Being a standard option in the Debian installer, whole disk encryption is actually remarkably easy. If you understand LVM. Because the way the Debian installer does it is to configure LVM over the encrypted disk. So for me, a pre-requisite for going down this road was to first go through a couple of desktops with just LVM on them, to get solid with LVM.
Now that that is done, this install is LVM over encrypted disk. So easy with the Debian installer. Just one thing so far has been a little non-obvious, and that is how to find the encrypted device and manage passwords.
/etc/crypttab gives a great clue:
sda5_crypt UUID=ea1b9a5a-88f3-42f8-861e-666c7dd37350 none luks
Then
cryptsetup isLuks -v /dev/sda5
confirms that I have the location correct.
cryptsetup luksDump /dev/sda5
shows which key slots are occupied.
cryptsetup luksAddKey /dev/sda5
adds a new key to the list. Done.
(Well, at least two hops is reliably working for me....)
A common headache, particularly for those of us who live in China: the necessity of ssh'ing first into an intermediate machine, thence to the final destination machine. Even with SSH keys, this gets ugly to set up, and uglier to maintain in the face of frequent disconnections. Unless we can find a way to log in from desktop through intermediate machine to destination machine, all in one entirely passwordless step.
The secret is to leverage SSH agent. First add AT LEAST any keys you will need after the first hop to your local desktop ssh agent, i.e.
ssh-add /home/myuser/clients/clientname/id_rsa
Then chain two or more ssh logins together as follows:
autossh -A -t email@example.com ssh firstname.lastname@example.org
(In this case, the 10.130.2.78 is on a private network behind a router without a public IP. intermediate-server.com is on the same private network, with a public IP.)
autossh will automatically reconnect a disconnected SSH session. (Works best with login via SSH key.)
-A forwards your desktop SSH agent through the first hop to the second hop.
-t forces pseudo-tty allocation.
All hops before the destination need both -A and -t.
In my ~/.bashrc I put this:
alias ssh-tszz1="ssh-add /home/myuser/clients/clientname/id_rsa && autossh -A -t email@example.com ssh firstname.lastname@example.org"
so that I can login to email@example.com in any terminal, by simply invoking:
It would be more elegant to have everything configured in ~/.ssh/config, perhaps with the ProxyCommand directive and nc, but so far no success with this.
Note that I have found the second ssh fails for some reason if there is a port number, which I found an extra pair of quotes to fix. I.e. the above, with port number 1212 added, becomes:
alias ssh-tszz1="ssh-add /home/myuser/clients/clientname/id_rsa && autossh -A -t firstname.lastname@example.org 'ssh -p 1212 email@example.com'"
To add a third SSH hop:
alias ssh-tszz1="ssh-add /home/myuser/clients/clientname/id_rsa && autossh -A -t firstname.lastname@example.org 'ssh -A -t email@example.com ssh firstname.lastname@example.org'"
Note the second use of the "-A -t" switches, on the second ssh hop. Of course, one can make succeeding hops simpler by populating the .ssh/config file on intermediate servers, and using an alias Host from .ssh/config instead of fully specifying the ssh parameters in the original invocation, as I am doing here.
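The ~/.ssh/config route mentioned above can be done with the ProxyJump directive (OpenSSH 7.3 and later), which tunnels every hop from the desktop, so the agent loaded with ssh-add stays local instead of being forwarded with -A to an intermediate machine where its root user could use it. This is an added example, not part of the original post: the function name ssh_chain_config, the host aliases jump and tszz1 and the user myuser are hypothetical, and hosts are assumed to be names or IPv4 addresses.

```shell
#!/usr/bin/env bash
# Added example: print ~/.ssh/config stanzas for a chain of SSH hops.
# Each argument is "alias=user@host[:port]". Every hop after the first is
# reached through the previous alias via ProxyJump, so authentication for all
# hops happens on the desktop and no agent forwarding (-A) is required.
ssh_chain_config() {
    local prev="" hop name target user hostport host port
    for hop in "$@"; do
        name=${hop%%=*}
        target=${hop#*=}
        case $target in
            *@*) user=${target%%@*}; hostport=${target#*@} ;;
            *)   echo "bad hop (need alias=user@host): $hop" >&2; return 1 ;;
        esac
        host=${hostport%%:*}
        port=22                       # default when no ":port" suffix is given
        if [ "$hostport" != "$host" ]; then
            port=${hostport##*:}
        fi
        case $port in
            ''|*[!0-9]*) echo "bad port in hop: $hop" >&2; return 1 ;;
        esac
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$host"
        printf '    User %s\n' "$user"
        printf '    Port %s\n' "$port"
        printf '    ForwardAgent no\n'   # keep the agent on the desktop
        if [ -n "$prev" ]; then
            printf '    ProxyJump %s\n' "$prev"
        fi
        printf '\n'
        prev=$name
    done
}

# Constructed sample: the two-hop case from the post, with port 1212 on the
# destination. Review the output before appending it to ~/.ssh/config.
ssh_chain_config \
    "jump=myuser@intermediate-server.com" \
    "tszz1=myuser@10.130.2.78:1212"
```

With these stanzas in ~/.ssh/config, `ssh tszz1` reaches the destination in one step, and the port lives in the config, so no extra quoting is needed.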
Note that libreoffice / openoffice will save any document as a PDF by clicking the PDF icon in the tool bar.
To convert an image file to PDF:
convert filename.jpg filename.pdf
To merge all PDFs in the current directory into one:
pdftk *.pdf cat output file.pdf
Note that when using the '*' above, files are added to the PDF in alphabetical order.