[tor-talk] Tor hidden service 'in cloud'

[Andrea Shepard]

On Wed, Oct 17, 2012 at 11:18:02AM +0100, tor at lists.grepular.com wrote:
> >  This seems like a good strategy for hidden service. Maybe it is OT
> > a little, but how can I have encrypted VM for my hidden service
> > where boot password is securely typed? Some cloud service gives
> > virtual console where I can type boot password on some encrypted
> > volume, but I think this could be logged.
> > 
> > Does anyone know the best way to do it?
> 
> The problem with using VMs is that the physical host it is running on
> can silently read the VMs entire memory, allowing it to easily read
> the VMs disk encryption keys at any point after the VM has booted up.

Seconded; you can't trust VMs on hardware you don't control for anything
that needs to stay private - at least not until we get Turing-complete
emulated processors implemented in homomorphic cryptography.  At minimum you
need a real machine in a colo, which means you need to figure out how to
pay for it anonymously [1], and if you want a second line of defense you
want to harden your server against intrusions too; doing your disk crypto
in tamper-proof hardware would probably be a good idea [2], as would making
sure you can trust your BIOS [3].

[1] prq.se claims they work with anonymous clients on their web site,
but all the methods of payment they mention are identity leak hazards.

[2] I don't think the kernel supports this, though :/

[3] I kinda want to find a server motherboard I can use with coreboot
and add SSL support on the serial console, and then a challenge-response
authentication to boot...

-- 
Andrea Shepard
<andrea at torproject.org>
PGP fingerprint: 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20121017/b877cda4/attachment.pgp>