Is it possible to have a 100% secure virtual private server?

Question

I am curious if it is possible to have a VPS that has data on it that is not readable by the hosting provider, but is still usable on the VPS.

Obviously there are some things that you could do to prevent them from reading anything...

1. You could change all the passwords, including root. But then, they could still use some alternate boot to reset the password, or they could just mount the disk another way.

2. So, you could encrypt the disk or at least some of the contents on the disk. But then it seems that if you decrypted the content, they could still "peer in" to see what you were doing at the console, because after all, the virtualization platform should allow this.

3. And even if you could stop that, it seems they could just read the RAM of the VPS directly.

Of course, the VPS can store data on it and as long as the key is not on the VPS and the data is never decrypted there, then the host cannot get the data.

But it seems to me that if any point the data on the VPS is decrypted...for use on the VPS...then the hosting provider can get the data.

So, my two questions are:

1. Is this correct? Is it true that there is no way to 100% secure data on a VPS from a host from seeing it, while keeping it accessable by the VPS?

2. If it is possible to make it 100% secure, then how? If it is not possible, then what is the closest you can get to hiding data from the web host?

Answer 1

The virtual machine host can see and defeat any security measure you mentioned, including encryption of the virtual disks or files within the virtual filesystem. It may not be trivial to do so, but it's much easier than most people think. Indeed, you alluded to the common methods of doing exactly that.

In the business world, this is generally dealt with via contracts and service level agreements, specifying compliance to legal and industry standards, and so is usually considered a non-issue as long as the host is actually compliant with the relevant standards.

If your use case requires security from the host, or more likely, from the host's government, then you should strongly consider obtaining your service in another country.

Answer 2

Your assumptions are correct. There is absolutely no way how you could secure a host if you cannot guarantee the physical security of the machine - someone with physical access to a host will be able to control it or read all of its data, provided he has the necessary equipment (e.g. a hot-pluggable PCI card could read the host's memory - including encryption keys and passphrases held there).

This is also true for virtual machines except that "physical" access is replaced by the ability to control the hypervisor. As the hypervisor executes (and is able to intercept) any instruction of the VM and holds all of the resources (including the RAM) on behalf of the VM, anybody with sufficient privileges on the hypervisor is able to exercise full control over a VM. Note that controlling the hypervisor spares the requirement for special equipment.

Aside from that, there has been a consensus in the security community for a really long time now, that "100%" security is impossible to achieve. The task of a security engineer is to evaluate possible attack vectors, the effort needed to exploit them and compare the predicted cost of the attack to the value of the assets affected by it to make sure there would be no financial incentive for the attack and the abilty to carry out an attack would be limited to a small (ideally 0-sized) circle of people or organizations not interested in the assets he is trying to protect. More on that topic: http://www.schneier.com/paper-attacktrees-ddj-ft.html

Answer 3

Yes.

If you have access to a secure host X, but you need to access to vast, but potentially insecure, computing resources at Y, you can use homomorphic encryption on the data.

In this way, computations can be carried out on Y, without ever leaking data from X.