How secure is a KVM vps with an encrypted LVM installation with LUKS passphrase entry over a VNC console and ssh on a random high port with disabled root and only keyfile login.
What are the methods by which a host can access/snoop the data on this vps and what are the possible solutions to prevent this.
I can already think of two such methods:
Keylog the VNC console - which can be tackled by using dropbear ssh: http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/ but dropbear ssh has it's own issues.
Take a memory dump of the virtual machine and search it for encryption keys and passphrases.
How difficult is it for the hosting providers to implement the above methods? Can this be pulled off without customers being suspicious of anything?
Similar threads:
http://serverfault.com/questions/484707/is-it-possible-to-have-a-100-secure-virtual-private-server
I would like to take it from where they left.
Please note:
I am asking only about KVM vps and not about OpenVZ. I am not paranoid nor do I have any sensitive information to protect or something to hide. I trust my hosting providers and I know that they have no interest in customers data and have much better things to do than to snoop on their customers vps. I also know that I am not someone special out of hundreds or thousands of clients that my host will be interested in my data. I know that I should get a dedicated server (colo my own server, host it at my home, disconnect it from the internet, wipe out the hard disks, turn off the server) if I am so concerned about security. And I am also aware that there is nothing like 100% security.
All this aside, I want to know if it's possible to stop/make it difficult for hosts to access the data on the vps.
Please avoid Comments like:
"What do you have to hide"
"Don't use OpenVZ, use KVM vps"
"Don't use a vps, get a dedicated server"
"What makes you think you are so special that the hosts will be interested in you"
"Don't connect it to the internet, cut the ethernet cable"
"Don't be so paranoid and get a life"
"Remove your tinfoil hat"
"Turn off the vps, erase the hard drive"
"Host it at your home, protect your server with a gun"
"There is nothing like 100% security"
"Get a reliable host, trust your hosting provider"
"Colo your own hardware"
"Hosts have got better things to do than to look at your VPS"
"if someone else has physical access to a machine, then there is no security/privacy"
etc, etc ......
Any relevant and specific comments are appreciated.
Additional references:
http://lowendtalk.com/discussion/12381/openvz-vs-other-virtualization-offers-ratio
http://lowendtalk.com/discussion/9910/kvm-xen-privacy
http://lowendtalk.com/discussion/15222/what-do-you-think-of-vps-security
http://lowendtalk.com/discussion/2253/building-the-ultimately-secure-vps-add-to-this-list
http://lowendtalk.com/discussion/12942/avoid-openvz-snooping