The short answer is, yes, a malicious admin at the VPS provider can access everything.
Even encrypted storage has to be decrypted and passed through RAM and CPU to be used. An admin can leverage the hypervisor to read data out of RAM or CPU registers. They could, in theory, use your decryption key out of RAM to read your unlocked encrypted storage. Or, even easier, sniff a password you're sending to the console.
Ultimately, you can really only protect data at rest, encrypted storage, when it's not in use and the password or key hasn't been obtained by an attacker.
|