Stretch : mount Jessie encrypted HDD via USB

2017-10-31 Thread commentsabout
Hello,

I'm trying to connect my old Jessie HDD via USB in order to transfer
files to my new Stretch system (details below). It does not work out of
the box because it is encrypted, how should I proceed?

- I only have a laptop;

- 1 old HDD with Jessie (guided encrypted LVM install);

- 1 new SSD with Stretch (guided encrypted LVM install), this drive is
in the laptop;

- 1 S-ATA to USB adapter.

Needless to say that I have the passphrase for both systems. I am
actually worried about damaging the Jessie system by using wrong commands
so I am looking for help.

Thank you in advance :)

CA



Re: Encrypted RAID1 for storage with Debian Stretch

2017-08-31 Thread commentsabout
Hello,

Thank you for your answer.

On 2017-08-31 03:56, David Christensen wrote:
> On 08/30/17 04:28, commentsab...@riseup.net wrote:
> ...
>> Here is a picture of what I'm trying to achieve:
>> https://imgur.com/a/DAM8D (the "Today" column).
>>
>> I am trying to build a home backup system. The system (Debian Stretch)
>> will be on a SSD. For the time being, I only have one pair of HDDs (the
>> "Today" column in the picture) ; in the future (the "Future" column), I
>> would like to add other pairs of HDDs to store other kinds of data.
>>
>> This backup system will only be turned on when needed, I don't plan on
>> using it as some sort of server or a NAS.
>>
>> We are talking about software RAID1.
>>
>> I would like everything to be encrypted (FDE), from the system (/ and
>> /swap) to the RAID1 drives.
>>
>> Debian will be installed via a USB stick.
>>
>> If possible, I would like to have different encryption keys for the
>> system and the various RAID1 pairs (in the "Future" column in the
>> picture, one for the system, one for "work", one for "family", one for
>> "misc"). So that I can give the system encryption passphrase, "family"
>> and "misc" ones to my wife and keep the "work" one for myself.
>>
>> As stated in another mail of the thread, I'm a complete noob when it
>> comes to this kind of operation so I'm looking for a step by step ELI5
>> explanation (I have tried to use the Debian graphical installer to
>> achieve this but have failed because I was just messing around with the
>> options trying to figure out what to do).
>>
>> For the sake of the discussion: here is the complete archive of this
>> thread
>> https://groups.google.com/forum/#!topic/linux.debian.user/jjdr6LXaOm8
>>
>> You'll notice that Joshua Schaeffer provided what seems to be a complete
>> solution but I have no idea how to go from "I have my computer with all
>> the drives plugged in, Debian installer on USB stick and I launched the
>> graphical installer" to "enter these commands into a terminal to achieve
>> what you are trying to do" :
>> https://groups.google.com/d/msg/linux.debian.user/jjdr6LXaOm8/Pals7djzAAAJ
>>
>> Note: I am not criticizing Joshua's answer in any way, I am grateful for
>> it, I am just underlining (once again) the fact that I am a noob on this
>> topic :)
>>
>> Thank you in advance for your help :)
>>
>> CA
>>
>> PS: at the time of my first mail, Stretch wasn't the "stable" release
>> yet (I have now updated the title from "Jessie" to "Stretch")
> 
> STFW you might find step-by-step instructions for something similar to
> what you want, but this is Linux and the whole point is to learn
> enough to do it yourself.

I did, I couldn't find anything extensive enough.

I'm not asking "just tell me what to do", I'm asking "people have
undoubtedly already done that, please share your experience with me,
tell me what to do and explain to me what I'm doing". If I wanted to get
something working out of the box, or somebody doing the work for me, I
would just have purchased a Synology or the like.

As you said, this is Linux, and part of the cake is its community.

> The most common Linux encryption technology is variously called LUKS
> and dm-crypt.  The command-line administration tool is cryptsetup(8).
> 
> There are at least two ways to do software RAID on Linux:
> 
> 1.  MD arrays -- the administration tool is mdadm(8).
> 2.  LVM RAID -- the administration tool is lvm(8).
>
> Start by STFW the underlying technologies:
> 
> https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
> 
> https://en.wikipedia.org/wiki/Mdadm
> 
> https://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)
> 
> Then RTFM the tools:
> 
> https://linux.die.net/man/
> 
> If you want to combine encryption and RAID 1, you're going to need to
> choose between encrypting one RAID volume or RAID'ing two encrypted
> volumes.  There are trade-off's either way.  A primary consideration
> will be whether or not you have a processor with AES-NI:
> 
> https://en.wikipedia.org/wiki/AES_instruction_set

I don't :
https://ark.intel.com/products/78867/Intel-Celeron-Processor-J1900-2M-Cache-up-to-2_42-GHz

So, what would be the most efficient? I guess that encrypting one drive
and having the other one blindly copying every bit is the proper method.

Does it have any impact on the reliability of the setup? If the "system"
ssd fails, would I be able to reinstall Debian on a new drive and plug
the RAID drives in a plug-and-play fashion? Should I care about the
"system" redundancy? Are the encryption keys stored on the "system"
drive or on the RAID drives (one of them, both?) ?

> Read up the links above and then post when you're ready.

I am all for the RTFM approach; nevertheless, this is like telling
someone who is trapped in a nuclear facility with leaking hazardous
material and asking for a way out : "here are the blueprints for the
facility, the 1200 pages `The Art of Electronics` book, and a playlist
of defcon talks about lockpicking, call us back when 

Re: Encrypted RAID1 for storage with Debian Jessie

2017-08-30 Thread commentsabout
(there was a problem with my subscription to the list, I am not sure
that my previous mail went through, copy/pasting it again just in case -
sorry for the spam if you received it twice)

Hello,

On 2017-06-07 06:11, Andy Smith wrote:
> On Wed, May 10, 2017 at 11:41:30PM +, commentsab...@riseup.net wrote:
>> From there on, how should I proceed ?
> 
> What is your goal? Exactly what setup do you have now?
> 
> You are not making it easy for people to help you as your email does
> not thread back to whatever you were discussing before. So I'm
> afraid you'll have to remind us.
> 
> If you're just looking to set up software RAID with encryption, all
> of that can be done from the Debian installer.

Sorry, I'll start again from the beginning :

Here is a picture of what I'm trying to achieve:
https://imgur.com/a/DAM8D (the "Today" column).

I am trying to build a home backup system. The system (Debian Stretch)
will be on a SSD. For the time being, I only have one pair of HDDs (the
"Today" column in the picture) ; in the future (the "Future" column), I
would like to add other pairs of HDDs to store other kinds of data.

This backup system will only be turned on when needed, I don't plan on
using it as some sort of server or a NAS.

We are talking about software RAID1.

I would like everything to be encrypted (FDE), from the system (/ and
/swap) to the RAID1 drives.

Debian will be installed via a USB stick.

If possible, I would like to have different encryption keys for the
system and the various RAID1 pairs (in the "Future" column in the
picture, one for the system, one for "work", one for "family", one for
"misc"). So that I can give the system encryption passphrase, "family"
and "misc" ones to my wife and keep the "work" one for myself.

As stated in another mail of the thread, I'm a complete noob when it
comes to this kind of operation so I'm looking for a step by step ELI5
explanation (I have tried to use the Debian graphical installer to
achieve this but have failed because I was just messing around with the
options trying to figure out what to do).

For the sake of the discussion: here is the complete archive of this
thread : 
https://groups.google.com/forum/#!topic/linux.debian.user/jjdr6LXaOm8

You'll notice that Joshua Schaeffer provided what seems to be a complete
solution but I have no idea how to go from "I have my computer with all
the drives plugged in, Debian installer on USB stick and I launched the
graphical installer" to "enter these commands into a terminal to achieve
what you are trying to do" :
https://groups.google.com/d/msg/linux.debian.user/jjdr6LXaOm8/Pals7djzAAAJ

Note: I am not criticizing Joshua's answer in any way, I am grateful for
it, I am just underlining (once again) the fact that I am a noob on this
topic :)

Thank you in advance for your help :)

CA

PS: at the time of my first mail, Stretch wasn't the "stable" release
yet (I have now updated the title from "Jessie" to "Stretch")



Re: Encrypted RAID1 for storage with Debian Stretch

2017-08-30 Thread commentsabout
Hello,

On 2017-06-07 06:11, Andy Smith wrote:
> On Wed, May 10, 2017 at 11:41:30PM +, commentsab...@riseup.net wrote:
>> From there on, how should I proceed ?
> 
> What is your goal? Exactly what setup do you have now?
> 
> You are not making it easy for people to help you as your email does
> not thread back to whatever you were discussing before. So I'm
> afraid you'll have to remind us.
> 
> If you're just looking to set up software RAID with encryption, all
> of that can be done from the Debian installer.

Sorry, I'll start again from the beginning :

Here is a picture of what I'm trying to achieve:
https://imgur.com/a/DAM8D (the "Today" column).

I am trying to build a home backup system. The system (Debian Stretch)
will be on a SSD. For the time being, I only have one pair of HDDs (the
"Today" column in the picture) ; in the future (the "Future" column), I
would like to add other pairs of HDDs to store other kinds of data.

This backup system will only be turned on when needed, I don't plan on
using it as some sort of server or a NAS.

We are talking about software RAID1.

I would like everything to be encrypted (FDE), from the system (/ and
/swap) to the RAID1 drives.

Debian will be installed via a USB stick.

If possible, I would like to have different encryption keys for the
system and the various RAID1 pairs (in the "Future" column in the
picture, one for the system, one for "work", one for "family", one for
"misc"). So that I can give the system encryption passphrase, "family"
and "misc" ones to my wife and keep the "work" one for myself.

As stated in another mail of the thread, I'm a complete noob when it
comes to this kind of operation so I'm looking for a step by step ELI5
explanation (I have tried to use the Debian graphical installer to
achieve this but have failed because I was just messing around with the
options trying to figure out what to do).

For the sake of the discussion: here is the complete archive of this
thread
https://groups.google.com/forum/#!topic/linux.debian.user/jjdr6LXaOm8

You'll notice that Joshua Schaeffer provided what seems to be a complete
solution but I have no idea how to go from "I have my computer with all
the drives plugged in, Debian installer on USB stick and I launched the
graphical installer" to "enter these commands into a terminal to achieve
what you are trying to do" :
https://groups.google.com/d/msg/linux.debian.user/jjdr6LXaOm8/Pals7djzAAAJ

Note: I am not criticizing Joshua's answer in any way, I am grateful for
it, I am just underlining (once again) the fact that I am a noob on this
topic :)

Thank you in advance for your help :)

CA

PS: at the time of my first mail, Stretch wasn't the "stable" release
yet (I have now updated the title from "Jessie" to "Stretch")



Re: How to attach a fully encrypted drive to Stretch

2017-06-26 Thread commentsabout
Hello,

On 2017-06-26 19:36, Eduardo M KALINOWSKI wrote:
> On 26-06-2017 16:28, commentsab...@riseup.net wrote:
>> I have an adapter to connect my older Jessie (fully encrypted) SATA HDD
>> to a USB port. Simply plugging the older disk/adapter into the freshly
>> installed Stretch doesn't seem to work (I'm not being prompted for a
>> passphrase).
>>
>> What is the proper way to access the data on that drive when connected
>> to the host system via a USB adapter ?
>>
>> I found an answer on
>> 
>> but do not know if it is valid and am not keen on running undocumented
>> commands/commands that I do not understand.
> 
> Assuming the disk is a LUKS encrypted volume (the default since who
> knows when), the command is exactly the one in your link.

Thank you for your answer.

There are actually several answers on the Stack Exchange thread, which
one is the right one ?

This one ?

> cryptsetup luksOpen /dev/sdb1 disk2
> modprobe dm-mod
> vgchange -ay
> mount /dev/disk2/disk2 /disk2


CA
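
Added example (not part of the original message or of the answer it quotes): the same open / activate / mount sequence, arranged so that nothing is written to the old disk, plus the matching teardown. `/dev/sdX5`, the mapper name, the VG/LV names and the mount point are placeholders, and an ext4 root filesystem is assumed.

```shell
#!/bin/sh
# Added example: attach an old "guided encrypted LVM" disk over USB without
# writing to it. Device, mapper, VG/LV and mount-point names are placeholders;
# find the real ones with lsblk and pvs. Needs root unless DRY_RUN=1, which
# prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Read VG names (one per line, as printed by `vgs --noheadings -o vg_name`)
# and print every name that occurs more than once.
duplicate_vgs() {
    awk 'NF { seen[$1]++ } END { for (n in seen) if (seen[n] > 1) print n }' | sort
}

# open_old_disk <luks-partition> <mapper-name> <vg> <lv> <mount-point>
open_old_disk() {
    part=$1
    name=$2
    vg=$3
    lv=$4
    mnt=$5
    # isLuks only reads the header; stop here if this is the wrong partition.
    run cryptsetup isLuks "$part" || { echo "not a LUKS device: $part" >&2; return 1; }
    # Prompts for the old passphrase. --readonly makes the decrypted mapping
    # read-only, so LVM and the filesystem on top of it cannot modify the disk.
    run cryptsetup open --readonly --type luks "$part" "$name" || return 1
    run vgscan || return 1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Assumption to verify: guided installs derive the VG name from the
        # hostname, so the old and the new disk may carry the same VG name.
        dups=$(vgs --noheadings -o vg_name | duplicate_vgs)
        if [ -n "$dups" ]; then
            echo "VG name used twice: $dups" >&2
            run cryptsetup close "$name"
            return 2
        fi
    fi
    run vgchange -ay "$vg" || return 1
    run mkdir -p "$mnt" || return 1
    # ro + noload: ext4 does not replay its journal, which would need write access.
    run mount -o ro,noload "/dev/$vg/$lv" "$mnt"
}

# close_old_disk <mapper-name> <vg> <mount-point>: undo the steps in reverse order.
close_old_disk() {
    run umount "$3" && run vgchange -an "$2" && run cryptsetup close "$1"
}
```

Run it first with `DRY_RUN=1` to read the exact commands before anything touches the disk.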



How to attach a fully encrypted drive to Stretch

2017-06-26 Thread commentsabout
Hello,

Rather than upgrading my Jessie system, I decided to go with a fresh
install of Stretch on a new SSD.

I have an adapter to connect my older Jessie (fully encrypted) SATA HDD
to a USB port. Simply plugging the older disk/adapter into the freshly
installed Stretch doesn't seem to work (I'm not being prompted for a
passphrase).

The encryption on Jessie was done at install time following the guided
install ("use entire disk and setup encrypted LVM").

What is the proper way to access the data on that drive when connected
to the host system via a USB adapter ?

I found an answer on

but do not know if it is valid and am not keen on running undocumented
commands/commands that I do not understand.

Thank you in advance for your help :)

CA



Re: Encrypted RAID1 for storage with Debian Jessie

2017-06-06 Thread commentsabout
Hello,

Giving this thread a UP, would anyone be able to help me?

On 2017-05-10 23:41, commentsab...@riseup.net wrote:
> I'm a complete noob when it comes to this kind of operation, so,
> sorry for the dumb question : following tv.debian@'s advice, I
> purchased a cheap SSD and installed my system on it (the SSD, and one
> pair of HDD are plugged in). From there on, how should I proceed ?
> 
> Thanks in advance for your help.

Best,
CA



Re: Encrypted RAID1 for storage with Debian Jessie

2017-05-10 Thread commentsabout

Hello,

On 2017-04-19 09:11, tv.deb...@googlemail.com wrote:

> System on usb flash disks always caused me troubles, I use it only if
> the system can be loaded in ram at boot time and the drive isn't used
> for write operation. A low-end small SSD would be a far better option
> in my opinion.


Thanks for the advice. I managed to find a 40 GB Intel SSD, for under
30€ :)


On 2017-04-19 15:06, Joshua Schaeffer wrote:

> I can't speak to your system being on USB, but in general you can just
> do something like the following:
>
> $ mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda /dev/sdb
> $ mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdc /dev/sdd
> $ mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sde /dev/sdf
>
> If you want to use LVM then you create the PV, VG, and LV:
>
> $ pvcreate /dev/md0
> $ pvcreate /dev/md1
> $ pvcreate /dev/md2
> $ vgcreate vg_data1 /dev/md0
> $ vgcreate vg_data2 /dev/md1
> $ vgcreate vg_data3 /dev/md2
> $ lvcreate vg_data1 -n lv_data1 -L
> $ lvcreate vg_data2 -n lv_data2 -L
> $ lvcreate vg_data3 -n lv_data3 -L
>
> Then create your LUKS partition:
>
> $ cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data1 vg_data1-lv_data1_crypt
> $ cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data2 vg_data2-lv_data2_crypt
> $ cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data3 vg_data3-lv_data3_crypt
>
> Then create your filesystem and mount them:
>
> $ mkfs.ext4 /dev/mapper/vg_data1-lv_data1_crypt
> $ mkfs.ext4 /dev/mapper/vg_data2-lv_data2_crypt
> $ mkfs.ext4 /dev/mapper/vg_data3-lv_data3_crypt
>
> $ mount -t ext4 /dev/mapper/vg_data1-lv_data1_crypt /mnt/data1
> $ mount -t ext4 /dev/mapper/vg_data2-lv_data2_crypt /mnt/data2
> $ mount -t ext4 /dev/mapper/vg_data3-lv_data3_crypt /mnt/data3


Thank you for the detailed explanations.

I'm a complete noob when it comes to this kind of operation, so, sorry
for the dumb question : following tv.debian@'s advice, I purchased a
cheap SSD and installed my system on it (the SSD, and one pair of HDD
are plugged in). From there on, how should I proceed ?


Thanks in advance for your help.

CA
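
Added example, not from the thread: the layering quoted above (md, then LVM, then LUKS, then ext4) for a single pair, with the LUKS container formatted on the logical volume and opened under the `_crypt` mapper name before `mkfs`. `attach_pair` goes beyond the quoted commands and shows re-attaching a pair on a reinstalled system, which works because the md superblock, the LVM metadata and the LUKS header all live on the mirrored disks. Disk names, the LV size and the mount points are placeholders.

```shell
#!/bin/sh
# Added example: one encrypted RAID1 pair, layered md -> LVM -> LUKS -> ext4.
# Disk names, the LV size and /mnt/dataN are placeholders. build_pair DESTROYS
# whatever is on both disks. DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# build_pair <n> <disk-a> <disk-b> <lv-size>
build_pair() {
    n=$1
    a=$2
    b=$3
    size=$4
    md=/dev/md$((n - 1))
    vg=vg_data$n
    lv=lv_data$n
    crypt=${vg}-${lv}_crypt
    [ "$a" != "$b" ] || { echo "a mirror needs two different disks" >&2; return 1; }
    # 1. Mirror the two raw disks.
    run mdadm --create "$md" --level=1 --raid-devices=2 "$a" "$b" || return 1
    # 2. LVM on top of the mirror: one PV, one VG and one LV per pair.
    run pvcreate "$md" || return 1
    run vgcreate "$vg" "$md" || return 1
    run lvcreate "$vg" -n "$lv" -L "$size" || return 1
    # 3. LUKS container on the LV. Every pair gets its own luksFormat call and
    #    therefore its own passphrase ("work", "family", "misc").
    run cryptsetup -v --verify-passphrase luksFormat "/dev/$vg/$lv" || return 1
    # 4. Open the container; this creates /dev/mapper/<vg>-<lv>_crypt.
    run cryptsetup luksOpen "/dev/$vg/$lv" "$crypt" || return 1
    # 5. The filesystem goes on the opened mapping, never on the raw LV.
    run mkfs.ext4 "/dev/mapper/$crypt" || return 1
    run mkdir -p "/mnt/data$n" || return 1
    run mount -t ext4 "/dev/mapper/$crypt" "/mnt/data$n"
}

# attach_pair <n>: bring an existing pair back, e.g. after reinstalling the
# system disk. Only the pair's passphrase is needed.
attach_pair() {
    n=$1
    vg=vg_data$n
    lv=lv_data$n
    run mdadm --assemble --scan || return 1
    run vgchange -ay "$vg" || return 1
    run cryptsetup luksOpen "/dev/$vg/$lv" "${vg}-${lv}_crypt" || return 1
    run mkdir -p "/mnt/data$n" || return 1
    run mount -t ext4 "/dev/mapper/${vg}-${lv}_crypt" "/mnt/data$n"
}
```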



Encrypted RAID1 for storage with Debian Jessie

2017-04-18 Thread commentsabout

Hello,

Is there an easy way to attach several pairs of RAID1 disks (with full
disk encryption) to a Debian Jessie system?


Here is a picture of what I'm trying to achieve: 
http://imgur.com/vF7IqX2


I am building a home backup system, I have different types of data to
backup (work, family, random stuff - hence the three pairs in the 
picture). The system (Debian Jessie) will be on a USB key.


It's a backup system on a budget that I'd like to have up and running 
within a couple of weeks, I know that ZFS (with FreeNAS for instance) 
can achieve similar goals but it's out of budget ; I also know that work 
is being done on BTRFS about encryption but it's not ready for prime 
time yet.


Always state the obvious so :

- the idea behind having the SYSTEM on an independent USB drive is to
have one independent piece to handle the boot and system operations 
(that I can easily - and cheaply - mirror to have drop in replacement in 
case of failure) and "DATA" drives are just "dumb" encrypted drives that 
could be unplugged from the setup and mounted anywhere else ;


- the idea behind the RAID1 is to create redundancy, hence in case one 
drive fails, be able to plug a new one in, would it be possible with 
full disk encryption?


- this backup system will only be turned on when needed, I don't plan on 
using it as some sort of server or a NAS.


Am I re-inventing the wheel here, is there a better, simpler solution to 
achieve both redundancy and encryption ?


Thank you in advance for your help,

CA



Re: Debian-ML_Automatically spoof MAC address

2017-02-08 Thread commentsabout

Hello,

Thank you for your answer.

On 2017-02-09 01:19, Pyroteus wrote:

> -  give a try # tail


Do you mean "Tails"? Tails is not an option here.


> - type on your browser : how to spoof his MAC address on linux


Yeah, I did that, didn't find any working solution so I came and asked 
here.



> - https://xmodulo.com/spoof-mac-address-network-interface-linux.html


I know how to spoof a mac address temporarily and permanently, that's 
not what I'm trying to do.



> - Modern Linux distributions like Ubuntu typically use Network
> Manager, which provides a graphical way to spoof a MAC address. For
> example, on Ubuntu you’d click the network icon on the top panel,
> click Edit Connections, select the network connection you want to
> modify, and click Edit. On the Ethernet tab, you’d enter a new MAC
> address under “Cloned MAC address” and save your changes.


Network Manager is broken when it comes to mac address spoofing. I'm too
tired right now to go and find the bugs again, but there are/were a series
of bugs about the fact that Network Manager won't honor the mac address
passed to it through the GUI or simply won't let the mac address be changed.


IIRC, the devs didn't see the point of fixing that behavior and that's 
why 90% of the articles you can find about "how to spoof the mac address 
via a GUI" discourage the use of network manager and the reason why it's 
not used in tails [1].


[1] https://tails.boum.org/blueprint/macchanger/

And while we are stuck in Prehistory with network manager on our 
desktops, iOS (a fucking mobile operating system) randomizes the mac 
address of the device even for scanning [2].


[2] 
https://9to5mac.com/2014/06/09/ios-8-randomizes-mac-address-while-scanning-wifi-blocks-marketers-tracking-you/


CA



Re: Automatically spoof MAC address when interface is brought down

2017-02-08 Thread commentsabout

Hello,

Thank you for your answer.

On 2017-02-08 16:38, Michael Lange wrote:

> Does this help:
> https://help.ubuntu.com/community/AnonymizingNetworkMACAddresses
> ?


No :(

That is strange, the file already exists (it is a symbolic link):


su
ls -la /etc/network/if-pre-up.d/
lrwxrwxrwx 1 root root   28 Feb  9  2015 macchanger -> ../../macchanger/ifupdown.sh*



cat /etc/network/if-pre-up.d/macchanger


Output: http://pastebin.com/raw/wmyJf5h8

So, even though the script is there, it does not seem to work.

CA

PS. note that it might be a relic of a previous attempt at this, I try
to achieve this behavior every now and then but I constantly fail and end
up doing the work manually via the cli :(




Re: Keys management (SSH, GPG)

2017-02-08 Thread commentsabout

On 2017-02-08 16:20, commentsab...@riseup.net wrote:

> either connect to servers via ssh or to work with on remote servers.


[...] to work with _git_ [...]

CA



Bug report: after booting, if laptop lid is closed without logging in, the computer doesn't go to sleep

2017-02-08 Thread commentsabout

Hello,

I am a Debian 8.7 user (with Gnome 3.14.1).
On a Thinkpad X220.

I do not know where this bug would be best reported so I will let people
with more knowledge than me about this sort of thing file a bug in the
proper place.



# laptop lid closure not taken into account

When I start my computer and reach the login screen, if I close my 
laptop lid, the computer won't go to sleep mode *.


It goes actually beyond that.

If I login but don't open any application (such as the file explorer or 
firefox or whatever) and close the laptop lid, the computer won't go to 
sleep mode *.


* until I either login and open an application or just open an 
application depending on the case.



# cancelling a shutdown prevents the user from calling a shutdown again from the menu


This bug might be related so I will leave it here as well.

If I click on the top right menu on my desktop (the one with the wifi
indicator etc), click on the "power button" icon and then choose "cancel"
in the dialog box, I cannot shut the computer down again via this menu until
the next reboot/logout-and-in; the only way to shut the computer down is to:



shutdown now


Hope this is helpful and will be reported to the right people/place.

Best,
CA



Automatically spoof MAC address when interface is brought down

2017-02-08 Thread commentsabout

Hello,

I am a Debian 8.7 user.
I use the default Network Manager.

I would like to know if there is a way to automatically spoof the MAC
address of my wireless interface every time I bring it down (and up)?


I have a Thinkpad x210 and there is a physical switch for the wifi 
interface. For the time being, every time I close my laptop lid and open 
it up again, I have to manually:



su
macchanger -a wlan0
exit


Is there a way to automate this?

Thank you in advance for your help.

CA



Keys management (SSH, GPG)

2017-02-08 Thread commentsabout

Hello,

I am a Debian 8.7 user.


# SSH

I would like to know if there is an efficient way to manage SSH keys?

I have multiple SSH keys (rsa, ed25519) that I use all day long to 
either connect to servers via ssh or to work with on remote servers.


I would like to know if it is possible to unlock my keys (being
prompted once for their passwords) when my session starts and keep
them unlocked until the session is closed.


I have found information about ssh-agent and ssh-add but it doesn't 
provide the behavior that I would like to reach in the sense that I have 
to manually...



eval `ssh-agent -s`
ssh-add /path/to/my-key1
ssh-add /path/to/my-key2
ssh-add /path/to/my-key3
ssh-add /path/to/my-key4


... every time I open/close my session (while I would like to just have 
to provide my passwords). Furthermore, it seems that my ed25519 keys do 
not remain cached for more than a couple of minutes (while the rsa4096 
ones remain without problem).



# GPG/PGP

This list is probably not the right place to ask but I will give it a 
shot.


The question is quite the same for PGP/GPG. I use GPG/PGP extensively 
via Thunderbird and its Enigmail extension. There are known issues 
between Gnome Keyring and gpg-agent [1]. I would like to achieve what is 
described above for SSH, namely being prompted once per session for my 
GPG (whatever key) password and that's it.


I also extensively use the "pass" command-line tool (GPG based, password 
manager- awesome!) which prompts me for my password every now and then. 
A cached unlocked GPG key would be tremendously useful here too.


[1] https://wiki.gnupg.org/GnomeKeyring

Thank you in advance for your help,
CA