Is your data in the cloud or on a provider’s servers, or even your own server, safe from snooping?
Sad to say, probably not.
If you’re running an international smuggling cartel, fighting for freedom in Latveria, or trying to keep your proprietary AES-decrypting algorithm a secret, you may wish to know what protections you have at different levels of hosting.
Before we go there, don’t freak out and assume that every junior sysadmin is rifling through your files.
First, they’re probably not that interested. Second, there’s a strong privacy ethos in the IT community and barging into someone’s private data would be very distasteful to your typical sysadmin. Third, providers know that bad reputations travel at the speed of sound: the moment someone is caught engaging in this behavior, the news will be blasted across the Internet and the provider’s reputation will be ruined. And finally, the provider is taking a legal risk when doing this, which is another deterrent.
Of course, if it’s a government agency coming in and doing this with a warrant, that’s a different situation. Providers are legally required to comply and if they refuse, they can be compelled to comply.
Let’s take a look at practicalities. One exception to everything below is data that you encrypted off site, not on the server and then copied to the server. That data is as good as the encryption.
Shared Hosting (cPanel, DirectAdmin, etc.)
There’s no protection here whatsoever. Providers need only to login to the server and change directory to your account and they can see everything, regardless of any permissions you set.
OpenVZ VPS
All a provider has to do is type
vzctl enter <your container ID>
and they’re in your VM as root. At that point they can see everything you’ve got.
KVM VPS
There’s no “immediately enter as root” command, but there’s still no real protection. A provider could clone your VPS, boot it, reset the root password and then login.
You can use encryption (e.g., LUKS) to encrypt a partition but because the provider controls the hypervisor, they can extract the encryption keys from the memory of your VM and decrypt it easily.
Dedicated Servers
You’re a little safer here. However, keep in mind that you don’t control the BIOS, the firmware, the ISOs presented to the server, the console, etc. Now putting in custom BIOS, creating a fake console session to steal your login, etc. is a lot more work, so you’re safe from the “bored junior sysadmin at 2am” problem, but not from three-letter security agencies.
What It Comes Down To
If you have data you need to store/exchange online, encrypt it before it leaves your control. Otherwise, have no illusions that things you store in the cloud are safe from prying eyes. A dedicated server can get you to the “only really have to worry about governments” stage. Anything better is impossible.
Discuss more in this LowEndTalk thread!
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
- Crunchbits Discontinuing Popular Annual Plans – The Community Mourns! - November 20, 2024
- RackNerd’s Black Friday 2024: Bigger, Better, and Now in Dublin! - November 19, 2024
- It’s the Season of Giving and CharityHost Has Deals for You! - November 18, 2024
Leave a Reply