Wednesday, July 25, 2018

Encrypting ZFS drives on Linux using LUKS

This isn't really relevant to iPhones but then again neither was my last post on Kindle Fire sticks.  Today we're going to replace a failing hard drive in a ZFS pool, but this time the disk will be encrypted underneath ZFS, using LUKS.  I should have done this when I created the pool in the first place but I didn't know LUKS well enough back then.  With a couple years of ZFS-on-LUKS backup experience under my belt now I'm much more confident, so all new disks are getting this treatment, so that if I ever have to send a disk to the manufacturer for a warranty claim I won't worry about any of my data being exposed.  The rest of my HDDs are out of warranty anyway so there's no need to go back and redo them.

Note the prompt.  Most of this has to be done as root (the '#' prompt) but where root isn't necessary I'm doing it as a normal user (the '$' prompt).

Frankly this is as much for my own reference as for anyone else, so if what I've said above is gibberish feel free to skip this post and wait for my next one.  Ready? Here comes the geekery...

  1. Run parted and create a new disklabel.  
    1. parted /dev/sdX (where 'X'... aww, hell, if I have to explain that you shouldn't be here)
    2. # parted /dev/sdh
      GNU Parted 3.2
      Using /dev/sdh
      Welcome to GNU Parted! Type 'help' to view a list of commands.
      (parted) p                                                                
      Error: /dev/sdh: unrecognised disk label
      Model: US HDD Docking (scsi)                                              
      Disk /dev/sdh: 4001GB
      Sector size (logical/physical): 512B/512B
      Partition Table: unknown
      Disk Flags: 
      (parted) mklabel gpt
      (parted) p                                                                
      Model: US HDD Docking (scsi)
      Disk /dev/sdh: 4001GB
      Sector size (logical/physical): 512B/512B
      Partition Table: gpt
      Disk Flags: 

      Number  Start  End  Size  File system  Name  Flags

      (parted)

  2. Create a partition on the disk starting at 1049kB. Why there? You want to leave a little bit of space for slight variances in makes and models of disk.  You can leave a bigger buffer, maybe even 1GB, but from what I've seen and read 1MB is enough.  Also, I name the partition after the manufacturer, model and serial number.  e.g: zraid-HGST_HUS696969ALAC64_PASTASTFU.
    1. (parted) mkpart zraid-HGST_HUS696969ALAC64_PASTASTFU 1049kb 100%
      Warning: failed to translate partition name
      (parted) p                                                                
      Model: US HDD Docking (scsi)
      Disk /dev/sdh: 4001GB
      Sector size (logical/physical): 512B/512B
      Partition Table: gpt
      Disk Flags: 

      Number  Start   End     Size    File system  Name                                       Flags
       1      1049kB  4001GB  4001GB               zraid-HGST_HUS696969ALAC64_PASTASTFU
      (parted)

  3. Generate an encryption key for LUKS and format your new partition with it. I'm using the same key for all of my z-RAID disks but you can use different ones if you want.  I figure if someone gets a hold of one of my keys they'll get all of them so why overly complicate things?  Make sure you save this key somewhere other than on the system in question.  Got a password keeper?  Good, put it there.  (If not, why not?!)  Or wrap it in an encrypted zip file, PGP it, etc and put it somewhere you trust and won't forget.  Have faith in a cloud vendor?   Well, you're a braver soul than I, but you can use that.  I keep meaning to look into something like tarsnap.  Suggestions?
    1. # dd if=/dev/urandom of=/root/your.key bs=1k count=64
      # chmod 600 /root/your.key

    2. # cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/disk/by-id/ata-HGST_HUS696969ALAC64_PASTASTFU-part1 /root/your.key
      WARNING!
      ========
      This will overwrite data on /dev/disk/by-id/ata-HGST_HUS696969ALAC64_PASTASTFU-part1 irrevocably.

      Are you sure? (Type uppercase yes): YES

  4. Find the UUID for your new partition in /dev/disk/by-uuid, then use that to open it.  You could open it by its ID but you'll need the UUID for /etc/crypttab, so it's better to verify everything works this way.  The last parameter is what will appear in /dev/mapper and how ZFS will identify it.  That doesn't have to match the partition label but self-documentation can be a sanity saver.
    1. $ ls -l /dev/disk/by-uuid | grep sdh1
      lrwxrwxrwx 1 root root 10 Jul 25 19:43 aa173e06-8675-309-abbababba -> ../../sdh1

    2. # cryptsetup open --type luks /dev/disk/by-uuid/aa173e06-8675-309-abbababba --key-file /root/your.key zraid-HGST_HUS696969ALAC64_PASTASTFU

    3. $ ls -l /dev/mapper
      total 0
      crw------- 1 root root 10, 236 Jul 25 00:50 control
      lrwxrwxrwx 1 root root       7 Jul 25 19:49 zraid-HGST_HUS696969ALAC64_PASTASTFU -> ../dm-0
  5. Update /etc/crypttab so that the volume is unlocked at boot time:
    1. $ cat /etc/crypttab
      zraid-HGST_HUS696969ALAC64_PASTASTFU UUID=aa173e06-8675-309-abbababba /root/your.key luks
      $

  6. Replace the old (failing, unencrypted, small, whatever) disk with the new one, using the new disk's encrypted volume, which is now open in /dev/mapper.  'ashift=12' tells ZFS to use 4K sectors instead of 512-byte ones, since most disks still lie about their sector size.
    1. # zpool replace -o ashift=12 tank ata-ST3000DM001-1ER169_BADHDD-part1 /dev/mapper/zraid-HGST_HUS696969ALAC64_PASTASTFU
      #
  7. Monitor progress as a user other than root.  My old disk is failing hard and fast so resilvering is glacial.  I don't mind if it takes a few days, but at the current clip it's looking more like three months.  If that doesn't improve soon I'll fail the old disk manually and let ZFS rebuild the data from parity.  It's a RAID-Z2 so as long as I don't lose two more disks before recon completes my data is safe.
    1. $ zpool status
        pool: tank
       state: ONLINE
      status: One or more devices is currently being resilvered.  The pool will
              continue to function, possibly in a degraded state.
      action: Wait for the resilver to complete.
        scan: resilver in progress since Wed Jul 25 20:13:03 2018
          27.8M scanned out of 9.15T at 241K/s, (scan is slow, no estimated time)
          3.32M resilvered, 0.00% done
      config:

              NAME                                             STATE     READ WRITE CKSUM
              tank                                             ONLINE       0     0     0
                raidz2-0                                       ONLINE       0     0     0
                  ata-ST3000DM001-NEXT_DEADDISK3E              ONLINE       0     0     0
                  ata-TOSHIBA_MADCOWA400_YYZRGBBLAHA           ONLINE       0     0     0
                  zraid-HGST_HDN23455VALE614_HVYMETAL          ONLINE       0     0     0
                  ata-ST4000VN000-2AH302_NEWSGHDD              ONLINE       0     0     0
                  replacing-4                                  ONLINE       0     0     0
                    ata-ST3000DM001-1ER169_BADHDD-part1        ONLINE       0     0     4
                    zraid-HGST_HUS696969ALAC64_PASTASTFU       ONLINE       0     0     0  (resilvering)
              logs
                mirror-1                                       ONLINE       0     0     0
                  ata-OCZ-AGILITY4_OCZ-ZIPPYZIPPYBOOTUP-part4  ONLINE       0     0     0
                  wwn-0x255c302351400460-part4                 ONLINE       0     0     0
              cache
                ata-OCZ-AGILITY4_OCZ-ZIPPYZIPPYBOOTUP-part3    ONLINE       0     0     0
                ata-ST240HM000-1G5152_SGTSSDOK-part3           ONLINE       0     0     0
      $
  8. Celebrate!
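One check worth running after step 5 and before the first reboot, as an added example that is not part of the original post: a small POSIX shell script that validates each /etc/crypttab entry (four fields, a UUID= source rather than a /dev/sdX name, the luks option, and a key file with the 0600 mode from step 3). The script and function names are my own; the entry it is exercised with is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the /etc/crypttab entries
# from step 5 before rebooting. Each entry must have four fields, reference the LUKS
# volume by UUID= (not /dev/sdX, which can renumber), carry the "luks" option, and
# point at a key file that exists with the 0600 mode set in step 3.
# Usage: sh check-crypttab.sh /etc/crypttab   (script and function names are mine)

check_keyfile() {
    kf="$1"
    [ -f "$kf" ] || { echo "$kf: key file missing" >&2; return 1; }
    mode=$(stat -c '%a' "$kf")                  # GNU stat; BSD needs 'stat -f %Lp'
    [ "$mode" = "600" ] || { echo "$kf: mode $mode, want 600" >&2; return 1; }
    return 0
}

check_crypttab_line() {
    # $1 is one crypttab line: <mapper name> <source> <key file> <options>
    set -- $1
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#: $*" >&2; return 1; }
    name=$1; src=$2; keyfile=$3; opts=$4
    case "$src" in
        UUID=?*) ;;
        *) echo "$name: source '$src' should be UUID=..., device names can move" >&2; return 1 ;;
    esac
    case ",$opts," in
        *,luks,*) ;;
        *) echo "$name: options '$opts' lack 'luks'" >&2; return 1 ;;
    esac
    check_keyfile "$keyfile"
}

check_crypttab_file() {
    # Returns 0 only if every non-comment, non-blank line passes; reports each failure.
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        check_crypttab_line "$line" || rc=1
    done < "$1"
    return $rc
}

if [ $# -gt 0 ]; then
    check_crypttab_file "$1"
fi
```

It only checks the file's shape and the key file's mode; on the real box you would still confirm the UUID it names is the one cryptsetup reports for the partition.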

Tuesday, April 10, 2018

Teaching your Kindle Fire Stick or Kindle Fire TV new tricks

[Interested in the quick-start program? Jump to the bottom.]

Disclaimer: DO NOT use this to watch illegal content.  Only watch things you're licensed to watch.

As of today, April 10, 2017, Amazon is selling the standard Kindle Fire Stick for $30 and its big brother, the 4k-compatible Kindle Fire TV, for $50.  Those are the best prices I've seen on these clever, little devices so if you've been considering one for a while now is a good time to commit.

"But Jason, I already have a smart TV, why do I need another device with another remote for my already-crowded table?"

Good question, inquisitive one.  First of all, it's cheap, light, simple and portable.  I have one in my travel bag so when I'm out of town I can plug it into the hotel TV and watch what I want, not the limited and/or expensive options the hotel offers.  I can't remember the last time I saw a hotel TV without an open HDMI port and if you can tolerate slow wifi this blog is likely to bore you to tears.  It'll do all of the usual smart TV stuff in one spot: Amazon Prime Video, HBO, Netflix, Hulu, CBS All Access, etc. But much better than that you can install applications like Kodi, which makes it easy to access a media server - Plex, for example.

"But Jason, I'm not a mega-nerd like you are, so I don't have Plex or any other media server!"

Ok, but isn't that part of the reason you're here?  That reminds me: must write a blog post on building a simple media server with that old computer sitting in your closet.  (spoiler alert: FreeNAS).  Then again, even with a full-on media server you'll still only have access to the content on that media server.   (well, no - FreeNAS has plug-ins too, so keep an eye on the blog for info there.)  What if you want access to pretty much everything you can think of?  For that, you install an add-on to Kodi, like Covenant or Neptune Rising, after which you can watch almost anything: current TV shows, old TV shows, new movies, old movies.  I use Covenant and Neptune Rising.  Occasionally they're spotty so this gives you a backup when one decides to be difficult.  If you know of others please post a comment or email me!

"But Jason, isn't that complex and nerdy?  Do you have to, you know, type stuff?"

Yes, but only a little, and it's easy enough that you can do it.  Yes, you.  Seriously.  I know someone who did it without help and if that person can - ANYONE can.  Rather than writing instructions from scratch then keeping them up to date, here are some of the better ones I've found.

Step 1: Install Kodi.
Step 2: Install Neptune Rising, Covenant, or similar.

Optional but highly recommended: Get a VPN service.  That's out of scope for this post but if you're interested, let me know and I'll do one of these walk-throughs.  I did find this post on installing the VPN client directly on Fire TV but I haven't tried it myself so YMMV.

Usage is pretty simple so all I can add is be patient.  It can take several minutes to start playing but it's worth it.  

Friday, January 19, 2018

Buying Your First Bits of Cryptocurrency

Pardon our dust, we're expanding!

Since I haven't really used this for iPhone/iPad/iPod stuff lately I figured I'd expand a bit further.  Why? Why not!

So, what first?

I've been playing with Cryptocurrency since 2013, back when the mention of it brought blank stares, rolled eyes, expressions of my suckerdom or statements about how it's only useful for buying drugs, and worse, on the dark web.  Fast forward to now and Bitcoin, Litecoin, Ether, Ripple, etc are all over the news and those who laughed and scoffed now come loaded with questions.  Rather than sending that same email yet again I'll do a nicer job (I hope) and send some traffic here.  Ready? Ok.

There are enough good explanations of what cryptocurrency is (and isn't) online so rather than writing another I'll find one and link it here later if there's any interest.  Instead, let's talk about how you can get involved.

WARNING

Nothing I say here should be construed as financial suggestions, recommendations or solicitations to spend your money.  Cryptocurrency is wildly speculative and while it's been going up a lot lately it has a history of collapsing and losing up to 75% of its peak value.  Look at late 2013/early 2014 when $1200 Bitcoins dropped to $350 in a few weeks.  IF you choose to put money in, make sure it's money you can afford to lose.  DO NOT spend the rent,  your retirement, your kid's college fund, your other kid's piggy bank, etc.  You could make money.  You could also lose it all.  I'm absolutely serious.

Getting started

Watching it all

I highly recommend the iOS app Crypto Pro for watching the space and the 1400+ (as of Jan 19, 2018) cryptocurrencies out there.  It's only $5, easy to use and packed with information including a great news feed.  Oh, and the developer is one of the nicest people I've met by logging a suggestion for an app.  It also has an Apple Watch app if you're of the wearable persuasion.  You can also create a portfolio of your holdings so you can see, at a glance, how much you've made or lost.   Free apps?  I've looked at, but haven't extensively tried, a few so if you use any of these leave feedback with your thoughts.  On iOS: HODL, Blockfolio, Coin Ticker, and if you want a real-time view of how prices change there's CoinCap (bonus points for the Minecraftiness).  I've used the Android apps even less so please let me know what you like. These seem to be good starting points: Cryptonator, BlockfolioCryptoCurrency Bitcoin Altcoin Price, CoinMarketApp.

Turning dollars into bits

The first thing you'll need is a way to exchange dollars for cryptocurrency.  The easiest way to do that is to register an account at Coinbase.com and download their mobile app for iOS or Android.  Complete the application process, link a checking account and/or credit card, then you'll be ready to buy Bitcoin (BTC), Litecoin (LTC), Ether (ETH), and Bitcoin Cash (BCH) with dollars (USD).  That Coinbase link, by the way, is my referral link and if you sign up we both get $10.  You're free to skip it if that makes you uncomfortable.

A few notes:

  • It takes about a week to move dollars to Coinbase.
  • If you buy Bitcoin or other currency with money pulled from a credit card or checking account you'll pay the price at the moment you confirm the purchase but those coins won't arrive in your Coinbase account for a week.  
  • You can transfer money from credit/checking to Coinbase and leave it there for a future purchase.  If you use that money you also pay the price the moment you confirm but you get the coins in a few minutes.  
  • If you're buying for the long-term that delay shouldn't matter but if you want to be able to buy other cryptocurrencies (see below) on short-notice you'll want to have some cash waiting for you.

Picking your first purchase

Coinbase allows you to buy four different coins with USD, so which should you buy? It depends on your goals.  If you think one will appreciate faster than the others you should clearly buy that one.  There's a ton of information online about each coin's history, purpose, features, usability, etc so I won't go into too much detail here.  If your goal is to buy another cryptocurrency the best choices are Bitcoin and Ether since they're the most commonly-accepted coins on other exchanges.  Ether's network is less crowded so transactions are generally faster and the transaction fees are lower, so that's what I would do, though the choice is yours, of course.

Timing your first purchase

So, how do you know the best time to buy?  I'll make this easy: you don't.  You won't.  Don't try to time the market, especially if you're new.  I've known people (me? no, not me. of course not. *cough cough*) who will watch the second-by-second ups and downs, trying to hit the perfect low point.  First of all, unless you're buying a LOT of this stuff, it's likely to only save you a few dollars, at best. Second, don't be concerned with pennies or even a few dollars especially if this is for the long haul.  If you're comfortable buying 1 Ether at $1026 it shouldn't bother you if you actually get it at $1029.  That's less than 3/1000 of the total cost - it's like spending an extra 1.5 cents on a cup of coffee.  

Enjoying your first purchase

Watch your mailbox for the notice from Coinbase that your coins are available in your account (also called your wallet).  Bask in the glory of having joined the digital currency economy.  I've been saying for a while that cryptocurrency is now where email was in around 1992: Those who use it love it, everyone else rolls their eyes and 10 years later it changes the world.  You're now a part of that.

What next?

In my next post I'll tell you how to use that newly-bought BTC or ETH to buy other cryptocurrencies.  Stay tuned!