LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

How Private is Your Hosted Data, Really? Even That Encrypted Stuff...

Is your data in the cloud or on a provider’s servers, or even your own server, safe from snooping?

Sad to say, probably not.

If you’re running an international smuggling cartel, fighting for freedom in Latveria, or trying to keep your proprietary AES-decrypting algorithm a secret, you may wish to know what protections you have at different levels of hosting.

Before we go there, don’t freak out and assume that every junior sysadmin is rifling through your files.

First, they’re probably not that interested.  Second, there’s a strong privacy ethos in the IT community and barging into someone’s private data would be very distasteful to your typical sysadmin.  Third, providers know that bad reputations travel at the speed of sound: the moment someone is caught engaging in this behavior, the news will be blasted across the Internet and the provider’s reputation will be ruined.  And finally, the provider is taking a legal risk when doing this, which is another deterrent.

Of course, if it’s a government agency coming in and doing this with a warrant, that’s a different situation.  Providers are legally required to comply and if they refuse, they can be compelled to comply.

Let’s take a look at practicalities.  One exception to everything below is data that you encrypted off site, not on the server, and then copied to the server.  That data is as good as the encryption.

Shared Hosting (cPanel, DirectAdmin, etc.)

There’s no protection here whatsoever.  Providers need only log in to the server and change directory to your account, and they can see everything, regardless of any permissions you set.

OpenVZ VPS

All a provider has to do is type

vzctl enter <your container ID>

and they’re in your VM as root.  At that point they can see everything you’ve got.

KVM VPS

There’s no “immediately enter as root” command, but there’s still no real protection.  A provider could clone your VPS, boot it, reset the root password and then log in.

You can use encryption (e.g., LUKS) to encrypt a partition but because the provider controls the hypervisor, they can extract the encryption keys from the memory of your VM and decrypt it easily.

Dedicated Servers

You’re a little safer here.  However, keep in mind that you don’t control the BIOS, the firmware, the ISOs presented to the server, the console, etc.  Now, putting in a custom BIOS, creating a fake console session to steal your login, etc. is a lot more work, so you’re safe from the “bored junior sysadmin at 2am” problem, but not from three-letter security agencies.

What It Comes Down To

If you have data you need to store/exchange online, encrypt it before it leaves your control.  Otherwise, have no illusions that things you store in the cloud are safe from prying eyes.  A dedicated server can get you to the “only really have to worry about governments” stage.  Anything better is impossible.
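As an added example (not part of the original article), here is one way to encrypt before the data leaves your control, using the `openssl` command line on a machine you own. The function names, file arguments and iteration count are assumptions, and OpenSSL 1.1.1 or later is assumed for `-pbkdf2`; the key file and the ciphertext digest stay local, and only the encrypted file is uploaded.

```shell
#!/bin/sh
# Added example: encrypt locally, upload only ciphertext, keep the key and
# the ciphertext digest off the server. Function names are hypothetical.

# new_key KEYFILE: create a random 256-bit passphrase file readable only by you.
new_key() {
    ( umask 077 && openssl rand -base64 32 > "$1" )
}

# digest FILE: print the SHA-256 of FILE as hex.
digest() {
    openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
}

# seal PLAIN CIPHER KEYFILE: encrypt PLAIN into CIPHER and print the digest
# of the ciphertext. Store that digest locally, never next to the upload.
seal() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -in "$1" -out "$2" -pass "file:$3" || return 1
    digest "$2"
}

# unseal CIPHER PLAIN KEYFILE EXPECTED_DIGEST: CBC mode is not authenticated,
# so compare the downloaded file with the locally kept digest first and
# refuse to decrypt anything that was changed while it sat on the server.
unseal() {
    if [ "$(digest "$1")" != "$4" ]; then
        echo "unseal: $1 does not match the locally stored digest" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Typical use (paths are placeholders):
#   new_key ~/.keys/backup.key
#   d=$(seal ledger.tar ledger.tar.enc ~/.keys/backup.key)   # upload ledger.tar.enc only
#   unseal ledger.tar.enc ledger.tar ~/.keys/backup.key "$d"
```

The provider can still copy or delete the uploaded file, but without the local key file it only ever holds ciphertext.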

Discuss more in this LowEndTalk thread!

raindog308
