The cloud trend brought its problems. In the classical system, your servers were near to you, so the side-channel capability was limited. They were mostly on the smart-card systems where the card reader was malicious.
There are side-channel attacks on the cloud if the attacker can co-locate with you. For this, you need to use a shared machine to reduce your cost. However, co-locating is a real problem since you are not selecting your cloud machine when you use shared hardware where virtualization happens.
Cache-Attack
Assume the attacker located you, so both you and the attacker use the same hardware. What can they do? Cache-attack on the AES encryption. This attack works if you encrypt your files on the server and use software AES (not AES-NI) using T tables for the encryption.
During your encryption, the attacker runs their process, fills all of the cache lines, waits, your AES runs, and they enter again, then they check the cache lines. If a line still has the attacker's data, this implies the cache line is not used during encryption. If changed, then it is used during the encryption: cache hit and cache miss. After many, many steps, the key is extracted. For how cache works, see B degnan's answer.
Some articles:
2007 - ACIICMEZ, O. Yet another microarchitectural attack: exploiting I-Cache.
2012 - WEISS, M., HEINZ, B., AND STUMPF, F. A cache timing attack on AES in virtualization environments
2016 - Ashokkumar C.; Ravi Prakash Giri; Bernard Menezes (2016). "Highly Efficient Algorithms for AES Key Retrieval in Cache Access Attacks"
2018 - Mehmet S. Inci; Berk Gulmezoglu; Gorka Irazoqui; Thomas Eisenbarth; Berk Sunar, Cache Attacks Enable Bulk Key Recovery on the Cloud
2018 - Gorka Irazoqui; Mehmet Sinan Inci; Thomas Eisenbarth; Berk Sunar Wait a minute! A fast, Cross-VM attack on AES
2018 - Yuval Yarom; Katrina Falkner, Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack
Now the above works if you encrypt on the cloud and use software AES.
Deduplication
The aim was to eliminate copies of the data in the memory so that the cloud provider can reduce the cost, and we have another attack vector.
2011 - SUZAKI, K., IIJIMA, K., YAGI, T., AND ARTHO, C. Memory deduplication as a threat to the guest.
2015 - Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar Know Thy Neighbor: Crypto Library Detection in Cloud. PoPETs 2015, 1 (2015)
2018 - Jens Lindemann and Mathias Fischer A Memory-Deduplication Side-Channel Attack to Detect Applications in Co-Resident Virtual Machines
This helps the attacker to determine what is going on with the neighbors (on the shared machine).
Spectre and Meltdown
Whereas Meltdown allows unauthorized applications to read from privileged memory to obtain sensitive data from processes running on the same cloud server, Spectre can allow malicious programs to induce a hypervisor to transmit the data to a guest system running on top of it.
Spectre is a threat to shared hardware with a hypervisor, and patching Spectre is not an easy job.
If you encrypt locally and use the cloud only as a storage service, then this means you don't process your data, so you will be immune to this attack.
However, if you want the encryption on the server, this brings problems; for example, you may lose your encryption key. To mitigate this, some cloud providers provide HSM on the cloud that is useful primarily for servers and has some additional costs.
To encrypt locally, most CPUs have AES-NI so that you have fast encryption. Use a password manager to manage your key and use a good password like one generated by Diceware for the master password.
The problem starts when you want to access your files. If you want to search for them, then you need a mechanism. This is another long story. Read Song's famous article about this.
In any case, fully homomorphic encryption (FHE) is the holy grail of cryptography, and it promises to solve many issues about operations on encrypted data. Let it write some applications and then wait.
An important note: due to business considerations, the cloud provider should be considered a semi-honest adversary, that is, one that obeys the protocol. However, they can use all the information they observe and deduce more if they can. Over time, we understood that this approach is not correct. We should consider them as a covert adversary.
Covert adversaries have the property that they may deviate arbitrarily from the protocol specification in an attempt to cheat but do not wish to be “caught” doing so.
Therefore, if you plan to store your data, even only for storage, use authenticated encryption to assure the integrity and authentication of your data. In addition, a Merkle Tree-based approach is necessary to ensure the freshness of your data (to detect a possible rollback).
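The rollback check from the last paragraph, as an added example that is not part of the original answer: the client keeps only the current Merkle root locally and verifies every file the storage returns against it. The function names, file names, sample bytes (standing in for ciphertexts already produced by an authenticated-encryption scheme) and the odd-node promotion rule are assumptions of this sketch.

```python
import hashlib
import hmac

def leaf_hash(name: str, blob: bytes) -> bytes:
    # 0x00 prefix = leaf; the file name is bound in so blobs cannot be swapped.
    n = name.encode()
    return hashlib.sha256(b"\x00" + len(n).to_bytes(2, "big") + n + blob).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix = inner node (domain separation from leaves).
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(files):
    """files: non-empty list of (name, ciphertext). Returns tree levels, leaves first."""
    level = [leaf_hash(n, b) for n, b in files]
    levels = [level]
    while len(level) > 1:
        # Pair neighbours; an unpaired last node is promoted unchanged.
        level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(files):
    return build_levels(files)[-1][0]

def prove(files, index):
    """Storage side: sibling path for files[index] as (hash, sibling_is_left)."""
    path = []
    for level in build_levels(files)[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(name, blob, path, trusted_root):
    """Client side: recompute the root from one returned file and its path."""
    node = leaf_hash(name, blob)
    for sib, sib_is_left in path:
        node = node_hash(sib, node) if sib_is_left else node_hash(node, sib)
    return hmac.compare_digest(node, trusted_root)

def demo():
    # Constructed sample: opaque bytes standing in for AEAD ciphertexts.
    v1 = [("report", b"ct-report-v1"), ("keys", b"ct-keys-v1"), ("notes", b"ct-notes-v1")]
    v2 = [v1[0], ("keys", b"ct-keys-v2"), v1[2]]   # client updates "keys"
    root_v2 = merkle_root(v2)                      # only this is kept locally
    fresh = verify(*v2[1], prove(v2, 1), root_v2)
    stale = verify(*v1[1], prove(v1, 1), root_v2)  # old blob + old (valid) proof
    return fresh, stale
```

The stale blob would still pass its own authentication tag check, because it was genuinely encrypted under the client's key; only the comparison against the locally kept root reveals that it is an old version.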