Expat-IT Tech Bits




    Creative Commons License
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

    This site has no ads. To help with hosting, crypto donations are accepted:
    Bitcoin: 1JErV8ga9UY7wE8Bbf1KYsA5bkdh8n1Bxc
    Zcash: zcLYqtXYFEWHFtEfM6wg5eCV8frxWtZYkT8WyxvevzNC6SBgmqPS3tkg6nBarmzRzWYAurgs4ThkpkD5QgiSwxqoB7xrCxs

    Sat, 22 Jun 2019

    /Linux: Turning off Gnome Keyring Password Prompt (in QubesOS)

    The login keyring did not get unlocked when you logged into your computer

    I use Evolution to access remote calendars in a QubesOS AppVM, and Evolution stores passwords in the gnome keyring. I had that damned keyring password prompt turned off, and it came back somehow, all by itself. I find it hard to like Gnome and its spawn.

    The way I turned it off THIS time is with Seahorse:


    Just find the "Login" keyring somewhere in the Seahorse UI, then "Change Password". You will need to enter your Qubes login password, which somehow made it into the AppVM. Then at the new-password prompt just leave the two fields blank. Be clear about what that buys you: with an empty password gnome-keyring stores the saved credentials unencrypted on disk, so from then on the Evolution passwords are protected only by whatever protects the AppVM's private volume. The prompt is gone, and so is the protection it stood for.

    Solved for another year?

    posted at: 06:46 | path: /Linux | permanent link to this entry

    Sat, 28 May 2016

    /Linux/Android: Android with Minimal Google Malware

    Why? I already have such a setup, and have Google Pinyin installed for Chinese input. Shortly after configuring Google Pinyin as my main keyboard, I got a popup reporting that Google Pinyin had tried to access my address book. Why? Or how about this[1]: Google breaks networking for anyone in an iffy network environment (that would include all of China) just so Android can have a tantrum because it cannot call back to Google's servers. Why is that necessary? Sadly, even with minimal Google malware, the latter issue means that in China the newest version of CyanogenMod (CM) I can run is CM11.

    Down to business: the following is an outline of the necessary steps, if anyone needs more detail let me know and I will try to fill in the gaps.

    First get yourself a CM-compatible phone from [2], and follow the installation instructions MINUS the bit about installing Google Play and friends. You do not need Google play, and you REALLY do not want it because of all the other Google crap it drags along. You just need to flash the bare CM image. Note that if you use a recent version of Debian or Ubuntu, all the necessary tools for flashing CM are already in the repos.

    The first thing you want to install on your newly-flashed CM phone is FDroid[3]. (You can install FDroid with adb, one of the tools you just used to flash the CM image.) FDroid only contains open source software, so install as much of the software as you want / need first from the FDroid repositories. (This is also not blocked within China.) For the stuff you cannot find in FDroid, we will next set up a side channel that avoids running Google Play on your phone (which *is* blocked in China, anyway).

    On your (recent Debian/Ubuntu) machine install fdroidserver, apache, and pip. Also install gplaycli as follows:

    pip install gplaycli

    (Note that gplaycli is often installable by other methods, but in my experience it is extremely sensitive to dependency versions, and probably will not work. Use pip.)

    Setup your FDroid repository[4]. (I run this on one of my desktop Linux machines.)

    mkdir -p /srv/fdroid/repo
    cd /var/www/
    ln -s /srv/fdroid
    cd /srv/fdroid/
    fdroid init

    The FDroid client automatically looks for a repository at /fdroid/repo/ on any server you give it. The directory structure above, plus the symlink in /var/www/, provides exactly that.

    I have a script that updates the repository as follows:

    echo "Update custom FDroid Google Play mirror:"
    # the repo belongs to the unprivileged user that runs this; Apache only needs read access
    chown -R user: /srv/fdroid
    chmod -R 755 /srv/fdroid
    # config.py holds the keystore password and must never be world-readable
    chmod 600 /srv/fdroid/config.py
    # refresh every apk already in the repo from Google Play, via a proxy outside China
    proxychains /usr/local/bin/gplaycli -u /srv/fdroid/repo --progress --verbose
    cd /srv/fdroid/
    # rebuild and re-sign the index so clients see the new versions
    fdroid update --create-metadata

    gplaycli updates all Android apps (apk's) in the repo from Google Play. (Note: I use proxychains to route this through a server outside China, since Google Play is blocked inside China.) Then fdroid needs to update the repo metadata for any changes. Two things the chmod lines do not cover: the keystore that fdroid init created beside config.py holds the repo signing key and deserves the same 600 treatment, and chmod -R 755 also marks every apk and index file executable, which is harmless but sloppy; 644 is all Apache needs to serve them.

    Applications in the repo can get there initially by either copying an existing apk file in your possession into the repo, or searching / downloading the apk with gplaycli.
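    The chmod lines in the script above leave the repo signing keystore world-readable and mark the apks executable. Here is a Python version of the permission step that separates served files from secrets and checks the result; this is an added example, not part of the post or of fdroidserver. It assumes the post's layout (config.py and the keystore next to repo/) and that the keystore is named keystore.p12 or keystore.jks (an assumption covering current and older fdroidserver); the sample layout the code builds is constructed for illustration.

```python
"""Tighten permissions on a local F-Droid mirror repository.

Added example, not from the original post: a Python replacement for the
chown/chmod lines in the update script. The layout is the one the post
creates (REPO_ROOT holding config.py, the keystore written by `fdroid init`,
and repo/ with apks and index files). The keystore file names are an
assumption covering old (.jks) and current (.p12) fdroidserver.
"""
import os
import stat
import tempfile
from pathlib import Path

SECRET_NAMES = ("config.py", "keystore.p12", "keystore.jks")
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def harden(root):
    """Directories 755, served files 644, secrets 600. Returns the secret paths found."""
    root = Path(root)
    secrets = []
    for path in root.rglob("*"):
        if path.is_symlink():
            continue  # never follow links out of the tree
        if path.is_dir():
            path.chmod(0o755)
        elif path.parent == root and path.name in SECRET_NAMES:
            path.chmod(0o600)
            secrets.append(path)
        else:
            path.chmod(0o644)
    return secrets


def exposed_secrets(root):
    """Return secret files that group or others can still read, write or execute."""
    root = Path(root)
    return [root / n for n in SECRET_NAMES
            if (root / n).is_file() and (root / n).stat().st_mode & GROUP_OTHER]


def mode_of(path):
    """Permission bits of a path as an octal string, e.g. '0o600'."""
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def make_sample_repo():
    """Constructed sample layout in a temp dir, deliberately over-permissive
    (what the post's `chmod -R 755` leaves behind). Not real keystore data."""
    base = Path(tempfile.mkdtemp(prefix="fdroid-"))
    (base / "repo").mkdir()
    (base / "config.py").write_text('keystorepass = "changeme"\n')
    (base / "keystore.p12").write_bytes(b"not a real keystore")
    (base / "repo" / "app.apk").write_bytes(b"PK\x03\x04")
    for p in (base / "config.py", base / "keystore.p12", base / "repo" / "app.apk"):
        p.chmod(0o755)
    return base


if __name__ == "__main__":
    root = make_sample_repo()
    print("exposed before:", [p.name for p in exposed_secrets(root)])
    harden(root)
    print("exposed after: ", [p.name for p in exposed_secrets(root)])
```

    Run it against /srv/fdroid instead of the sample directory once you trust it; the web server keeps read access to everything under repo/ and loses it to the two files that would let someone re-sign your index.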

    Now on your Android, add the FDroid server you just created as a repository. For this machine on my local network, for example, I just added an IP address like this:

    Add the repository together with the fingerprint of its signing key. The FDroid client verifies the signed index against that key, which is what stops anyone else on the LAN from serving you a different set of apk's over plain HTTP; without the fingerprint you are trusting whoever answers on that IP. After that, if port 80 is open on your server machine and all permissions are correct, the next time you update the repositories in your Android FDroid app it should offer the apk's from your new repository.

    Something really worth noting about CM: if you look in settings under "Privacy", have a look at "Privacy Guard". Any app selected in there (which should be most of them, certainly from among the non-Open Source apps) is blocked from accessing the address book or call logs. That is how I know Google Pinyin tried to access my Address Book, CM told me.

    [1] https://code.google.com/p/android/issues/detail?id=81843
    [2] http://wiki.cyanogenmod.org/w/Devices
    [3] https://f-droid.org/
    [4] https://f-droid.org/wiki/page/Setup_an_FDroid_App_Repo

    posted at: 06:38 | path: /Linux/Android | permanent link to this entry

    Wed, 24 Sep 2014

    /Linux/Debian: Debian Multiarch on amd64

    You will need this for Skype, for example. If you try to install the current version


    on a newish 64-bit Debian machine, it will complain about a bunch of missing dependencies. What you need to do:

    dpkg --add-architecture i386
    apt-get update
    dpkg -i /path/to/skype-debian_4.2.0.11-1_i386.deb
    apt-get -f install

    after which a whole pile of *:i386 32-bit packages should install on your 64-bit machine, and Skype should start. But you may find your sound does not work, as there seems to be a missing dependency. This

    apt-get install libpulse0:i386

    fixed it for me. Further note that you may have to add

    deb http://www.deb-multimedia.org <debian-version> main

    to your /etc/apt/sources.list to find some dependencies that are not always available in vanilla Debian. Be aware of what that entails: every repository in sources.list can ship packages whose maintainer scripts run as root, so you are extending full trust to deb-multimedia.org, exactly as you already did to the Skype .deb you installed by hand with dpkg -i.

    posted at: 20:16 | path: /Linux/Debian | permanent link to this entry

    Fri, 31 Jan 2014

    /Linux/remoteDesktop: Remote Access to Your Linux Desktop

    So downloading the 2 GB+ of Oracle's installer is a PITA if you wish to download directly to the server, and you work remotely. They REALLY make it difficult to download with anything other than a web browser. I have heard there are ways to get this to work with wget, but if there is a Linux desktop on the network where you wish to deliver the download, I think VNC is easier. This[1] got me started nicely, and this is what just worked for me:

    On the desktop you wish to connect to, install x11vnc / xvfb / xterm, then start up a VNC server as follows:

    x11vnc -forever -rfbport 5900 -create -ncache 10

    Note that I am using "-create" because there is no current user session on the machine, and I am not physically present to log in, so this way VNC will create an Xvfb (framebuffer) X session for me. Also note that I have not set a password on this VNC server, as the machine is not on a public network and I am connecting over a VPN. That is a judgement about the VPN segment, not a safe default: an unauthenticated VNC session is full control of that desktop for anyone who can reach port 5900. If anything on the VPN is less than fully trusted, start x11vnc with -localhost and a password file (-rfbauth), and reach it through an SSH port forward instead.

    Then on the client (your desktop) side, run the vinagre client in VNC mode, and connect to the IP:port of the VNC server. Works like a charm.

    [1] http://ubuntuguide.org/wiki/Ubuntu_Precise_Remote_Access#X11VNC_Server

    posted at: 03:21 | path: /Linux/remoteDesktop | permanent link to this entry

    Sun, 05 Jan 2014

    /Linux/misc: How to Make Gnome3 Usable

    I am one of the many who abandoned Gnome after the transition to Gnome3[1]. All the other desktops (KDE, XFCE, LXDE) that I use are configured to have six workspaces, mapped to Ctrl-F1, F2, F3, and Ctrl-1, 2, 3. And I put specific applications in each of those workspaces, which I always want to be able to access with the same keyboard shortcuts. Default Gnome3 behavior is to "disappear" a workspace once the last app in that workspace is closed, causing all workspaces above to shift down one keyboard shortcut. Simply unacceptable.

    But now I have a fix[2]. Put this in ~/.xsession:

    # keep six fixed workspaces instead of letting the shell add and drop them
    gsettings set org.gnome.shell.overrides dynamic-workspaces false
    # workspaces 5 and 6 on Ctrl-2 and Ctrl-3, matching the other desktops
    gsettings set org.gnome.desktop.wm.keybindings switch-to-workspace-5 "[\"<Control>2\"]"
    gsettings set org.gnome.desktop.wm.keybindings switch-to-workspace-6 "[\"<Control>3\"]"

    [1] https://www.gnome.org/gnome-3/
    [2] http://jeffbastian.blogspot.com/2012/06/static-workspaces-and-keyboard.html

    posted at: 09:02 | path: /Linux/misc | permanent link to this entry

    Thu, 12 Dec 2013

    /Linux/misc: Sending (Big) E-mails to Your Kindle

    I have a lot of interesting things stacking up in my e-mail client (RSS feeds, mailing lists, etc.) that I am not getting around to. Particularly difficult to get to are the long ones.

    Cue my Kindle, while on public transit....

    First copy the mail files to a temporary directory. (Personally, I use claws-mail and maildir, so that is as simple as copying the e-mails to their own folder, and then copying that folder to /tmp.)

    Then cd into that temporary directory, and strip out the text portions of those e-mails:

    munpack -t *

    This places the text portion of each maildir file into a file named "part{name-of-file}". Then add ".txt" to each file by running this loop (the quoting matters, since maildir file names contain colons and commas):

    for file in part*; do mv -- "$file" "$file.txt"; done

    Now import these txt files in calibre (tagging appropriately) and send them to your Kindle. (Note that this is probably only really worthwhile for BIG e-mails.)
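    munpack -t plus the rename loop is the whole pipeline, so a scripted version is easy to reason about. The following is an added example (not from the post, and not munpack's code) using only Python's standard library that does the same extraction: one .txt per message with the subject on top, skipping HTML alternatives and attachments. The sample message is constructed; the layout it assumes is the flat directory of message files the post copies into /tmp.

```python
"""Pull the text/plain parts out of mail files for conversion to Kindle reading.

Added example, not from the original post: a standard-library stand-in for
`munpack -t` plus the rename loop, with the same one-text-file-per-message
result. SAMPLE_MESSAGE is constructed; the Maildir layout (a flat directory
of message files) follows the post's claws-mail setup.
"""
import email
import sys
from email import policy
from pathlib import Path

SAMPLE_MESSAGE = b"""\
From: digest@example.org
To: me@example.org
Subject: =?utf-8?q?Weekly_digest?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Long article body goes here. \xe4\xbd\xa0\xe5\xa5\xbd
--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Long article body goes here.</p></body></html>
--inner--
--outer
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

attachment text that should not end up on the Kindle
--outer--
"""


def parse_message(raw):
    """Return (subject, text) where text is every inline text/plain part joined.

    HTML alternatives and attachments are skipped; each part is decoded with
    its own declared charset, so non-ASCII mail survives the trip.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or "(no subject)"
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        chunks.append(part.get_content())
    return str(subject), "\n".join(chunks)


def safe_name(name):
    """Maildir names carry ':' and ',' flag separators; keep a filesystem-safe subset."""
    cleaned = "".join(c if c.isalnum() or c in "-_." else "_" for c in name)
    return cleaned or "message"


def export_dir(src, dst):
    """Write <dst>/<safe name>.txt for each message, subject line on top.

    Returns the written paths, ready for calibre to import and tag.
    """
    src, dst = Path(src), Path(dst)
    dst.mkdir(parents=True, exist_ok=True)
    written = []
    for f in sorted(p for p in src.iterdir() if p.is_file()):
        subject, text = parse_message(f.read_bytes())
        if not text.strip():
            continue  # HTML-only mail: munpack -t would have kept nothing either
        out = dst / (safe_name(f.name) + ".txt")
        out.write_text(subject + "\n\n" + text, encoding="utf-8")
        written.append(out)
    return written


if __name__ == "__main__":
    # usage: extract_mail.py /tmp/mail-copy /tmp/kindle-txt
    for p in export_dir(sys.argv[1], sys.argv[2]):
        print(p)
```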

    posted at: 04:01 | path: /Linux/misc | permanent link to this entry

    Tue, 29 Oct 2013

    /Linux/router-bridge: Virtualbox and Shorewall: Put Virtual Machines on Their Own Subnet

    Tired of your Virtual Machine's (VM's) network connection being b0rked every time your laptop moves to a different network environment? So am I. The solution: use VirtualBox's Host-Only Adapter option to put the VM on its own routed subnet, so that kernel routing on the host shields the VM from the external network. On VirtualBox:

    On the VirtualBox host's Shorewall configuration:

    For the guest VM's network configuration, bring up the network with DHCP, create a default route, specify DNS servers:


    auto eth0
    iface eth0 inet dhcp
    post-up route add default gw



    posted at: 04:08 | path: /Linux/router-bridge | permanent link to this entry

    Sat, 06 Jul 2013

    /Linux/Debian/APT: Adding an Ubuntu PPA to Debian

    I seem to need to look this up once a year or so, so let's stop that. Add a line to /etc/apt/sources.list like this:

    deb http://ppa.launchpad.net/csoler-users/retroshare/ubuntu raring main

    You will need to tweak which Ubuntu release to pull from, to correspond to your Debian version. After the first "apt-get update" there might be an error complaining about a missing repository key. Import it as follows:

    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0AA42215

    where the last item comes from the error message. Re-run the update, and now (in this example) you can install retroshare. Two caveats before this becomes a habit: an 8-hex-digit key ID like the one above is short enough that someone can generate a colliding key and upload it to the keyserver, so compare the full fingerprint (apt-key finger) with the one published on the PPA's Launchpad page before you trust it; and a key added with apt-key is trusted for every repository in sources.list, not just the PPA, so whoever holds it could feed you a replacement for any package on the box.

    posted at: 05:40 | path: /Linux/Debian/APT | permanent link to this entry

    Tue, 30 Oct 2012

    /Linux/Debian/APT: Apt-Pinning and Mixing Multiple Repositories in the Same Machine

    I generally run a Debian Testing box, but frequently find the need to install stuff from the unstable repository. And I am getting tired of juggling my sources.list manually.

    So I have created the following file (in /etc/apt/preferences, or as a file under /etc/apt/preferences.d/), with thanks to Paul Wise[1]:

    Package: *
    Pin: release a=testing
    Pin-Priority: 800

    Package: *
    Pin: release a=unstable
    Pin-Priority: 700

    Package: lintian
    Pin: release a=unstable
    Pin-Priority: 900

    and included sources for both testing and unstable in my sources.list. Note that a higher Pin-Priority gives that source a higher priority for sourcing the specified package(s), and that the stanzas must be separated by blank lines or apt will not parse the file.

    So now when I do an "apt-get upgrade" APT will pull updates from testing only, UNLESS the package does not exist in testing and only exists in unstable. And installing a newer version of a package that already exists in testing from the unstable repo is the usual

    apt-get install -t unstable packageName

    One consequence of the 700/800 split worth knowing: a package pulled in that way does not keep following unstable. Its candidate version is still the testing one (800 beats 700), and since that is older than what is installed, apt neither upgrades nor downgrades it until testing catches up. Only a priority above 1000 lets apt downgrade, and only an explicit per-package pin like the lintian stanza above keeps a package tracking unstable.
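    The priority rules are easier to trust once you have seen them applied. The following added example (not from the post, and not apt's own code) models the candidate selection of apt_preferences(5) for the file above: pins parsed from blank-line separated stanzas, specific-package pins beating wildcards, 500 as the default for anything unpinned, and the no-downgrade rule for priorities up to 1000. Version comparison is a simplified dotted-number compare rather than dpkg's algorithm, and the temporary 990 priority that -t gives its target is not modelled; both are simplifying assumptions.

```python
"""Toy model of apt's candidate-version selection for an /etc/apt/preferences file.

Added example, not part of the original post or of apt: enough of
apt_preferences(5) to show what the testing/unstable pin file does to
upgrade decisions. Version comparison is a simplified dotted-integer
compare, not dpkg's algorithm, and `-t` is not modelled (assumptions that
hold for the constructed versions used below).
"""
import re

PREFS = """\
Package: *
Pin: release a=testing
Pin-Priority: 800

Package: *
Pin: release a=unstable
Pin-Priority: 700

Package: lintian
Pin: release a=unstable
Pin-Priority: 900
"""


def parse_preferences(text):
    """Parse blank-line separated stanzas into (package, archive, priority) tuples."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        archive = re.search(r"\ba=(\S+)", fields["Pin"]).group(1)
        stanzas.append((fields["Package"], archive, int(fields["Pin-Priority"])))
    return stanzas


def pin_priority(package, archive, prefs):
    """A pin naming the package beats a wildcard pin; unpinned archives get apt's default 500."""
    for pkg, arch, prio in prefs:
        if pkg == package and arch == archive:
            return prio
    for pkg, arch, prio in prefs:
        if pkg == "*" and arch == archive:
            return prio
    return 500


def version_key(version):
    # Simplified: split on dots and dashes, compare numerically where possible.
    return tuple(int(p) if p.isdigit() else p for p in re.split(r"[.\-]", version))


def candidate(package, available, installed, prefs):
    """Return the version apt would end up with.

    available: list of (version, archive). The highest pin priority wins, ties
    go to the higher version. If the winner is older than the installed version
    and its priority is not above 1000, apt will not downgrade: the installed
    version stays.
    """
    ranked = sorted(
        available,
        key=lambda va: (pin_priority(package, va[1], prefs), version_key(va[0])),
        reverse=True,
    )
    version, archive = ranked[0]
    if installed and version_key(version) < version_key(installed) \
            and pin_priority(package, archive, prefs) <= 1000:
        return installed
    return version
```

    The third assertion in the accompanying check is the one that bites people: after an `apt-get install -t unstable vim` the box sits on the unstable version it got that day and receives neither testing's older build nor unstable's newer ones.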

    [1] http://bonedaddy.net/pabs3/log/2012/10/29/thoughts-on-debian-testing/

    posted at: 01:44 | path: /Linux/Debian/APT | permanent link to this entry

    Fri, 28 Sep 2012

    /Linux/encryption: Whole Disk Encryption with Debian

    Being a standard option in the Debian installer, whole disk encryption is actually remarkably easy. If you understand LVM. Because the way the Debian installer does it is to configure LVM over the encrypted disk. So for me, a pre-requisite for going down this road was to first go through a couple of desktops with just LVM on them, to get solid with LVM.

    Now that that is done, this install is LVM over encrypted disk. So easy with the Debian installer. Just one thing so far has been a little non-obvious, and that is how to find the encrypted device and manage passwords.

    /etc/crypttab gives a great clue:

    sda5_crypt UUID=ea1b9a5a-88f3-42f8-861e-666c7dd37350 none luks

    Then

    cryptsetup isLuks -v /dev/sda5
    Command successful.

    confirms that I have the location correct,

    cryptsetup luksDump /dev/sda5

    shows which key slots are occupied, and

    cryptsetup luksAddKey /dev/sda5

    adds a new key to the list. Done.

    posted at: 10:11 | path: /Linux/encryption | permanent link to this entry

    Mon, 11 Jun 2012

    /Linux/China: Where to Download Your Linux Distribution in China

    Bandwidth across the Great Firewall sucks. That means that downloading an ISO can take hours, even a whole day, if you are pulling it from another country.

    Thank you 163.com:


    For instance, go here to grab your preferred version of Ubuntu Precise:


    posted at: 01:35 | path: /Linux/China | permanent link to this entry

    Fri, 20 Jan 2012

    /Linux/misc: Running and Installing Debian from a USB Stick

    So unbelievably easy[1]:

    cat debian.iso > /dev/sdX

    I grabbed the latest net install[2] ISO, did the above, popped it into my new laptop, hit F12 during boot to get the boot menu, and picked the USB option. Never had such a swift and painless install.... The one thing to get right is the X in /dev/sdX: check it with lsblk or dmesg right after plugging the stick in, because writing the image to the wrong device overwrites that disk's partition table with no confirmation prompt.


    And then there was Ubuntu Lucid. Not so easy. The ISO will not boot from USB per the above. After a bit of flailing around, it seems the easiest way (and so far the only way) that has worked for me is to use usb-creator, which is packaged with Lucid. And it only works under X; there is no console version.

    Yes, that means you need a running Lucid desktop to do this. Lame. The package that needs to be installed is usb-creator-gtk. Note that you can invoke it from the following menu:

    System --> Administration --> Startup Disk Creator

    but that did not work for me either; there were errors. What I did was install the sux package, log in as root in a terminal by invoking sux, and then invoke usb-creator-gtk as root. Then it worked, and the USB stick booted.

    [1] http://www.debian.org/releases/stable/i386/ch04s03.html.en
    [2] http://www.debian.org/CD/netinst/

    posted at: 02:51 | path: /Linux/misc | permanent link to this entry

    Thu, 15 Dec 2011

    /Linux/CPUfreq: Manual CPU Frequency Control in Linux

    In comes Gnome 3, out goes my beloved (out of necessity) CPU frequency applet. It seems Gnome 3 does not do applets, at least not yet. And I have a couple of miscreant laptops that love to overheat under load. One Lenovo is actually almost unusable unless I throttle back the CPU before extended heavy loads like a massive apt-get upgrade.

    [1] clued me in to a command-line alternative to the applet: the cpufreqd package. After installing cpufreqd one must first uncomment the following lines in /etc/cpufreqd.conf:


    which basically enables the command-line tools. Now


    will list your options, and

    cpufreqd-set <n>

    is how you choose your CPU speed, and

    cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies

    displays the available frequencies, and

    cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq

    shows the current frequency in effect. And now I can install Gnome 3 on these handicapped machines....

    [1] http://www.go2linux.org/how-to-configure-cpufreqd

    posted at: 09:04 | path: /Linux/CPUfreq | permanent link to this entry

    Sun, 06 Nov 2011

    /Linux/China: Chinese Input with IBUS

    Until recently I was a long-time user of SCIM, and then, at around the same time, I noticed that the Ubuntu Desktop default was IBUS[3] and that SCIM was on its way out.

    Getting SCIM to work has always been somewhat dodgy, and I am happy to say that IBUS is less so.

    I recently discovered that there is a native Linux QQ chat client[1], but published by a Chinese company and apparently(?) not Open Source. For a long time I have run Skype on my machine despite the fact that it is not Open Source, and its bad reputation for security[2]. But an application published by a Government-controlled Chinese company is more than I can tolerate, so I am running my QQ in a Debian VM, where I also eventually intend to exile Skype and others of its ilk.

    This is an absolutely minimal VM running only fluxbox. To get Simplified Chinese input going I:

    apt-get install ibus ibus-pinyin ttf-arphic-ukai

    Then I ran im-config as root to select IBUS as the system master input method, and then ibus-setup as my normal user to turn on the "Chinese Pinyin" input method. I believe I restarted X somewhere along the way, and after that Ctrl-Space had me typing Chinese.

    [1] http://im.qq.com/qq/linux/
    [2] http://blog.langex.net/index.cgi/Security/skype
    [3] http://code.google.com/p/ibus/

    posted at: 11:14 | path: /Linux/China | permanent link to this entry

    Mon, 13 Jun 2011

    /Linux/encryption: Transparently Encrypt Part of Your Home Directory

    Update: This all works really well. I now encrypt my entire home directory on all of my machines, plus usually add another encrypted partition for things I do not think need to be backed up. I will leave this howto in the form of encrypting a home subdirectory, as I think that is probably still a good place to start for someone just sticking a toe in these waters.

    Laptops are easily stolen. And these days, if you travel internationally, it is not uncommon for the thief to be Customs / Immigration agents who have the power to permanently seize your laptop on little or no grounds. All they need do is invoke the "National Security" bogey-man. Some thought should be given to protecting personal data, especially if setup seems easy.

    In the title, I say "transparently" in the sense that once this is setup, everything should work just like before. Under the hood, though, you will have an encrypted subdirectory in your home directory, which is automatically mounted when you login, and unmounted when you logout.

    I was led to do this, finally, because this article[1] makes it sound very easy and convenient. Obviously, it would be more secure to encrypt my entire home directory (or even the entire hard drive), but to do this for an already installed system is a bit more trouble and risk. Plus I would like to build a little confidence in my ability to not lose data first, before I commit myself entirely. This way I will protect (and risk) only my most sensitive data (and keep good backups elsewhere should something go wrong with the encrypted partition). On the other side of the ledger, encryption does add a certain amount of overhead to everything you do with the encrypted files, especially on an older machine. There is a reasonable argument, I think, for only encrypting what is necessary.

    First step: Make a good backup. Messing with the partition table is risky business. Now use gparted to make space for an empty partition. Be warned that I shrank an 80G partition down to free up 1G, and this took a whole afternoon on a Pentium III, and making changes to your partitions is a process you *really* do not want to interrupt. So if you have a laptop, make sure your battery is charged to guard against power failures. Also note that changing the size of the encrypted partition later may not be easy, so be generous....

    In Debian, install packages cryptsetup and libpam-mount, and then next we will create an encrypted volume out of the just-created empty partition hda7. This section is a summary of the corresponding section from [1].

    Create the encrypted volume:

    cryptsetup luksFormat /dev/hda7

    The most noteworthy feature of LUKS[3] is that it supports unlocking the encrypted volume with any one of several passwords. Now name the encrypted volume "mysecrets", and format it:

    cryptsetup luksOpen /dev/hda7 mysecrets
    mkfs.ext3 /dev/mapper/mysecrets

    Mount the encrypted volume and write a test file, and then unmount:

    mount /dev/mapper/mysecrets /home/userid/protected/
    date > /home/userid/protected/date.txt
    cat /home/userid/protected/date.txt
    umount /home/userid/protected/
    cryptsetup luksClose mysecrets

    Now verify that mount.crypt from libpam-mount will open the encrypted volume:

    mount.crypt /dev/hda7 /home/userid/protected/
    cat /home/userid/protected/date.txt
    umount.crypt /home/userid/protected/

    Mount the Encryped Volume Automatically on Login:

    Unfortunately, at this point the advice from [1] stopped working for my circa November 2008 Debian installation. This was a bit disconcerting since [1] had only just been published. However, a bit of poking around indicated that PAM is a bit of a complex beast, and that there was more than one way to get this to work. So next I tried the "Automagically mounting" section of [2].

    As [2] says, for this to work, the user's login password must be the same as one of the passwords assigned to the LUKS-formatted encrypted volume we created in the preceding section.

    Next we have to do something a little different than [2], since PAM has evolved a bit since [2] was written. Add the following block to /etc/security/pam_mount.conf.xml:

    <volume fstype="crypt" path="/dev/hda7" mountpoint="/home/userid/protected" options="cipher=aes" fskeycipher="" fskeypath="" user="username" />

    And that is it. user="username" means this block will only kick in when "username" logs in. The empty strings assigned to the last two parameters above apparently tell PAM to use the user's login password instead of a key file. Now log out, log back in, and you should find that /home/userid/protected has been automatically decrypted and mounted.

    (Note: I have since taken to doing this for my whole user directory, and there seem to be permission problems on the first login that kick up some errors and lead to a read-only home directory. So, after the first login, do an Alt-Ctrl-F1 and log in as root.) Then fix the ownership:

    chown -R username:username /home/username
    chmod -R 755 /home/username

    Keep in mind what that second line does: every file under your home becomes readable by every other user (and process) on the machine, which is an odd state for a directory you have just gone to the trouble of encrypting. Unless other local users genuinely need to read your files, follow it with chmod 700 /home/username to shut the rest of the system out again; your own login is unaffected.

    Logout and login again, and everything should work.

    Future password changes must also be separately applied to the encrypted volume, i.e.

    cryptsetup luksAddKey /dev/hda7

    to first add a new password to the volume (up to a maximum of eight slots in LUKS1; LUKS2 has 32). Note that this will add the new password to the first empty slot, and not overwrite your current password, as the dialog might imply. Then change your Linux user password. Before removing anything, confirm that the new passphrase really opens the volume (cryptsetup luksOpen --test-passphrase /dev/hda7 does exactly that, without mounting anything): the slot you are about to kill is the only other way in. And finally

    cryptsetup luksDelKey /dev/hda7 0

    to delete the oldest password, in the first slot, when you are ready. (Current cryptsetup spells this luksKillSlot.) No rush. That is one of the advantages of using LUKS.

    cryptsetup luksDump /dev/hda7

    will tell you which password slots are in use (among other things) but obviously will not tell you what the passwords are.
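    Both steps that rely on luksDump (here and in the whole-disk encryption post above: see which slots are in use, add a key, kill the old one) are only as safe as your reading of the dump before and after. The following added example (not from either post, and not part of cryptsetup) parses luksDump output for LUKS1 and LUKS2, lists used and free slots, and checks a rotation before you kill the old slot. The two dumps embedded in it are constructed, abbreviated samples; /dev/hda7 and the UUIDs in them are illustrative.

```python
"""Read `cryptsetup luksDump` output to check key slots around a passphrase rotation.

Added example, not from the original posts and not part of cryptsetup. It
only parses dump text; the two dumps below are constructed, abbreviated
samples standing in for real output. Slot limits: 8 for LUKS1, 32 for LUKS2.
"""
import re

LUKS1_DUMP = """\
LUKS header information for /dev/hda7

Version:       \t1
Cipher name:   \taes
Cipher mode:   \txts-plain64
Hash spec:     \tsha1
UUID:          \tea1b9a5a-88f3-42f8-861e-666c7dd37350

Key Slot 0: ENABLED
\tIterations:         \t200000
Key Slot 1: ENABLED
\tIterations:         \t200000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

LUKS2_DUMP = """\
LUKS header information
Version:       \t2
Epoch:         \t5
UUID:          \t6f1a0c1e-0000-4000-8000-000000000000

Keyslots:
  0: luks2
\tKey:        512 bits
\tPBKDF:      argon2id
  3: luks2
\tKey:        512 bits
\tPBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
"""


def luks_version(dump):
    m = re.search(r"^Version:\s*(\d+)", dump, re.M)
    if not m:
        raise ValueError("not a luksDump: no Version line")
    return int(m.group(1))


def used_slots(dump):
    """Sorted list of occupied key slot numbers, for LUKS1 or LUKS2 dumps."""
    if luks_version(dump) == 1:
        return sorted(int(n) for n in re.findall(r"^Key Slot (\d+): ENABLED", dump, re.M))
    # LUKS2: indented "N: luks2" entries under "Keyslots:", up to the next
    # unindented section header (Tokens:, Digests:, ...).
    m = re.search(r"^Keyslots:\n(.*?)(?=^\S|\Z)", dump, re.M | re.S)
    body = m.group(1) if m else ""
    return sorted(int(n) for n in re.findall(r"^\s+(\d+): luks2", body, re.M))


def max_slots(dump):
    return 8 if luks_version(dump) == 1 else 32


def free_slots(dump):
    used = set(used_slots(dump))
    return [s for s in range(max_slots(dump)) if s not in used]


def rotation_check(before, after, old_slot):
    """Verify a rotation: exactly one new slot appeared and old_slot is still there.

    Pass the dump taken before luksAddKey and the one taken after it. Returns
    the new slot number. Raises when nothing was added or the old slot vanished,
    which is precisely the situation where killing old_slot next locks you out.
    """
    after_used = used_slots(after)
    added = sorted(set(after_used) - set(used_slots(before)))
    if len(added) != 1:
        raise ValueError("expected exactly one new slot, got %r" % added)
    if old_slot not in after_used:
        raise ValueError("slot %d disappeared during rotation" % old_slot)
    if len(after_used) < 2:
        raise ValueError("refusing: killing slot %d would leave no passphrase" % old_slot)
    return added[0]


if __name__ == "__main__":
    for name, dump in (("LUKS1", LUKS1_DUMP), ("LUKS2", LUKS2_DUMP)):
        print(name, "used:", used_slots(dump), "free:", len(free_slots(dump)))
```

    In practice you feed it the real output (cryptsetup luksDump /dev/hda7 > before.txt, then again after luksAddKey) and only run the kill-slot step when rotation_check returns the new slot number.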


    I have been running with this setup now for well over a year, and am very satisfied as to usefulness and stability. The only irritation is that, since I am only encrypting a subdirectory of my user directory, after I login my encrypted directory will sometimes automatically unmount after a few seconds if nothing accesses any files in that directory. I just use a terminal to cd into the directory and lock it open the first thing I do after logging in. There is probably a more elegant way to resolve this issue....

    I also think this solution is more elegant than what I have read about the new standard Ubuntu encrypted home directory, which though simpler to turn on at install time still requires you to store / remember an encryption key. My setup still only requires you to remember your user password to log in and decrypt the user directory.

    On a strategic note, if you are going to cross a border with your now-encrypted directory, I would suggest you create a dummy user account with a throw-away password. That way, if the immigration goons seize your laptop and insist that you give them "the password", you can give them one that does not matter, and in particular, does not unlock your encrypted directory. Likewise, make sure that the root password is not the same password as the user password that unlocks your encrypted partition, as they might be smart enough to demand the root password as well.

    [1] http://www.linux.com/feature/151989
    [2] http://pupeno.com/blog/encrypted-home-in-ubuntu
    [3] http://luks.endorphin.org/

    posted at: 23:03 | path: /Linux/encryption | permanent link to this entry