Securing tinc config files

Yazeed Fataar yazeedfataar at gmail.com
Sun Jan 24 12:40:53 CET 2016


Hi Guus

Yeah, I kinda thought of that only once I hit the "Send" button.... I guess
I have two options:

1. Manage my own server with a public IP address
2. Trust my VPS provider LOL....

I read this in DigitalOcean's "Privacy Policy":

Server Data

*DigitalOcean does not have access to its users’ server data. The backend
is locked away from the users’ support staff and only engineering staff has
access to the physical servers where users’ virtual machines reside.
DigitalOcean does not store users’ passwords or private SSH keys.
DigitalOcean also does not request user login information to their servers.
DigitalOcean does not review or audit any user data.*

https://www.digitalocean.com/legal/privacy/

Regards
Yazeed Fataar
<yazeedfataar at hotmail.com>

On Sun, Jan 24, 2016 at 2:36 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Sun, Jan 24, 2016 at 01:59:19PM +0300, Yazeed Fataar wrote:
>
> > So based on this, having your central tinc server at a VPS provider will
> > potentially allow the provider to replicate your config files and thus
> > expose all your remote sites connected to it. The situation I face is that all my
> > remote sites have dynamic addresses, and in order for me to create a
> > connection point between the sites I need to have a central server in the cloud
> > with a public address. Therefore the VPS seems like the cheapest option and
> > it works well.. it's the security part I have concerns with.
>
> Tinc can work with dynamic addresses as well, as long as you have one
> node with a fixed domain name, that is fine. Maybe a dynamic DNS service
> can work for you?
>
> > There was an option I was thinking of using: creating an encrypted
> > partition that I will need to manually decrypt once the server is booted.
> > This partition will contain the "/etc/tinc" directory. In this case, if
> > someone had to compromise my server they would first need to decrypt my
> > encrypted partition.
>
> That is only the case when the server is down. If they compromise it
> while it is running, you will already have unlocked the encrypted
> partition and they can still read it.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
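Added example, written for this archive page and not code from either poster or from the tinc project: a small POSIX shell audit covering the two points raised above, whether the tinc private keys under the config directory are readable only by their owner, and whether that directory is backed by a device-mapper node (which is how an unlocked LUKS/dm-crypt partition appears in the mount table). It assumes tinc's usual layout of /etc/tinc/<netname>/ with private keys named rsa_key.priv or ed25519_key.priv, and reads a mounts table in /proc/mounts format; the table embedded below is constructed. Note that a positive result only confirms the keys sit on a currently unlocked mapping, which, as Guus points out, is exactly the state in which a live compromise can read them.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a tinc config tree for
# world/group-readable private keys and reports which block device backs it.

# Assumed tinc layout: $dir/<netname>/rsa_key.priv or ed25519_key.priv.
# Prints each key whose mode grants group or other any access.
# Returns 0 when every key found is owner-only, 1 otherwise.
check_key_perms() {
    dir=$1
    bad=0
    for f in "$dir"/*/rsa_key.priv "$dir"/*/ed25519_key.priv; do
        [ -f "$f" ] || continue            # glob did not match anything
        mode=$(stat -c '%a' "$f")          # octal mode, e.g. 600 or 644 (GNU stat)
        case "$mode" in
            *00) ;;                        # group and other digits are both 0
            *) echo "too open ($mode): $f"; bad=1 ;;
        esac
    done
    return $bad
}

# Reads a mounts table (format of /proc/mounts) on stdin and prints the device
# of the longest mount point that is a prefix of the given path.
# Returns 1 if no mount point matches.
backing_device() {
    awk -v p="$1" '
        {
            mp = $2
            # mp must be "/" or be followed in p by "/" or end of string
            if (index(p, mp) == 1 &&
                (mp == "/" || length(p) == length(mp) ||
                 substr(p, length(mp) + 1, 1) == "/")) {
                if (length(mp) > best) { best = length(mp); dev = $1 }
            }
        }
        END { if (dev == "") exit 1; print dev }'
}

# Returns 0 when the device is a device-mapper node, which is what a dm-crypt
# (LUKS) mapping looks like once unlocked. On a live host you would confirm
# with `cryptsetup status <name>`; this offline check only inspects the name.
is_dm_device() {
    case "$1" in
        /dev/mapper/*|/dev/dm-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mounts table: root on a plain partition, /etc/tinc on a
# device-mapper node named "tincvault".
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
/dev/mapper/tincvault /etc/tinc ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0'

# Stand-alone demo against the constructed table.
dev=$(printf '%s\n' "$SAMPLE_MOUNTS" | backing_device /etc/tinc/mynet)
if is_dm_device "$dev"; then
    echo "/etc/tinc/mynet is on device-mapper node $dev (unlocked while mounted)"
else
    echo "/etc/tinc/mynet is on $dev, not a device-mapper node"
fi
```

On a real host, run the mount check with `backing_device /etc/tinc < /proc/mounts` and the permission check with `check_key_perms /etc/tinc` as root; the audit is a quick way to confirm the at-rest protection described above is actually in place, and a reminder that it does nothing once the mapping is open.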