0

I'm currently working on a server. This server is meant to be converged, as in be my storage server and the place publicly accessible services run on. Services like some API's in docker or k8s and maybe an occasional game server.

There are a few hyper converged appliances available like Truenas Scale and Unraid. These offer great storage solutions and include KVM. Then there are the usual hypervisors like esxi and Proxmox etc.

So I have these 2 scenarios and wonder if one is more secure than the other.

A hypervisor (esxi/proxmox/xcpng) with:

  • A virtualized NAS OS like truenas
    • has PCIe passthrough so the VM has direct access to the sata controllers.
      • the drives are encrypted using ZFS encryption. Alternatively the drives can self encrypt.
    • has passed through nic.
  • A VM with docker or a k8s node
    • has passed through nic.

And this scenario: Install the NAS OS on baremetal.

  • Use it's KVM environment to launch a VM as a container host inside.
    • Has passed through nic.
  • The data drives for the NAS part are still encrypted using the same method. However they are now mounted directly to the host that is now also running KVM. Therefore in theory the VM once broken out of will have access to the data on the drives. No need to mount and decrypt the drives anymore.
Improve this question
2
  • @SteffenUllrich Maybe I'm phrasing it wrong. The question is, does passing through a sata controller, assuming the drives attached to it are encrypted increase my security if the virtualization host is compromised? In the case I use Truenas/Unraid the virtualization host has direct access to unencrypted data. whereas it will not if Truenas itself is virtualized. Commented Jul 2, 2023 at 12:48
  • @SteffenUllrich I have changed the question, you were right it did not give enough supplemental information Commented Jul 2, 2023 at 14:22

1 Answer 1

Reset to default
1

From my understanding you basically ask about these two options:

  1. Your own services and the NAS OS each virtualized and separated by an overarching virtualization layer
  2. Your own services within a virtualization layer provided by the NAS OS

In both cases the data are encrypted at the level of the NAS OS. The goal of the attacker is to get access to the data.

I assume that there is no security issue in the NAS OS which can be directly exploited from your separated services (like remote command execution in some exposed admin interface), because this would be a common problem for both scenarios. Instead just have a look at the separation provided by the virtualization.

In the first case the attacker must break out of the overarching virtualization layer. From there they might try to break into the VM of the NAS or access the memory etc of the NAS VM directly from the compromised virtualization layer. While this is kind of complicated to do it is usually feasibly once the VM host is exploited, unless additional protections are in place - see How can a VM handle a compromised host?.

In the second case the attacker needs only to break out of the virtualization and already has access to the data, no need to break into the NAS VM. But as I said, the latter is usually possible.

So at the end it depends on what security the host OS provides, i.e. the common hypervisor or the NAS OS providing virtualization. A pure hypervisor can be minimal and thus can achieve much less complexity than a full NAS OS with virtualization included. More complexity usually means more vulnerabilities and thus a larger attack surface. Thus in theory the approach with the common hypervisor can be more secure.

In practice it depends on the actual implementation though. Hypervisors might have lots of functionality you don't need - which adds again to complexity and decreases security. And it depends of course also on the inherent design of the system and how competent the developers are.

Improve this answer
1
  • This was exactly what I was looking for. Especially the additional protections. I will be going with the common hypervisor and look into the additional protections. Commented Jul 2, 2023 at 20:05

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.