0

I am running Ubuntu (14.04) server and I saw this question:

How do I reset a lost administrative password?

I wondered, because my server virtual machine is on the ESXi server, I don't know if anybody having access to them can backup my VM and restore it somewhere and try to access the data stored.

I have no choices for moving VM to a safe server, because my agents forced me to this job.

As I do not trust people who have access to this server, I need to create a shell script and put in /etc/init.d/my_script to remove my data if unauthorized physical access is detected.

  • Please see if this gives you the answer http://security.stackexchange.com/questions/10354/methods-for-protecting-computer-systems-from-physical-attacks – Krishna Pandey Nov 27 '15 at 15:48
  • If you don't trust the physical device, you can't trust data on it. If you can copy a VM, you can attempt to access the data - having a script delete data does't work, since an attacker can have as many copies as they like. They could run them from read-only media, preventing deletion. Drive encryption won't help - it would have to be decrypted for use, and could be copied at that point. You need to trust the physical machine. See https://technet.microsoft.com/library/cc722487.aspx - it all still applies – Matthew Nov 27 '15 at 16:02

2 Answers2

2

I need to create a shell script and put in /etc/init.d/my_script to remove my data if unauthorized physical access is detected.

In general, "Having a VM self-destruct if unauthorized physical access is detected on the host system" is almost impossible. Are there other details about your situation, beyond what's already in the question, that would make this problem easier (ie remotely possible)?

In fact, there is a set of industry standards that specifically address the problem of wiping data if physical access is detected. This is the FIPS 140-2 standards which apply to Hardware Security Modules (HSM). In particular, FIPS 140-2 Level 3 and Level 4 deal with detecting intrusion. Devices that meet this spec are purpose-built with specialized hardware to detect intrusion, you will not be able to do this on an arbitrary ESX VM.

Your best bet is A) to buy an HSM (they start at $500 and go up to tens of thousands of dollars) then B) use keys stored on the HSM to encrypt the sensitive data on the VM so that even if someone clones the VM they will not be able to access the data without the HSM being plugged in. As pointed out by @Neil Smithline, even this is defeated by cloning a running VM since the decryption keys and/or the decrypted data will be in memory.

If you really want a simple script-based solution there are some things you can do which will deter casual attackers. But I will not recommend any because they are basically pure security theater and will not stop anybody with even a little bit of hacking training.

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
  • Hi @Mike Ounsworth, Thanks for your help. These people aren't professional, But I am worried. Now the server collocated in the safe data center. May one day due to relocation to another data center, could access to server. Also access to ESXi. – mahyarss Nov 27 '15 at 16:46
  • According to they are not professional. I was thinking for a trick. If i create a shell script, and this script detect something like unknown username. For example: I just connect to my vm via ssh with public key from putty with username 'xuser'. And If someday my vm cloned and login directly with another user then script delete my data. (This people don't know about path and type of my data, and i can put a fake data in partition of vm, after script delete my real data, They only find fake data and happy for this.) – mahyarss Nov 27 '15 at 17:06
  • You *could* do something like that, but I will not tell you that it's ok because this won't protect you at all if you are ever attacked by real hackers. – Mike Ounsworth Nov 27 '15 at 17:31
  • Does the HSM help if the VM is cloned while running with keys in memory? – Neil Smithline Nov 27 '15 at 17:34
  • @NeilSmithline Fair, I hadn't considered cloning a running VM. That introduces more problems. Though I wouldn't have keys in memory anyway but rather get the HSM to do the decryption for you. Then you have decrypted data in memory so same problem. – Mike Ounsworth Nov 27 '15 at 17:36
  • Already on it ;) – Mike Ounsworth Nov 27 '15 at 17:44
1

You're trying to solve a fundamentally unsolvable problem. It'd be trivial to clone the machine and you'd never be able to detect it since it's happening outside of the VM. The best you could do is encrypt the partition with your secret data, and manually type in the password each time the server boots. If the password is simply stored on the machine somewhere, obtaining it is as easy as mounting the partition elsewhere and reading the file.

This still won't protect you however if someone has physical access. Since they have physical access to the server as well as VMWare level access, they could simply just scan the memory for the password, clone the machine, and enter the password they obtained from memory scanning.

This would take a little more technical expertise on the attackers part, and would only protect you from anyone that lacks this expertise.

Steve Sether
  • 21,530
  • 8
  • 50
  • 76