Post AXHOQK4qk50WFdzdmS by vorlon@mastodon.social
       Post #AXHOQJKPWjrPvcGYOe by vorlon@mastodon.social
       2023-07-01T18:37:51Z
       
       0 likes, 0 repeats
       
       A lot of people seem to be upset about the kolektiva.social database compromise because the data was unencrypted on a disk.  I think this displays a failure to understand how little *effective* encryption of data happens on servers.

       The admin should have been using encryption on their local drives.  They also shouldn't have had the data local where it could be caught up by an unrelated warrant.

       But if the warrant had been for kolektiva.social itself, served against a cloud provider?
       
       Post #AXHOQK4qk50WFdzdmS by vorlon@mastodon.social
       2023-07-01T18:41:23Z
       
       0 likes, 0 repeats
       
       Servers are meant to provide services.  The bane of an admin's existence is a service outage that they have to be online to resolve.  So do you think service admins design their services so that they have to be at a console at boot time before the data can be accessed and the service brought online?  Do *you* design your services this way?

       Ok so you have your data on an encrypted volume in the cloud. Good first start.  Where are the encryption keys used to decrypt it when the instance boots?
       
       Post #AXHOQKjyHBtuJBETsO by vorlon@mastodon.social
       2023-07-01T18:45:55Z
       
       0 likes, 0 repeats
       
       Are the decryption keys on the unencrypted part of the instance's root disk? Ok, so both the root disk and the encrypted volume are made available under the same warrant served to the same entity.  You don't even have to be told about it (and the hosting provider may be forbidden to tell you).

       Are you fancy and you know about trusted boot and virtual TPMs, and the encrypted volume is encrypted with keys only released to the VM if it sends the right measurements at boot?
       
       Post #AXHOQLfkoM7bCOGcwS by vorlon@mastodon.social
       2023-07-01T18:46:18Z
       
       0 likes, 0 repeats
       
       Oh, the vTPM is provided to you by the cloud provider?  Same answer.
       
       Post #AXHOQMJ6S3b5AQg3H6 by vorlon@mastodon.social
       2023-07-01T18:53:51Z
       
       0 likes, 0 repeats
       
       The solution for all of this is remote attestation.  Your admin doesn't have to be at console at boot time, but your instance when booting DOES have to prove to a remote service, which you control, that it hasn't been tampered with; only then does it get access to those decryption keys which are not stored anywhere at rest in the cloud (or at minimum, not in a cloud owned by the same vendor as your data!)

       Haven't heard of remote attestation? Heard about it but don't know where to start? Yep!
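       The challenge/quote/release exchange described in the last two posts, as an added example that is not code from the thread or from any real attestation product: a Go simulation of measured boot and remote attestation. It assumes an Ed25519 key standing in for the TPM attestation key (AK), a single SHA-256 PCR for the whole boot chain, and constructed component names ("firmware-v1", "kernel-6.1", ...) in place of real image hashes. The verifier holds the golden measurement and the volume key, so the key never rests in the cloud next to the data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrAttest is returned whenever the verifier refuses to release the key.
var ErrAttest = errors.New("attestation failed")

// pcrExtend models a TPM PCR extend: new = SHA-256(old || SHA-256(component)).
func pcrExtend(pcr [32]byte, component []byte) [32]byte {
	d := sha256.Sum256(component)
	return sha256.Sum256(append(pcr[:], d[:]...))
}

// MeasureBoot replays a boot chain (firmware, shim, kernel, initrd, ...) into one
// PCR. Changing any component, or the order, changes the final value.
func MeasureBoot(chain [][]byte) [32]byte {
	var pcr [32]byte // PCRs are all-zero at reset
	for _, c := range chain {
		pcr = pcrExtend(pcr, c)
	}
	return pcr
}

// Quote is what the booting instance sends: its PCR value plus a signature over
// nonce||PCR by the attestation key (Ed25519 here, standing in for a TPM AK).
type Quote struct {
	PCR [32]byte
	Sig []byte
}

func quoteBody(nonce []byte, pcr [32]byte) []byte {
	return append(append([]byte("quote:"), nonce...), pcr[:]...)
}

// MakeQuote runs on the instance: measure what actually booted and sign it
// together with the verifier's nonce, so an old quote cannot be replayed.
func MakeQuote(ak ed25519.PrivateKey, nonce []byte, booted [][]byte) Quote {
	pcr := MeasureBoot(booted)
	return Quote{PCR: pcr, Sig: ed25519.Sign(ak, quoteBody(nonce, pcr))}
}

// Verifier is the service the operator controls, outside the cloud that holds the
// data. It knows the AK public key, the golden PCR for the approved image, and the
// disk key, which therefore never rests next to the encrypted volume.
type Verifier struct {
	akPub   ed25519.PublicKey
	golden  [32]byte
	diskKey []byte
}

func NewVerifier(akPub ed25519.PublicKey, approved [][]byte, diskKey []byte) *Verifier {
	return &Verifier{akPub: akPub, golden: MeasureBoot(approved), diskKey: diskKey}
}

// Challenge issues a fresh random nonce that the instance must sign.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Release hands out the disk key only if the quote is signed by the trusted AK
// over this exact nonce and the measured boot equals the golden value.
func (v *Verifier) Release(nonce []byte, q Quote) ([]byte, error) {
	if !ed25519.Verify(v.akPub, quoteBody(nonce, q.PCR), q.Sig) {
		return nil, fmt.Errorf("%w: signature not valid for this nonce and AK", ErrAttest)
	}
	if !bytes.Equal(q.PCR[:], v.golden[:]) {
		return nil, fmt.Errorf("%w: measured boot %x.. != golden %x..", ErrAttest, q.PCR[:4], v.golden[:4])
	}
	return v.diskKey, nil
}

// Attest runs the whole exchange: challenge -> quote -> release.
func Attest(v *Verifier, ak ed25519.PrivateKey, booted [][]byte) ([]byte, error) {
	nonce, err := v.Challenge()
	if err != nil {
		return nil, err
	}
	return v.Release(nonce, MakeQuote(ak, nonce, booted))
}

// ApprovedChain is a constructed stand-in for the approved image's components.
func ApprovedChain() [][]byte {
	return [][]byte{[]byte("firmware-v1"), []byte("shim-v1"), []byte("kernel-6.1"), []byte("initrd-v1")}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(pub, ApprovedChain(), []byte("constructed-volume-key"))
	key, err := Attest(v, priv, ApprovedChain())
	fmt.Printf("approved image: key=%q err=%v\n", key, err)
	tampered := ApprovedChain() // same image, kernel modified
	tampered[2] = []byte("kernel-6.1-backdoored")
	_, err = Attest(v, priv, tampered)
	fmt.Println("tampered image:", err)
}
```

       The thing to notice is where the trust sits: the verifier accepts a quote only because it was signed by an AK it already trusts. In a real deployment that key is a TPM key whose certificate chains to the TPM vendor, the quote is a TPM2_Quote over selected PCRs, and the verifier is a service such as Keylime running somewhere the hosting provider cannot reach. If the vTPM and its AK are supplied by the same provider that holds the volume, the signature proves nothing against that provider, which is exactly the "same answer" point made earlier in the thread.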
       
       Post #AXHOQNAzDihNrXt5GK by vorlon@mastodon.social
       2023-07-01T18:59:53Z
       
       0 likes, 0 repeats
       
       If there is an off-the-shelf solution for remote attestation accessible to anyone without a full-time professional IT security team, I haven't heard about it.

       And the cloud providers want there to be.  They WANT to be able to assure customers that their data is safe, even from state actors, so that they get the business.

       In the meantime, if your data is hosted in the cloud, remember the trade-off you're making.
       
       Post #AXHOQNteXeQa64mksq by RAOF@toot.cat
       2023-07-02T09:21:17Z
       
       0 likes, 0 repeats
       
       @vorlon the various @mjg59 threads in which he shouts at terrible software while trying to do this suggest to me that the answer is “no, there's not a working off-the-shelf solution” for this.
       
       Post #AXHOQO5hoq4KhSQNfc by vorlon@mastodon.social
       2023-07-01T19:32:20Z
       
       0 likes, 0 repeats
       
       Anyway, long story short:

       - Assume that anything you put out in public on the Internet can be traced back to you by the government, provided they have sufficient interest; and
       - assume that if you put it on the Internet it's public, unless using end-to-end encryption (eee, e2ee).
       
       Post #AXHOQOZq0oAiCuWRdY by mjg59@nondeterministic.computer
       2023-07-02T09:23:46Z
       
       0 likes, 0 repeats
       
       @RAOF @vorlon Device Health Attestation is available for Windows as both a local and a hosted solution, but otherwise yup it's bad