the itjerk

my adventures with technology

encrypting a drive

I recently had two colleagues pass away at work over the same weekend; one expectedly, the other unexpectedly. Tasked to retrieve/secure/archive their computers, it got me thinking about all the enduring digitalia we leave behind. As with everything on a computer, some of it could be work-related and some of it could be personal. But the fact of the matter is that it is there.

Foremost, the importance of having a valid and accessible Will cannot be overstated. Even more so, have your passwords readily available or not – the choice is yours, but should you choose the former, make it easy on those that you leave behind. Work data can be accessed far more easily than personal data; there are admins. Personal data, of course, is up to the person. What are you leaving on your work computer? Personal computer? Cloud storage? Maybe you don’t give a fuck because you’re dead. I don’t know. But it got me thinking… I’ve got multiple computers, drives, websites, social media accounts, etc. and what will become of all that when I die? Circling back, all of it can be addressed in a Will.

Encryption should be standard practice in 2023. BitLocker, FileVault and LUKS are easy to set up and use. If you know the password, you’re in; if you don’t, you’re out. Now say you have some digital files that you want to die with you. The best way to deal with that is to delete them before you go. The next best way is to put them on an encrypted drive and throw away the key.

Linux systems use the cryptsetup command to implement Linux Unified Key Setup (LUKS). Here are the steps I took to install and encrypt a drive in my Linux box.

After installing a new drive in my computer, I booted up but got an error. Ugh. It wasn’t initialized. From the error console, I quickly did the following:

lsblk

NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda           8:0    0   1.8T  0 disk 
sdb           8:16   0   3.6T  0 disk /mnt/data
nvme0n1     259:0    0 238.5G  0 disk 
├─nvme0n1p1 259:1    0   512M  0 part /boot/efi
└─nvme0n1p2 259:2    0   238G  0 part /

Great! There’s the new 1.8TB drive on /dev/sda. Now let’s get a file system on it so we can reboot and not see errors:

sudo mkfs -t ext4 /dev/sda

You could do this with fdisk (which might be better) and also edit /etc/fstab to get the drive to mount, but the idea behind an encrypted drive is to access it only on demand. Without intervention, it should be a paperweight.

I installed cryptsetup using:

sudo apt install cryptsetup-bin

To create an entire encrypted drive, I ran the following commands. Foremost, re-verify that your drive still has the same device name. Then create a LUKS container on the device and open it as a mapping; I’ll call mine “cryptpart”. You’ll get a warning about erasing everything that’s on the drive, but that’s fine in my case. Be sure to check cryptsetup’s man page for more options. Then enter your passphrase twice, and never forget it and never write it down. The next step is to create a filesystem inside the opened LUKS container or it won’t mount. Use the -L option for the label name. Finally, create a mount point; mine is in /mnt, but you could also make one in /media. Be sure to give it appropriate ownership for access after creating (the ownership that counts is that of the mounted filesystem’s root directory, so repeat the chown once the drive is mounted).

lsblk
sudo cryptsetup luksFormat /dev/sda
sudo cryptsetup luksOpen /dev/sda cryptpart
sudo mkfs.ext4 -L <label> /dev/mapper/cryptpart

sudo mkdir /mnt/here
sudo chown user:group /mnt/here

That’s it, you’ve created the encrypted drive. Now let’s mount it, and then unmount it:

sudo cryptsetup luksOpen /dev/sda cryptpart
sudo mount /dev/mapper/cryptpart /mnt/here
sudo chown user:group /mnt/here
cd /mnt/here

cd ~
sudo umount /mnt/here
sudo cryptsetup luksClose cryptpart

Easy, right? There are a lot of options, like using crypttab and a keyfile for auto-mounting, but again, I want it to be a paperweight that no one can access but me. You may want to back up the LUKS header on the drive (cryptsetup luksHeaderBackup) or save a luksDump in case of drive failure. Which also brings up the final point to be made: BACK UP EVERYTHING. If you have one drive that’s encrypted, you’ll need another backup drive for it that’s also encrypted.
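The whole procedure as one script, added here as an example (mine, not from the original post): it re-checks with lsblk that the target is an unmounted whole disk before the destructive luksFormat, includes the luksOpen step the mapping needs, sets ownership on the mounted filesystem, and backs up the LUKS header. The device, cryptpart and /mnt/here names follow the post; SAMPLE_LSBLK is a constructed listing in the shape of the lsblk output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): the LUKS workflow above, with
# the destructive luksFormat gated on a re-check of the target device.
set -eu

# Return 0 if DEV appears in LISTING as a whole disk with nothing mounted on
# it or on any of its partitions. LISTING is "NAME TYPE MOUNTPOINTS" lines
# as produced by: lsblk -prno NAME,TYPE,MOUNTPOINTS
check_unmounted_disk() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == dev           { found = 1; if ($2 != "disk") bad = 1 }
        index($1, dev) == 1 { if (NF > 2) bad = 1 }   # dev or a child is mounted
        END                 { exit (found && !bad) ? 0 : 1 }'
}

# Create, open, format and mount the encrypted drive, then back up the header.
# Needs sudo, cryptsetup and a real device; not run by the offline check below.
encrypt_drive() {
    dev="$1"; name="${2:-cryptpart}"; mnt="${3:-/mnt/here}"
    if ! check_unmounted_disk "$dev" "$(lsblk -prno NAME,TYPE,MOUNTPOINTS)"; then
        echo "refusing: $dev is missing, not a whole disk, or has something mounted" >&2
        return 1
    fi
    sudo cryptsetup luksFormat "$dev"              # asks for YES and the passphrase twice
    sudo cryptsetup luksOpen "$dev" "$name"        # creates /dev/mapper/$name
    sudo mkfs.ext4 -L "$name" "/dev/mapper/$name"  # filesystem lives inside the container
    sudo mkdir -p "$mnt"
    sudo mount "/dev/mapper/$name" "$mnt"
    sudo chown "$(id -un):$(id -gn)" "$mnt"        # ownership of the mounted fs root
    # Keep this file on another (encrypted) drive: without the header the data is gone.
    sudo cryptsetup luksHeaderBackup "$dev" --header-backup-file "$HOME/$name-luks-header.img"
}

# Detach: leave the directory first, or umount reports "target is busy".
close_drive() {
    name="${1:-cryptpart}"; mnt="${2:-/mnt/here}"
    cd /
    sudo umount "$mnt"
    sudo cryptsetup luksClose "$name"
}

# Constructed listing in the shape of the post's lsblk output, for offline use.
SAMPLE_LSBLK='/dev/sda disk
/dev/sdb disk /mnt/data
/dev/nvme0n1 disk
/dev/nvme0n1p1 part /boot/efi
/dev/nvme0n1p2 part /'
```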

minidlna, redux

I haven’t used minidlna in quite some time, but as I was trying to get a friend into streaming, I thought it was time for a revisit, not only for my own re-edification but for two reasons: First, Roon does not support streaming video; minidlna gives me a handy way to do that using VLC. Second, I don’t have all my digital audio in my Roon library. I reserve that for lossless or better digital files that Roon can easily recognize and tag properly.

I started with this old post – which is a GREAT place to start. But I had a few issues; foremost, minidlna didn’t load any music from my mounted RAID drive on my computer! To troubleshoot why nothing was there, I checked the minidlna user’s permissions on the folder:

sudo -u minidlna ls -al /mnt/data/Music/napster

Access denied! Fair enough.

First thing I did was add the user “minidlna” to the “user” group.

sudo usermod -a -G "user" minidlna

Then verify it added:

user:~/Desktop$ id minidlna
uid=131(minidlna) gid=137(minidlna) groups=137(minidlna),1000("user")

Next, I had to check the permissions of the drive I have at /mnt/data/. It turned out it was created with 755, so I changed it to 775 to give the group full access to the mount point, and gave others read and execute on the music folder:

sudo chmod 775 /mnt/data
sudo chmod o+xr <folder>

Next, reboot and check again. It worked.
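To see exactly which directory turns a service account away, here is an added example (mine, not from the post) that replays the kernel’s search-permission check over a listing of the path components; the owner/group/mode values are constructed to match the scenario above, and the failing case reproduces the “Access denied” before the minidlna user was added to the “user” group.

```shell
#!/bin/sh
# Added example (not from the original post): simulate the directory-traversal
# check behind "sudo -u minidlna ls ..." to find the blocking path component.

# LISTING lines: "<dir> <owner> <group> <octal mode>", one per path component,
# from / downward (the shape of: stat -c '%n %U %G %a' <dir>).
# Prints the first directory USER cannot enter and returns 1; returns 0 when
# every component grants search (x) permission. GROUPS is comma-separated.
check_traverse() {
    user="$1"; groups=",$2,"
    printf '%s\n' "$3" | while read -r dir owner group mode; do
        bits=$((0$mode))                                 # leading 0: parse as octal
        if [ "$owner" = "$user" ]; then shift_by=6       # owner triple
        elif [ "${groups#*,$group,}" != "$groups" ]; then shift_by=3   # group triple
        else shift_by=0                                  # other triple
        fi
        if [ $(( (bits >> shift_by) & 1 )) -eq 0 ]; then # x bit of that triple
            echo "$dir"
            exit 1
        fi
    done
}

# Constructed scenario matching the post: /mnt/data is 755 and the music
# folder is 750, so anyone outside the "user" group cannot enter it.
BEFORE='/ root root 755
/mnt root root 755
/mnt/data user user 755
/mnt/data/Music user user 750'

# After "chmod 775 /mnt/data" and "chmod o+xr" on the music folder.
AFTER='/ root root 755
/mnt root root 755
/mnt/data user user 775
/mnt/data/Music user user 755'
```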

I’m using VLC locally as it’s a very easy and useful front end for minidlna/UPnP servers, and Bubblesoft remotely (because that’s what I used all those years ago), but I’ll save further client setup for the next post.

Quick note: Artwork wasn’t turning up when I added it, but after I killed minidlna and did a rescan, it appeared.

sudo service minidlna stop
sudo minidlnad -R

On the web:
Minidlna


pixel 7

I bought my wife Google’s new Pixel 7. She had an older Pixel 3 which was showing its age. Plus, there’s some power in saying “Wife, you have the most modern tech in the household.” Anyway, it arrived quickly, easily connected to Google Fi, only cost $499 and I haven’t had a chance to use it yet… but early reports are “OMG, this phone is faster than my old one”.

roon arc

Just announced today is Roon ARC, a new app for Android and iOS that allows streaming outside your home network! That’s a huge feature, and one that I’m sure will pay huge dividends for the company as having your music “on the go” was one of two features missing from Roon. (The other? Yes, it’s the ability to add your own reviews, bios, etc.).

I first updated my core, desktop, etc. to Roon 2.0, and then downloaded Roon ARC to my cell phone. I next opened the desktop application to configure Settings > Roon ARC. Before this connected, I had to open the following firewall port in UFW on my Ubuntu box (see above; it looks like it’s configurable):

sudo ufw allow 40229/tcp comment roonarc

I then cut wifi on my phone and guess what, I’m streaming! Now Roon, please add ARC to the Microsoft Store so I can get it on my Surface Go when I travel.

On the Web:
Roon 2.0

dnscrypt-proxy

Time to set up dnscrypt-proxy on my new Ubuntu 22.04 LTS box. I found the best way to do this was to also install resolvconf and use that to ensure that /etc/resolv.conf always gets dnscrypt-proxy’s address, 127.0.2.1. Previously I’ve used a bunch of different methods, but for this distro, I’m happy with my results.

sudo apt update
sudo apt install dnscrypt-proxy resolvconf
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Here you can change the settings for dnscrypt-proxy by altering the server_names line (e.g. ['cisco'], ['cloudflare']). Also ensure that listen_addresses is empty. Restart the service if you make changes.

sudo systemctl restart dnscrypt-proxy

Next, open your Network Manager and go to the IPv4 settings. Turn off Automatic DHCP and set the address to 127.0.2.1. Restart the NetworkManager service.

sudo systemctl restart NetworkManager

Finally, edit the following resolvconf file to use the dnscrypt’s address in /etc/resolv.conf by adding the following line: nameserver 127.0.2.1

sudo nano /etc/resolvconf/resolv.conf.d/head

Now restart your computer.

You can test a number of ways. If you used ['cisco'] you can do the following. Note in the ANSWER section “dnscrypt enabled”.

dig txt debug.opendns.com
; <<>> DiG 9.18.1-1ubuntu1-Ubuntu <<>> txt debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28688
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.		IN	TXT

;; ANSWER SECTION:
debug.opendns.com.	59	IN	TXT	"server m45.chi"
debug.opendns.com.	59	IN	TXT	"flags 20040022 0 50 180000000000000000003950000000000000000"
debug.opendns.com.	59	IN	TXT	"originid 585506578"
debug.opendns.com.	59	IN	TXT	"actype 2"
debug.opendns.com.	59	IN	TXT	"bundle 13458843"
debug.opendns.com.	59	IN	TXT	"source 76.229.202.213:57968"
debug.opendns.com.	59	IN	TXT	"dnscrypt enabled (7158645166363443)"

;; Query time: 4 msec
;; SERVER: 127.0.2.1#53(127.0.2.1) (UDP)
;; WHEN: Fri May 06 10:48:39 CDT 2022
;; MSG SIZE  rcvd: 313

Another way of checking is to visit https://www.dnsleaktest.com/ which will tell you your DNS resolver.
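A scripted version of the two checks above (resolv.conf points only at dnscrypt-proxy, and the debug.opendns.com answer came from 127.0.2.1 with “dnscrypt enabled”), added here as an example rather than taken from the post; the sample texts are constructed to mirror the output shown, and 192.0.2.1 is a placeholder standing in for a leaked upstream resolver.

```shell
#!/bin/sh
# Added example (not from the original post): verify the dnscrypt-proxy setup
# from this section without trusting a web page to tell you.

# Return 0 if every nameserver line in the given resolv.conf text is 127.0.2.1.
resolv_conf_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" { n++; if ($2 != "127.0.2.1") bad = 1 }
        END                { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Return 0 if the dig output shows the answer came from 127.0.2.1 and the
# TXT records include "dnscrypt enabled" (the OpenDNS debug marker).
dig_shows_dnscrypt() {
    printf '%s\n' "$1" | awk '
        /^;; SERVER: 127\.0\.2\.1#53/                 { srv = 1 }
        $4 == "TXT" && index($0, "\"dnscrypt enabled") { enc = 1 }
        END                                            { exit (srv && enc) ? 0 : 1 }'
}

# Live check on a configured box (needs dig); not run by the offline samples.
check_live() {
    resolv_conf_ok "$(cat /etc/resolv.conf)" ||
        { echo "resolv.conf does not point only at dnscrypt-proxy" >&2; return 1; }
    dig_shows_dnscrypt "$(dig txt debug.opendns.com)" ||
        { echo "query was not answered through dnscrypt" >&2; return 1; }
    echo "dnscrypt-proxy verified"
}

# Constructed samples mirroring the post's output.
SAMPLE_RESOLV='# Generated by resolvconf
nameserver 127.0.2.1'
LEAK_RESOLV='nameserver 127.0.2.1
nameserver 192.0.2.1'
SAMPLE_DIG=';; ANSWER SECTION:
debug.opendns.com.	59	IN	TXT	"server m45.chi"
debug.opendns.com.	59	IN	TXT	"dnscrypt enabled (7158645166363443)"

;; SERVER: 127.0.2.1#53(127.0.2.1) (UDP)'
```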

The only thing I don’t get is this: Why does this use the old address? For another day.

dnscrypt-proxy -resolve google.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml 
Resolving [google.com] using 127.0.0.1 port 53

Unable to resolve: [read udp 127.0.0.1:35375->127.0.0.1:53: read: connection refused]

parental controls

I have a teen that refuses to do homework. You know, gets a “zero”. Thus, I take the phone away. However, teen needs a computer for homework. Fine. But you know when she gets on to the computer, she’s going to go to all those sites where “screenagers” waste their time. That’s fine. I’m going to show you how to block individual sites using OpenDNS and your Router. [Note that I’m going to use terminology for my Netgear, but chances are if you’re bothered to read this, you’ll know what I’m talking about. Also, while my Netgear router has a “Blocked Sites” function, it doesn’t work. Useless!]

DNS can be set in many places: local computer, router, modem. I’m not quite sure what trumps what, but I believe that’s the order. Using your router for DNS is better than using your modem’s – my AT&T modem does not allow it to be changed! Setting it at the device level, well, that’s a lot of work. Also, I have to believe that most “screenagers” don’t know what DNS even is. So, here we go.

The first step is to open your router’s settings and go to Internet Settings (also called WAN). Set the Primary and Secondary numbers to OpenDNS, 208.67.222.222 and 208.67.220.220. Now, all requests originating from your router will go through OpenDNS. I’m sure there is some chatter on whether using a Cisco-owned product is all that good, but from what I’ve read, it’s one of the better choices out there for the home user. What you may give up in privacy, you’ll gain in secure web browsing.

The second step is to let OpenDNS know that requests from your router are yours. Okay, that may sound all scary and Big Brother, but let’s not pretend that our web surfing is anonymous. It’s not. You buy your internet from someone, or are you really getting it for free from a leaky neighbor or a nearby Starbucks?

To sign up for an OpenDNS account, go to their website and sign up for a free Home account. All it requires is an email address. Once completed, open their Dashboard from a computer on your home network. Under settings, add your local network: it’s going to be the IP address of your modem. Give it a name, and save it. OpenDNS will now associate requests from that IP as yours. Under Web Content Filtering, you’ll see two areas. The top is a predefined set for a variety of “undesirable” sites – if I had teenage boys, I’d sure as hell use this to block the “naughty bits”. The bottom section allows individual site blockage. Here’s what I wanted:

Give it about five to ten minutes (they say three) and those sites are as good as gone! While a web browser may give a different warning (usually a cert error), dig one level deeper with nslookup and you’ll see what’s going on:

PS Desktop> nslookup snapchat.com
Server: UnKnown
Address: 192.168.0.1

Non-authoritative answer:
Name: snapchat.com
Addresses: ::ffff:146.112.61.104
146.112.61.104

And if you go to that IP:

Couple of points: First, you’ll probably need to run Cisco’s OpenDNS Updater program, as your ISP gives your modem a dynamic address; it’s the exact same thing as if you were running a dynamic DNS service like DuckDNS. Second, a really smart kid could probably figure out how those sites are being blocked. My kid is smart, but if she was really that smart, she’d just do her homework in the first place.

On the web:
https://www.opendns.com/home-internet-security/

no wayland

Having run Ubuntu 22.04 LTS for a week now, I tracked a lot of the “misbehavior” down to the Wayland display server protocol. Totem never quite loaded correctly, if it even ran, while seemingly innocuous tasks like dropping a file on Audacious also proved troublesome. So until Ubuntu figures out Wayland’s inadequacies, I’m back to using good ol’ Xorg.

When you log in to Ubuntu, there’s a gear in the bottom right of the screen to choose which display server you want to use. But to make it a little more foolproof, simply edit Wayland out of existence:

sudo nano /etc/gdm3/custom.conf

#Uncomment the line below to force the login screen to use Xorg
WaylandEnable=false

You can always check which display you are using with:
echo $XDG_SESSION_TYPE
x11

ubuntu 22.04lts jammy jellyfish

Now that the new box is built, it’s off to make it work. As previously stated, I downloaded Ubuntu 22.04 LTS on DVD, but it had issues loading. I quickly made a bootable USB drive and was off to the races. I chose a minimal install without encryption and with updates. I can’t be bothered entering a password after every reboot, let alone remotely; but foremost, there’s nothing on the computer that needs to be encrypted.

Once completed, I first got the RAID1 with my music configured by creating a mount point, adding it to /etc/fstab and made an alias for it in my home folder. I then downloaded Roon, made it executable, installed its dependencies (curl, ffmpeg, cifs-utils) and then ran the installation script. On my Windows computer, I signed into Roon Desktop (btw, remember to sign out of any previous installations), added my music libraries and – most importantly – restored the latest backup of my previous Roon Core!

Next up was setting up DuckDNS so I can log in remotely, UFW because the box is open for remote access, and configuring SSH for my website’s production host. Most of this was simple, though I did have to temporarily enable PasswordAuthentication on the production host to install keys, and I also needed to reconfigure my router with the MAC address of the new motherboard to access the computer via port forwarding.

I then set about installing the applications I need. Some are little tweaks like numlockx, while others were from that list I made – Audacious, Brasero, MOC, Easytag, etc., while fre:ac was a snap. I had issues with dr14_tmeter, which has always been prickly (fixed 04/26/22), and Totem, which crashes and doesn’t play correctly under Wayland. I also imported bookmarks into Firefox and did a quick run through my top sites to get their passwords remembered.

I’m on the fence about tweaking out the UI, as the older I get the less I care about having it my way: Ubuntu and Gnome are good enough out of the box. I’m sure at some point I’ll get bored and add Gnome Extensions, Tweaks, get the Snap-free Firefox, change the colors etc, but for now, the computer is fine as it is. In the meantime, I will continue to use Xorg as everything seems to run best under it, including Totem, Audacious, etc.

On the web:
https://ubuntu.com/download/desktop

byopc 2022

With the arrival of Ubuntu 22.04 LTS, aka Jammy Jellyfish, it’s time to build a new Linux box. Hard to believe that another four years has already passed. I’m still happy with the old one, but the fans are a bit noisy, and I’d like to up performance. Note that this computer is an “always-on” dedicated music server for Roon software, containing a 4TB RAID1 with my music collection. And that’s just about all I use it for: ripping CDs to the library, running Roon server, the occasional DVD or CD burn, and of course, having the Linux environment at home to keep my itjerk skills up.

Over the years, I’ve found myself gravitating almost exclusively to the Windows environment for “day to day” computing. Why? It’s just fine for me. Other than running a few applications (mostly InDesign), the vast majority of my desktop experience is inside a web browser. Yours too, probably. And as someone that’s spent the past 20+ years in desktop support, I’m completely agnostic about Mac vs Windows vs Linux. Whatever costs less should be one’s top choice, not some brand fetish. Whether it’s a Dell or an Apple, Windows or macOS or Ubuntu, a properly maintained computer is both safe and secure. “Better” is subjective.

I chose an Intel i3-10105 processor for the computer because a) it’s the cheapest I could find ($89) and b) it gives me plenty of “boost” over the current G4400 Pentium: more cores/threads/cache, a faster clock, and only mildly less power efficiency (65W vs 54W). For the motherboard, I’ll need an LGA 1200 socket, and a quick look at the Microcenter website yields the ASUS H510M-E Prime Intel microATX for $85. I’ll throw in a very fast 256GB NVMe M.2 drive for $32 as the boot drive and that’s about all I need. I have 8GB of DDR4 2133 RAM from the previous build to reuse (along with case, power supply, etc.). That’s a total bill of $202 for new computer “guts”.

The very first thing to do is ensure I have a backup of the RAID1. I’m going to transfer the RAID card and drives to the new mobo, which should go without a hitch (it did), but having a fresh backup gives me 100% peace of mind. I’m getting a new M.2 boot drive, so I’ll have the previous SSD to copy things over from. Then, I’ll be sure to get a list of programs I’ll need to reinstall along with bookmarks, config files and my bash history (a wealth of knowledge!). With an initial minimum install of Ubuntu, I’ll need a few things, but mostly they and their dependencies relate to Roon, CD ripping and playback (notably Fre:AC and its config files!), plus a few DVD programs like Handbrake, DeeVeeDee and DVDAE. No need to bring extra software baggage to a clean install; if I forgot something, I can always install it later.

One thing about the installation: maybe I’m getting old or maybe the lighting was just bad, but I did have to recheck some of my connections inside the case. RAM wasn’t clipped completely, USB header was off and I didn’t push the audio plug in all the way! The old SPDIF card I had doesn’t have the right pin config, so I’ll splurge $17 for a new one.

After downloading Ubuntu 22.04 LTS, I burned a DVD of the ISO but it didn’t work. So I quickly made a USB drive and installation was fine. I did a minimal install, no encryption (PITA to enter a password and no way to do it remotely). I did get a couple of boot warnings, but after I updated the mobo’s BIOS the ACPI warning went away, and enabling VMX in the BIOS advanced settings corrected the other. I still have “SGX disabled in BIOS” to deal with. One other thing: when the computer boots, it doesn’t display the RAID card’s screen. Hmmm.

Now on to Jammy Jellyfish!

Microsoft Surface Go 3

Yeah, I’m a jerk, I bought one. $379 from their website, delivered in a couple of days. It booted into Windows 11 and all is good, except screen sharing cuts out after a minute or so. Wonder why? Sold the original Surface Go on eBay for $156.50 plus shipping.