Clint Armstrong
Clint's posts
Concept / Work in Progress
Remote GELI decryption of NAS4Free from anywhere

After doing much searching, but not seeing good solutions for remotely entering an on-boot passphrase for GELI encryption in FreeBSD, I decided it was time to invent my own.

My Nas4Free lives in an all-in-one ESXi box with the SATA controller passed through to the VM. On this ESXi box also lives my firewall, running on pfSense.

If my server goes down, it is pfSense that boots back up first, followed by Nas4Free. By adding a serial port to each VM and enabling the serial console in Nas4Free, I can now SSH into my pfSense VM, even from the internet, connect to the serial port of the Nas4Free VM, and supply the GELI password.

This is nice, but kind of a pain in the butt with 12 partitions to decrypt (more on that later). Ideally I'd like one password to enter and have them all decrypted, but I don't really want them to all use the same password.

After considering many options to solve this, originally considering encrypting with keys stored on another GELI image file, I stumbled across a much simpler solution.

Salted hashes. I can develop a secure password, hash it using the UUID of the disk as a salt, and now I have a unique encryption phrase for each disk but only have to enter one password for all of them.

Now I just need to make this all easier. My plan is to create a user on pfSense whose shell automatically runs an Expect script that asks for the password, then enters each passphrase derived from the password+UUID hash.

Right now this is all very preliminary, and more of a thought exercise than anything, but I'll update as I make progress.
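An added example (my own code, not part of the original post) of the derivation step the post sketches: one master password, the disk UUID as salt, one passphrase per disk. It swaps the plain salted hash for PBKDF2-HMAC-SHA256 as a slow KDF; the disk UUIDs and iteration count are constructed assumptions.

```python
import base64
import hashlib

# Constructed sample UUIDs standing in for the GELI providers (not real disks).
DISK_UUIDS = [
    "6f1c2b3a-0000-4a00-8000-000000000001",
    "6f1c2b3a-0000-4a00-8000-000000000002",
    "6f1c2b3a-0000-4a00-8000-000000000003",
]

# PBKDF2 work factor, chosen here as an assumption; a slow KDF replaces the
# plain hash the post describes so brute-forcing the master password costs more.
ITERATIONS = 200_000


def derive_passphrase(master_password: str, disk_uuid: str, iterations: int = ITERATIONS) -> str:
    """Return the GELI passphrase for one disk, derived from the master password.

    The UUID is the salt. It is public (anyone with the disk can read it), so it
    only guarantees that each disk gets a different passphrase; all the secrecy
    comes from master_password, which therefore has to be strong on its own.
    """
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        disk_uuid.lower().encode("utf-8"),  # normalise case so the salt is stable
        iterations,
        dklen=32,
    )
    # base64 keeps the passphrase printable so an Expect script can type it
    return base64.b64encode(derived).decode("ascii")


def derive_all(master_password: str, disk_uuids=DISK_UUIDS) -> dict:
    """Map each disk UUID to its derived passphrase (what the Expect script would type)."""
    return {uuid_: derive_passphrase(master_password, uuid_) for uuid_ in disk_uuids}


if __name__ == "__main__":
    import getpass

    master = getpass.getpass("Master password: ")
    for uuid_, phrase in derive_all(master).items():
        # In the real workflow each phrase goes to 'geli attach' over the serial console
        print(f"{uuid_}: {phrase}")
```

Losing or changing a disk's UUID (for example after re-partitioning) changes the derived passphrase, so the UUIDs used at encryption time need to be recorded somewhere recoverable.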

The Google plus app looks terrible on the nexus 7. The forced two column layout shows nothing but over cropped photos and 3 word headlines. The website doesn't split to two columns on a full computer screen, why would I want it that way on a 7 inch tablet? 

We invited +Steven Levy to be the very first journalist to get an inside look at our datacenters and Wired just posted his article. 

+VMware ESXi 5.1 purple screens with PCI Passthrough devices. I wonder if I'll learn my lesson and wait a few weeks to upgrade next release... probably not.

My sisters, +Victoria Armstrong and Vivien Armstrong will be singing the National Anthem at the Detroit Tigers / Texas Rangers game on Sunday. Very happy for them.

Does there exist yet any good method for dynamic DNS on IPv6? Cause I haven't found one yet. In IPv4 having the DHCP server populate DNS is pretty trivial, but in IPv6 without DHCP...