Encrypted backup disk on Linux

Problem: I would like to store a backup disk in a different physical place every now and then, just to be safe in case of a severe incident like a fire etc. A different physical place means giving up control over where the disk goes: it might be stolen, or it might simply be lost, or it might be sold on ebay by accident. Ok, I totally made the ebay thing up. :-)

Solution: Keep the backup disk encrypted.

Whole disk encryption is not as secure as it sounds, due to the limitations of sector-wise access, but it is _way_ better than not encrypting the disk at all, and it usually provides solid confidentiality (meaning an attacker cannot read any information from the disk).

(There are nasty attacks on whole disk encryption, but they all revolve around an attacker writing stuff to the disk, modifying its contents in various ways. But if the encryption is done properly all of these attacks leave random garbage in the decrypted view of the disk.)

I am using 'plain dm-crypt' instead of LUKS since I do not need any of the LUKS features and it is very easy to set up and very easy to understand what happens.

I am also using the entire disk as one big partition, without a partition table. Encrypted partition tables do not make much sense in my opinion, and I only want one partition anyway.

Create encrypted layer of the disk:

cryptsetup --cipher=aes-cbc-essiv:sha256 --key-size 128 --key-file=key.bin open --type plain /dev/sdX enc

(I am using aes-cbc-essiv:sha256 with just a 128 bit key since it seems sufficient for my purpose. If you are concerned that somebody might modify the contents of the disk you are better off using aes-xts-essiv:sha256 with a 512 bit key, but I was not happy with the performance penalty, for very little benefit (if any).)

The file key.bin contains the 16 byte (128 bit) binary AES key. I created it using:

head -c 16 /dev/random > key.bin

I keep the key.bin file in plaintext on my server since I am not nervous about it getting lost. People with access to the server are unlikely to want to decrypt the backup disk of the server since they have full access to the data (even full access to the data on the encrypted disk!) anyway. Of course it is necessary to keep a backup of this key in another physical place, e.g. printed on paper etc. Otherwise the backup disk is useless.

The plain view of the encrypted disk image is now available under /dev/mapper/enc.

If there was already (plain) data on the disk (e.g. an unencrypted backup) it is wise to erase it by overwriting the disk with zeroes. Overwriting the plain view with zeroes fills the physical disk with random-looking garbage, which makes it impossible for an attacker to even see where the encrypted data is. On the other hand, a disk full of encrypted zeroes gives an attacker plenty of known plaintext. But I ignore the possibility of breaking the AES128 encryption through a known-plaintext attack.

Clearing the disk:

dd if=/dev/zero of=/dev/mapper/enc bs=1M

Creating an ext4 filesystem on the encrypted disk:

mke2fs -m 0 -t ext4 /dev/mapper/enc

Mount encrypted disk:

mount /dev/mapper/enc /backup_disk

Now you can create a backup on /backup_disk.

When done, umount the disk and stop the encryption (which might flush a few sectors to the disk):

umount /backup_disk
cryptsetup close enc
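The steps above wrapped into one script, added here as an example (not from the original post). It checks that the key file has the right size before opening and that the decrypted view actually contains an ext4 filesystem before mounting, because plain dm-crypt has no header and silently decrypts to garbage with a wrong key or cipher spec. The variable names KEY, DEV, NAME and MNT are assumptions.

```shell
#!/bin/sh
# Added wrapper around the cryptsetup/mount steps; not part of the original post.
# Assumes: KEY (key file), DEV (raw disk), NAME (mapping name), MNT (mount point).
# Plain dm-crypt has no header, so cryptsetup cannot tell a wrong key or a
# wrong cipher spec from the right one: the mapping just decrypts to garbage.
# Therefore check the key size before opening and the filesystem before mounting.
set -u

KEY=${KEY:-key.bin}
DEV=${DEV:-/dev/sdX}
NAME=${NAME:-enc}
MNT=${MNT:-/backup_disk}
CIPHER=aes-cbc-essiv:sha256
KEYBITS=128

# Succeed only if the key file exists and is exactly KEYBITS/8 bytes long.
key_ok() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq $((KEYBITS / 8)) ]
}

# Succeed only if the decrypted view carries an ext4 filesystem.
fs_ok() {
    [ "$(blkid -o value -s TYPE "$1" 2>/dev/null)" = ext4 ]
}

backup_open() {
    key_ok "$KEY" || { echo "key file $KEY missing or not $((KEYBITS / 8)) bytes" >&2; return 1; }
    cryptsetup --cipher="$CIPHER" --key-size "$KEYBITS" --key-file="$KEY" \
        open --type plain "$DEV" "$NAME" || return 1
    # A wrong key passes cryptsetup but fails here; close instead of mounting garbage.
    if ! fs_ok "/dev/mapper/$NAME"; then
        echo "no ext4 on /dev/mapper/$NAME: wrong key, or disk not formatted yet?" >&2
        cryptsetup close "$NAME"
        return 1
    fi
    mount "/dev/mapper/$NAME" "$MNT"
}

backup_close() {
    # umount first so nothing is still written to the mapping when it goes away
    umount "$MNT" && cryptsetup close "$NAME"
}

case "${1:-}" in
    open)  backup_open ;;
    close) backup_close ;;
esac
```

Run as root with "open" before the backup and "close" afterwards; the first run on a blank disk still needs the mke2fs step from above in between.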

Useful links:

Monitor dd progress on Linux with old binutils

I recently was on an Ubuntu 14.04 machine, started a long running dd to clear a disk, and then wanted to monitor the progress of this command to get an indication of how long it would take.

I found that my binutils (dd) were too old for the dd status=progress feature.

Sending signal USR1 to dd prints its progress:

killall -USR1 dd

Alternatively you can just look at the write file descriptor of the dd process, e.g.:

grep pos /proc/4609/fdinfo/1
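An added helper (not from the original post) that turns the fdinfo trick into a percentage: it reads the pos: line from /proc/PID/fdinfo/1 and the size of the file or block device that fd 1 points at. It assumes Linux /proc, GNU dd (which puts the of= target on file descriptor 1) and the helper names fd_pos, fd_size and dd_progress.

```shell
#!/bin/sh
# Added helper; not part of the original post. Assumes Linux /proc and GNU dd,
# which opens the of= target on file descriptor 1.

# Current byte offset of file descriptor FD of process PID (the "pos:" line).
fd_pos() {
    awk '$1 == "pos:" { print $2 }' "/proc/$1/fdinfo/$2"
}

# Size in bytes of whatever FD of PID points at: a block device or a regular file.
fd_size() {
    target=$(readlink "/proc/$1/fd/$2") || return 1
    if [ -b "$target" ]; then
        blockdev --getsize64 "$target"
    else
        wc -c < "$target" | tr -d ' '
    fi
}

# One progress line per running dd; a percentage only when the target size is known.
dd_progress() {
    for pid in $(pidof dd); do
        pos=$(fd_pos "$pid" 1)
        size=$(fd_size "$pid" 1)
        if [ -n "$size" ] && [ "$size" -gt 0 ]; then
            echo "dd $pid: $pos / $size bytes ($((pos * 100 / size))%)"
        else
            echo "dd $pid: $pos bytes written"
        fi
    done
}

if [ "${1:-}" = progress ]; then dd_progress; fi
```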


Save GNU screen buffer to file

To save the content of a screen in the "GNU screen" tool to a file, including the scrollback buffer, do the following:

- Press Ctrl-A and then :
- Enter "hardcopy -h myfile.txt"

myfile.txt will be created in the current working directory of the screen instance you are connected to.

This is useful in situations where you think "I should have really redirected that into a log file". Of course this only works well if you have a big scrollback buffer. I have:

defscrollback 100000

in my .screenrc.


Reset screen terminal after printing garbage

When accidentally printing binary data in a terminal the state of the terminal gets messed up and one needs to reset it. When using GNU screen, screen maintains part of the terminal state as well.

To reset it:
- press Ctrl-A
- enter ":reset" and press enter

Done. You may need to enter "reset" in the terminal itself as well.


rsyslogd does not log kernel messages to kern.log on Ubuntu 14.04.1 and OpenVZ

Problem: Logging dropped packets using iptables LOG policy did not work. Well, the precise problem was, that the messages did not end up in /var/log/kern.log (nor in any other log file), but they did show in 'dmesg' and /proc/kmsg.

This one was tough. Googling showed that this problem could be solved by uncommenting the line '$ModLoad imklog' in /etc/rsyslog.conf. This in turn caused kern.log to be filled with messages like 'imklog: error reading kernel log - shutting down: Bad file descriptor'. This is probably caused by some strange interaction in the Ubuntu and OpenVZ/virtualization combination, but initially I did not find the precise cause of the problem, nor a solution.

This link finally gives a clue what the problem is and also presents a working workaround:


Following the solution worked for me. In more detail:

Create file /etc/init/kmsg-pipe.conf with the following content:

# Ye Olde /proc/kmsg hack by Mike Gogulski
# from http://www.nostate.com/4228/fixing-the-100-cpu-and-no-useful-output-imklogrsyslog-kernel-logging-problem-on-ubuntu-guests-under-xen-pv
# This is free and unencumbered software released into the public domain under
# the terms of the Unlicense [http://unlicense.org/].
description "/proc/kmsg pipe hack for rsyslogd"
start on started rsyslog
stop on stopped rsyslog
script
        # create a fifo only the syslog user can reach, then keep copying /proc/kmsg into it
        mkdir -p /var/run/rsyslogd || true
        mkfifo /var/run/rsyslogd/kmsg || true
        chown -R syslog /var/run/rsyslogd || true
        chmod -R 700 /var/run/rsyslogd || true
        exec dd bs=1 if=/proc/kmsg of=/var/run/rsyslogd/kmsg
end script

This effectively creates a shadow copy of /proc/kmsg (using dd and a named pipe) which is accessible by the syslog user.

Then adapt /etc/rsyslog.conf to use this:

echo '$KLogPath /var/run/rsyslogd/kmsg' >> /etc/rsyslog.conf

Then execute the script and restart rsyslogd:

initctl start kmsg-pipe
service rsyslog restart

Now /var/log/kern.log should show kernel messages, for example iptables LOG output.


Reset Toner on Brother MFC-9340CDW

The original Brother toner cartridges for the Brother MFC-9340CDW printer run out of toner after a programmed amount of toner usage, which is of course useless. This is how to reset the toners so you can continue to print for quite some time:

- Close all warning and error message windows and return to the main menu.
- Open the Fax menu
- Mark the '*' Button with a pencil, or just remember where it is. Do not press it. It will disappear in the next step.
- Return to the main menu.
- Open the printer so you can see the toners. 
- Press and hold the hidden '*' button for 7 seconds.
- A toner reset menu appears. Reset the toner in question.
  - Choose K=black, C=cyan, M=magenta, Y=yellow, STR=starter (small), STD=standard, HC=high capacity.
- Close the printer and return to the main menu.

See also https://www.timoschindler.de/brother-mfc-9140cdn-toner-resetten/


Copy multiple lines from Windows Command Prompt (cmd.exe)

Holding down shift while pressing the right mouse button in the selected area copies the text and removes all linefeeds. This is not proper cut/copy/paste of multiple lines, but works for a single long line spanning multiple terminal lines. It is better than nothing.


Visual Studio Intellisense: No focus on suggestions.

For some reason my IntelliSense behavior changes every now and then (probably a Linux keyboard shortcut entered in VS). To fix this:

1. Type something so the Intellisense Popup opens.
2. Press Ctrl+Alt+Space to toggle whether the suggestion should have the focus or not.


Volumio autoplay with NAS (hack)

Goal: Let Volumio 1.55 automatically start playing music after the Raspberry Pi is powered on. The RPi is used completely headless and without any buttons, and while it is fine that I can control it through my phone or a computer, I sometimes just want to start the music on random play by flicking a plain old power switch and nothing more.

After a lot of fiddling with /etc/rc.local I realized that the NAS is mounted only after my commands in rc.local were executed. A sleep may help, but rc.local is killed if you sleep too long ... argh, nasty!

Instead I decided to hardcode the autoplay into the PHP scripts directly. I don't know any PHP, but how hard can it be? :-)

Edit file /var/www/command/player_wrk.php and search for 'WORKER MAIN LOOP'.
Add the following lines before the '// --- WORKER MAIN LOOP --- //' line:

// Autoplay
sleep(5);                         // give the NAS mount a few seconds to appear
$cmd = 'amixer cset numid=3 1';   // try to force 3.5mm jack output; omit for own DAC or HDMI
exec($cmd);                       // exec() is the PHP builtin; each command is run in turn
$cmd = 'mpc repeat on';
exec($cmd);
$cmd = 'mpc random on';
exec($cmd);
$cmd = 'mpc consume off';
exec($cmd);
$cmd = 'mpc single off';
exec($cmd);
$cmd = 'mpc play';                // starts the playlist which was last active
exec($cmd);

The amixer line tries to force 3.5mm jack audio output. Not sure this works. Omit it if you use your own DAC or HDMI.
Not sure the sleep(5) is necessary. This is actually not specific for NAS and should work with any source. It should play the playlist which was last active. 

I would love to have this in the GUI, but I do not know how to hack that in.

Ah yes. Completely unrelated and just so I do not forget it: To get my TL-WN725N WLAN Dongle working with volumio 1.55 I had to download the firmware for it:
sudo wget https://github.com/lwfinger/rtl8188eu/raw/c83976d1dfb4793893158461430261562b3a5bf0/rtl8188eufw.bin -O /lib/firmware/rtlwifi/rtl8188eufw.bin


Mac OS X telnet escape character on a german keyboard is Ctrl+Ü

The title says it all. To get the telnet escape char (^]) in a Mac OS X Terminal, for example to quit telnet, you have to type Ctrl+Ü on a german keyboard.


Update Samsung SSD 840 EVO firmware on Zotac Linux server (poor read performance of old files).

My Samsung SSD 840 EVO was suffering from the apparently well known problem that 'old' files (files which have been written a long while ago and not touched since) had slow read transfer rates (as low as 5 MBytes/s in places, 29 MBytes/s for some big files I had).

I have a Zotac server without a CD drive, so I needed to run the Samsung Performance Restoration tool from USB. I used the DOS / Mac variant, which is a DOS bootable disk containing the update tool. The easiest way to prepare the USB stick is NOT to use the USB zip provided by Samsung but to use the *.iso file (Samsung_Performance_Restoration.iso) instead:

- Mount the ISO file and get the file ISOLINUX/BTDSK.IMG from it.
- dd the BTDSK.IMG directly onto a USB stick
- boot from the USB stick and follow the instructions

On my Zotac machine when booting from this USB stick I got a couple of broken error messages about not being able to boot from device XYZ, but it booted OK from the stick after a couple of seconds.

The performance restoration procedure took 4.5h for a 1TB SSD (60% full) and about 15h for another 1TB SSD (95% full), so expect this to take some time.

Both SSDs were not erased by the procedure.

Avoid hang of headless Zotac server on Ubuntu Linux reboot. (How to disable the graphical console for grub and the Linux kernel.)

My Zotac server did not reboot without a monitor attached, while booting from power-up did work ok. The graphical console of grub seemed to be the problem. Since I do not use the monitor output at all, not setting any graphics mode and using the 80x25 default console is fine for me. This is how to disable the graphical grub console:

Edit /etc/default/grub

Uncomment this line:

In addition I disabled setting any graphics mode in the Linux kernel and set the timeout to 1 second.

My /etc/default/grub  file now looks like this:
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`


Reboot time: The time between pressing enter after 'reboot' and being logged in again with ssh is 25s.


Copy files using rsync as root when the remote host does not allow root access and ssh is on a different port

  • Step 1: Make sure you can execute commands as root on the remote host after logging in, without entering your password. For this there are two alternative options:
    • You can allow the user to execute sudo without entering the user's password. You can do this by adding the following line to the end of /etc/sudoers:
      •      ALL=NOPASSWD: ALL
    • You can enter the sudo password in advance once and make sure it is cached between sessions. To make sure it is cached between sessions you must add the '!tty_tickets' option to the Defaults line in /etc/sudoers, and then you must run a dummy command as root:
      • Defaults        env_reset,!tty_tickets
      • ssh -p PORT -t USER@REMOTE_HOST sudo id
  • Step 2: Do the rsync. Override the ssh port. Specify "sudo rsync" as remote rsync command. Target the rsync at the non-root user which can now sudo:
    •  sudo rsync -avRe "ssh -p PORT" --rsync-path "sudo rsync" LOCAL_DIR USER@REMOTE_HOST:
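The first option above hands the backup user passwordless root for every command. Since the rsync step only ever runs "sudo rsync" on the remote host, the rule can be limited to that one binary; this is an added example, not from the original note, and it assumes rsync lives in /usr/bin/rsync and a drop-in file name of rsync-backup under /etc/sudoers.d.

```shell
#!/bin/sh
# Added example, not from the original note: a sudoers drop-in that lets the
# backup user run only rsync as root, instead of "ALL=NOPASSWD: ALL".
# Assumes rsync is /usr/bin/rsync and the drop-in is named rsync-backup.

# Weak rule from the note above: any command as root, no password asked.
weak_rule() {
    echo "$1 ALL=NOPASSWD: ALL"
}

# Narrow rule: only rsync (any arguments), so the "sudo rsync --server ..."
# started by --rsync-path still works while every other command keeps asking.
rsync_rule() {
    echo "$1 ALL=(root) NOPASSWD: /usr/bin/rsync"
}

# Write the narrow rule as a drop-in and let visudo check it before it goes live;
# a syntax error in sudoers.d would otherwise lock everybody out of sudo.
install_rsync_rule() {
    user=$1
    tmp=$(mktemp)
    rsync_rule "$user" > "$tmp"
    chmod 0440 "$tmp"
    if visudo -cf "$tmp"; then
        mv "$tmp" /etc/sudoers.d/rsync-backup
    else
        rm -f "$tmp"
        return 1
    fi
}

if [ -n "${1:-}" ]; then install_rsync_rule "$1"; fi
```

Run it as root with the backup user name as the argument; the rsync command from Step 2 then works unchanged.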


Ubuntu Linux: Show network throughput of network device eth0 etc in bytes: iftop -B

By default iftop shows the bandwidth in Bit/s

To show the bandwidth in Bytes/s
iftop -B


Quit screen on german keyboard

On a german keyboard the key binding for 'quit' in GNU screen does not seem to work for me (on Mac OS X). But one can simply invoke the quit command directly through the command mode:

  • Ctrl-A : quit

Save screen scrollback buffer to file


  • Ctrl-A : hardcopy -h file.txt

For me this saves a lot of leading blank lines, but this is ok.


Strip PDF restrictions on Mac OS X without any special tools

Assuming you have a PDF which has certain restrictions on it (for example you cannot edit the PDF using Preview in the usual way), but which you can print, this is how you can strip these restrictions from the PDF:

  • open the Printer Queue for your Printer
  • stop the Queue
  • print the PDF
    • now you should have a file starting with 'd' under /var/spool/cups which is an unprotected version of your PDF
  • in Terminal type sudo cp /var/spool/cups/d* ~/Desktop/d.pdf
    • this assumes there is just one file starting with a 'd' which is usually the case. If there are multiple files pick one by one until you have your file.
  • in Terminal type sudo chown foo:foo ~/Desktop/d.pdf (replace foo with your actual user name)
  • file ~/Desktop/d.pdf does not have any restrictions
  • in the Printer Queue delete the print job
  • start the Printer Queue
Note that this procedure does not allow you to strip passwords from files which you cannot print without a password. The restricted file must at least allow you to print the file.


Mac OS X Lion: Scan for wireless networks

Mac OS X Lion provides a command line tool to scan for wireless networks and print useful information about the networks:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Also, to see additional information about the currently active wireless connection hold down the Option key while clicking on the Airport Symbol in the menu bar.


Common bashrc settings

These are my personal preferences. Your preferences may differ.

alias e=jed
alias mv="mv -i"
alias cp="cp -i"
alias rm="rm -i"
complete -r
export LANG=C
export EDITOR=jed
export PATH=$PATH:${HOME}/bin


Zotac Zbox ID18 Linux Server

  • Zotac Zbox ID18
  • Samsung SSD 840 EVO 1TB
  • 4GB RAM (SODIMM 1600)
  • Ubuntu 13.10
Samsung SSD firmware update: The process is quite broken:

  • download the 'Windows' Firmware update for the 840 EVO
  • mount it
  • dd the btdsk.img onto a USB stick
  • put the USB stick into the Zotac
  • change the Zotac BIOS so it boots from the USB stick
  • reboot
  • ignore all error messages about missing partitions
  • eventually the Samsung Firmware Update program comes up
  • take note of the Firmware revision
  • follow the instructions of the program
  • wait
  • ignore the message about power cycling the SSD, since you cannot power cycle it in isolation
  • ignore the message about the firmware update being unsuccessful
  • reboot (still from the USB stick)
  • check that you have the new firmware revision
  • Linux shows: ata1.00: ATA-9: Samsung SSD 840 EVO 1TB, EXT0BB6Q, max UDMA/133)
The installation of Ubuntu is quite straight forward.
Recommended settings after installation:
  • Enable TRIM support and avoid unnecessary writes when reading files and dirs:
    • /etc/fstab:
    • UUID= /   ext4    discard,noatime,errors=remount-ro 0       1
  • Reduce amount of disk space reserved for root from 45GB to 1GB:
    • sudo tune2fs /dev/sda1 -m 0.1
  • Install sshd:
    • sudo apt-get install openssh-server
  • Install 'sensors' to check the CPU temp:
    • sudo apt-get install lm-sensors
    • sudo sensors-detect
    • sudo service kmod start
    • sensors
  • Install 'smartmontools' to see the SSD temp and other interesting data:
    • sudo apt-get install smartmontools
    • sudo smartctl -x /dev/sda | grep -i 'Current Temp'
  • Do not start GUI/X
    • edit /etc/default/grub:
      • GRUB_TIMEOUT=1
    • sudo jed /etc/default/grub
    • sudo update-grub
  • I like to install:
    • sudo apt-get install jed apcalc screen minidlna openssh-server samba emacs ispell subversion g++ imagemagick
  • If you have a couple of minutes:
    • sudo apt-get update
    • sudo apt-get upgrade
  • If you would like to manually TRIM the SSD:
    • sudo fstrim -v /
  • Install SAMBA:
Example /etc/samba/smb.conf:
    comment = Share on the Zotac
    path = /zotti
    browsable = yes
    guest ok = yes
    read only = no
    create mask = 0777
    veto files = /.*.pdf/.*.jpg/.DS_Store/._.DS_Store/.*.ini/.*.txt/.*.mov/.*.avi/.*.mpg/.*.png/
    delete veto files = yes
    hide dot files = yes
    hide unreadable = yes


jed settings for indent=4, just spaces, line numbers on, sane brace insertion

My favorite jed setting in $HOME/.jedrc
% For the following to work you _must_ comment out any c_set_style() call!
C_BRACE = 0;
C_Colon_Offset = 0;
public variable C_Class_Offset = 4;


Brother MFC-7440N Toner empty message

Today I again got the 'toner empty' message from my Brother MFC-7440N printer, for the second toner cartridge in this printer's life. I printed 3639 pages total (new toner since 2506 pages). The printer would not print any page any more (after showing the toner almost empty message for ages).

This time the 'tape across toner window' trick would not work, even with black tape. The 'toner empty' message would only go away after doing this strange procedure which probably resets some internal state so it re-checks the toner state:

Open the front cover, then press the Back (german:Storno) button (the left bottom one of the four round black buttons), then press * 0 0 and then * 1 0. (Do not press 1 or 2 as indicated in the display. This is for the drum.) After this the 'toner empty' and also the 'toner almost empty' messages were gone and I could perfectly print again.

A subset of * 0 0 and * 1 0 might be sufficient. Not 100% sure the black tape is necessary at all.

Now the printer is printing happily and in perfect quality again. Let's see for how long. :-)


Mac OS X Desktop Background is gray

One thing which bugged me was that every now and then my desktop background on my Mac Book Pro would turn plain medium gray at some point. I cannot even tell when this happens. Trying to reset the background image does not help when this occurs.

(I am using an external monitor connected to the Mac Book Pro and I put this configuration to sleep and I turn the monitor off at least once a day. I do not power down or reboot the laptop at all unless absolutely necessary.)

Logging out and back in solves the problem, but is of course tedious. I found a better workaround here: http://reviews.cnet.com/8301-13727_7-57389668-263/os-x-desktop-backgrounds-gray-after-waking-from-sleep/

  • open a Terminal 
  • type: killall Dock
The background image is managed by the Dock application which automatically restarts when killed. This is of course not a solution, but is a rather easy way to 'fix' this, until it happens again. :-)


Ubuntu 12.04: Boot Windows by default

If you have a dual-boot system with Ubuntu Linux and Windows and you would like to boot Windows by default instead of Ubuntu you will find two useful answers here:

I was using the GUI option since the manual option requires you to know the index of the Windows entry upfront (index starting at 0, for me Windows was at index 5).
This is what I did:

- Start a Terminal (search for 'Terminal' in one of the topmost icons), then paste/type this into the terminal:
sudo add-apt-repository ppa:danielrichter2007/grub-customizer
(enter password)
sudo apt-get update
sudo apt-get install grub-customizer
(program comes up)
- click Preferences
- select Windows as default
- Close
- Save
- close the program
- restart to test it, done


Viewing local manpages (files)

When I have an unformatted manpage file like foo.1 I always had big trouble looking at it. man foo.1 and setting the man path using -M did not help, and figuring out the usage of nroff manually is a pain. I found the answer here, which I just bluntly replicate for my (and potentially your) convenience: http://craiccomputing.blogspot.de/2007/01/viewing-local-man-pages.html Just specify an absolute or relative path to the file, like:
man ./foo.1


CPU Benchmark Intel Core i3-2350M vs Intel Core i7-2820QM

Today I benchmarked my i3 Linux laptop vs my i7 MacBook. The results are what I expected, though I am quite happy about the performance of the 'slow' i3, which is a really cheap Lenovo B570 mainstream notebook.

The benchmarks are of course rather meaningless.

  • Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz 
    • (dual core, 4 cores with hyperthreading, no turbo boost)
    • (in a Lenovo B570 M58GMGE, 8GB, Ubuntu 12.04)
    • (according to cat /proc/cpuinfo)
  • Intel(R) Core(TM) i7-2820QM CPU @ 2.30GHz
    • (quad core, 8 cores with hyperthreading, turbo boost up to 3.4GHz)
    • (in a MacBookPro8,2, 8GB, Mac OS 10.7.4)
    • (according to Temperaturmonitor 4.94)
Benchmark      i3     i7     speedup
g++-4.6        6.8s   3.9s   1.74x
calc           5.7s   4.2s   1.36x
Cinebench CPU  2.22P  4.63P  2.09x (i3 Win7, i7 OSX)
Cinebench GL   12.40  27.90  2.25x (i3 Win7, i7 OSX)
Cinebench CPU  -      1.24   -     (VirtualBox guest Windows 7, host OSX, 1 CPU)
Cinebench CPU  -      4.27   -     (VirtualBox guest Windows 7, host OSX, 8 CPUs)
(s in real time)

Benchmark command lines:
  • time make CXX=g++-mp-4.6 OPT=-O3 -j 20 
    • compiling streplace 0.9.36
    • just 5 parallel objects (does not fill the 8 slots of the i7)
  • time calc 'log(fact(11**5))'
    • single core
  • Cinebench 11.5 on Windows 7 SP1 and Mac OS X 10.7.4


I support this to the fullest:

Copyright-restriction-free Christmas songs from the Musikpiraten e.V.:


Create Booklet PDF service (Mac OS X)

I used this tool to print an A5 document as booklet with staples and four pages per sheet on Mac:


This worked for me from Word 2011 on Mac OS X Lion 10.7.1 and probably works for any other program as well as this is a universal PDF service (Create Booklet in the PDF menu button in every print dialog).