Every now and then, a customer asks me if I encrypt my data center hard drives. I don’t like to lie to customers, so I don’t tell them “But of course!”. I also don’t like the way they look at me like I’m stupid if I simply say “No”, so here goes my reasoning (I had to explain this more than once):
I believe that server-side encryption is both useless and dangerous. By server-side encryption I understand encrypted partitions that hold customer data. For example, a email provider might encrypt the mail spool on the MX servers, so that “nobody can read the client’s emails” (lol).
From a customer’s point of view, this seems like a good idea. But it’s not. This kind of encryption is completely useless. Why?
- Colocated servers are designed to run unattended. Reboot and upgrades are usually done remote. This means that the server must have the decryption key, or the data will be “locked” in case of a reboot. This makes the data vulnerable to hackers – if someone takes over the machine, they will have full access to the decrypted data.
- Encryption or not, anyone who has physical access to the machine can get the data. Yes, including the janitor who might be bribed.
- This also includes law enforcement agencies. Thay have this thing called warrants and the service provider will help them – they will give out the decryption keys and can easily modify the software on the server to send a decrypted copy of the data directly to the [insert favorite 3 letter acronyms here].
A reasonably paranoid customer must assume that any data stored on devices outside of his control is public data. The real danger with server side encryption is that you might actually believe your data is safe and no one can get it. You would be wrong.
Remember these simple rules:
- All sensible data must be encrypted/decrypted locally. By you, on your own computer, not by the service provider, on some remote server.
- Data stored on untrusted systems (you service provider’s servers are untrusted, please ignore the contract, it has no value) should be well encrypted.
- Use only audited, well-tested (old) open source software. You should assume that closed source software is backdoored or the proprietary encryption algorithms have bugs that makes cracking the key trivial (it’s been known to happen).
I hope that explains why I don’t encrypt the hard disks of my colocated servers. If not, I will repeat this post every few days 
Do you agree with me or do you have another opinion? Write a comment!
Image credit: Anonymous.
Related posts:
Some big warez topsites have been busted in recent times and nobody was caught because drives were encrypted. While it is theoretically possible to access data from a running server with encryption on, till now it was simply not done, so encryption provides stronger security even on remote servers.
@ddu, I think you are wrong. I can only suppose the servers were seized with the usual “let’s break down the door and throw the computers in the trunk” method that we love the police for.
What they should have done was to disconnect the computer from the networs, then either let the system running and kindly ask for the root password, which then would have allowed them access to all data. Alternatively, leave the computer connected to the Internet and place a network sniffer in front of the server and dump unencrypted traffic or force a man in the middle for all new encrypted connections. Or, if you want to be high tech, perform a cold boot attack on the server’s memory, recover the decryption keys…
The only way to secure your data is to have all-around-the-clock physical access to the systems that hold unencrypted copies or the decryption keys. This usually means only your computer or smartphone, not a server in a datacenter.
Yep, but it’s still pretty secure. Even if the main / os partition is not encrypted, you’d have to reboot (a reboot with no reason is strange) & add a keylogger to get the key. The keylogger can be detected easily. That’s the only way to get the key.
You can think of a better setup with two servers in front of each other checking files hash… – and a KVM over IP to access the first one from where you’d boot the second one. In that case you can encrypt everything, exept the /boot…
Anyway, once the server is off for a few minutes, the cold boot attack won’t work anymore…
So well, theoretically i think that server side encryption can work, but you have to be the only root, and it has to be a dedicated..
John, sure, we can find setups that are a little more secure than others. But none are 100% sure. Client-side encryption is 100% secure by design (well, 100% minus the fact that someone might hit you with a wrench until you tell them your passwords
). There is really no point in doing in server side.
As for the two attacks that you describe, hardware keyloggers are easy to install in a KVM/serial console setup – and undetectable. And for a cold boot attack, this tool works too well and too fast to make me sleep well at might thinking a cold boot attack is unfeasable (I tested it, it works well enough even at room temperature).
I agree to this discussion to find out how we can protect our data the best way. These days, there is an obsesion from companies and goverments, to know everything from everybody, the sickness from this behavior Freud even couldnt inmagion. The protection from the human rights for our countries is totaly undermind, and that is all justified when some one yells the words safety, danger, fear or terrorisem.
As i know a lot from the human rights and how they protect us as individuals, countries and whole continents and there economies i just can encourage all of you to find solutions to get privacy back to where it belongs.
You can say… yea but the police we must trust! well if there is a organisation that brings oure countries in danger by violating privacy, and spread it to anyone who want to get it, then it is the law enforcement from our countries. Corruption lives in every country, all over the world, mostly no one does something against corruption, for sure not on the corruption on the higher levels from departments. Some times i ask people ” Where do you base your trust on by the police?” on a law book? on there beautifull eyes? Mostly i dont get a reasonable answer. If i ask “Do you trust your pin code from your creditcard to a police officer?” The standard answer is no!. But when it is about privacy data, then many are running with the harddisks to the police station and yell “I got nothing to hide”. People dont realise how privacy data can change and distroy your live completly, they dont put enough value to there data. US asks for data? well we deliver! But that way we made oure countries very funarable, not only social but also economicly. We simply forget that the US is economicly the competition from the EU but also from Azia and the middle east. How do you want to fight your competition when THEY can look in your cards, but you CANT look in there cards?
Defending your privacy is primairy essential for every ones safety!