ago (2 children)

Technically a lot of the newer chips used in datacenters support encrypted VMs which encrypts the RAM too, although you still have to trust that the hosting provider uses that feature.

[–] [email protected] 1 points 5 days ago

Irrelevant unless you own the key they are using for it

[–] [email protected] 0 points 1 week ago (1 children)

I'm assuming that would drive up costs, so not very many use it

[–] [email protected] 1 points 5 days ago

They will offer it as an optional service and charge you for it. So yes they use it.

[–] [email protected] -4 points 1 week ago (3 children)

While this is technically true, there is no provider on the planet that can freeze state of RAM in a way that would be useful for this.

It's technically feasible to recover data on a laptop's RAM, but not from a virtualized multi-tenant instance tied to a specific user.

[–] [email protected] 5 points 6 days ago (1 children)

there is no provider on the planet that can freeze state of RAM in a way that would be useful for this

You are very mistaken, this is a well-supported feature in most modern virtualization environments.

Here are XenServer docs for it. And here is VMWare's "high-frequency" snapshots page.

Sometimes, law enforcement authorities only need to contact cloud provider A when they have a warrant for (or, perhaps, no warrant but a mere request for) data about some user C who is indirectly using A via some cloud-hosted online service B.

A(mazon) will dutifully deliver to the authorities snapshots of all of B's VMs, and then it is up to them if they limit themselves to looking for data about C... while the staff of company B can honestly say they have not received any requests from law enforcement. (sorry my best source on this at the moment is sadly trust me bro; I've heard from an AWS employee that the above scenario really actually does happen.)

[–] [email protected] -2 points 6 days ago (1 children)

I'm not talking about snapshots. I'm talking about viewing the RAM of a running instance and having that be useful for anyone who managed to get it. And let me give you two simple reasons why it's not going to be useful:

  • Encryption extensions at the CPU
  • Hypervisor resource evictions

Unless you were to go and be on that instance at the exact moment something was happening (or shortly thereafter), that memory is going to be useless.

Now, if someone were absolutely stupid, disabled CPU security extensions at the Hypervisor, AND did something like make a RAM disk and stored something on that-which is really just going out your way to leave a trail-then yeah, maybe you'd get something.

The default of every hosting provider I'm familiar with is encryption by default on absolutely everything from the Hypervisor up except the disk, so I'm seriously doubting the claim of OP unless there is otherwise non-TMB information.

Disk snapshots are another story if unencrypted.

[–] [email protected] 3 points 6 days ago

Here's a snapshot of the memory of a running live cd of Ubuntu. I ran a script to load 0123456789abcdef over and over and it's clearly readable. Nothing special is required for this, as the Hypervisor has access to anything that the VM does. If the VM loads the encryption key for your disk into memory it will be available to the provider.

[–] [email protected] 1 points 6 days ago (1 children)

You don't need to freeze the state of the RAM, you freeze the whole virtual machine - including the virtual RAM.

[–] [email protected] 0 points 6 days ago (1 children)

Did you read the original comment???

[–] [email protected] 2 points 6 days ago

What do you think the “v” in “vps” stands for?

[–] [email protected] 4 points 1 week ago (1 children)

Dunno what rock you were hiding under but this is absolutely possible in a hosted environment. There's even ESXi documentation on how to do it. Taking a snapshot can be detected, but can't be prevented. These memory dumps can include encryption keys, private keys (such as SSL certificates) and other sensitive data.

Unless you can physically touch the drive with your data on it, I would not store any sensitive data on it, encrypted or not.