Securing tinc config files

Yazeed Fataar yazeedfataar at gmail.com
Sun Jan 24 11:59:19 CET 2016


Thanks Guus

So based on this, having your central tinc server at a VPS provider will
potentially allow the provider to replicate your config files, thus
exposing all your remote sites connected. The situation I face is that all
my remote sites have dynamic addresses, and the way for me to create a
connection point between the sites is to have a central server in the cloud
with a public address. Therefore the VPS seems like the cheapest option and
it works well.. it's the security part I have concerns with.

There was an option I was thinking of using: creating an encrypted
partition that I will need to manually decrypt once the server is booted.
This partition will contain the "/etc/tinc" directory. In this case, if
someone had to compromise my server, they would first need to decrypt my
encrypted partition. I will not allow decryption key files to lie on the
server directory; I will have to store them elsewhere. The only downside
is that should my server reboot, I would need manual intervention to bring
up the partition and tinc... Please let me know what you think about this?

Regards
Yazeed Fataar
<yazeedfataar at hotmail.com>

On Sun, Jan 24, 2016 at 1:44 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Sun, Jan 24, 2016 at 12:48:13PM +0300, Yazeed Fataar wrote:
>
> > Thanks Guus.. So if someone had to gain access to my vm-disk, they
> > would not be able to view the contents of the files in "/etc/tinc" if
> > I do "sudo chmod go= /etc/tinc".. My paranoia is around a VPS
> > provider who had admin access to all containers. I know that I have
> > to create a root password that will allow only myself root access,
> > but I'm just worried about the disk contents if it were mounted on
> > another system.
>
> A VPS provider has access to *everything* on your virtual machines,
> regardless of what password you set or whether you use full-disk
> encryption or not. There is nothing you can do about it, except for not
> using a VPS provider.
>
> The only thing that is secure is when you have a physical machine that
> only you have physical access and root access to. The only exception is
> perhaps a colocated physical machine on which you yourself configured
> TPM in such a way that it only boots from a trusted OS image.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
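
The manual-unlock procedure proposed in the message above, as an added example that is not part of the original thread: it opens the encrypted volume, refuses to start tinc unless /etc/tinc is really mounted from it and no file is accessible to group or others, then runs tincd. LUKS via cryptsetup, the mapping name `tinc_crypt` and the netname `myvpn` are assumptions; as the quoted reply says, none of this keeps out a VPS provider with access to the running machine.

```shell
#!/bin/sh
# Added example: manual unlock of an encrypted /etc/tinc, then start tinc.
# Assumptions (not from the thread): LUKS via cryptsetup, mapping name
# "tinc_crypt", netname "myvpn"; the passphrase is typed at the prompt.
MAPPING=tinc_crypt   # hypothetical dm-crypt mapping name
NETNAME=myvpn        # hypothetical tinc netname
CONF_DIR=/etc/tinc

# Print the device mounted at directory $2 in mounts table $1
# (/proc/mounts format); the last matching entry is the one in effect.
mount_source() {
    awk -v dir="$2" '$2 == dir { src = $1 } END { if (src != "") print src }' "$1"
}

# Succeed only if $2 is mounted from /dev/mapper/$MAPPING in table $1.
conf_is_unlocked() {
    [ "$(mount_source "$1" "$2")" = "/dev/mapper/$MAPPING" ]
}

# List files under $1 with any group/other permission bit set,
# i.e. files that "chmod go=" has not been applied to.
loose_files() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Usage: script unlock <backing-device>
unlock_and_start() {
    cryptsetup open "$1" "$MAPPING" || return 1      # asks for passphrase
    mount "/dev/mapper/$MAPPING" "$CONF_DIR" || return 1
    if ! conf_is_unlocked /proc/mounts "$CONF_DIR"; then
        echo "$CONF_DIR is not on the encrypted mapping" >&2; return 1
    fi
    if [ -n "$(loose_files "$CONF_DIR")" ]; then
        echo "group/other-accessible files in $CONF_DIR" >&2; return 1
    fi
    tincd -n "$NETNAME"
}

if [ "${1:-}" = "unlock" ] && [ -n "${2:-}" ]; then
    unlock_and_start "$2"
fi
```

Without the mount check, a reboot that leaves the volume locked would let tincd start against whatever sits in the empty mount point on the unencrypted root disk.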