Is your data in the cloud or on a provider’s servers, or even your own server, safe from snooping?
Sad to say, probably not.
If you’re running an international smuggling cartel, fighting for freedom in Latveria, or trying to keep your proprietary AES-decrypting algorithm a secret, you may wish to know what protections you have at different levels of hosting.
Before we go there, don’t freak out and assume that every junior sysadmin is rifling through your files.
First, they’re probably not that interested. Second, there’s a strong privacy ethos in the IT community and barging into someone’s private data would be very distasteful to your typical sysadmin. Third, providers know that bad reputations travel at the speed of sound: the moment someone is caught engaging in this behavior, the news will be blasted across the Internet and the provider’s reputation will be ruined. And finally, the provider is taking a legal risk when doing this, which is another deterrent.
Of course, if it’s a government agency coming in and doing this with a warrant, that’s a different situation. Providers are legally required to comply and if they refuse, they can be compelled to comply.
Let’s take a look at practicalities. One exception to everything below is data that you encrypted somewhere else (not on the server) and only then copied to the server. That data is as safe as the encryption protecting it.
Shared Hosting (cPanel, DirectAdmin, etc.)
There’s no protection here whatsoever. Providers need only log in to the server and change directory to your account and they can see everything, regardless of any permissions you set.
OpenVZ VPS
All a provider has to do is type
vzctl enter <your container ID>
and they’re in your VM as root. At that point they can see everything you’ve got.
KVM VPS
There’s no “immediately enter as root” command, but there’s still no real protection. A provider could clone your VPS, boot it, reset the root password and then log in.
You can use encryption (e.g., LUKS) to encrypt a partition, but because the provider controls the hypervisor, they can extract the encryption keys from the memory of your VM and decrypt the partition easily.
Dedicated Servers
You’re a little safer here. However, keep in mind that you don’t control the BIOS, the firmware, the ISOs presented to the server, the console, etc. Installing a custom BIOS, creating a fake console session to steal your login, etc. is a lot more work, so you’re safe from the “bored junior sysadmin at 2am” problem, but not from three-letter security agencies.
What It Comes Down To
If you have data you need to store/exchange online, encrypt it before it leaves your control. Otherwise, have no illusions that things you store in the cloud are safe from prying eyes. A dedicated server can get you to the “only really have to worry about governments” stage. Anything better is impossible.
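One way to follow that advice, as an added example that is not part of the original post: encrypt on your own machine, keep the key and a digest of the ciphertext locally, and copy only the `.enc` file to the provider. It assumes OpenSSL 1.1.1 or later; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: the key file and the manifest never leave your machine.
# Typical use (paths are placeholders):
#   new_key ~/.backup.key
#   seal notes.tar notes.tar.enc ~/.backup.key ~/.backup.manifest
#   ...copy notes.tar.enc to the server; later, after downloading it again:
#   unseal notes.tar.enc notes.tar ~/.backup.key ~/.backup.manifest
set -eu

# digest FILE -> hex SHA-256 of FILE
digest() { openssl dgst -sha256 -r < "$1" | cut -d' ' -f1; }

# new_key KEYFILE -> 32 random bytes, hex encoded, readable only by you
new_key() { (umask 077; openssl rand -hex 32 > "$1"); }

# seal PLAIN ENC KEYFILE MANIFEST
# Encrypts locally, then records the ciphertext digest in the local manifest.
# "openssl enc" has no authenticated (AEAD) mode, so the locally kept digest
# is what detects a ciphertext that was modified while on the server.
seal() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$3" -in "$1" -out "$2"
    printf '%s\t%s\n' "$(digest "$2")" "$(basename "$2")" >> "$4"
}

# unseal ENC PLAIN KEYFILE MANIFEST
# Refuses to decrypt when the ciphertext does not match the manifest entry.
unseal() {
    want=$(awk -F'\t' -v n="$(basename "$1")" \
        '$2 == n { h = $1 } END { print h }' "$4")
    if [ -z "$want" ] || [ "$(digest "$1")" != "$want" ]; then
        echo "integrity check failed for $1" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}
```

Losing the key file makes the data unrecoverable, so back it up somewhere the provider cannot reach.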
Discuss more in this LowEndTalk thread!