martes, 14 de junio de 2011

Encrypted filesystems in Debian Squeeze


We need to have cryptsetup installed

root@squeeze:~# apt-get install cryptsetup

The partition can be a whole disk (a pendrive per example), a partition or even a lvm volume. In this case, we are going to use a lvm volume using a hard disk

root@squeeze:~# vgcreate vol0 /dev/sda
  No physical volume label read from /dev/sda
  Physical volume "/dev/sda" successfully created
  Volume group "vol0" successfully created
root@squeeze:~# vgs
  VG   #PV #LV #SN Attr   VSize    VFree   
  vol0   1   0   0 wz--n- 1020.00m 1020.00m
root@squeeze:~# lvcreate -n lv_crypt -L 200M vol0
  Logical volume "lv_crypt" created
root@squeeze:~# lvs
  LV       VG   Attr   LSize   Origin Snap%  Move Log Copy%  Convert
  lv_crypt vol0 -wi-a- 200.00m 


After this, the best thing to do is to write random data in the partition to generate noise.


root@squeeze:~# dd if=/dev/urandom of=/dev/mapper/vol0-lv_crypt
dd: writing to `/dev/mapper/vol0-lv_crypt': No space left on device
409601+0 records in
409600+0 records out
209715200 bytes (210 MB) copied, 60.7331 s, 3.5 MB/s

Finally, we create/format the encrypted partition, and open it to have it available to the system


root@squeeze:~# cryptsetup luksFormat /dev/mapper/vol0-lv_crypt 

WARNING!
========
This will overwrite data on /dev/mapper/vol0-lv_crypt irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
root@squeeze:~# cryptsetup luksOpen /dev/mapper/vol0-lv_crypt crypt
Enter passphrase for /dev/mapper/vol0-lv_crypt: 


Once opened, we can access it as a non-encrypted partition available under /dev/mapper/crypt (all the names can be changed to something more suitable for you), so we can format and access it like a normal partition.


root@squeeze:~# mkfs.ext4 /dev/mapper/crypt 
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
51000 inodes, 203772 blocks
10188 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
25 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks: 
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 36 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

root@squeeze:~# mount /dev/mapper/crypt /media/crypt/




If you are using a graphical desktop, like GNOME, it can manage it automatically with Nautilus, asking you the pass-phrase and root password.

You can avoid to work in the command line using the /etc/crypttab file, to open this filesystem during system boot. The systax of this file is pretty simple:


root@squeeze:~# cryptsetup luksUUID /dev/mapper/vol0-lv_crypt 
1495abcf-38b5-4065-9880-4f8512d7c535
root@squeeze:~# cat /etc/crypttab 
             
crypt   UUID=1495abcf-38b5-4065-9880-4f8512d7c535 none  luks

Using the disk UUID we can avoid future problems of the disk not being in the same path (like a pendrive)

At boot time, the system will ask for the passphare to open the encrypted disk



We can also especify a file with the key, to avoid this question. We can have a external usb drive with this file, or we can have this key files locally, to open external usb drives.

Publicado por en No hay comentarios:
Etiquetas: , ,

jueves, 17 de marzo de 2011

ext4 optimization and throughput (Preview)

Scenario: Debian Stable 6.0 under VmWare ESXi 4.1
Cases:

  • 1 core and 497 Mb RAM
  • 4 cores and 4Gb RAM

Test used:  Phoronix Test Suite
Mount options:
  • defaults
  • noatime
  • long  noatime,barrier=0,data=writeback,nobh,commit=100,nouser_xattr
  • no_journal - defaults, but fs created with "mkfs.ext4 /dev/sdb1 -O^has_journal" defaults
Results Case1 (1 Core):
Results Case2 (4 Cores):
Results Case1 & Case2 Mixed:
http://openbenchmarking.org/result/1103160-IV-MERGE353122 (It has some visualization problems)
Comments:
To be update... soon
Improvements to do:
Test in a bare installation, and testing hypervisor overload (vmware Vs. kvm)
Publicado por en No hay comentarios:

jueves, 5 de junio de 2008

Evitando apagados innecesarios

Cuando se maneja un gran número de servidores desde un único monitor/teclado, más de una vez se corre el peligro de que por querer hacer las cosas rápidas, pulsamos crtl+alt+sup para iniciar sesión en Windows... pero si es un Linux, eso supone un reinicio del servidor. Para evitarlo, en el fichero /etc/inittab, buscaremos algo parecido a esta línea y la comentamos:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
Publicado por en No hay comentarios:
Etiquetas:

miércoles, 7 de mayo de 2008

Instalar un número de paquetes mínimos (sin recomendaciones) en Debian

Las recomendaciones para un equipo de escritorio suelen ser útiles, pero cuando se trata de un servidor, cuanta menos mierda mejor. Para evitar tener que acordarse de ésto siempre que instalemos algo, basta con:

echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/70debconf
Publicado por en No hay comentarios:
Etiquetas:
Suscribirse a: Comentarios (Atom)