I just learned that this is not a good combination of resources.
Unless you trust your VPS provider completely, you should not store any sensitive data within a VPS, like:
- Keys/secrets;
- Financial information;
- Personal data that could motivate identity theft.
I used to think that it was just a matter of having LUKS enabled on the VPS to make it (very) secure. I was mistaken. The VPS provider still has absolute power over you VPS instance. He can read data via a snapshot of your volume(s), making it accessible to his own users. On-memory data is also accessible with the right tooling.
If you trust your provider from an ethical standpoint, that’s fine. However, it doesn’t eliminate the possibility of rogue employees or even third parties (a.k.a hackers) to access your data via the provider’s infrastructure if it’s vulnerable.
Possible Solutions:
- Go self-hosted if you know what you’re doing and if your purpose is not to run services to other people, meaning that you’re running services just to yourself;
- Go colocation and provide the box preconfigured, stiffed, ready to be attached to the provider’s network;
- Go bare metal or with a dedicated server if you have the budget (and the ROI), but keep in mind that in both cases you will have to trust your provider and its hardware provisioning process, thus still subject to rogue employees and supply chain attacks to the hardware.