Hey,

> 1) I have never used a VPS before. Can they be nearly as
> private/secure as a local machine?

No, you are trusting the hosting provider; when you rely on trust within your security model, it weakens it. You have to trust the hosting provider to provide good physical security, and also digital security too (for example, if their servers are vulnerable, the isolation between virtual machines could be compromised).

> For example, if I use full disk encryption and only ssh to
> communicate, is there any way the company can know what I'm
> doing/data?

Using full disk encryption on a VPS isn't that useful. Hosting providers can take the FDE key directly from memory and decrypt your data at rest.

> 2) I use FDE on my laptop, and after update, I have to type the
> password before I can boot. So how is this achieved on a VPS as ssh
> doesn't start before the OS does?

Usually you need a terminal server or KVM for physical servers; when you colocate servers you are sometimes provided this. For virtual servers (VPS), most hosting providers will give you VNC access to access the VM directly in case of network issues, or in this case, to decrypt them, so yes, it is possible. Does it improve security? Seldom.

> 3) Even if I use FDE, the company can read the password during the
> initial setup right, and also tamper with the ISO? Can I install/setup ISO
> locally and then upload image to the vps, so I know the iso is
> genuine and they did not read my password during setup?

In order to decrypt the partition(s), FDE keys have to be loaded into memory. Because the company controls the host, there is nothing stopping them intercepting the key and storing it to decrypt your data later.

There is confidential computing, and there was a talk about it at EuroBSDCon 2024 [1] and EuroBSDCon 2025 [2] (can't find recording, sorry) which might interest you. However, support for it is limited unless you are using certain hosting providers, and if I remember correctly, it usually costs a pretty penny.

> 4) Is openbsd a good server os for hosting websites and possibly
> E-mail?

Dumb question :)

OpenBSD base includes httpd [3], a small but powerful webserver built for security, and also relayd [4], which can be used for proxying. Unlike the norm on Linux, OpenBSD actually has different tools for different jobs and doesn't heap it all into one giant daemon.

It also includes acme-client [5] which, as the name implies, is an acme client, but unlike the solutions often used on Linux (such as acme.sh, dehydrated, certbot) it's small, simple and just works.

As for email, OpenBSD base ships with smtpd (aka opensmtpd) [6], which makes email simple, unlike postfix. smtpd delivers to local mailboxes, which you can read over SSH, but if you want support for IMAP/POP, you can use dovecot from the ports and set it up with opensmtpd.

Name another operating system in which almost your entire stack is within the base install?

Take care,
--
Polarian
Jabber/XMPP: [email protected]

[1] https://www.youtube.com/watch?v=t6eQ1Wf0zd8
[2] https://www.openbsd.org/papers/eurobsdcon2025-hshoexer-confidential-computing.pdf
[3] https://man.openbsd.org/httpd.8
[4] https://man.openbsd.org/relayd.8
[5] https://man.openbsd.org/acme-client.1
[6] https://man.openbsd.org/smtpd.8

