Solution: Keep the backup disk encrypted.
Whole disk encryption is not as secure as it sounds, due to the limitations of sector-wise access, but it is _way_ better than not encrypting the disk at all, and it usually provides solid confidentiality (meaning an attacker cannot read any information from the disk).
(There are nasty attacks on whole disk encryption, but they are all around an attacker writing stuff to the disk, modifying its contents in various ways. But if the encryption is done properly all of these attacks leave random garbage in the decrypted view of the disk.)
I am using 'plain dm-crypt' instead of LUKS since I do not need any of the LUKS features and it is very easy to set up and very easy to understand what happens.
I am also using the entire disk as one big partition, without a partition table. Encrypted partition tables do not make much sense in my opinion, and I only want one partition anyway.
Create encrypted layer of the disk:
cryptsetup --cipher=aes-cbc-essiv:sha256 --key-size 128 --key-file=key.bin open --type plain /dev/sdX enc
(I am using aes-cbc-essiv:sha256 with just a 128 bit key since it seems sufficient for my purpose. If you are concerned that somebody might modify the contents of the disk you are better off with using aes-xts-essiv:sha256 with a 512 bit key, but I was not happy with the performance penalty for very little benefit (if any).)
The file key.bin contains the 16 byte (128 bit) binary AES key. I created it using:
head -c 16 /dev/random > key.bin
I keep the key.bin file in plain on my server since I am not nervous of it getting lost. People with access to the server are unlikely to want to decrypt the backup disk of the server since they have full access to the data (even full access to the data on the encrypted disk!) anyway. Of course it is necessary to keep a backup of this key in another physical place, e.g. printed on paper etc. Otherwise the backup disk is useless.
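The paper backup mentioned above, as an added example that is not part of the original post: check the key file, print it as hex with a short checksum, and rebuild the binary file from the typed-in line. The function names are made up for illustration; key.bin is the 16 byte file created above.

```sh
# Added example (not from the original post): paper backup of a raw dm-crypt key.
# Function names are hypothetical; key.bin is the 16 byte file created above.

# Refuse a key file that is not exactly 16 bytes or is accessible by group/others.
check_key() {
    size=$(wc -c < "$1") || return 1
    [ "$size" -eq 16 ] || { echo "key must be 16 bytes, got $size" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)        # group and other permission bits
    [ "$perms" = "------" ] || { echo "run: chmod 600 $1" >&2; return 1; }
}

# Print "HEX CHECKSUM" on one line; this is what goes on paper.
key_to_paper() {
    hex=$(od -An -v -tx1 "$1" | tr -d ' \n')
    printf '%s %s\n' "$hex" "$(printf '%s' "$hex" | sha256sum | cut -c1-8)"
}

# Rebuild the binary key from the typed-in line; the checksum catches typos.
# Usage: paper_to_key HEX CHECKSUM OUTFILE
paper_to_key() {
    hex=$1
    [ "${#hex}" -eq 32 ] || { echo "expected 32 hex digits" >&2; return 1; }
    case $hex in *[!0-9a-f]*) echo "non-hex character in key" >&2; return 1 ;; esac
    want=$(printf '%s' "$hex" | sha256sum | cut -c1-8)
    [ "$2" = "$want" ] || { echo "checksum mismatch, retype the key" >&2; return 1; }
    ( umask 077                               # restored key is created mode 600
      while [ -n "$hex" ]; do
          pair=$(printf '%s' "$hex" | cut -c1-2)
          hex=${hex#??}
          printf "\\$(printf '%03o' "0x$pair")"   # one byte via an octal escape
      done > "$3" )
}
```

With plain dm-crypt a mistyped key is not rejected when the disk is opened, which is why the checksum is verified before the key file is written.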
The plain view of the encrypted disk image is now available under /dev/mapper/enc.
If there was already (plain) data on the disk (e.g. an unencrypted backup) it is wise to erase that by overwriting the disk with zeroes. By overwriting the plain view with zeroes the physical disk gets filled with random garbage which makes it impossible for an attacker to even see where encrypted data is. On the other hand, using zero creates a nice base for known-plaintext attacks. But I ignore the possibility to break the AES128 encryption through a known-plaintext attack.
Clearing the disk:
dd if=/dev/zero of=/dev/mapper/enc bs=1M
Creating an ext4 filesystem on the encrypted disk:
mke2fs -m 0 -t ext4 /dev/mapper/enc
Mount encrypted disk:
mount /dev/mapper/enc /backup_disk
Now you can create a backup on /backup_disk.
When done, umount the disk and stop the encryption (which might flush a few sectors to the disk):
cryptsetup close enc
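A guard for the open and mount steps on later runs, added here as an example and not part of the original post. Plain dm-crypt has no header, so a wrong key or cipher string still opens the mapping and /dev/mapper/enc is just garbage; the sketch checks for the ext2/3/4 superblock magic before mounting. The function names are hypothetical, the device, mapping and mount point names follow the post.

```sh
# Added example (not from the original post). Use only after the filesystem
# has been created once with mke2fs as shown above.

# True if the device or file carries the ext2/3/4 superblock magic:
# superblock at offset 1024, s_magic at offset 56 within it, stored as 53 ef.
has_ext_magic() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Usage: open_backup_disk /dev/sdX key.bin   (needs root)
open_backup_disk() {
    cryptsetup --cipher=aes-cbc-essiv:sha256 --key-size 128 --key-file="$2" \
        open --type plain "$1" enc || return 1
    if ! has_ext_magic /dev/mapper/enc; then
        echo "no ext4 superblock behind /dev/mapper/enc: wrong key, cipher or disk?" >&2
        cryptsetup close enc
        return 1
    fi
    mount /dev/mapper/enc /backup_disk || { cryptsetup close enc; return 1; }
}

# Unmount first, then remove the mapping.
close_backup_disk() {
    umount /backup_disk && cryptsetup close enc
}
```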
I found that my binutils (dd) were too old for the dd status=progress feature.
Sending signal USR1 to dd prints its progress:
killall -USR1 dd
Alternatively you can just look at the write file descriptor of the dd process, e.g.:
grep pos /proc/4609/fdinfo/1
- Press Ctrl-A and then :
- Enter "hardcopy -h myfile.txt"
myfile.txt will be created in the current working directory of the screen instance you are connected to.
This is useful in situations where you think "I should have really redirected that into a log file". Of course this only works well if you have a big scrollback buffer. I have:
in my .screenrc.
To reset it:
- press Ctrl-A
- enter ":reset" and press enter
Done. You may need to enter "reset" in the terminal itself as well.
This one was tough. Googling showed that this problem could be solved by uncommenting the line '$ModLoad imklog' in /etc/rsyslog.conf. This in turn caused kern.log to be filled with messages like 'imklog: error reading kernel log - shutting down: Bad file descriptor'. This in turn is probably caused by some strange interaction between Ubuntu and OpenVZ/virtualization combination, but initially I did not find the precise cause of the problem, nor a solution.
This link finally gives a clue what the problem is and also presents a working workaround:
Following the solution worked for me. In more detail:
Create file /etc/init/kmsg-pipe.conf with the following content:
Then execute the script and restart rsyslogd:
See also https://www.timoschindler.de/brother-mfc-9140cdn-toner-resetten/
After a lot of fiddling with /etc/rc.local I realized that the NAS is mounted only after my commands in rc.local were executed. A sleep may help, but rc.local is killed if you sleep too long ... argh, nasty!
Instead I decided to hardcode the autoplay into the PHP scripts directly. I don't know any PHP, but how hard can it be?
Edit file /var/www/command/player_wrk.php and search for 'WORKER MAIN LOOP'.
Add the following lines before the '// --- WORKER MAIN LOOP --- //' line:
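// Each command has to be executed, not just assigned; PHP's built-in exec() is used here for that.
$cmd = 'amixer cset numid=3 1'; exec($cmd);  // force 3.5mm jack audio output
$cmd = 'mpc repeat on'; exec($cmd);
$cmd = 'mpc random on'; exec($cmd);
$cmd = 'mpc consume off'; exec($cmd);
$cmd = 'mpc single off'; exec($cmd);
$cmd = 'mpc play'; exec($cmd);               // start playback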
The amixer line tries to force 3.5mm jack audio output. Not sure this works. Omit it if you use your own DAC or HDMI.
Not sure the sleep(5) is necessary. This is actually not specific for NAS and should work with any source. It should play the playlist which was last active.
I would love to have this in the GUI, but I do not know how to hack that in.
Ah yes. Completely unrelated and just so I do not forget it: To get my TL-WN725N WLAN Dongle working with volumio 1.55 I had to download the firmware for it:
sudo wget https://github.com/lwfinger/rtl8188eu/raw/c83976d1dfb4793893158461430261562b3a5bf0/rtl8188eufw.bin -O /lib/firmware/rtlwifi/rtl8188eufw.bin
I have a Zotac server without a CD drive, so I needed to run the Samsung Performance Restoration tool. I used the DOS / Mac variant which is a DOS bootable disk which contains the update tool. The easiest way to prepare the USB stick is NOT to use the USB zip provided by Samsung but to use the *.iso file (Samsung_Performance_Restoration.iso) instead:
- Mount the ISO file and get the file ISOLINUX/BTDSK.IMG from it.
- dd the BTDSK.IMG directly onto a USB stick
- boot from the USB stick and follow the instructions
On my Zotac machine when booting from this USB stick I got a couple of broken error messages about not being able to boot from device XYZ, but it booted OK from the stick after a couple of seconds.
The performance restoration procedure took 4.5h for a 1TB SSD (60% full) and about 15h for another 1TB SSD (95% full), so expect this to take some time.
Both SSDs were not erased by the procedure.
Avoid hang of headless Zotac server on Ubuntu Linux reboot. (How to disable the graphical console for grub and the Linux kernel.)
Uncomment this line:
In addition I disabled setting any graphics mode on the Linux kernel and setting the timeout to 1 second.
My /etc/default/grub file now looks like this:
Copy files using rsync as root when the remote host does not allow root access and ssh is on a different port
- Step 1: Make sure you can execute commands as root on the remote host after logging in, without entering your password. For this there are two alternative options:
- You can allow the user to execute sudo without entering the user's password. You can do this by adding the following line to the end of /etc/sudoers:
- You can enter the sudo password in advance once and make sure it is cached between sessions. To make sure it is cached between sessions you must add the '!tty_tickets' option to the Defaults line in /etc/sudoers, and then you must run a dummy command as root:
- Defaults env_reset,!tty_tickets
- ssh -p PORT -t USER@REMOTE_HOST sudo id
- Step 2: Do the rsync. Override the ssh port. Specify "sudo rsync" as remote rsync command. Target the rsync at the non-root user which can now sudo:
- sudo rsync -avRe "ssh -p PORT" --rsync-path "sudo rsync" LOCAL_DIR USER@REMOTE_HOST:
To show the bandwidth in Bytes/s
- open the Printer Queue for your Printer
- stop the Queue
- print the PDF
- now you should have a file starting with 'd' under /var/spool/cups which is an unprotected version of your PDF
- in Terminal type sudo cp /var/spool/cups/d* ~/Desktop/d.pdf
- this assumes there is just one file starting with a 'd' which is usually the case. If there are multiple files pick one by one until you have your file.
- in Terminal type sudo chown foo:foo ~/Desktop/d.pdf (replace foo with your actual user name)
- file ~/Desktop/d.pdf does not have any restrictions
- in the Printer Queue delete the print job
- start the Printer Queue
Also, to see additional information about the currently active wireless connection hold down the Option key while clicking on the Airport Symbol in the menu bar.
- Zotac Zbox ID18
- Samsung SSD 840 EVO 1TB
- 4GB RAM (SODIMM 1600)
- Ubuntu 13.10
- download the 'Windows' Firmware update for the 840 EVO
- mount it
- dd the btdsk.img onto a USB stick
- put the USB stick into the Zotac
- change the Zotac BIOS so it boots from the USB stick
- ignore all error messages about missing partitions
- eventually the Samsung Firmware Update program comes up
- take note of the Firmware revision
- follow the instructions of the program
- ignore the message about power cycling the SSD, since you cannot power cycle it in isolation
- ignore the message about the firmware update being unsuccessful
- reboot (still from the USB stick)
- check that you have the new firmware revision
- Linux shows: ata1.00: ATA-9: Samsung SSD 840 EVO 1TB, EXT0BB6Q, max UDMA/133)
- Enable TRIM support and avoid unnecessary writes when reading files and dirs:
/ ext4 discard,noatime,errors=remount-ro 0 1
- Reduce amount of disk space reserved for root from 45GB to 1GB:
- sudo tune2fs /dev/sda1 -m 0.1
- Install sshd:
- sudo apt-get install openssh-server
- Install 'sensors' to check the CPU temp:
- sudo apt-get install lm-sensors
- sudo sensors-detect
- sudo service kmod start
- Install 'smartmontools' to see the SSD temp and other interesting data:
- sudo apt-get install smartmontools
- sudo smartctl -x /dev/sda | grep -i 'Current Temp'
- Do not start GUI/X
- edit /etc/default/grub:
- sudo jed /etc/default/grub
- sudo update-grub
- I like to install:
- sudo apt-get install jed apcalc screen minidlna openssh-server samba emacs ispell subversion g++ imagemagick
- If you have a couple of minutes:
- sudo apt-get update
- sudo apt-get upgrade
- If you would like to manually TRIM the SSD:
- sudo fstrim -v /
- Install SAMBA:
- sudo apt-get install samba
- see https://help.ubuntu.com/12.04/serverguide/samba-fileserver.html
USE_TABS = 0;
LINENUMBERS = 2;
% For the following to work you _must_ comment out any c_set_style() call!
C_INDENT = 4;
C_BRACE = 0;
C_BRA_NEWLINE = 0;
C_Colon_Offset = 0;
C_CONTINUED_OFFSET = 4;
public variable C_Class_Offset = 4;
This time the 'tape across toner window' trick would not work, even with black tape. The 'toner empty' message would only go away after doing this strange procedure which probably resets some internal state so it re-checks the toner state:
Open the front cover, then press the Back (German: Storno) button (the left bottom one of the four round black buttons), then press * 0 0 and then * 1 0. (Do not press 1 or 2 as indicated in the display. This is for the drum.) After this the 'toner empty' and also the 'toner almost empty' messages were gone and I could perfectly print again.
A subset of * 0 0 and * 1 0 might be sufficient. Not 100% sure the black tape is necessary at all.
Now the printer is printing happily and in perfect quality again. Let's see how long. :-)
(I am using an external monitor connected to the Mac Book Pro and I put this configuration to sleep and I turn the monitor off at least once a day. I do not power down or reboot the laptop at all unless absolutely necessary.)
Logging out and back in solves the problem, but is of course tedious. I found a better workaround here: http://reviews.cnet.com/8301-13727_7-57389668-263/os-x-desktop-backgrounds-gray-after-waking-from-sleep/
- open a Terminal
- type: killall Dock
I was using the GUI option since the manual option requires you to know the index of the Windows entry upfront (index starting at 0, for me Windows was at index 5).
This is what I did:
- Start a Terminal (search for 'Terminal' in one of the topmost icons), then paste/type this into the terminal:
sudo add-apt-repository ppa:danielrichter2007/grub-customizer
(enter password)
sudo apt-get update
sudo apt-get install grub-customizer
grub-customizer
(program comes up)
- click Preferences
- select Windows as default
- Close
- Save
- close the program
- restart to test it, done
The benchmarks are of course rather meaningless.
- Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz
- (dual core, 4 cores with hyperthreading, no turbo boost)
- (in a Lenovo B570 M58GMGE, 8GB, Ubuntu 12.04)
- (according to cat /proc/cpuinfo)
- Intel(R) Core(TM) i7-2820QM CPU @ 2.30GHz
- (quad core, 8 cores with hyperthreading, turbo boost up to 3.4GHz)
- (in a MacBookPro8,2, 8GB, Mac OS 10.7.4)
- (according to Temperaturmonitor 4.94)
Benchmark       i3      i7      speedup
g++-4.6         6.8s    3.9s    1.74x
calc            5.7s    4.2s    1.36x
Cinebench CPU   2.22P   4.63P   2.09x   (i3 Win7, i7 OSX)
Cinebench GL    12.40   27.90   2.25x   (i3 Win7, i7 OSX)
Cinebench CPU   -       1.24    -       (VirtualBox guest Windows 7, host OSX, 1 CPU)
Cinebench CPU   -       4.27    -       (VirtualBox guest Windows 7, host OSX, 8 CPUs)
(s in real time)
Benchmark command lines:
- time make CXX=g++-mp-4.6 OPT=-O3 -j 20
- compiling streplace 0.9.36
- just 5 parallel objects (does not fill the 8 slots of the i7)
- time calc 'log(fact(11**5))'
- single core
- Cinebench 11.5 on Windows 7 SP1 and Mac OS X 10.7.4
This worked for me from Word 2011 on Mac OS X Lion 10.7.1 and probably works for any other program as well as this is a universal PDF service (Create Booklet in the PDF menu button in every print dialog).