Tag archives: privacy

Raspberry Pi: Owncloud setup revisited

The Raspberry Pi and ownCloud have been running for a few months now and I really enjoy my own personal cloud. But I was really annoyed by the poor performance. One possible solution was to switch the SD card, which I did: I replaced the Transcend 16GB SDHC card with a 4GB one. Performance is much better now. Since setting up the system is a pretty simple and fast process, I didn’t bother with cloning the card etc. I reinstalled Raspbian, followed my own guide on how to set up nginx and PHP, and used my other tutorial on how to install ownCloud 6 beta as orientation. Of course I needed to change some links etc.

Some more things (I) changed:

  1. owncloud added security for trusted domains
  2. moved owncloud storage to an external usb drive
  3. changed the nginx webserver configuration: restrict to https only and …
  4. accessing php-fpm through network socket

 

1. If you access the web interface of your ownCloud instance using different IPs, names etc., you need to add them to the "trusted_domains" parameter.

pi@raspberrypi ~ $ sudo vi /var/www/owncloud/config/config.php

'trusted_domains' =>
  array (
    0 => '192.168.12.34',
    1 => 'your.dyndns.org',
  ),

2. Connect the usb drive and use lsblk and blkid to find the needed UUID.

pi@raspberrypi ~ $ lsblk && blkid
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 2,7T 0 disk
└─sda1 8:1 0 2,7T 0 part /media/usb
mmcblk0 179:0 0 3,7G 0 disk
├─mmcblk0p1 179:1 0 56M 0 part /boot
└─mmcblk0p2 179:2 0 3,7G 0 part /
/dev/mmcblk0p1: SEC_TYPE="msdos" LABEL="boot" UUID="7D5C-A285" TYPE="vfat"
/dev/mmcblk0p2: UUID="5d18be51-3217-4679-9c72-a54e0fc53d6b" TYPE="ext4"
/dev/sda1: LABEL="Backup3TB" UUID="1D3F163D4EEC069E" TYPE="ntfs"

Create the mountpoint /media/usb and edit /etc/fstab to mount the drive on startup.

pi@raspberrypi ~ $ sudo mkdir /media/usb

pi@raspberrypi ~ $ sudo vi /etc/fstab
proc /proc proc defaults 0 0
/dev/mmcblk0p1 /boot vfat defaults 0 2
/dev/mmcblk0p2 / ext4 defaults,noatime 0 1
UUID=1D3F163D4EEC069E /media/usb ntfs-3g defaults,auto,uid=pi,gid=www-data,umask=007,users 0 0

While setting up your ownCloud, you can now define /media/usb as your data storage. Not sure if there is a way to change this on an already running ownCloud setup.

 

3. Change the nginx configuration (/etc/nginx/sites-available/default) according to the ownCloud 6 documentation

upstream php-handler {
    server 127.0.0.1:9000;
}

server {
    listen 80;
    return 301 https://your.dyndns.org$request_uri; # enforce https
}

# HTTPS server
#
server {
    listen 443 ssl;
    server_name your.dyndns.org localhost;

    root /var/www;

    autoindex off;
    index index.php index.html index.htm;

    ssl on;
    ssl_certificate /etc/nginx/conf.d/ssl/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/server.key;

    client_max_body_size 10G; # set max upload size
    fastcgi_buffers 64 4K;

    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

    index index.php;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
        deny all;
    }

    location / {
        # The following 2 rules are only needed with webfinger
        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
        rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

        try_files $uri $uri/ index.php;
    }

    location ~ ^(.+?\.php)(/.*)?$ {
        try_files $1 =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        fastcgi_param PATH_INFO $2;
        fastcgi_param HTTPS on;
        fastcgi_pass php-handler;
    }

    # Optional: set long EXPIRES header on static assets
    location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
        expires 30d;
        # Optional: Don't log access to assets
        access_log off;
    }
}
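One thing worth checking in this config: the "deny all" location is anchored at the site root, but root is /var/www here and ownCloud lives in /var/www/owncloud (as in the earlier install post), so a request for /owncloud/config/... never hits that rule. The following shell snippet is an added example, not part of the original post or of the ownCloud documentation; it runs the page's regex and an assumed subdirectory-anchored variant over a few constructed request paths with grep -E, which is enough here because the pattern is plain ERE.

```shell
#!/bin/sh
# Added example (not from the original post): shows which request paths the
# "deny all" location of the nginx config above actually matches. nginx tries
# regex locations in order and takes the first match, so a path the deny regex
# does not match falls through to the PHP / static-file locations.

# Regex exactly as in the config above (ERE-compatible, so grep -E can run it).
DENY_RE_PAGE='^/(data|config|\.ht|db_structure\.xml|README)'
# Assumed fix for a "root /var/www" setup with ownCloud under /var/www/owncloud:
# anchor the rule to the subdirectory (or set root to /var/www/owncloud instead).
DENY_RE_SUBDIR='^/owncloud/(data|config|\.ht|db_structure\.xml|README)'

# is_denied REGEX PATH -> 0 if nginx would hit the deny block, 1 otherwise
is_denied() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# Constructed sample requests for files the rule is meant to protect, plus two
# that must stay reachable.
SAMPLE_PATHS='/owncloud/config/config.php
/owncloud/.htaccess
/owncloud/data/admin/files/secret.txt
/owncloud/README
/owncloud/index.php
/config/config.php'

# report REGEX -> one "DENIED|ALLOWED path" line per sample path
report() {
    printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r p; do
        if is_denied "$1" "$p"; then printf 'DENIED  %s\n' "$p"
        else printf 'ALLOWED %s\n' "$p"; fi
    done
}

# count_denied REGEX -> number of sample paths the rule blocks
count_denied() {
    report "$1" | grep -c '^DENIED'
}

printf 'Rule as on the page (root /var/www, ownCloud in /owncloud):\n'
report "$DENY_RE_PAGE"
printf '\nRule anchored to /owncloud/:\n'
report "$DENY_RE_SUBDIR"
```

With the page's rule only /config/config.php is blocked (a path that does not exist under this root), while the anchored rule blocks the four sensitive paths and leaves index.php alone. If the data directory sits in the web root, it is the same story for /owncloud/data/.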

4. Modify the php5-fpm config to listen on a network socket.

pi@raspberrypi ~ $ sudo vi /etc/php5/fpm/pool.d/www.conf

;listen = /var/run/php5-fpm.sock
listen = 127.0.0.1:9000

Restart the services.

pi@raspberrypi ~ $ sudo service php5-fpm restart
pi@raspberrypi ~ $ sudo service nginx restart
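Switching php-fpm from a unix socket to TCP is fine as long as the listener stays on loopback: FastCGI has no authentication of its own, so a pool bound to 0.0.0.0:9000 (or to a bare port, which php-fpm treats as "all addresses") would execute requests from anything that can reach the Pi on that port. The shell function below is an added example, not part of the post; it reads the active listen directive out of a pool file and refuses anything that is not a socket path or a loopback address. The pool files it creates are constructed stand-ins for /etc/php5/fpm/pool.d/www.conf.

```shell
#!/bin/sh
# Added example (not from the original post): check the active "listen"
# directive of a php-fpm pool file and fail unless the FastCGI socket is a
# unix socket or bound to loopback.

# fpm_listen_value FILE -> prints the value of the last uncommented "listen ="
# (lines starting with ';' are comments and are skipped by the anchor)
fpm_listen_value() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# fpm_listen_is_local FILE -> 0 if the pool only listens locally, 1 otherwise
fpm_listen_is_local() {
    _v=$(fpm_listen_value "$1")
    case "$_v" in
        "")                 return 1 ;;   # no listen line at all: pool is broken
        /*)                 return 0 ;;   # unix socket path
        127.0.0.1:*|localhost:*|"[::1]:"*) return 0 ;;
        *)                  return 1 ;;   # other address, 0.0.0.0, or a bare port
    esac
}

# Constructed pool files standing in for /etc/php5/fpm/pool.d/www.conf.
make_samples() {
    cat > "$1/www-loopback.conf" <<'EOF'
[www]
;listen = /var/run/php5-fpm.sock
listen = 127.0.0.1:9000
EOF
    cat > "$1/www-socket.conf" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
EOF
    cat > "$1/www-exposed.conf" <<'EOF'
[www]
listen = 0.0.0.0:9000
EOF
    cat > "$1/www-bareport.conf" <<'EOF'
[www]
listen = 9000
EOF
}

d=$(mktemp -d)
make_samples "$d"
for f in "$d"/*.conf; do
    if fpm_listen_is_local "$f"; then echo "OK       $(basename "$f"): $(fpm_listen_value "$f")"
    else echo "EXPOSED  $(basename "$f"): $(fpm_listen_value "$f")"; fi
done
rm -rf "$d"
```

Run it against the real pool file with fpm_listen_is_local /etc/php5/fpm/pool.d/www.conf after editing; a second, independent confirmation is to look at the bound address with netstat -ltnp once php5-fpm is restarted.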


Facebook buys WhatsApp

Yesterday evening it was announced that Facebook will take over the messenger WhatsApp for 19 billion dollars (about 13.8 billion euros).

For that reason, here is another pointer to the "secure" messenger Threema. More information and an interesting interview with the developers is available in a podcast at monoxyd.

Android version: Play Store
iOS version: App Store

Raspberry Pi: Update owncloud beta to owncloud 6

The final release of ownCloud 6 is now available. Just like the update how-to for beta 3, here is how to install it manually.

Download the update on your owncloud server

pi@raspberrypi ~ $  wget http://download.owncloud.org/community/owncloud-6.0.0.tar.bz2

pi@raspberrypi ~ $  tar xfv owncloud-6.0.0.tar.bz2

 

Create a backup of the files and database

pi@raspberrypi ~ $  mkdir 2013_12_12_Backup_owncloud_beta3/

pi@raspberrypi ~ $  sudo rsync -a /var/www/owncloud/ /home/pi/2013_12_12_Backup_owncloud_beta3/

pi@raspberrypi ~ $  sudo mysqldump owncloud -u root -p > /home/pi/2013_12_12_Backup_owncloud_beta3/owncloud.sql

 

Copy the update

pi@raspberrypi ~ $  sudo rsync --inplace -rtv owncloud/ /var/www/owncloud/

pi@raspberrypi ~ $  rm -r owncloud owncloud-6.0.0.tar.bz2

 

Visiting the webinterface of your installation will complete the update.
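Because the update is copied in place over the running installation, the backup taken just before is the only way back if something goes wrong, so it is worth proving that the copy is complete before rsync touches /var/www/owncloud. The script below is an added example, not part of the post: it copies the tree, writes a sha256 manifest next to the copy and compares source and backup file by file. It deliberately uses only cp, find and sha256sum, so it runs where rsync is not installed; the directory it works on is a constructed stand-in for /var/www/owncloud, and the database dump from the post is still needed separately.

```shell
#!/bin/sh
# Added example (not from the original post): file-level backup of an ownCloud
# tree with a checksum manifest, plus a verification step to run before the
# in-place update overwrites the live files.

# manifest DIR -> "sha256  ./relative/path" for every regular file, sorted so
# two manifests of identical trees compare equal as strings
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# backup_tree SRC DEST -> copies SRC into DEST (created) and writes DEST.sha256
backup_tree() {
    mkdir -p "$2"
    cp -a "$1/." "$2/"
    manifest "$2" > "$2.sha256"
}

# verify_backup SRC DEST -> 0 if every file in SRC exists in DEST with the same
# content (and vice versa), 1 otherwise, printing the differing manifest lines
verify_backup() {
    _a=$(manifest "$1")
    _b=$(manifest "$2")
    if [ "$_a" = "$_b" ]; then return 0; fi
    printf 'backup differs from source:\n'
    printf '%s\n' "$_a" > "$2.src.tmp"
    printf '%s\n' "$_b" > "$2.dst.tmp"
    diff "$2.src.tmp" "$2.dst.tmp" || true
    rm -f "$2.src.tmp" "$2.dst.tmp"
    return 1
}

# Constructed stand-in for /var/www/owncloud with a config file and user data.
demo=$(mktemp -d)
mkdir -p "$demo/owncloud/config" "$demo/owncloud/data/pi/files"
printf "<?php \$CONFIG = array('dbpassword' => 'constructed');\n" > "$demo/owncloud/config/config.php"
printf 'hello\n' > "$demo/owncloud/data/pi/files/note.txt"

backup_tree "$demo/owncloud" "$demo/2013_12_12_Backup_owncloud_beta3"
verify_backup "$demo/owncloud" "$demo/2013_12_12_Backup_owncloud_beta3" && echo "backup verified"

# A file changed after the backup was taken must make verification fail.
printf 'changed\n' >> "$demo/owncloud/data/pi/files/note.txt"
verify_backup "$demo/owncloud" "$demo/2013_12_12_Backup_owncloud_beta3" || echo "backup is stale"
rm -rf "$demo"
```

On the Pi the calls would be backup_tree /var/www/owncloud /home/pi/2013_12_12_Backup_owncloud_beta3 followed by verify_backup with the same arguments, run as root so that the www-data owned files are readable and ownership is preserved by cp -a.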

Raspberry Pi: Selfhosted cloud with ownCloud 6 beta

Quick writeup on how to install the new owncloud 6 beta on your raspberry Pi.

Disclaimer: If you want something super fast, leave this site now. If you’re looking for a really cheap way to get your own cloud (No NSA. So yay!) and give some use to the Raspberry Pi that has been sitting on the shelf for months, here you go. Just don’t expect a 1:1 Dropbox/Drive/$whatever clone.

Prerequisites: a working Raspberry Pi with Raspbian (paths etc. may vary on other distributions) and a running webserver with PHP and SSL.

Installation on the Pi
Download the package from here, extract it, move it to the right location and set the correct user rights:

pi@raspberrypi ~ $ wget http://download.owncloud.org/community/testing/owncloud-6.0.0beta1.zip
pi@raspberrypi ~ $ unzip owncloud-6.0.0beta1.zip
pi@raspberrypi ~ $ sudo mv owncloud /var/www/
pi@raspberrypi ~ $ sudo chown -R www-data:www-data /var/www/owncloud
pi@raspberrypi ~ $ cd /var/www/owncloud/

We need to change a few settings in the php config.

pi@raspberrypi /var/www/owncloud $ sudo vi /etc/php5/fpm/php.ini

Replace

upload_max_filesize = 2M
post_max_size = 8M

with

upload_max_filesize = 1024M
post_max_size = 1024M

and add some lines to the end of the file (we will install apc later):

upload_tmp_dir = /var/www/owncloud/data/temp
extension = apc.so
apc.enabled = 1
apc.include_once_override = 0
apc.shm_size = 256

Create the directory for uploads

pi@raspberrypi /var/www/owncloud $ sudo mkdir -p data/temp
pi@raspberrypi /var/www/owncloud $ sudo chown -R www-data:www-data data

After editing your webserver config according to the documentation, visit http://localhost/owncloud or http://raspberryip/owncloud and check for error messages. In my case, I got two:

1. PHP module GD is not installed. Please ask your server administrator to install the module.

So I needed to install this:

pi@raspberrypi /var/www/owncloud $ sudo aptitude install php5-gd

And

2. No database drivers (sqlite, mysql, or postgresql) installed.

Of course. After some searching and reading the official documentation about the database configuration, I decided to use MySQL as backend. Mainly because there will be at least two persons using the system. So I installed the mysql-server and php5-mysql package.

pi@raspberrypi /var/www/owncloud $ sudo aptitude install mysql-server php5-mysql

After setting the root password, connect to your MySQL server. Create a user for ownCloud and a database.

pi@raspberrypi /var/www/owncloud $ mysql -u root -h localhost -p
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED BY 'password';
QUIT

Return to http://localhost/owncloud or http://raspberryip/owncloud and complete the setup process.

Some tips to improve performance:
There are a few guides and tips on the net on how to improve performance of owncloud on your pi. Here are some of them.

1. Install the PHP Accelerator (see modified php.ini at the top)

pi@raspberrypi /var/www/owncloud $ sudo aptitude install php-apc

2. Use a cronjob to update the database and speed up the web interface. Open the crontab for the webserver user:

pi@raspberrypi /var/www/owncloud $ sudo crontab -u www-data -e

For updates every 15 minutes add:

*/15 * * * * php -f /var/www/owncloud/cron.php

On the webinterface go to Administration -> Cron and change the setting to Cron.

3. Disable unused apps. Disable all apps you don’t need.

 

Installation of the owncloud ubuntu client

pat@think:~$ wget http://download.opensuse.org/repositories/isv:ownCloud:devel/xUbuntu_13.10/Release.key
pat@think:~$ sudo apt-key add Release.key
pat@think:~$ echo 'deb http://download.opensuse.org/repositories/isv:ownCloud:devel/xUbuntu_12.04/ /' | sudo tee -a /etc/apt/sources.list.d/owncloud-client.list
pat@think:~$ sudo aptitude update
pat@think:~$ sudo aptitude install owncloud-client

Sources:

http://doc.owncloud.org/server/5.0/admin_manual/installation/installation_others.html#nginx-configuration

http://doc.owncloud.org/server/5.0/admin_manual/configuration/background_jobs.html#cron-jobs

http://doc.owncloud.org/server/5.0/admin_manual/configuration/configuration_database.html

http://jankarres.de/2013/10/raspberry-pi-owncloud-server-installieren/ (German)

http://cloudlog.de/owncloud-langsam-diese-tipps-machen-owncloud-schneller/ (German)

Raspberry Pi: Mount and unmount truecrypt on startup and shutdown

My Raspberry Pi functions as a local NAS and data haven for backing up remote servers and all my clients. The data is stored in a TrueCrypt container on an external USB hard drive. The drive is mounted on bootup, as well as the decrypted container. If you follow my notes, please be aware that the password to unlock the files is stored in cleartext in the automount script and could show up when running e.g. ps. So maybe this isn’t the right solution when you grant other people access to your Pi.

 

Create the two directories to mount the external harddrive and the truecrypt container.

sudo mkdir /mnt/{usb,truecrypt}

If you use NTFS as the filesystem on your external drive, install the ntfs-3g package and try mounting it manually first:

pi@raspberrypi ~ $ sudo aptitude install ntfs-3g
pi@raspberrypi ~ $ sudo mount -t ntfs-3g /dev/sda1 /mnt/usb

When everything works, add the permanent mount entry to your /etc/fstab:

/dev/sda1 /mnt/usb ntfs-3g defaults 0 0

To automount the truecrypt container on startup, install truecrypt like explained here and create the two init scripts for mounting and unmounting the container.

/etc/init.d/tc_mount

#!/bin/bash
### BEGIN INIT INFO
# Provides:          tc_mount
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2
# Default-Stop:
# Short-Description: tc_mount
# Description:      Mount the truecrypt container
### END INIT INFO
echo "Mounting truecrypt container"
/usr/local/bin/truecrypt -t -k "" --protect-hidden=no --mount /mnt/usb/crypt /mnt/truecrypt/ -v -m=nokernelcrypto -p 'YOURPASSWORD'
exit 0

/etc/init.d/tc_unmount

#!/bin/bash
### BEGIN INIT INFO
# Provides:          tc_unmount
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:
# Default-Stop:      0 1 6
# Short-Description: tc_unmount
# Description:       Unmount the truecrypt container
### END INIT INFO
echo "Unmounting truecrypt containers"
/usr/local/bin/truecrypt -d
exit 0

And add them to the correct runlevels:

pi@raspberrypi ~ $ sudo update-rc.d tc_mount start 02 2 .
pi@raspberrypi ~ $ sudo update-rc.d tc_unmount stop 02 0 1 6 .
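Init scripts in /etc/init.d are normally mode 0755, so with the script above the passphrase is readable by every local account, on top of the ps exposure the post already mentions. The variant below is an added example, not part of the post: it keeps the passphrase in a root-only file and checks that file's owner and mode before using it. The truecrypt invocation is taken from the script above and not exercised here; SECRET_FILE is an assumed path, and the demonstration at the end uses a constructed file owned by the current user.

```shell
#!/bin/sh
# Added example (not from the original post): tc_mount with the passphrase read
# from a root-only file instead of being written into the init script. The
# passphrase still passes through the truecrypt command line (the exposure the
# post warns about); what this removes is the copy in the world-readable script.

SECRET_FILE=/root/tc_passphrase        # assumed location; must be root:root 0600

# secret_file_ok FILE OWNER -> 0 if FILE is a regular file owned by OWNER with
# mode 0600 or 0400, 1 otherwise (prints the reason; never prints the contents)
secret_file_ok() {
    [ -f "$1" ] || { echo "$1: not a regular file"; return 1; }
    _mode=$(stat -c '%a' "$1")
    _owner=$(stat -c '%U' "$1")
    [ "$_owner" = "$2" ] || { echo "$1: owned by $_owner, expected $2"; return 1; }
    case "$_mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $_mode is too permissive (want 0600)"; return 1 ;;
    esac
}

# mount_container -> the mount step of tc_mount, refusing to run with an unsafe
# secret file. Command line as in the post; not run in the demonstration.
mount_container() {
    secret_file_ok "$SECRET_FILE" root || return 1
    _pass=$(head -n 1 "$SECRET_FILE")
    echo "Mounting truecrypt container"
    /usr/local/bin/truecrypt -t -k "" --protect-hidden=no --mount /mnt/usb/crypt /mnt/truecrypt/ \
        -v -m=nokernelcrypto -p "$_pass"
}

# Demonstration with a constructed file owned by whoever runs this script.
d=$(mktemp -d); f=$d/tc_passphrase; me=$(id -un)
printf 'constructed-passphrase\n' > "$f"
chmod 644 "$f"; secret_file_ok "$f" "$me" || echo "-> refused, as intended"
chmod 600 "$f"; secret_file_ok "$f" "$me" && echo "-> accepted"
rm -rf "$d"
```

In the real init script the body reduces to mount_container; exit 0, with the passphrase file created once as root via umask 077 before the first boot that uses it.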

 

Sources:

http://debianforum.de/forum/viewtopic.php?f=34&t=123447

https://www.linuxquestions.org/questions/debian-26/run-this-command-when-the-computer-shutdown-or-reboot-683851/

Protecting SSH keys with a passphrase after the fact

Once you have got used to the advantages of public key authentication on one system, you usually switch all other systems to this kind of authentication quickly. If you want to log in from several systems, your private key has to be copied to them or carried along, e.g. on a USB stick. If it falls into the wrong hands, however, you have to generate a new key and distribute it to all systems again. To protect the private key, you can secure it with a password (better: a passphrase). This is needed to "unlock" the key; the actual login at the remote system still uses the public key method and requires no password. To make the distinction easier, the password used for unlocking is therefore called a "passphrase" rather than a password. If you did not give the private key a passphrase when creating it, you can still do so afterwards with ssh-keygen.

[pat@earth ~]$ ssh-keygen -p
Enter file in which the key is (/home/pat/.ssh/id_rsa):  [Enter]
Key has comment '/home/pat/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):  newSuperSavePassword
Enter same passphrase again:  newSuperSavePassword
Your identification has been saved with the new passphrase.
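To find the keys that still need this treatment, it helps to know how an unprotected key looks on disk. The shell snippet below is an added example, not part of the post: it classifies private key files by their headers alone (PEM keys carry "Proc-Type: 4,ENCRYPTED", PKCS#8 keys say "ENCRYPTED PRIVATE KEY", and the OpenSSH format stores the cipher name right after the "openssh-key-v1" magic, "none" meaning unencrypted), so it needs no ssh-keygen. The key files it creates are constructed headers, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): list private keys in a directory
# that have no passphrase, by inspecting the key file headers.

# key_is_encrypted FILE -> 0 encrypted, 1 unencrypted, 2 not a private key
key_is_encrypted() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # decoded layout: bytes 0-14 "openssh-key-v1\0", 15-18 length of the
        # cipher name, 19.. the name itself; "none" means no passphrase
        _cipher=$(sed -n '/BEGIN OPENSSH/,/END OPENSSH/p' "$1" | grep -v -- '-----' \
                  | tr -d '\n' | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
        [ "$_cipher" = none ] && return 1
        return 0
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        return 0
    elif grep -q 'BEGIN .*PRIVATE KEY' "$1"; then
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && return 0
        return 1
    fi
    return 2
}

# unencrypted_keys DIR -> prints the names of private keys without passphrase
unencrypted_keys() {
    for _f in "$1"/*; do
        case "$_f" in *.pub) continue ;; esac
        _st=0; key_is_encrypted "$_f" || _st=$?
        [ "$_st" -eq 1 ] && basename "$_f"
    done
    return 0
}

# Constructed sample key files: only the headers matter for this check.
make_sample_keys() {
    {   echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none\000\000\000\000' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/id_ed25519_plain"
    {   echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/id_ed25519_pass"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n' > "$1/id_rsa_pass"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n' > "$1/id_rsa_plain"
    printf 'ssh-ed25519 AAAA constructed@example\n' > "$1/id_ed25519.pub"
}

d=$(mktemp -d); make_sample_keys "$d"
echo "Unencrypted private keys in $d:"; unencrypted_keys "$d"
rm -rf "$d"
```

Run unencrypted_keys ~/.ssh on each machine the key was copied to; every name it prints is a key that ssh-keygen -p should be pointed at.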

Sources:

http://kimmo.suominen.com/docs/ssh/#passwd

http://www.manpagez.com/man/1/ssh-keygen/

Setting up a VPN with pptpclient / pptp-linux

There are certainly plenty of good reasons for network access through a virtual private network (VPN); one of them is, for example, getting around the geo-based blocking of websites à la YouTube ("This video is not available in your country"). Services restricted to America such as the streaming service Hulu become usable from Germany this way. The provider VPN on Demand has been in beta for some time and offers free VPN access. Just send an e-mail with the subject "vpnod" to promotion@vpnod.com and shortly afterwards you receive the login data by e-mail.

First, the PPTP client has to be installed. On Arch Linux via

[pat@earth ~]$ sudo pacman -S pptpclient

on Debian and Ubuntu the package is called pptp-linux and is installed via

[pat@earth ~]$ sudo aptitude install pptp-linux

After the installation we configure a new VPN connection, using VPN on Demand as the example here. To do so, we create a file for the new VPN connection in the directory /etc/ppp/peers and put in the following (the variables $BENUTZER and $PASSWORT used below must of course be replaced with the login data you received):

[pat@earth ~]$ sudo vim /etc/ppp/peers/vpnod

pty "pptp vpn.vpnod.com --nolaunchpppd"
name $BENUTZER
linkname vpnod
remotename vpnod
ipparam vpnod
usepeerdns
require-mppe-128
file /etc/ppp/options.pptp

The login data is now defined in the file chap-secrets.

[pat@earth ~]$ sudo vim /etc/ppp/chap-secrets

$BENUTZER vpnod $PASSWORT *

To test, we start the VPN and set the interface as the default gateway so that all internet traffic runs through the VPN. Ideally, visit this page to check your own IP before and after. Note: from this point on all traffic is routed through the VPN, i.e. also e-mail, instant messengers or other applications running on the system. The data is encrypted up to the VPN endpoint, but from there on it is up to the user to take care of encryption. Whoever does not trust the VPN provider (or tends slightly towards paranoia :) ) should take the same precautions as when using a public WLAN hotspot, i.e. HTTPS/SSL.

[pat@earth ~]$ sudo pon vpnod
[pat@earth ~]$ sudo route add default dev ppp0

If the connection fails, calling pon with

[pat@earth ~]$ sudo pon vpnod debug dump logfd 2 nodetach

can help with troubleshooting.

To tear down the connection, remove the route again (poff should do this automatically) and disconnect.

[pat@earth ~]$ sudo route del default
[pat@earth ~]$ sudo poff

If everything works without problems, you can now automate the whole thing. All scripts (*.sh) in the folder /etc/ppp/ip-up.d/ are executed automatically after the VPN connection has been established. Since routing is a complex matter and would be a post of its own, here is just an example script for routing all traffic through the VPN.

[pat@earth ~]$ sudo vim /etc/ppp/ip-up.d/10-route.sh

#!/bin/bash

# Interface (eth0 or wlan0 in most cases)
INTERFACE=eth0

# Interface as provided by calling pppd
VPN=$1
#VPN=ppp0

route del default ${INTERFACE}
route add default dev ${VPN}

And we create another script which sets the correct route again after the VPN connection is torn down.

[pat@earth ~]$ sudo vim /etc/ppp/ip-down.d/10-route.sh
#!/bin/bash

# Interface (eth0 or wlan0 in most cases)
INTERFACE=eth0

# Interface as provided by calling pppd
VPN=$1

# Gateway (use 'route' to find out, IP or name)
GATEWAY=192.168.2.1

route del default ${VPN}
route add default gw ${GATEWAY} ${INTERFACE}

If the hostname or IP of the gateway is not known, the route command helps.

[pat@earth ip-up.d]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 202 0 0 eth0
default 192.168.2.1 0.0.0.0 UG 202 0 0 eth0
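Hard-coding GATEWAY=192.168.2.1 in the ip-down script means the restore step silently installs the wrong route on any network other than the one the script was written for (a hotel WLAN, for instance), which leaves the machine with no usable default route once the VPN goes down. The helpers below are an added example, not part of the post: on ip-up they read the current default gateway from the routing table and save it to a state file, and on ip-down they restore it from there. default_gw_from_table works on the text of route -n, so it is exercised on the constructed table below without touching the real routing table; STATE_FILE and the interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): ip-up/ip-down helpers that save
# and restore the LAN default gateway instead of hard-coding it.

STATE_FILE=/var/run/vpnod-prev-gw        # assumed; written by ip-up, read by ip-down

# default_gw_from_table TABLE IFACE -> prints the gateway of the default route
# that leaves via IFACE (works on "route -n" and "route" output), empty if none
default_gw_from_table() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '($1 == "default" || $1 == "0.0.0.0") && $NF == ifc { print $2; exit }'
}

# Constructed "route -n" output corresponding to the table shown above.
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    202    0        0 eth0'

# vpn_up VPN_IFACE LAN_IFACE -> remember the LAN gateway, route everything via VPN
vpn_up() {
    _gw=$(default_gw_from_table "$(route -n)" "$2")
    [ -n "$_gw" ] || { echo "no default route via $2, refusing to change routes"; return 1; }
    printf '%s\n' "$_gw" > "$STATE_FILE"
    route del default "$2"
    route add default dev "$1"
}

# vpn_down VPN_IFACE LAN_IFACE -> restore the saved LAN gateway
vpn_down() {
    [ -r "$STATE_FILE" ] || { echo "no saved gateway in $STATE_FILE"; return 1; }
    _gw=$(cat "$STATE_FILE")
    route del default "$1" 2>/dev/null || true   # pppd may already have removed it
    route add default gw "$_gw" "$2"
    rm -f "$STATE_FILE"
}

# pppd passes the ppp interface name as $1 to the ip-up.d / ip-down.d scripts:
#   /etc/ppp/ip-up.d/10-route.sh:    vpn_up "$1" eth0
#   /etc/ppp/ip-down.d/10-route.sh:  vpn_down "$1" eth0
echo "gateway in sample table: $(default_gw_from_table "$SAMPLE_TABLE" eth0)"
```

The refusal in vpn_up matters: if there is no default route via the LAN interface, deleting it and adding one via ppp0 would leave nothing to restore later, so the script leaves the table alone and lets the operator fix the LAN route first.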

One way to do all this automatically at system start can be found for Arch Linux e.g. here.

Sources: http://pptpclient.sourceforge.net

Ubuntu 10.10 + Pidgin (libpurple) + ICQ (Oscar) = Fail!

Even though I am of the opinion that one should rather use the Jabber protocol for instant messaging, as Google does with Google Talk for example, ICQ is probably still the most widespread in Germany. Reasons for switching can be found e.g. on Wikipedia.

Occasionally, changes are made to the ICQ protocol or infrastructure and alternative clients are temporarily unable to log in. That is apparently exactly what happened this weekend. Since, according to the official Pidgin homepage, only security updates are offered outside Ubuntu's release cycle, there is probably no automated solution to the problem for now. Various solutions are meanwhile available in forums; disabling SSL is the simplest but also the "ugliest" one, since your login data is then transmitted unencrypted. The most sensible option seems to me to install the Pidgin PPA and update to the latest release.

Procedure:

  • Download the installer package: Pidgin PPA Package
  • Right-click the file and choose "Open with GDebi Package Installer"
  • Click the "Install Package" button on the right
  • After the installation, open the Update Manager (under xfce: Start menu -> System)
  • Check for updates and then install them
  • Restart Pidgin and open the settings for the ICQ account (Accounts -> ICQ -> Edit Account)
  • On the Advanced tab, change the server to slogin.icq.com and tick "Use SSL" and "Use clientLogin"

Afterwards, logging in to the ICQ server should work again over SSL as well. In addition, thanks to the PPA installation you now always get the latest version of Pidgin conveniently through the Update Manager.

Fully encrypted gentoo system with LUKS/cryptsetup and LVM

I have installed this setup some time ago on my system and wrote down the steps. To validate that every step is still correct I used VirtualBox and installed the system again.

At the end of this howto, you will have a full working gentoo system with (nearly) full disk encryption, coded RAM and an easily expandable disk partition schema. Full disk encryption under GNU/Linux isn’t possible like it is with e.g. Truecrypt under Windows. So in most cases you will have to leave your /boot partition unencrypted or use a removable medium like an usb stick to boot your system. In this setup we will leave /boot as it is.

What you need:

  • Backup of your running system since your disks will be erased
  • Linux compatible hardware
  • Internet connection
  • Some time
  • Experience with the GNU/Linux system is highly recommended
  • A GNU/Linux system (Live CD, usb stick, installation on other disk etc.) This howto uses the Gentoo Weekly Minimal Install CD for amd64

Although I will try, explaining every step in detail would be too much for this howto, so I have to point you to Google and the Gentoo Handbook.

1. Preparing the installation

Use for example UNetbootin to create a bootable usb stick or just burn the cd. When you’re using GRUB2 on your system, you can boot the iso file directly through grub’s loopback ability. Change your BIOS settings accordingly.

2. Booting and choosing the correct keyboard layout

Boot the installation system and choose the default kernel at prompt. When all kernel modules are loaded you have the opportunity to change the keyboard layout to your needs (for german layout, type de or 10).

3. Configuring your network

Find out how your network adapters are called with ifconfig -a. To obtain an IP for the wired network link on eth0, type dhcpcd eth0. To show your IP just type ifconfig eth0 and look for inet addr. To continue the installation from another computer, start the sshd server with /etc/init.d/sshd start, set a password for root with the passwd command and connect from the other computer with ssh root@IP under Linux or use Putty under Windows.

4. Preparing your harddisk(s)

At this point you have more than one possibility on how to create your disk layout, so you should be really sure what you want. If you are not sure or don’t know how to split your disk, check out the handbook again and/or search Google. You have to decide in which order your different layers occur. It is possible to create one big (physical) LVM partition, configure the logical volumes and encrypt these individually. You can also create a standard partition, encrypt the whole partition and configure your logical volumes inside your secure container. Both setups have advantages and disadvantages. The first makes it quite easy to change your LVM layout and you can use different passwords for every mount point if you like. The second method has the advantage that other systems will only see one big encrypted partition and nothing else and you only need one password to decrypt the system (although this is also possible with the first setup).
In this setup we will create a small partition for /boot, a separate partition for swap and another one for the physical LVM. Maybe I will add one or two alternatives to this guide in the future, but for now I am going with the first method as I think it is the more difficult one to reproduce. Use fdisk or cfdisk to configure the harddisk(s) to your needs.

The partition table I chose for this howto

livecd ~ # fdisk -l /dev/sda
Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sda1 * 1 61 489951 83 Linux
/dev/sda2 62 183 979965 82 Linux swap / Solaris
/dev/sda3 184 2007 14651280 8e Linux LVM

5. Loading the necessary kernel modules

You need to load the necessary kernel modules for your algorithm and cipher. Use google to learn more about algorithms and ciphers.

livecd ~ # modprobe dm-mod dm-crypt sha256

6. Create and activate the LVM Setup

First we need to create the physical volume on /dev/sda3 and a volume group called vg1 with

livecd ~ # pvcreate /dev/sda3
livecd ~ # vgcreate vg1 /dev/sda3

Next we use lvcreate to create the individual logical volumes. This step is similar to the standard partitioning process, however, since we are creating logical volumes here, it is possible to change their size later again. The chosen layout here is just a demonstration of the general functionality. The name defined with the -n flag (-L is size) is just for you, so the name doesn’t have to match the later mountpoint.

livecd ~ # lvcreate -L7G -nroot vg1
livecd ~ # lvcreate -L3G -ntmp vg1
livecd ~ # lvcreate -L3G -nhome vg1

You can use the vgdisplay or vgs command to see the remaining disk space. Check your result with lvscan.

livecd ~ # lvscan
ACTIVE '/dev/vg1/root' [7.00 GiB] inherit
ACTIVE '/dev/vg1/tmp' [3.00 GiB] inherit
ACTIVE '/dev/vg1/home' [3.00 GiB] inherit

HINT:If you need to reboot, you can reactivate the LVM setup with lvchange -a y vg1 .

7. Encrypting

Next step is to encrypt the freshly generated volumes using this short loop (easily expandable if you want to create more containers).

livecd ~ # for i in root tmp home
> do
> cryptsetup -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/vg1/$i
> done

Confirm with YES and type in your password twice per volume.
Also encrypt the swap partition during the setup process.

livecd ~ # cryptsetup create -c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom swap /dev/sda2
livecd ~ # mkswap /dev/mapper/swap
livecd ~ # swapon /dev/mapper/swap

8. Open the containers and format with a filesystem

Next we open our containers and create a filesystem. The choice of the filesystem depends on your needs, see google or the gentoo handbook.

livecd ~ # for i in root tmp home
> do
> cryptsetup luksOpen /dev/vg1/$i crypt$i
> done

Put in the password for every volume.

livecd ~ # for i in root tmp home
> do
> mkfs.ext4 /dev/mapper/crypt$i
> done
livecd ~ # mkfs.ext2 /dev/sda1

Don’t forget to format the boot partition as well.

9. Create the mountpoints and mount your volumes

livecd ~ # mount /dev/mapper/cryptroot /mnt/gentoo/
livecd ~ # for i in boot tmp home
> do
> mkdir /mnt/gentoo/$i
> done
livecd ~ # mount /dev/sda1 /mnt/gentoo/boot/
livecd ~ # for i in tmp home
> do
> mount /dev/mapper/crypt$i /mnt/gentoo/$i
> done

10. Preparing the chroot

Before chrooting into the new installation directory we have to prepare a few things, e.g. setting the correct file permissions before changing the directory

livecd ~ # chmod 1777 /mnt/gentoo/tmp/
livecd ~ # cd /mnt/gentoo/

and setting the correct date.

livecd gentoo # date MMDDhhmmYYYY

Next download the needed installation files. Select the best mirror near you and download (press d in links) the latest stage3 and portage files as well as the .CONTENTS .DIGESTS and .md5sum files using links.

livecd gentoo # links http://www.gentoo.org/main/en/mirrors.xml

The latest stage3 file can be found under /releases/amd64/current-stage3/ (select the right folder for your architecture) and the latest portage snapshot via the symlink /snapshots/portage-latest.tar.bz2.

Verify your downloads with md5sum and extract them when there is no error.

livecd gentoo # md5sum -c stage3-amd64-20100617.tar.bz2.DIGESTS
livecd gentoo # md5sum -c portage-latest.tar.bz2.md5sum

livecd gentoo # tar xvjpf stage3-amd64-20100617.tar.bz2
livecd gentoo # tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr

Take a look at the wiki entry about CFLAGS and edit the make.conf to your needs. I use the Amd Athlon 64 64bit settings here.

livecd gentoo # nano /mnt/gentoo/etc/make.conf

CHOST="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CXXFLAGS="${CFLAGS}"

Select the nearest mirror

livecd gentoo # mirrorselect -i -o >> /mnt/gentoo/etc/make.conf
livecd gentoo # mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf

Copy the DNS information to your chroot and mount the needed devices

livecd gentoo # cp -L /etc/resolv.conf /mnt/gentoo/etc/
livecd gentoo # mount -t proc none /mnt/gentoo/proc
livecd gentoo # mount -o bind /dev /mnt/gentoo/dev

11. Chroot into your new environment

Change into your new root and sync and update your system.

livecd gentoo # chroot /mnt/gentoo/ /bin/bash

livecd / # env-update && source /etc/profile
livecd / # emerge --sync

12. Select a profile

Select the right profile for you using eselect

livecd / # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/10.0 *
[2] default/linux/amd64/10.0/desktop
[3] default/linux/amd64/10.0/desktop/gnome
[4] default/linux/amd64/10.0/desktop/kde
[5] default/linux/amd64/10.0/developer
[6] default/linux/amd64/10.0/no-multilib
[7] default/linux/amd64/10.0/server
[8] hardened/linux/amd64/10.0
[9] hardened/linux/amd64/10.0/no-multilib
[10] selinux/2007.0/amd64
[11] selinux/2007.0/amd64/hardened
[12] selinux/v2refpolicy/amd64
[13] selinux/v2refpolicy/amd64/desktop
[14] selinux/v2refpolicy/amd64/developer
[15] selinux/v2refpolicy/amd64/hardened
[16] selinux/v2refpolicy/amd64/server
livecd / # eselect profile set 2

13. Adjust make.conf

Adjust the make.conf file to your needs and set the needed USE flags, languages and devices

livecd / # nano /etc/make.conf
MAKEOPTS="-j2"

USE="3dnow 3dnowext a52 aac acl acpi alsa -amd64 apache2 -avahi
avi bluetooth -beagle cairo cdb cddb cdparanoia cdr cli cracklib
crypt css -cups daap dbus dga directfb dri dts dvb dvd dvdr dvdread -eds
-emboss encode -esd -evo exif fam ffmpeg flac ftp gdbm gif -gnome gstreamer gtk
hal -ipv6 -isdnlog -joystick -kde libnotify lirc lm_sensors mad mmx mmxext mp3
mpeg mysql ncurses nls ogg opengl pdf png -ppds -pppd qt3 qt3support quicktime samba sdl sse sse2
ssl svg tiff transcode unicode usb v4l vcd vorbis wma
X x264 xcomposite xine xml xorg xv xvid xvmc zlib"

LINGUAS="de en"

INPUT_DEVICES="keyboard mouse"
VIDEO_CARDS="vesa"

14. Configure your charsets

Define (uncomment) and generate the needed charsets incl. UTF-8 (german)

livecd / # nano /etc/locale.gen
en_US ISO-8859-1
en_US.UTF-8 UTF-8
de_DE ISO-8859-1
de_DE@euro ISO-8859-15
de_DE.UTF-8 UTF-8

livecd / # locale-gen

15. Setting the timezone

Find the right timezone for you and copy it

livecd / # ls /usr/share/zoneinfo/
livecd / # cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime

16. Installation of kernel sources and other needed packages

Install the kernel sources and other packages that are needed for your setup

livecd / # emerge -av gentoo-sources
livecd / # emerge -av genkernel cryptsetup lvm2

17. Compile your own kernel

The next step is one of the most important. Take care that you include everything in your kernel that you need for your hardware to work. Use genkernel to make life a little bit easier.

livecd / # cd /usr/src/linux
livecd linux # genkernel --no-clean --menuconfig --save-config --luks --lvm all

You can use the kernel configuration of the gentoo live cd as a basis for your own configuration. Just copy the config file before running genkernel.

livecd linux # zcat /proc/config.gz > /usr/share/genkernel/arch/x86_64/kernel-config

These are the most important kernel options to add for this guide. You might need others depending on the chosen cipher etc. Don’t forget to enable ext4 support if you need it.

Device Drivers --->
  Multi-device support (RAID and LVM) --->
    [*] Multiple devices driver support (RAID and LVM)
    < >   RAID support
    <*>   Device mapper support
    <*>     Crypt target support

File Systems --->
  <*> The Extended 4 (ext4) filesystem

Cryptographic API --->
  <*> SHA256 digest algorithm
  <*> AES cipher algorithms

I found a few postings on the net saying, that genkernel needs a valid /etc/fstab to build a correct initramfs. Do step 19 first to be 100% safe.

18. Kernel Modules

List the compiled kernel modules with

livecd linux # find /lib/modules/<kernel version>/ -type f \( -iname '*.o' -o -iname '*.ko' \) | less

and add them to your /etc/modules.autoload.d/kernel-2.6.

19. Edit the /etc/fstab

# <fs>                  <mountpoint>    <type>          <opts>          <dump/pass>
/dev/sda1               /boot           ext2            noauto,noatime  1 2
/dev/mapper/swap        none            swap            sw              0 0
/dev/mapper/cryptroot   /               ext4            noatime         0 0
/dev/mapper/crypthome   /home           ext4            noatime         0 1
/dev/mapper/crypttmp    /tmp            ext4            noatime         0 2
/dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
shm                     /dev/shm        tmpfs           nodev,nosuid,noexec     0 0

20. Basic system configuration

Setting a hostname

livecd / # nano /etc/conf.d/hostname

Setting the root password. Important: this password lives inside your chroot and is the one for your future system; the password you set at the beginning was only needed for ssh access to the box! If you don’t set it, you won’t be able to log in.

livecd / # passwd

System information like the default editor or window manager

livecd / # nano /etc/rc.conf

Change the keymap and timezone

livecd / # nano /etc/conf.d/keymaps
KEYMAP="de"

Setting the clock

livecd / # nano /etc/conf.d/clock
TIMEZONE="Europe/Berlin"

Installing some system tools (logger, filesystem tools etc.)

livecd / # emerge -av syslog-ng logrotate pciutils gentoolkit

Start the system logger at boot

livecd / # rc-update add syslog-ng default

Networking: Installing a dhcp client

livecd / # emerge -av dhcp

21. Installing the bootloader GRUB

Another really important part is the installation of a bootloader. Take care that you use the correct devices, partitions and paths – double check! If you want or need the features of GRUB 2 take a look at this page.

livecd / # emerge -av grub

Now you need to find out the exact file names for your kernel and initramfs and edit /boot/grub/grub.conf accordingly.

livecd / # ls /boot/initramfs* /boot/kernel*
-rw-r--r-- 1 root root 1814297 Jul 24 00:14 /boot/initramfs-genkernel-x86_64-2.6.34-gentoo-r1
-rw-r--r-- 1 root root 4261424 Jul 24 00:13 /boot/kernel-genkernel-x86_64-2.6.34-gentoo-r1

livecd / # nano /boot/grub/grub.conf

title Gentoo Linux 2.6.34-r1
root (hd0,0)
kernel /boot/kernel-genkernel-x86_64-2.6.34-gentoo-r1 root=/dev/ram0 crypt_root=/dev/vg1/root init=/linuxrc splash=silent dolvm
initrd /boot/initramfs-genkernel-x86_64-2.6.34-gentoo-r1

Creating /etc/mtab

livecd / # grep -v rootfs /proc/mounts > /etc/mtab

Installing GRUB

livecd / # grub-install --no-floppy /dev/sda

If this doesn’t work for you, try running grub manually

livecd / # grub
root (hd0,0)
setup (hd0)
quit

22. LVM configuration

The LVM process scans all connected drives for volumes. You can define a filter so that only the needed block devices are scanned.

livecd / # nano /etc/lvm/lvm.conf
filter = [ "a|/dev/sda|", "r/.*/" ]

23. LUKS/dm-crypt configuration

Next we edit /etc/conf.d/dmcrypt and define which encrypted containers should be opened and with which name. We will use a keyfile to decrypt the volumes.

livecd / # nano /etc/conf.d/dmcrypt

## swap
swap=swap
source='/dev/sda2'
options='-c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom'

## /home with keyfile
target=crypthome
source='/dev/mapper/vg1-home'
key='/root/hdpw'

## /tmp with keyfile
target=crypttmp
source='/dev/mapper/vg1-tmp'
key='/root/hdpw'

Generating the keyfile. This can take some time depending on the activities on your box.

livecd / # dd if=/dev/random of=/root/hdpw bs=1 count=512
livecd / # chmod 400 /root/hdpw

Adding the generated keyfile to the known and valid keys in the LUKS keyring. After this step you can open your containers either using the password defined in step 7 or this file.

livecd / # for i in home tmp
> do
> cryptsetup luksAddKey /dev/vg1/$i /root/hdpw
> done
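The keyfile steps above, as an added example that is not part of the original post: the post's dd runs under the default umask 022, so /root/hdpw is world-readable until the chmod, and nothing checks that the enrolled file really unlocks the volume. The script assumes the post's volumes /dev/vg1/home and /dev/vg1/tmp, cryptsetup from step 16, the keyfile path /root/hdpw, and uses /dev/urandom instead of /dev/random.

```shell
#!/bin/sh
# Added example, not from the original post: create the dmcrypt keyfile so it
# is never world-readable, then enrol it in the LUKS volumes and verify it.
# Assumed from the post: /dev/vg1/home and /dev/vg1/tmp (step 7), cryptsetup
# (step 16), keyfile /root/hdpw; /dev/urandom replaces the post's /dev/random.
set -eu

# make_keyfile PATH BYTES: the post's dd runs under umask 022, so /root/hdpw is
# 0644 until the chmod; here umask 077 makes it owner-only from the first byte.
make_keyfile() {
    path=$1; bytes=$2
    [ -e "$path" ] && { echo "refusing to overwrite $path" >&2; return 1; }
    ( umask 077 && dd if=/dev/urandom of="$path" bs=1 count="$bytes" 2>/dev/null )
    chmod 400 "$path"
    keyfile_ok "$path" "$bytes"
}

# keyfile_ok PATH BYTES: succeed only if the file is exactly BYTES long and has
# mode 0400 (find -perm without a leading - or / is an exact-mode match).
keyfile_ok() {
    path=$1; bytes=$2
    [ "$(wc -c < "$path")" -eq "$bytes" ] || return 1
    [ -n "$(find "$path" -perm 400 -print)" ] || return 1
}

# enroll_keyfile PATH DEV...: add the keyfile to each LUKS header (cryptsetup
# asks for the step 7 passphrase), then prove the file unlocks the volume
# without mapping it. Inspect the slots afterwards with cryptsetup luksDump.
enroll_keyfile() {
    path=$1; shift
    for dev in "$@"; do
        cryptsetup isLuks "$dev" || { echo "$dev: not a LUKS volume" >&2; return 1; }
        cryptsetup luksAddKey "$dev" "$path"
        cryptsetup luksOpen --test-passphrase --key-file "$path" "$dev"
        echo "$dev: keyfile accepted"
    done
}

# The real enrolment needs root and the block devices, so it only runs on request:
#   ENROLL_LUKS=yes sh enroll-keyfile.sh
if [ "${ENROLL_LUKS:-no}" = yes ]; then
    make_keyfile /root/hdpw 512
    enroll_keyfile /root/hdpw /dev/vg1/home /dev/vg1/tmp
fi
```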

24. Finish the installation and clean up

Delete the installation files.

livecd / # rm /stage3-* /portage-*

Exit the chroot and unmount all devices.

livecd / # exit
livecd gentoo # cd ..
livecd mnt # umount /mnt/gentoo/*
livecd mnt # umount /mnt/gentoo

Close the LUKS containers and deactivate your LVM.

livecd mnt # for i in home tmp root
> do
> cryptsetup luksClose crypt$i
> done

livecd mnt # lvchange -a n vg1

Restart and pray! :)

livecd mnt # shutdown -r now

25. Success!

Welcome to your new system. Log in with the username root and password set in step 20.

26. Some more basic configuration

Start the SSH daemon at boot.

gentoo ~ # rc-update add sshd default

Synchronize your portage tree and make an update.

gentoo ~ # emerge --sync
gentoo ~ # emerge -avDuN world
gentoo ~ # env-update && source /etc/profile

Install ntp to sync your system time on boot.

gentoo ~ # emerge -av ntp

gentoo ~ # nano /etc/conf.d/ntp-client
NTPCLIENT_OPTS="-s -b -u
0.de.pool.ntp.org 1.de.pool.ntp.org
2.de.pool.ntp.org 3.de.pool.ntp.org"

gentoo ~ # rc-update add ntp-client default

Clean your system and check for consistency and errors.

gentoo ~ # emerge --clean
gentoo ~ # revdep-rebuild

Opera Mini on Android also a Proxy-Browser

Today Marc Ruef released an article about Opera Mini on the iPhone and pointed out that all traffic is routed through Opera’s own proxy server. Opera isn’t allowed to use its own rendering engine on the iPhone because of Apple’s strict license. Opera Mini just provides another frontend for Apple’s Safari engine, while the rendering happens on Opera’s server.
Users of Opera Mini should be aware that all their traffic could be analysed and used for data mining.

A quick test reveals that the Android version of Opera Mini also uses Opera’s own server as a proxy.

t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/wp-content/themes/decoder/img/bg-meta.gif HTTP/1.1" 404 2400 "http://www.carrier-lost.org/blog/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"

Where t09-07.opera-mini.net is the proxy server.
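As an added example (not part of the original post), a small log filter that picks out requests arriving through Opera Mini's proxies, so whoever reads the log knows the logged host is Opera's server rather than the visitor. It assumes the combined log format shown above with the reverse-resolved remote host in the first field; the sample log is constructed, with two lines copied from the post and one direct visitor added.

```shell
#!/bin/sh
# Added example, not from the original post: pick out access-log requests that
# came in through Opera Mini's proxies, so whoever reads the log knows the
# remote host is Opera's server and not the visitor. Assumes the combined log
# format shown in the post, with the remote host (reverse-resolved) in field 1.
set -eu

# Constructed sample: the first two lines are the proxied hits from the post,
# the third a direct visitor (192.0.2.10, documentation range) running Opera.
SAMPLE_LOG='t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
192.0.2.10 - - [16/Apr/2010:13:30:02 +0200] "GET /blog/ HTTP/1.1" 200 3886 "-" "Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.5.22 Version/10.51"'

# opera_mini_hits: read log lines on stdin, print "<proxy host>\t<request>\t<ua>"
# for every request whose remote host is under opera-mini.net. The host is the
# trustworthy signal (reverse DNS of an address Opera owns); the user agent is
# only reported, since any client can claim to be Opera Mini.
opera_mini_hits() {
    awk '
        $1 ~ /\.opera-mini\.net$/ {
            match($0, /"[^"]*"/)            # first quoted field: request line
            req = substr($0, RSTART + 1, RLENGTH - 2)
            ua = ($0 ~ /Opera Mini\//) ? "ua=opera-mini" : "ua=other"
            printf "%s\t%s\t%s\n", $1, req, ua
        }'
}

# proxy_share: print "<proxied> <total>" for the lines on stdin, i.e. how much
# of the traffic carries a masked client address.
proxy_share() {
    data=$(cat)
    total=$(printf '%s\n' "$data" | wc -l)
    proxied=$(printf '%s\n' "$data" | opera_mini_hits | wc -l)
    echo "$((proxied)) $((total))"
}

printf '%s\n' "$SAMPLE_LOG" | opera_mini_hits
printf '%s\n' "$SAMPLE_LOG" | proxy_share
```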