CryptOps: Moving to a world with encrypted VPSs only¶
Full disk encryption on Virtual Private Servers¶
These days, data storage using the “cloud” or virtual private servers (VPSs) on the Internet is extremely flexible and easy to setup. Anyone can boot a new VPS within seconds and start storing information on it. However, the “cloud” is just someone else’s hard drive, which comes with certain security risks. Infrastructure providers can access “your” data stored on the cloud with extreme ease. But as managing your own infrastructure can be a nightmare for some, it comes with no surprise that virtual private servers have gained immense popularity over the last several years.
Is it possible to use virtual systems and still make sure that all your data is stored encrypted, so only the user has access to the data and not the service provider? Existing solutions often rely on encryption keys being managed by the service providers themselves or the data being encrypted at the application level.
CryptOps is a new, provider agnostic approach which makes full disk encryption at the Virtual Machine layer more accessible and secure for the average user. Users can encrypt their VPSs by logging into a Dropbear SSH shell that runs in the initrd. In this environment, the user is allowed to type commands into the “CryptOps Client”, which communicates with the local “CryptOps API” to encrypt and unlock disks. This open source tool currently supports encrypting and decrypting new and already existing VPSs. It also allows the user to manage their SSH and LUKS encryption keys. The CryptOps framework has been designed to be open & extensible, allowing it to support external client applications in the future.
Please read the security considerations to learn exactly what CryptOps does and doesn’t protect against.
Find the code at https://open.greenhost.net/greenhost/cryptops and an example initrd at https://open.greenhost.net/greenhost/cryptops-initrd