I have a small VPS running a few scripts and some personal projects without any private information (just the keys for the services needed).
I want to expand it to selfhost more stuff like Google photos alternative, knowledge DB, git, etc., but I’m not sure how is my data protected inside a VPS.
There was a post mentioning everything is visible to the provider via the hypervisor, so I was wondering if an encrypted volume would make no difference for protecting any data uploaded there.
Am I being too paranoid? Or should I be investing in a small physical server?
If you don’t trust your VPS host then you shouldn’t use them. They have physical access to the hardware so it’s impossible to prevent them from accessing your stuff if they really wanted to (realistically they probably don’t want to).
I was wondering if an encrypted volume would make no difference for protecting any data uploaded there.
This is known as “encryption at rest” (as opposed to “encryption in transit”). In order for an application to use the content then it has to be decrypted using the private key (decryption key). Where are you storing the private key? If it’s on the VPS they have access to it. If you transmit it to the VPS at runtime they can access it via network monitoring. If you kept the private key only on your end-user devices (phone, desktp computer, etc) and then decrypted the content locally, then encrypted it before it was uploaded to the VPS then the provider would have no way of accessing that.
I’m not sure how is my data protected inside a VPS.
Ask your provider. The larger ones have a lot of security certifications and periodic audits showing that they’re in compliance with best practices for securing the clients’ data, including from their own employees. If what you find isn’t satisfactory then pick another provider.
Am I being too paranoid? Or should I be investing in a small physical server?
IMO yes but you need to determine how sensitive the data you’re storing actually is. Chances are that no one really cares about your personal photos or private git stuff. If you want to store the passwords for all of your email accounts and banking then I’d be more concerned - though I think that’s still fine to store on a VPS if you trust the provider.
Any VPS provider worth their salt will have corporate clients with data far more valuable than a random person’s vacation photos. So they probably don’t want anything to do with that data unless it brings them legal trouble. Plus, not knowing can help shield them from all sorts of liabilities.
Also worth mentioning that modern CPUs support VM-level encryption, so that even the host can’t see what’s inside the VM at all. The RAM is transparently encrypted by the CPU, so unless the provider goes to some pretty extreme (and expensive) length to extract the keys from the PSP for a regular random nobody, it’s barely worth thinking about. See: https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
As long as you don’t get into legal troubles the provider has better things to do than ruin their reputation with big corporate customers.
Encryption at rest never hurts however. But the runtime may also be encrypted and really private. Lemmy is very public anyway, I wouldn’t worry much.
The above, not much you can do
