After deploying a VPS, many people stop at a firewall and SSH keys and consider the job done. But firewalls only address external intrusion. How data is stored, whether it's encrypted in transit, and whether backups are reliable—these are what actually determine the true security posture of your server.
Know where your data lives and who can reach it
The first thing to understand is that your VPS provider has physical access to the storage underlying your server. This doesn't mean they'll actively look at your data—most reputable providers have clear privacy policies and won't do so proactively—but the technical architecture gives them the capability. They may also be compelled to cooperate with legitimate legal requests.
The implication is straightforward: if you're storing sensitive data on a VPS, you can't rely on the provider's promises alone. You need to handle encryption yourself at the application layer.
Disk encryption: protecting data at rest
Disk encryption ensures that even if someone obtains the physical storage media, the data is unreadable without the key. The standard tool on Linux is LUKS (Linux Unified Key Setup).
To encrypt a new data partition:
sudo apt install cryptsetup -y
# Encrypt partition (replace /dev/sdb with your target partition)
sudo cryptsetup luksFormat /dev/sdb
# Open the encrypted partition
sudo cryptsetup luksOpen /dev/sdb encrypted_data
# Format and mount
sudo mkfs.ext4 /dev/mapper/encrypted_data
sudo mount /dev/mapper/encrypted_data /mnt/secure_dataOne practical caveat: encrypting the system disk on a VPS creates a problem—after a reboot, the key must be entered manually before the system can mount, which doesn't work for production environments that need to restart automatically. The practical compromise is to encrypt only the data partition and leave the system disk unencrypted.
File-level encryption: protecting sensitive files
If full disk encryption isn't necessary, you can encrypt individual sensitive files using GPG:
# Encrypt a file
gpg --symmetric --cipher-algo AES256 sensitive_file.txt
# Decrypt a file
gpg --decrypt sensitive_file.txt.gpg > sensitive_file.txtFor directories that need continuous encrypted storage, EncFS creates an encrypted folder that mounts as plaintext when needed:
sudo apt install encfs -y
# Create an encrypted directory
encfs ~/.encrypted_store ~/secure_folder
# Unmount when done
fusermount -u ~/secure_folderDatabase encryption: protecting application data
If you're running a database on the VPS, sensitive fields should be encrypted at the application layer before being written to the database—don't rely solely on database permission controls.
MySQL supports transparent data encryption (TDE). Enable it in my.cnf:
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring
innodb_encrypt_tables=ON
innodb_encrypt_logs=ONFor field-level encryption at the application layer, a Python example:
from cryptography.fernet import Fernet
# Generate key (store safely, never in the database)
key = Fernet.generate_key()
f = Fernet(key)
# Encrypt
encrypted = f.encrypt(b"sensitive data")
# Decrypt
decrypted = f.decrypt(encrypted)Transmission encryption: protecting data in transit
Data needs protection while it's moving, not just while it's sitting still. A few essentials:
All web services must use HTTPS. Let's Encrypt provides free certificates:
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d your_domainDatabases should never be exposed to the public internet. Restrict to local connections or specific IPs only:
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
# Find bind-address and set it to:
bind-address = 127.0.0.1If inter-service communication crosses servers, use TLS or route it through an SSH tunnel:
# Access a remote database through an SSH tunnel
ssh -L 3307:localhost:3306 user@remote_server
# Then connect locally to 127.0.0.1:3307Backup strategy: the last line of defense
Encryption reduces risk; backups are the safety net. Follow the 3-2-1 principle: three copies of your data, on two different media, with one copy stored off-site.
An automated daily backup script that encrypts and uploads to remote storage:
nano ~/backup.sh#!/bin/bash
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/home/yourname/backups"
REMOTE="user@backup-server:/backups"
mkdir -p $BACKUP_DIR
# Back up database
mysqldump -u root -p'your_password' --all-databases | \
gzip > $BACKUP_DIR/db_$DATE.sql.gz
# Back up application data
tar -czf $BACKUP_DIR/app_$DATE.tar.gz /var/www /home/yourname/data
# Encrypt backup file
gpg --symmetric --cipher-algo AES256 \
--batch --passphrase 'your_encryption_key' \
$BACKUP_DIR/db_$DATE.sql.gz
# Upload to remote server
rsync -avz $BACKUP_DIR/ $REMOTE/
# Delete local backups older than 7 days
find $BACKUP_DIR -mtime +7 -delete
echo "Backup completed: $DATE"Set permissions and schedule the task:
chmod +x ~/backup.sh
crontab -e
# Add: run at 2am every day
0 2 * * * ~/backup.sh >> ~/backup.log 2>&1To upload to S3-compatible object storage, use rclone:
sudo apt install rclone -y
rclone config # Follow prompts to configure your storage service
rclone copy $BACKUP_DIR remote:bucket-name/backups/Never hard-code sensitive information in your code
This is a habit many people overlook. Database passwords, API keys, and private keys should never be written directly into code files or config files and committed to a repository.
Use environment variables instead:
nano ~/.envDB_PASSWORD=your_secure_password
API_KEY=your_api_key
SECRET_KEY=your_secret_keyRead them in your code:
import os
from dotenv import load_dotenv
load_dotenv()
db_password = os.getenv('DB_PASSWORD')And make sure .env is excluded from Git:
echo ".env" >> .gitignoreRegularly review permissions and access logs
Security isn't a one-time configuration. Check these periodically:
See which users currently have sudo privileges:
grep -Po '^sudo.+:\K.*$' /etc/group | tr ',' '\n'Review recent login activity:
last -n 20
lastb -n 20 # failed login attemptsLook for files with unusual permissions:
# Find world-writable files
find / -xdev -type f -perm -0002 2>/dev/null
# Find SetUID files
find / -xdev -type f -perm -4000 2>/dev/nullSummary
VPS data security isn't a single solution—it's the result of layering multiple protections. Disk and file encryption protect data at rest. TLS protects data in transit. Backup strategies ensure data can be recovered. Permission management limits exposure. Regular reviews catch anomalies before they become incidents.
No single layer is sufficient on its own, but together they form a solid foundation. Spending a few hours getting this right upfront is far less painful than dealing with the fallout when something goes wrong.