Super cheap VPS that's reasonably safe
I'm looking for a cheap (good if I can get it to the $7-10/yr mark) VPS which is in a non-US/EU location.
Minimal specs: IPv4 (NAT OK), 512MB RAM, 5GB storage, no particular CPU or network requirements. Prefer KVM, and must be stable - nothing that is offline for days at a time. Can't pay crypto.
I'll use it for a "key server". I've got encrypted LUKS keys which get retrieved at boot. So it runs a web server/SQLite which gets about 3 hits per week. Most of the drives being unlocked are in the US/EU so I like to keep the key server somewhere else.
I've got an $8/yr VPS doing the job at the moment, but have run into a very strange problem where a particular IP range can't reach it.
Comments
I don't really know "super exotic" providers that are cheap.
For about $6 a month you get a small VPS plan in a local datacenter in Mauritius (an island in the Indian Ocean, close to South Africa). https://cloud.mu/linux-virtual-servers/
Even more expensive, but you get access to locations such as Abkhazia (a "pseudo" country in Georgia), Lebanon or Iran.
https://exservers.net/, around $30 a month. Operated by "notorious" Batterflyai Media ltd.
Eventually something in Russia, an hour or two by car from North Korea, the legendary Media Land LLC.
https://ml.cloud/en/vds starting at $5.
I'm out of ideas at this price point.
Friend is cooking something up in Georgia, so he may be able to provide something "cheap" there, but no promises.
If you want to keep the "key server" hidden, just route this bitch over Tor and host wherever you want. You could include the Tor binary in whatever pre-boot software you have. I2P works great in such deployments as well, but takes some time to bootstrap.
It all depends on your threat model, who is your "opponent". Nobody will want to fuck with feds for such money, even US/EU ones.
freevps in Tokyo for a $5 one-time payment, maybe
WebHorizon sells NATs in Chile. Maybe that would work?
Putting it behind something like that is not a bad idea! Thanks for sharing that thought.
Thanks everyone for the other suggestions too.
Where do you see this?
Sorry, their sister company. Can never remember which one: natvps.net? Think that's it.
Which provider are you currently using at $8/yr?
As a fellow encryption-at-rest enthusiast, can you expand on this topic? I've been adding dropbear to initrd and SSH in to provide the passphrase, but your solution sounds so much cooler.
edit: Is this what you use? https://github.com/johndoe31415/luksrku Incidentally, I also found this interesting project: https://github.com/grazzolini/chkboot
It's pronounced hacker.
We have almost 13 locations on NAT, please let me know which one you need
OpenVZ nodes
Taiwan (1gbps)
Hong Kong (10gbps)
Japan (10gbps)
Singapore (10gbps)
Netherlands (1gbps)
Germany (2gbps)
Sweden (10gbps)
Pakistan (1gbps)
KVM nodes
Turkey (1gbps)
India (1gbps)
USA (10gbps)
Canada (100mbps up / 1gbps down)
UK (1gbps)
KhanWebHost Cheap Shared Hosting | Cheap KVM VPS (DE,UK,US,FR) | KVM Sale - LES Offers
I'm not sure what he's using, but clevis/tang is one of the more popular ones. Most distros have support.
Mine is nothing that complicated. What I do is install alpine (sometimes but rarely RHEL) on a small (1-2GB) partition and use it as a "thin" hypervisor. Everything runs in LXC containers (could use docker instead, I suppose). So in /etc/fstab, and then a script (openrc for alpine, systemd otherwise) for unlocking/mounting the partition at boot time. That script reads a uuid from a config file and contacts a web server for the LUKS key. This works fine for a low-spec KVM, down to 256MB and 5GB disk. It's about 70 lines but the essence is:
From the encryption perspective, this is not intended to stop someone serious about getting your stuff who can image RAM or whatever. The main scenarios are (a) if a provider goes bust and their unwiped disks end up somewhere like eBay, or (b) if a provider's entire server gets seized due to a neighbor and your stuff is on the same disk [this happened to me with a Hetzner reseller] and you're uncomfortable with people poking through your stuff for no reason. With this approach, basically all they get is a vanilla alpine partition.
The main function of the backend server is to return the LUKS key, i.e. disabling the VPS is done by deleting the key. Beyond that, it also does some "integrity checking" to see if the VPS has been moved, it handles provisioning of new VPSes, and you can flag a partition to be re-keyed on the next boot. The hypervisor monitors network connectivity and if it is lost forces a reboot to refresh the key.
Encryption aside, I find this is pretty good for HA. Containers are imaged and full/incremental backups sent to a MinIO cluster.
There's an internal network (tinc) inside each container so the container can be restored to pretty much any VPS anywhere if a provider goes down. I route public stuff through a few "entry points" which tend to be my more reliable VPSes and they fan it out to redundant backends on the internal network using HAProxy.
End result might look something like this on a node:
Not super complex but keeps the stress manageable. When Carrier-1 in Dallas lost power a few days ago, I had about 5-6 VPSes go offline, but DNS updated automatically and everything failed over OK & kept ticking along, apart from a bazillion monitoring notifications.
Long reply, but you did ask!
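A boot-time unlock script in the shape the post above describes (UUID read from a config file, key fetched from a web server, then cryptsetup and mount), written here as an added example rather than the poster's own openrc script. The config format, the /key/UUID URL scheme, and the key.example.net and /etc/luks-remote.conf names are assumptions; the CA file is pinned so a hijacked route cannot serve a fake key server, and timeouts/retries are bounded so a lost key server fails the boot instead of hanging it.

```shell
#!/bin/sh
# Added example of a remote-key LUKS unlock at boot. Hostnames and paths
# (key.example.net, /etc/luks-remote.conf) are hypothetical placeholders.
set -u
# config_get FILE KEY: print the value of a "KEY = value" line (comments ignored)
config_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# key_url BASE UUID: URL under which the server hands out that volume's key
key_url() {
    printf '%s/key/%s\n' "${1%/}" "$2"
}
# fetch_key URL CAFILE: pinned CA, short timeouts and bounded retries, so a
# flaky route delays boot but cannot hang it forever (--retry-all-errors needs
# curl 7.71+). The key is written to stdout only, never to a file.
fetch_key() {
    curl --silent --show-error --fail --cacert "$2" \
         --connect-timeout 10 --max-time 30 \
         --retry 5 --retry-delay 15 --retry-all-errors "$1"
}
# unlock_and_mount CONFIG: the boot step. The key is piped into cryptsetup
# (--key-file=-) so it never lands on the unencrypted root filesystem.
unlock_and_mount() {
    cfg=$1
    uuid=$(config_get "$cfg" uuid);      server=$(config_get "$cfg" server)
    cafile=$(config_get "$cfg" cafile);  mapper=$(config_get "$cfg" mapper)
    mnt=$(config_get "$cfg" mountpoint)
    [ -n "$uuid" ] && [ -n "$server" ] && [ -n "$cafile" ] ||
        { echo "config incomplete: $cfg" >&2; return 1; }
    fetch_key "$(key_url "$server" "$uuid")" "$cafile" |
        cryptsetup open --key-file=- "/dev/disk/by-uuid/$uuid" "$mapper" || return 1
    mount "/dev/mapper/$mapper" "$mnt"
}
# make_sample_config: write a constructed config (test data) and print its path
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample config
uuid = 1b2c3d4e-0000-4000-8000-000000000001
server = https://key.example.net
cafile = /etc/ssl/keyserver-ca.pem
mapper = data
mountpoint = /srv
EOF
    echo "$f"
}
# Only perform the real unlock when invoked as the boot job (LUKS_REMOTE_BOOT=1)
if [ "${LUKS_REMOTE_BOOT:-}" = 1 ]; then unlock_and_mount /etc/luks-remote.conf; fi
```

Deleting the key on the server makes the next boot fail at fetch_key, which is the "disable the VPS by deleting the key" behaviour the post describes.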
Thanks, what is the pricing on these?
I'm thinking through treesmokah's idea of putting Tor in the middle and how that might work.
Check out this for pricing
https://lowendspirit.com/discussion/7839/natkvm-net-buy-nat-vps-in-just-3-30-year-de-pk-se-sg-jp-tr-in-usa-uk-tw-hk#latest
KhanWebHost Cheap Shared Hosting | Cheap KVM VPS (DE,UK,US,FR) | KVM Sale - LES Offers
Interesting. Both are available in NixOS. I'll check them out. Thanks!
Woah. Thank you so much for the detailed write-up! This, by the way, is my exact use case. When NexusBites (pun intended) went belly-up, I kicked myself for not taking the time to encrypt my data there.
It's pronounced hacker.
Recently I have been encrypting more, and also more often. Mostly I have still been using ccrypt, which I guess is better than Rot13. Maybe the time is coming has arrived for me to switch to a more complex, more automagic method.
Thanks for the explanations and discussion in this thread!
I hope everyone gets the servers they want!
I've also had good luck with ecryptfs, to automagically encrypt $HOME in Debian: https://wiki.debian.org/TransparentEncryptionForHomeFolder
I used to have this as my email signature for a long time, and more than one person claimed to be able to translate it in their head. 😁
"Vs lbh pna ernq guvf, lbh arrq gb trg ynvq."
For the lazy among us:
"If you can read this, you need to get laid."
It's pronounced hacker.
If I can help out lemme know. I do this on most of my boxes and have already blundered my way through figuring out the quirks.
Thanks so much for the offer. I'll try to carve some time to try it this weekend.
It's pronounced hacker.
I ended up doing something like this. Key server running a .onion. One disadvantage with this is that Tor hides a lot of the "anti-tampering" stuff, e.g. it becomes harder for the key server to detect if the VPS has been moved to a "sandbox".
What I've done is basically a "bastion" where the client "knocks" and asks for a token, then opens a (random) port and the key server connects to it (routed over Tor so key server isn't exposed) and provides the token which is passed back in subsequent requests.
Seems to work, but needs more testing to see how robust it is.
HostVDS, the cheapest VPS I know, and it is relatively stable. https://btc-vps.com/bitcoin-vps/hostvds (AFFILIATE LINK WARNING mod edit)
Cloud VDS: 1 vCPU, 1 GB RAM, 10 GB NVMe Storage, 500GB Traffic ($1 per extra 1TB), 50 Mbps Bandwidth, 0.5TB Traffic, 1 IPv4 ($0.59/mo for an extra IPv4), Linux OS, as low as $0.99/month (or $0.00133/h).
Location: America (US), Amsterdam (NL), Dallas (US), Finland (FI), France (FR), Moscow (RU), Netherlands (NL), Paris (FR), Russia (RU)
@AK_KWH posted something less than half the price in this same thread, and if you're going to suggest a provider please give the link to their site, not to some aff generator, or make it clear to everyone what you're doing. That's not good form. Thanks.