GPG File/Folder Encryption

GPG (GnuPG) is a free, open-source implementation of the OpenPGP standard. One of its uses is encrypting files with a passphrase. Most of us use file-hosting services like Dropbox, and some of us keep confidential things in there like passwords, 2FA recovery keys, or credit card details. I won't argue that this is a bad idea, since it's pretty convenient, but only if the files are properly protected: the hosting provider, and anyone who gets into the account, can read whatever is stored there in the clear.

The example below encrypts a folder. Since gpg encrypts a single file (or stream) at a time, we archive the folder with tar and pipe it into gpg. Decryption goes in reverse order: decrypt, then extract. To encrypt a single file, drop the tar side of the pipe and pass the file to gpg directly.

Encryption:
tar -cz 2FA/ | gpg --cipher-algo AES256 --s2k-digest-algo SHA512 --compression-algo BZIP2 -co encrypted_file
Decryption:
gpg -d encrypted_file | tar -zx

Explanation of options:

  • Use --symmetric (-c) to encrypt a file with a passphrase. Symmetric here means the same passphrase is used for both encryption and decryption, so the file is exactly as strong as that passphrase.
  • Use --output (-o) to specify the output file.
  • Use --compression-algo to specify the compression algorithm gpg applies before encrypting. In the command above tar -cz has already gzipped the stream, so the bzip2 pass gains nothing; drop -z from tar or use --compression-algo none.
  • Use --cipher-algo to specify the symmetric cipher algorithm used to actually encrypt the data (AES256 here).
  • Use --s2k-digest-algo to specify the digest algorithm used to derive the key from the passphrase (string-to-key, S2K). Together with --s2k-mode 3 (salted and iterated, the default) and --s2k-count it sets how expensive each passphrase guess is, so raise --s2k-count if the file will sit somewhere an attacker can copy it from.
  • Use --decrypt (-d) to decrypt an encrypted file. The cipher, digest and compression are recorded in the file, so decryption needs no algorithm options.

To get a list of supported algorithms, use gpg --version.
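
The block below is an added example (the editor's, not the post's commands): the same tar | gpg pipeline made non-interactive so it can run from a script, with a round-trip check, and a packet dump so you can confirm which cipher and S2K parameters the file actually carries. It assumes gpg 2.1 or newer and a passphrase kept in a file only you can read; the folder contents, passphrase and file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (editor's, not the post author's commands): the post's tar | gpg
# pipeline made non-interactive, with a round-trip check and a packet inspection.
# Assumes gpg 2.1 or newer and a passphrase stored in a file only you can read.
set -o pipefail    # a failing gpg must fail the pipeline, not hide behind tar

# encrypt_dir <dir> <passphrase-file> <out.gpg>
# tar is run without -z: gpg compresses the stream itself, so gzip + bzip2 (as in the
# post's command) only burns CPU. zlib is used here because it is always compiled in.
encrypt_dir() {
    local dir=$1 pass=$2 out=$3
    tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" |
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$pass" \
        --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 \
        --s2k-mode 3 --s2k-count 65011712 --compress-algo zlib \
        --output "$out"
}

# decrypt_dir <in.gpg> <passphrase-file> <dest-dir>
# The algorithms are recorded in the file, so no algorithm flags are needed here.
decrypt_dir() {
    local in=$1 pass=$2 dest=$3
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$pass" \
        --decrypt "$in" | tar -C "$dest" -xf -
}

# symkey_params <in.gpg> <passphrase-file>
# Prints the symmetric-key packet line, e.g.
#   :symkey enc packet: version 4, cipher 9, s2k 3, hash 10
# cipher 9 = AES256, s2k 3 = salted+iterated, hash 10 = SHA512.
symkey_params() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$2" \
        --list-packets "$1" 2>/dev/null | grep 'symkey enc packet'
}

# roundtrip_check: encrypt a constructed sample folder, decrypt it elsewhere and
# compare. Uses a throwaway GNUPGHOME so your real keyring and agent are untouched.
# Returns 0 on success.
roundtrip_check() {
    local work rc
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    mkdir "$work/2FA" "$work/out"
    printf 'github: 1234-5678\n' > "$work/2FA/recovery.txt"   # constructed sample
    printf 'correct horse battery staple\n' > "$work/pass"      # constructed passphrase
    chmod 600 "$work/pass"
    encrypt_dir "$work/2FA" "$work/pass" "$work/2FA.tar.gpg" &&
    decrypt_dir "$work/2FA.tar.gpg" "$work/pass" "$work/out" &&
    cmp -s "$work/2FA/recovery.txt" "$work/out/2FA/recovery.txt"
    rc=$?
    [ $rc -eq 0 ] && symkey_params "$work/2FA.tar.gpg" "$work/pass"
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return $rc
}

if command -v gpg >/dev/null 2>&1; then
    roundtrip_check && echo "round trip OK"
fi
```

The packet line printed by symkey_params is the check worth keeping: it is read from the ciphertext, so it tells you what gpg really used rather than what you asked for, and a "cipher 9 ... hash 10" line is what the options above should produce.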


OpenWRT and PPTP Pass Through

I wanted to set up a router for VPN: use the WAN port to connect it to my main router for internet access (DHCP), and then have the router connect over PPTP to a VPN server. For some reason I had trouble getting the firewall on my main router to handle it properly. I ended up installing this package, and it worked like a charm:

opkg install kmod-nf-nathelper-extra

The package provides the kernel connection-tracking and NAT helpers for PPTP and GRE (among others). PPTP runs a TCP control connection on port 1723 and carries the actual traffic in a separate GRE tunnel, and without the helper a NAT firewall cannot associate the GRE packets with the session and drops them. Keep in mind that PPTP itself is not a secure VPN: its MS-CHAPv2 authentication and MPPE encryption are considered broken, so treat it as transport rather than as confidentiality.

Source: http://wiki.openwrt.org/doc/howto/vpn.nat.pptp


Upgrade all OpenWRT packages with a single line command

opkg list-upgradable | awk -F ' - ' '{print $1}' | xargs opkg upgrade
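
As an added example (the editor's, not the post's one-liner), the pipeline below is split into a step that only lists the upgradable package names, so the list can be reviewed first, and a step that upgrades them, guarded so that an empty list never runs a bare opkg upgrade. The review step matters on OpenWrt, whose documentation discourages blanket upgrades: kernel modules are tied to the exact kernel build and flash space is tight, so an unreviewed upgrade can leave the device broken. The sample opkg output is constructed for the demo.

```shell
#!/bin/sh
# Added example (editor's, not the post's one-liner): list first, then upgrade.

# upgradable_names: read "opkg list-upgradable" output on stdin and print only the
# package names. Each line looks like "<name> - <installed> - <available>"; anything
# that does not have exactly three such fields (warnings, "Collected errors:") is dropped.
upgradable_names() {
    awk -F ' - ' 'NF == 3 && $1 !~ /[[:space:]]/ { print $1 }'
}

# upgrade_listed [-n]: upgrade whatever opkg reports as upgradable. With -n only print
# the names. When the list is empty nothing is run, so xargs never invokes a bare
# "opkg upgrade".
upgrade_listed() {
    names=$(opkg list-upgradable | upgradable_names)
    if [ -z "$names" ]; then
        echo "nothing to upgrade"
        return 0
    fi
    if [ "$1" = "-n" ]; then
        printf '%s\n' "$names"
        return 0
    fi
    printf '%s\n' "$names" | xargs opkg upgrade
}

# Demo on constructed opkg output (the real command is only run where opkg exists).
printf 'dropbear - 2019.78-2 - 2019.78-3\nCollected errors:\n' | upgradable_names
if command -v opkg >/dev/null 2>&1; then
    upgrade_listed -n
fi
```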


vpnc ssh problem

Crazy story. Had SSH working over VPN (Cisco, vpnc client, Ubuntu). After a while it just stopped. My employer didn't change their VPN setup; it just stopped working. We checked logs, tried all kinds of stuff, nothing. Then one day it started working again, but stopped a few hours later, so my guess is that I was connected to a different WiFi. Tried mobile hotspot using 3G, all fine. I started to blame my router, tried to set up some forwarding, still nothing. Then I went on to check with my ISP, considering I have a custom router and all the routers it was working on were their "official" routers. No luck, which isn't a surprise, considering the usual ISP customer support. And then I ended up at these two topics:

http://stackoverflow.com/questions/25341773/cisco-ssh-key-exchange-fails-from-ubuntu-14-04-client-dh-key-range-mismatch
http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer

So what made it work for me is:

ssh -v -o KexAlgorithms=diffie-hellman-group14-sha1 -c aes256-ctr me@some.server

Drove me nuts, since the same machine works with a different internet connection. I have no idea how the key exchange algorithm and the cipher specification make it work, and I still don't know the exact culprit, but my guess is it's either the router or the ISP. My machine receives messages from the SSH server (when I run it without -o and -c), and then just times out on debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP.


Partitioning your Linux installation

When I bought my first SSD there was talk about setting it up in Linux so it would last longer. Nowadays that doesn't make much sense, but back then it made me "properly" partition my Ubuntu install, and I've been doing it ever since.

Here’s my fstab:

You can use

lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL,UUID

to get a list of disks and UUIDs.

I mount all of the disks with noatime, which tells the kernel not to update file access times on every read. noatime implies nodiratime, which is the same thing for directories.

I mount the SSDs with the discard option. This enables continuous TRIM: when files are deleted, the filesystem tells the SSD which blocks are free, so the drive's garbage collection can erase them before they are needed again. Make sure your SSD supports it (lsblk --discard shows non-zero DISC-GRAN and DISC-MAX for devices that do). On many setups a periodic fstrim (for example via fstrim.timer) is preferred over continuous discard, which costs performance on some drives.

I mount /tmp and /var/tmp on tmpfs, a temporary file system that lives in memory (and swap) and is cleared on reboot. Note that, unlike /tmp, /var/tmp is expected to survive reboots (the FHS says so), so programs that keep state there will lose it. Tried doing this with /var/log, but since it's cleared you need to set up the logging, or create the folders yourself, or change the permissions.

I keep /var/log and /var/www on an HDD: tons of small files, and a lot of accesses by the web server.

All of my code is in /home/user/Workspace. I don't like mounting /home/user/ separately: it holds a lot of configuration that I like to dump on new installs, while the code I've been working on is what I want to keep, so only that folder needs to survive a reinstall.

To be honest, with new SSDs you don't have to do any of this. I have a laptop with only an SSD, and it works perfectly with discard,noatime.
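
The post's own fstab is not on the page, so the block below is an added, constructed example (the editor's, not the author's file) in the layout described: root and /home on an SSD with noatime,discard, /var/log and /var/www on an HDD, /tmp and /var/tmp on tmpfs. The UUIDs are placeholders, not real devices. It comes with a small audit function that flags entries missing the options this layout relies on (noatime on every on-disk filesystem), plus nosuid, nodev and a size cap on the tmpfs mounts, which a /tmp on tmpfs should carry so that it cannot be used to run setuid binaries or device nodes and cannot eat all of RAM. Two lines in the sample are deliberately weak so the audit has something to report; whether discard is appropriate is per-device, so that is left to lsblk --discard.

```shell
#!/bin/sh
# Added example (editor's; the post's own fstab is not on the page). SAMPLE_FSTAB is a
# constructed fstab in the layout the post describes; the UUIDs are placeholders.
# audit_fstab prints one line per entry missing an option this layout relies on:
#   - every on-disk filesystem: noatime (the post mounts all disks with it)
#   - every tmpfs: nosuid, nodev and a size= cap
# /var/www (defaults) and /var/tmp (no nosuid,nodev) are the deliberately weak lines.

SAMPLE_FSTAB='
# <file system>                            <mount>   <type>  <options>                          <dump> <pass>
UUID=11111111-1111-1111-1111-111111111111  /         ext4    noatime,discard,errors=remount-ro  0      1
UUID=22222222-2222-2222-2222-222222222222  /home     ext4    noatime,discard                    0      2
UUID=33333333-3333-3333-3333-333333333333  /var/log  ext4    noatime                            0      2
UUID=44444444-4444-4444-4444-444444444444  /var/www  ext4    defaults                           0      2
tmpfs                                      /tmp      tmpfs   nosuid,nodev,noatime,size=2G       0      0
tmpfs                                      /var/tmp  tmpfs   noatime,size=1G                    0      0
'

# audit_fstab <fstab-file>: print "<mount>: missing <opt>[,<opt>]" for each weak entry.
audit_fstab() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }            # comments and blank lines
    {
        mnt = $2; type = $3
        split("", have); n = split($4, opt, ",")
        for (i = 1; i <= n; i++) have[opt[i]] = 1
        missing = ""
        if (type == "tmpfs") {
            if (!("nosuid" in have)) missing = missing ",nosuid"
            if (!("nodev" in have))  missing = missing ",nodev"
            sized = 0
            for (k in have) if (k ~ /^size=/) sized = 1
            if (!sized) missing = missing ",size="
        } else if (type != "swap") {
            if (!("noatime" in have)) missing = missing ",noatime"
        }
        if (missing != "") printf "%s: missing %s\n", mnt, substr(missing, 2)
    }' "$1"
}

# write_sample <path>: write the constructed fstab to a file for the demo.
write_sample() { printf '%s\n' "$SAMPLE_FSTAB" > "$1"; }

# Demo: audit the sample, then the live /etc/fstab if there is one.
sample=$(mktemp)
write_sample "$sample"
audit_fstab "$sample"
rm -f "$sample"
if [ -r /etc/fstab ]; then audit_fstab /etc/fstab; fi
```

Run against the sample it reports /var/www (missing noatime) and /var/tmp (missing nosuid,nodev); run against a live /etc/fstab it is a quick way to see which mounts drifted from the intended options.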
