I've yet to stumble upon the first provider which actually uses OpenBSD
as the hypervisor, instead of VMware, Xen, KVM, etc. That, in fact,
would be an awesome development. I have been tinkering with this
thought back and forth, but the IT company I work for isn't big enough
to facilitate this - yet.
As to public clouds, no doubt it's far less secure than running OpenBSD
bare metal. However, public clouds do have one advantage over bare
metal, VMs can be made with the mere click of a button, whereas bare
metal often takes time to be put online.
Having said that, it isn't always that much more cost effective. There are
very cheap dedicated servers available. Like in Germany, there is
Hetzner, Servdiscount, etc. If you need bulk storage, a dedi is often
more affordable than a VM/VPS. However, they do oversell bandwidth - a
I always prefer a dedicated server to run OpenBSD on, which is my
preferred OS. However, if you held a gun to my head and made me
pick a public cloud provider, I'd pick Azure. There have been some
developments that sound okay-ish, like confidential computing: https://
As to the exploit mitigation, I really don't know how this upholds
after four years or whether this even applies to public clouds - this
might be somewhat related at best:
I am keen to know whether someone has real hands-on experience with
OpenBSD, exploit mitigations and public clouds - I don't.
Post by Kevin Chadwick
We all know bare metal is more secure (ignoring physical security),
especially with OpenBSD, but if you need cost effective global resources
on tap then I believe you need cloud.
We all know Microsoft have a huge user base and userland issues that
are problematic; however, despite some recent Linux kernel mitigation
adoption attempts, Linux focus on kernel mitigations has been
lacklustre, whilst Microsoft have been comparatively active, albeit
enabling and enforcing mitigations (even ASLR) for all applications by
default has been lacklustre.
As cloud services are free from Microsoft's userland, it is a *hopeful*
assumption that their security mitigation work applies to their cloud
too, whereas I expect it is unlikely with Amazon and Google (AFAIK
Android fares better than Linux for mitigations due to Google
Perhaps OpenBSD mitigations still apply effectively to ec2 instances
and cloud services isolation is good enough to never undermine this,
though I find that hard to believe. Perhaps new processor developments
will solve this issue.
None of this matters if you cannot get things done. I know there is
OpenBSD AWS client availability but I am unsure about Azure, Google etc.
Any advice and experience is welcome. Thank you.