Re: [Xen-users] domU security
Well, you can encrypt traffic to the domU (e.g. use SSL / SSH) that you consider to be sensitive. The dom0 will be able to intercept all network traffic.

You can encrypt what's on disk. The dom0 will be able to read the raw bytes of the disk but not decrypt without your keys.

Crypto keys and data that reside in memory will be readable by the dom0, and there's nothing you can really do about it.

Think of dom0 as "root" for the Xen host; it doesn't have a root account on your system but it's equivalent.

This means it implies a little more trust in your provider than renting a dedicated box or colocating your own server, since having a physically separate machine makes it rather harder for the provider to poke around in it. However, even in those cases, they could be intercepting your network / disk traffic quite easily. It's even possible they could be pretending you have a dedicated box, whilst really running you in a virtual machine ;-) (although that'd be easy to check).

Obviously, other domUs shouldn't be able to read your memory / disk, although it's worth assuming that the virtual ethernet may leak information, rather like a real ethernet does.

Cheers,
Mark

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
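
Added example, not part of the message above or of any Xen tooling: one way a Linux tenant could do the "easy to check" test for running under a hypervisor, using hints the guest kernel exposes. The function name `detect_virt`, its output labels and its optional path-prefix argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Classify the environment from hints a Linux guest kernel exposes.
# A negative result is not proof: a hypervisor can mask these hints.

# detect_virt [ROOT] -- ROOT is a hypothetical test hook (a prefix for the
# paths below); leave it empty to inspect the running system.
detect_virt() {
    root="${1:-}"
    hv_type="$root/sys/hypervisor/type"
    caps="$root/proc/xen/capabilities"
    vendor="$root/sys/class/dmi/id/sys_vendor"
    cpuinfo="$root/proc/cpuinfo"

    # Xen-aware kernels report "xen" here, in dom0 and in guests alike.
    if [ -r "$hv_type" ] && grep -qx 'xen' "$hv_type"; then
        # The control domain advertises "control_d"; unprivileged guests do not.
        if [ -r "$caps" ] && grep -q 'control_d' "$caps"; then
            echo "xen-dom0"
        else
            echo "xen-domU"
        fi
        return 0
    fi

    # An HVM guest without Xen support in its kernel still sees Xen's
    # virtual firmware in the DMI tables.
    if [ -r "$vendor" ] && grep -qi '^xen' "$vendor"; then
        echo "xen-hvm-domU"
        return 0
    fi

    # Generic hint: the CPUID "hypervisor" bit appears as a CPU flag on x86.
    if [ -r "$cpuinfo" ] && grep -E '^flags[[:space:]]*:' "$cpuinfo" | grep -qw 'hypervisor'; then
        echo "other-hypervisor"
        return 0
    fi

    echo "no-hypervisor-seen"
}

# Report on the machine this script runs on.
detect_virt
```
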