How to prevent a hosting company from accessing a VM's encryption keys?tyeCc Tt LpxFlwKk123 Yync
I want to prevent potential theft of my web application (source code + database) by my local hosting company, that I don't fully trust for some reason (but have no other choice but to use as they give, by far, the best latency over here).
I'm planning to encrypt a partition with cryptsetup, and store the web directory + database files there.
The only issue is that I'll have to unlock the partition on every reboot (even uncontrolled ones), before I can start the web & database servers; but I guess I'm ready to live with that for now.
However, as far as I can read all over the web, encryption keys are stored as is in memory, and can be read given physical access to the machine, even from a dedicated machine using cold boot attacks. On a VM, I guess this is even simpler, as the hypervisor can take a snapshot of the whole server state (storage + RAM).
So as far as I can tell, it should be pretty easy to take a memory dump, and locate the encryption key at any time.
Is there any way to prevent this?
I know that controlling the hypervisor gives a huge advantage to someone attempting to steal data, and as such I'm not looking for a perfect solution here; but I'm rather trying to make it as hard as possible to get access to the data, so that it would not be economically viable to spend time & resources to get them.
I'm not really optimistic here, as encryption keys must be stored in some form in memory for decrypting, but I hope I missed something.
Edit - clarification
From my comment below:
I'm sure the hosting company's hypervisors are not modified in any way to perform any malicious operation; their business is hosting, not stealing things, and the company is relatively trustworthy. What I'm trying to protected against is someone bribing an employee to sell them a snapshot of the data. As long as the encryption key cannot be recovered from any snapshot the stock hypervisor can do, I consider the solution good enough for my use case.
-
If homomorphic encryption ever becomes viable I'm sure some hosting company will offer secure VM hosting. – user 1 hour ago
4 Answers
You can't, plain and simple. If you don't trust the hosting company, you don't host with them. This is law #3 from 10 immutable law of security:
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
The hypervisor always have privileged position over your virtualised machine, you can't protect yourself from rogue hypervisor.
One way you can do to benefit from their network location but still keeping your code secure is to do a colocation hosting. In a colocation hosting, you bring your own machine that you put in someone else's datacenter.
Basic colocation itself should discourage most opportunistic attackers, but a targeted/determined attacker might connect into your machine anyway. If this is a concern for you, you should put your machine in a tamper-evident/tamper-proof server casing, so that the only unlocked port to the outside world is the power cable and network cable, and you encrypt all network traffic going into/out of the machine. This way you can put your machine in their network and benefit from the network's low latency, and they won't be able to steal data from your server unless they break the server's chassis.
If protecting your data is very important, you would also want to do a regular audit that the case hasn't been tampered with. If you have infinite budget, it may also be possible to design tamper proof chassis that have various sensors that can raise an alarm and initiate shutdown (discarding all sensitive/encryption keys) if they detect that the chassis had been tampered with, but of course these gets expensive really quickly.
-
...and the next step up, of course, is to set up your own hosting facility, complete with whatever physical (locks, doors, ...), electronic (alarm systems, surveillance cameras, ...) and human (guards, receptionists, ...) security elements are needed to ensure a proper level of security. Of course, that gets expensive real quick, but hey, what's the price for a good night's sleep anyway? – a CVn 9 hours ago
-
I'm on a budget, so I'm looking for a "good enough" solution that will just make it not economically viable to attempt to decrypt the data. What about TRESOR, which seems to keep the encryption key in CPU registers and not in RAM? – Benjamin 9 hours ago
-
1@Benjamin: TRESOR assumes that the hypervisor is trustworthy. A rogue hypervisor can fake it so that your program thinks it's running code on the CPU, but turns out your instructions are actually running on an emulated CPU whose behaviour and debug registers is fully controlled by the attacker. – Lie Ryan 9 hours ago
-
@LieRyan I could live with that. I'm sure their hypervisors are not modified in any way to do these kind of things, as their business is not stealing things, and the company is relatively trustworthy. What I'm trying to protected against is someone bribing an employee to sell them a snapshot of the data. As long as the encryption key cannot be recovered from any snapshot the stock hypervisor can do, it's good enough for me. – Benjamin 9 hours ago
-
1@Benjamin: the host machine is privileged over the guest machine. It's pretty simple for the hypervisor running on the host machine to read the debug registers of the guest vcpu. This isn't even difficult as many hypervisor supports guest debugging API that includes reading debug registers among other things. Even in real hardware, the attacker can attach a JTAG debugger to read out the debug registers. These type of attacks sit well outside TRESOR's threat model, but will be relevant to yours. – Lie Ryan 6 hours ago
In theory, you should be able to use the trusted hardware features of modern CPUs to run your disk encryption, or even your entire VM, inside a tamper-resistant part of the CPU, having all the data on disk and in memory encrypted with keys that are only accessible inside that tamper-resistant trusted enclave.
While exposing Intel's SGX trusted computing system to VMs doesn't appear to be possible on stock hypervisors, AMD has a feature called Secure Encrypted Virtualization, or SEV, which sounds like exactly what you are looking for: you can set up your VM in such a way that it is protected from the hypervisor with keys known only to AMD or someone who is willing and able to disassemble the host CPU.
Unfortunately, it's unlikely that the particular hosting company that you need to use provides AMD SEV-supporting hosts or makes the feature available to their clients.
I don't fully trust for some reason
Trust them in what way? Do you believe they may be incompetent or do you think they may be malicious?
If merely incompetent, you'll probably get reasonable protection from the encryption you've described. It is of course possible that their host machine gets compromised and the attacker finds a way to grab the current encryption keys from RAM, but in typical web host compromises the attackers won't go that far. They'll just find an easy place to dump their malware or easy to grab passwords.
But if they are actively malicious, you cannot protect the data on the VM. At best, you could configure it as a proxy server, which could give you the latency benefits without exposing your database and source code.
Microsoft has a possible solution for this called Shielded VMs, these are specifically intended for the attack vector that some malicious actor has administrative access to the hypervisor. An example of this would be machines deployed either in the cloud or in a colo.
The downside is that you will need to maintain a Guardian Server under your physical control. That may be overkill for your needs.
-
1Even more overkill is IBM Secure Service Container. It runs on a LinuxONE machine (cost starts around 100k, If I recall correctly)... – ThoriumBR 21 mins ago
