<div dir="ltr">Thanks Guus<div><br></div><div>So based of this , having your central tinc server in VPS Provider , will allow potentially the provider to replicate your config files and thus exposing all your remote sites connected. My situation I face is all my remote sites have dynamic addresses ,and in order for me to create a connection point between the sites is to have a central server in cloud with public address. Therefor the VPS seems like the cheapest option and it works well.. its the security part I have concerns with. </div><div><br></div><div>There was a option I was thinking of using is creating a encrypted partition that I will need to manually decrypt once the server is booted. This partition will contain the "/etc/tinc" directory. In this case the if someone had to compromise my server they would first need to decrypt my encrypted partition . I will not allow decrypt key files to lie on the server directory , I will have to store them elsewhere. The only downside is that should my server reboot , i would need manual intervention to bring up the partition and tinc... Please let me know what you think about this?</div></div><div id="DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><table style="border-top:1px solid #aaabb6;margin-top:30px">
<tr>
<td style="width:105px;padding-top:15px">
<a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail" target="_blank"><img src="https://ipmcdn.avast.com/images/logo-avast-v1.png" style="width: 90px; height:33px;"></a>
</td>
<td style="width:470px;padding-top:20px;color:#41424e;font-size:13px;font-family:Arial,Helvetica,sans-serif;line-height:18px">This email has been sent from a virus-free computer protected by Avast. <br><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail" target="_blank" style="color:#4453ea">www.avast.com</a>
</td>
</tr>
</table><a href="#DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"></a></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr">Regards<br>Yazeed Fataar<br></div><a href="mailto:yazeedfataar@hotmail.com" target="_blank"></a></div></div></div></div></div>
<br><div class="gmail_quote">On Sun, Jan 24, 2016 at 1:44 PM, Guus Sliepen <span dir="ltr"><<a href="mailto:guus@tinc-vpn.org" target="_blank">guus@tinc-vpn.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sun, Jan 24, 2016 at 12:48:13PM +0300, Yazeed Fataar wrote:<br>
<br>
> Thanks Guus.. So if someone had to gain access to my vm-disk. They<br>
> would not be able to view the contents of the files in ""etc/tinc" if<br>
> I do "sudo chmod go= /etc/tinc" .. My paranoia is around a VPS<br>
> provider who had admin access to all containers. I know that I have<br>
> to create a root password that will allow only myself root access ,<br>
> but im just worried about the disk contents if it were mounted on<br>
> another system.<br>
<br>
</span>A VPS provider has access to *everything* on your virtual machines,<br>
regardless of what password you set or whether you use full-disk<br>
encryption or not. There is nothing you can do about it, except for not<br>
using a VPS provider.<br>
<br>
The only thing that is secure is when you have a physical machine that<br>
only you have physical access and root access to. The only exception is<br>
perhaps a colocated physical machine on which you yourself configured<br>
TPM in such a way that it only boots from a trusted OS image.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Met vriendelijke groet / with kind regards,<br>
Guus Sliepen <<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>><br>
</div></div></blockquote></div><br></div>