
How to fully encrypt your Linux system with LVM on LUKS


Security and privacy are two very important subjects, and every one of us, in one way or another, has sensitive data stored on a computer. While you can consider your data pretty safe on a home computer, on a laptop (or any portable device) the situation is very different. You carry your device with you and don’t want to lose all your precious data if it is stolen or lost. This is where system encryption comes in handy.

In this tutorial I will show you how to fully encrypt your system using two native Linux tools: LVM (for partitioning) and LUKS (for the actual encryption).

Why LVM on LUKS?

Imagine your hard drive is divided into at least two partitions: one for the root of your system and the other used as a swap partition. You could encrypt them separately, but then two passphrases will be asked for at boot time, and this is really annoying.

You could decide to avoid using a swap partition, or to encrypt it with a randomly generated key, but in both cases you would lose the ability to hibernate (more precisely, to resume from hibernation).

The solution is to use LVM partitioning: we will encrypt the whole disk with LUKS, then use the decrypted device as a physical volume and make it part of a volume group, which will contain as many logical volumes as we need, one for each partition we want. The only partition that must stay unencrypted is the boot partition, so for the most secure setup we will put it on an external device. Using LVM partitioning we won’t even need to create a partition table; we will use the raw disk instead.

Why do it from command line?

Most modern distribution installers offer the option to encrypt the disk graphically, so why do it from the CLI? The answer is in two words: more control. Most graphical installers offer no chance to fine-tune the encryption options, and none of them (that I know of) would encrypt the whole raw disk without creating a partition table. Sure, this may not matter to you, and in that case you can use the default (and usually good) options. Anyway, it’s always nice to know how things work under the hood.

First things first: fill your disk with random data

Before anything else, we need to fill the disk with random data, so that the whole device content looks uniformly random and no patterns can be discovered on it (for example, which zones of the disk hold data and which are empty). Filling a disk with random data can be very time consuming, especially on very large hard drives, but we can use a trick here: we will luksFormat the device first, and then fill the mapped device with zeros (zeros are much faster to generate than random data). Because of the encryption, the data is written to the disk as random-looking ciphertext, so we are actually using the LUKS device as a random data generator. At that point only the LUKS header will remain as clear data at the beginning of the disk, and we will overwrite it with random data from /dev/urandom.

Here’s the process in few steps:

1) Create the LUKS container

cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda

Note that you can obviously use different settings for the luksFormat command; the above is what I usually use. After that you will be asked to enter a passphrase for the encryption. It doesn’t matter if it’s not very secure at this point, because we will only use this device as a random data generator.

2) Open the encrypted device: the command below opens the luks device and maps it as “sda_crypt”

cryptsetup luksOpen /dev/sda sda_crypt

3) Now we fill this device with 0s using dd and /dev/zero as source:

dd if=/dev/zero of=/dev/mapper/sda_crypt bs=1M

4) The whole underlying disk now appears to be filled with random data, except for the LUKS header, which we are about to overwrite (you can take a look using the “hexdump /dev/sda | less” command). Usually the header takes a few Megabytes, but to avoid calculations we will bluntly cover the first 10 Megabytes of the disk. We will use dd with /dev/urandom as the random data source this time:

# first destroy the mapping
cryptsetup luksClose sda_crypt

# overwrite the header (20480 sectors of 512 bytes = 10 MiB)
dd if=/dev/urandom of=/dev/sda bs=512 count=20480

5) We now have a disk full of random data. Now for the serious stuff: just repeat steps 1 and 2, but this time use a very secure passphrase, because it will be the key that unlocks your disk.

6) Now we will use the mapped device as a physical volume:

pvcreate /dev/mapper/sda_crypt

7) Now create a volume group (I will name it “vg00”) that will contain the physical volume /dev/mapper/sda_crypt:

vgcreate vg00 /dev/mapper/sda_crypt

8) Create the logical volumes. I usually use four: one for root, one for the swap partition, one for /home and the other for a data partition, but this is obviously up to you. The “-l 100%FREE” option on the last line tells lvcreate to size the volume in logical extents instead of bytes, and to use all of the remaining free extents for that logical volume.

lvcreate -n lv00_swap -L 4G vg00
lvcreate -n lv01_root -L 30G vg00
lvcreate -n lv02_home -L 10G vg00
lvcreate -n lv03_data -l 100%FREE vg00

9) Now create the boot partition on a separate device, ideally a USB stick, and install GRUB on the MBR of that device. With this setup we will have both no clear-text partitions on our encrypted disk and no way to boot the system without the external device, which adds an extra layer of security.

Please remember that encryption protects your data only while the machine is powered off, i.e. before boot. Once you have booted and decrypted the disk you have no added protection. All you have to do now is install your system as usual, and enjoy full disk encryption!
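The following helpers are an added example for step 4 above and are not part of the original tutorial. Rather than guessing that 10 Megabytes covers the header, they read the payload offset reported by cryptsetup luksDump (the “Payload offset” line of a LUKS1 header, or the data-segment “offset: … [bytes]” line of a LUKS2 header, whose default data offset is 16 MiB and therefore larger than 10 MB), compute the number of 512-byte sectors dd must overwrite, and afterwards check that the LUKS magic bytes are gone from the start of the device. The luksDump text embedded below is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): size the header overwrite of
# step 4 from luksDump output and verify afterwards that no LUKS magic remains.

# Print the payload (data) offset in 512-byte sectors, reading luksDump on stdin.
# LUKS1 prints "Payload offset: <sectors>"; LUKS2 prints the data segment as
# "offset: <bytes> [bytes]" and is converted to sectors here.
payload_offset_from_dump() {
  awk '
    /^Payload offset:/      { print $3; exit }
    /^[ \t]*offset:.*bytes/ { print int($2 / 512); exit }
  '
}

# Sectors to pass to "dd count=": round the payload offset up to a whole MiB
# (2048 sectors) and add one MiB of margin so the whole header area is covered.
header_sectors_to_wipe() {
  payload_offset=$1
  mib=$(( (payload_offset + 2047) / 2048 + 1 ))
  echo $(( mib * 2048 ))
}

# Return 0 if the first 6 bytes of the file or device are the LUKS magic
# ("LUKS" followed by 0xba 0xbe), 1 otherwise. Run it on /dev/sda as root.
has_luks_header() {
  magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "4c554b53babe" ]
}

# Constructed sample of the relevant part of a LUKS1 luksDump (real dumps are longer).
SAMPLE_DUMP='LUKS header information for /dev/sda

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512'

# Typical use on the real device, as root, right after "cryptsetup luksClose sda_crypt":
#   sectors=$(cryptsetup luksDump /dev/sda | payload_offset_from_dump)
#   count=$(header_sectors_to_wipe "$sectors")
#   dd if=/dev/urandom of=/dev/sda bs=512 count="$count"
#   has_luks_header /dev/sda && echo "LUKS header still present, overwrite failed"
printf 'sample dump -> payload offset %s sectors, wipe %s sectors\n' \
  "$(printf '%s\n' "$SAMPLE_DUMP" | payload_offset_from_dump)" \
  "$(header_sectors_to_wipe "$(printf '%s\n' "$SAMPLE_DUMP" | payload_offset_from_dump)")"
```

Read the offset before the overwrite, since luksDump obviously cannot parse a header that has already been destroyed; the final check is the machine-readable equivalent of the “hexdump /dev/sda | less” look suggested in step 4.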

How to Kill Processes on the Linux Desktop with xkill

Linux is renowned for its stability, rigidness and superior error-free functionality, but no matter how advanced and bug-free a system may be, it is inevitable that things will break and windows will freeze/hang at some point. This is thankfully not disastrous at all, as Linux users can utilize smart tools and commands that will allow them to get rid of those nasty “not responding” applications instantly!

Read more at HowtoForge

How To: Install/Upgrade to Linux Kernel 4.0.4 in Ubuntu/Linux Mint Systems

The Linux Kernel 4.0.4 is now available for the users, announced Linus Torvalds. This Linux Kernel version comes with plenty of fixes and improvements. This article will guide you to install or upgrade to Linux Kernel 4.0.4 in your Ubuntu or Linux Mint system.

Read more at YourOwnLinux

How To: Speed Up File Transfers in Linux using RSync with GNU Parallel

In order to rsync a huge chunk of data (containing a considerably large number of smaller files), the best option one can have is to run multiple instances of rsync in parallel. This seems to be pretty effective, but at the cost of high load average, more I/O operations and network bandwidth utilization.

So as to parallelize multiple rsync commands, one might use xargs or a series of rsync commands run in the background using &. But, over all of those alternatives, I would prefer GNU Parallel, a utility used to execute jobs in parallel. It is a single command that can replace certain loops in your code or a sequence of commands run in background.
 
Read more at YourOwnLinux

9 First Steps with Ubuntu 15.04

One of the first things to do with a new release of Ubuntu is to check for updates. Typically, I won’t upgrade to the latest release immediately, so there’s always quite a few updates since the release. There’s a handy Software Updater tool which makes the updating process painless.

Read article at http://www.linuxlinks.com/article/20150516044302592/Ubuntu1504.html

Install Linux on a Modern WiFi Router: Linksys WRT1900AC and OpenWrt


The Linksys WRT1900AC is a top-end modern router that gets even sweeter when you unleash Linux on it and install OpenWrt. OpenWrt includes the opkg package management system giving you easy access to a great deal of additional open source software to use on your router. If you want the pleasure of SSH access on your router, the ability to use iptables on connections passing through it, and the ability to run various small servers on it, the Linksys WRT1900AC and OpenWrt are a powerful combination.

From a hardware perspective, the Linksys WRT1900AC includes simultaneous dual band with support for 802.11n (2.4 GigaHertz) up to 600 Megabytes per second and 802.11ac (5 GHz) up to 1.3 Gigabytes per second. This lets you connect your older devices to 802.11n, while newer hardware can take advantage of the greater speed and less congested 802.11ac signal.

The router has a dual-core Marvell Armada 370/XP CPU with 256 MB of RAM and 128 MB of flash storage. You can also attach more storage to the WRT1900AC using its USB 3.0 and eSATA ports. When using OpenWrt you might also like to attach a webcam and printer to the router. The Linksys WRT1900AC has a 4 port gigabit switch and a gigabit upstream WAN port.

Initial setup

The stock firmware that comes with the Linksys WRT1900AC uses a very simple four-step procedure for initial setup. I only partially followed the recommended setup steps.

Step 1: Connect the antennae and power.

Step 2: Connect your upstream “Internet” link to the appropriate port on the router.

Step 3: Connect to the wifi signal from the router. You are given a custom wireless network name and password which appears to be set differently for each individual router. This step 3 nicely removes the security vulnerability inherent in initial router setup, because your router will have a custom password right from the first time you power it on.

Step 4: Log in to linksyssmartwifi.com and setup the router.

Instead of directly connecting to the Internet port, I used one of the 4 gigabit switch ports to attach the router to the local LAN. This made using the linksyssmartwifi.com website at step 4 not work for me. I could create an account on the smartwifi site, but it wanted me to be connected through the wifi router in order to adjust the settings.

You can however set up the router without needing to use any remote websites. The Linksys will appear at 192.168.1.1, and connecting a laptop to the wifi router and manually forcing the laptop’s IP address to 192.168.1.2 allowed me to access the router configuration page. At that stage the Connectivity/Local Network page lets you set the IP address of the router to something that fits into your LAN in a non-conflicting manner (and on the subnet you are using), and also disable the DHCP server if you already have one configured.

The initial screen I got when I was connecting directly using 192.168.1.1 again wanted to take me off to a remote website, though you can click through to avoid having to do that if you want.

I tried to attach a 120 GB SanDisk Extreme SSD to test eSATA storage. Unfortunately ext4 is not a supported filesystem for External Storage in the stock firmware. It could see /dev/sda1 but 0 kilobytes used of 0 kb total space. Using a 16 GB flash pen drive formatted to FAT filesystem was fine; the ftp service was started and the drive showed up as a Samba share, too.

Switching over to OpenWrt

At the time of writing the options for installing OpenWrt on the device were changing. There were four images which offered Linux kernel version 3.18 or 4.0 and some level of extra fixes and updates depending on the image you chose. I used Kaloz’s evolving snapshots of trunk linked at openwrt_wrt1900ac_snapshot.img.

Flashing the image onto the router is very simple as you use the same web interface that is used to manually install standard firmware updates. The fun, and moments of anxiety that occur after the router reboots are familiar to anyone who has ever flashed a device.

When the router reboots you will not have any wifi signals at all from it. The router will come up at a default IP address of 192.168.1.1. The easiest method to talk to the router is to use a laptop and force the ethernet interface to an address of 192.168.1.2. Using a trunk distribution of OpenWrt you are likely not to have a useful web interface on the router. Visiting 192.168.1.1 will likely show an empty web server with no files.

When falling back to trying to do an SSH or network login to the router, another little surprise awaits. Trying to SSH into the router showed that a connection was possible but I was unable to connect without any password. Unfortunately, OpenWrt sets the default password to nothing, creating a catch-22 with SSH not allowing a login with no password, so connection seemed impossible. The saving grace is that telnet is also running on the router and after installing the telnet client on the laptop I could login without any password without any issue. Gaining access to the router again was a tremendous relief.

In the telnet session you can use the passwd command to set a password and then you should be able to login using SSH. I opted to test the SSH login while the telnet session was still active so that I had a fallback in case login failed for some reason.

To make the web interface operational you will have to install the LuCI package. The below commands will do that for you. If you need to use a proxy to get to the Internet the http_proxy, https_proxy, and ftp_proxy environment variables will be of use. Again you might run into a little obstacle here, with the router on the 192.168.1.0/24 subnet it might not be able to talk with your existing network if it is on the often used 192.168.0.0/24 subnet. I found that manually forcing the IP address to a 192.168.0.X address using ifconfig on br-lan changed the address for bridged ports and everything moved to that subnet. This is not a permanent change, so if it doesn’t work rebooting the router gets you back to 192.168.1.0/24 again. It is easy to change this for good using LuCI once you have that installed.

export http_proxy=http://192.168.1.10
opkg update
opkg install luci

Once you have LuCI installed the rest of the router setup becomes point and click by visiting the web server on your router. To enable WiFi signals, go to the Network/Wifi page which gives you access to the two radios, one for 2.4 GHz and the newer 5 GHz 802.11ac standard. Each radio will be disabled by default. Oddly, I found that clicking edit for a radio and scrolling down to the Interface Configuration and the Wireless Security page, the default security was using “No Encryption.” I would have thought WPA2-PSK was perhaps a better default choice. So getting a radio up and running involved setting an ESSID, checking the Mode (I used Access Point), and setting the Wireless Security to something other than nothing and setting a password.
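Because an open radio is the default the article found, it is worth having a quick audit of the router’s wireless configuration after setup. The script below is an added example, not code from the article or from OpenWrt: it reads a UCI-format wireless config (normally /etc/config/wireless) and prints the SSID of every wifi-iface section whose encryption is “none”, a WEP variant, or missing altogether (a missing encryption option means an open network). The embedded config is a constructed sample; the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original article): list wifi-iface sections in an
# OpenWrt /etc/config/wireless file that are open, WEP, or have no encryption set.

open_wifi_ifaces() {
  # q carries a literal single quote so awk can strip UCI value quoting.
  awk -v q="'" '
    # Emit the SSID of the section just finished if its encryption is missing/weak.
    function report() {
      if (in_iface && (enc == "" || enc == "none" || enc ~ /^wep/))
        print (ssid == "" ? "(no ssid)" : ssid)
      in_iface = 0; ssid = ""; enc = ""
    }
    /^[ \t]*config[ \t]+wifi-iface/ { report(); in_iface = 1; next }
    /^[ \t]*config[ \t]/            { report(); next }   # any other section type
    in_iface && /^[ \t]*option[ \t]+ssid[ \t]/ {
      sub(/^[ \t]*option[ \t]+ssid[ \t]+/, ""); gsub(q, ""); ssid = $0
    }
    in_iface && /^[ \t]*option[ \t]+encryption[ \t]/ {
      sub(/^[ \t]*option[ \t]+encryption[ \t]+/, ""); gsub(q, ""); enc = $0
    }
    END { report() }
  ' "${1:-/etc/config/wireless}"
}

# Constructed sample config: one open AP, one WEP AP, one WPA2-PSK AP and one
# guest AP that simply never had an encryption option set.
SAMPLE_WIRELESS=$(cat <<'EOF'
config wifi-device 'radio0'
    option type 'mac80211'
    option disabled '0'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'

config wifi-iface 'legacy'
    option device 'radio0'
    option mode 'ap'
    option ssid 'Legacy'
    option encryption 'wep-open'

config wifi-iface 'home'
    option device 'radio1'
    option mode 'ap'
    option ssid 'Home 5GHz'
    option encryption 'psk2'
    option key 'example-passphrase-change-me'

config wifi-iface 'guest'
    option device 'radio1'
    option mode 'ap'
    option ssid 'Guest'
EOF
)

# Demo against the constructed sample; on the router just run: open_wifi_ifaces
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_WIRELESS" > "$demo_file"
echo "Interfaces without usable encryption:"
open_wifi_ifaces "$demo_file"
rm -f "$demo_file"
```

On the router the script needs only the BusyBox awk that OpenWrt ships, so it can run from the telnet or SSH session described above; an empty result means every configured interface has some WPA-class encryption set.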

Many of the additional features you might install with opkg also have a LuCI support package available. For example, if you want to run a DLNA server on the Linksys WRT1900AC the minidlna package is available, and a luci-app-minidlna package will let you manage the server right from the LuCI web interface.

opkg install minidlna
opkg install luci-app-minidlna

Although the Linksys WRT1900AC has 128 MB of flash storage, it is broken up into many smaller partitions. The core /overlay partition had a size of only 24.6 MB with /tmp/syscfg being another 30 MB partition of which only around 300 KB was being used. While this provides plenty of space to install precompiled software, there isn’t enough space to install gcc onto the Linksys WRT1900AC/OpenWrt installation. I have a post up asking if there is a simple method to use more of the flash on the Linksys WRT1900AC from the OpenWrt file system. Another method to gain more space on an OpenWrt installation is to use an extroot, where the main system is stored on external storage. Perhaps with the Linksys WRT1900AC this could be a partition on an eSATA SSD.

If you don’t want to use extroot right away, another approach is to use another ARM machine that is running a soft floating point distribution to compile static binaries. Those can be transferred over using rsync to the OpenWrt installation on the Linksys WRT1900AC. An ARM machine is either using soft or hard floating point, and generally everything is compiled to work with one or the other. To see which version of floating point your hardware is expecting you can use the readelf tool to sniff at a few existing binaries as shown below. Note the soft-float ABI line in the output.

root@linksys1900ac:~# readelf -a /bin/bash|grep ABI
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Flags:                             0x5000202, has entry point, Version5 EABI, soft-float ABI

I tried to get push button WPS setup to work from OpenWrt without success. I had used that feature under the standard firmware so it is able to work and makes connecting new devices to the router much simpler.

I also notice that there are serial TTL headers on the Linksys WRT1900AC and a post shows a method to reflash the firmware directly from uboot. I haven’t tried this out, but it is nice to see as a possible final ditch method to resurrect a device with non functioning firmware.

Another useful thing is to set up users other than root to use on the OpenWrt installation so that you have less risk of interrupting normal router activity. You might like to install the shadow utils and sudo in order to do this, as shown below:

  root@wrt1900ac:/dev# opkg install sudo
  root@wrt1900ac:/dev# opkg install shadow-useradd shadow-groupadd
  root@wrt1900ac:/dev# sudo -u ben bash

I found that the fan came on when the Linksys WRT1900AC was booting into OpenWrt. The fan was turned off again soon after. The temperature readings are available using the sensors command as shown below.

root@wrt1900ac:~# sensors 
tmp421-i2c-0-4c
Adapter: mv64xxx_i2c adapter
ddr:          +52.8 C  
wifi:         +55.1 C  
armada_thermal-virtual-0
Adapter: Virtual device
cpu:          +61.7 C  

Performance

Using an LG G3 phone with Android 5, the Wifi Network Analyzer app indicated a speed of 433 Mbps with the phone about a foot from the router. That speed dropped back to around 200 Mbps when I moved several rooms away. The same results were given using the stock firmware and the OpenWrt image.

Running iperf (2.0.5) on the OpenWrt installation and a Mid 2012 Macbook Air gave a Bandwidth of 120 Mbps. The same client and server going through a DLink DIR-855 at a similar distance on 5 GHz gave only 82 Mbps. Unfortunately the Mac only has wifi-n on it as wifi-ac was added to the next year’s model.

The LG G3 running Android 5 connected to the wifi-ac network using the iperf app could get 102 Mbps. These tests were run by starting the server with ‘-s’ and the client with ‘-c server-ip-address’. The server, which was running on the Linksys WRT1900AC/OpenWrt machine, chose a default of 85 kb TCP window size for these runs. Playing with window sizes I could get about 10 percent additional speed on the G3 without too much effort.

I connected a 120 GB SanDisk Extreme SSD to test the eSATA performance. For sequential IO Bonnie++ could write about 89 Mbps and read 148 Mbps and rewrite blocks at about 55 Mbps. Overall 5,200 seeks/s were able to be done. This compares well for read and rewrite with the eSATA on the Cubox which got 150 Mbps and 50 Mbps respectively. The Cubox could write at 120 Mbps which is about 35 percent faster than the Linksys WRT1900AC. This is using the same ext4 filesystem on both machines; the drive was just moved to each new machine.

bonnie++ -n 0 -f -m Linksys1900ac -d `pwd` 

OpenSSL performance for digests was in a similar ballpark to the BeagleBone Black and CuBox i4Pro. For ciphers the story was very different depending on which algorithm was used, DES and AES-256 were considerably slower than other ARM machines, whereas Blowfish and Cast ran at similar speeds to many other ARM CPUs. For 1,024 bit RSA signatures the Linksys WRT1900AC was around 25-30 percent the performance of the more budget ARM CPUs.

[Charts: OpenSSL digest, cipher and RSA-sign benchmarks for the Linksys router compared with other ARM boards]

Final Thoughts

It is great to see that LuCI gives easy access to the router features and even has “app” packages to let you configure some of the additional software that you might like to install on your OpenWrt device. OpenWrt images for the Linksys WRT1900AC are a relatively recent development. Once a recommended stable image with LuCI included is released it should mitigate some of the tense moments that reflashing can present at the moment. The 177+ pages on the OpenWrt forum for the Linksys WRT1900AC are testament to the community interest in running OpenWrt on the device.

It is wonderful to see the powerful hardware that the Linksys WRT1900AC provides being able to run OpenWrt. The pairing of Linux/FLOSS and contemporary hardware lets you customize the device to fit your usage needs. It is reassuring to know that you can not only SSH in, but that rsync is ready for you and that your programming language of choice can be installed on the device for those little programs that you want to have available all the time but for which you don’t really want to leave a machine on. There are also some applications which work well on the router itself, for example packet filtering: a single policy on the router can block tablets and phones from connecting to your work machines.

We would like to thank Linksys for providing the WRT1900AC hardware used in this article.

Arduino Shrinks Linux-Ready Yún to “Mini” Size

Arduino announced a smaller, cheaper “Mini” version of the Arduino Yún SBC that offers fewer real-world ports, but gives more control to Linux. Arduino, the Italian-based project that designs the official line of Arduino hacker boards, announced a $60 Arduino Yún Mini SBC today at the Maker Faire Bay Area. This was the same event […]

Read more at LinuxGizmos

RadeonSI Gallium3D Driver To Be Enabled For Android

With the latest Mesa patch series by Chih-Wei Huang of Android-x86, the AMD RadeonSI Gallium3D driver is to be enabled…

Read more at Phoronix

Latest Atheros IoT SoCs include OpenWRT-friendly model

Qualcomm has launched two WiFi-enabled SoCs that support the AllJoyn IoT standard, including a 650MHz, MIPS-based “QCA4531” SoC that runs OpenWRT Linux. Qualcomm’s Atheros business unit has enjoyed wide adoption of its WiFi-enabled, MIPS-based AR9331 system-on-chips running OpenWRT Linux. The chipmaker is now introducing two new Internet of Things processors: a low-end, RTOS-driven QCA401x, and […]

Read more at LinuxGizmos

ScudCloud: Unofficial Slack Client for Linux

Slack is a team communication platform which features persistent chat rooms organized by topic, private groups and direct messaging, all searchable from one search box. Furthermore, the app integrates with Google Docs and Dropbox, GitHub and many others.

Slack provides apps for Windows, Mac, iOS and Android but unfortunately there’s no official Linux client. There is a web version which can be used on any OS, but it lacks the features available in the official desktop clients like native notifications and so on.

To get proper Linux desktop integration for Slack, WebUpd8 reader Rael has created ScudCloud, an unofficial open source Slack client for Linux, which provides native notifications, unread message count on the Unity Launcher or tray and more.

Read more at WebUpd8.