  • A few points. The goal is not "prevent(ing) someone ... from accessing any files within the OS". The files we want to protect are quite few, not everything. Only these are uploaded to the RAMDISK directory. Uploading will be done by SCP and files come from a developer's machine. DoS attacks intervening with the upload are not an issue. On why rolling my own solution instead of using a standard one: well, the main reason is lack of resources. As I said, we are limited to what's on offer at providers like Linode, DigitalOcean, Vultr and the like. Commented Jul 26, 2018 at 20:37
  • Since I named some businesses in the comment above, I think it is important to clarify that I am not accusing them of not being professional. So my question's opening should be read as while I do not distrust them, I do not know them enough to have a blind trust in them either. Commented Jul 26, 2018 at 20:44
  • So the ssh keys to your prod environment are sitting on a developer machine? You know what, I'm not gonna go there. My professional opinion is that turning on disk encryption in the server's kernel is both less effort and less error-prone than building your own solution. Commented Jul 26, 2018 at 21:48
  • I'm also gonna challenge the assumption that protecting /media/private means you don't need to protect everything else. Say a Linode admin mounts your disk image and adds a line to .bashrc to scp -R /media/private to the attacker's machine. Next time a dev logs in to a running system, you're hosed. Commented Jul 26, 2018 at 22:17
  • You're quite right. /media/private cannot be protected without minding all the public space on the server. And this empties the solution of what little value it still had to me. No security is better than the illusion of security. Thanks. Commented Jul 27, 2018 at 0:05