The idea here is to have a LUKS2 encrypted volume stored on a remote server that allows authenticated clients to load and decrypt the data without letting the server know what is being written, read and stored. Keep in mind that this solution is not 100% bulletproof, you still kind of have to trust the backup server because a malicious entity might take multiple snapshots of the encrypted iSCSI LUN and try to crack the encryption. …

Version 2 of cryptsetup got a few new fancy options, one of them is the ability to use Argon2 as key derivation function. Creating a LUKS2 volume with Argon2 as hash function is very easy: sudo cryptsetup luksFormat -M luks2 --pbkdf argon2id -i 5000 /dev/sdb Please note that grub still does not support it, so it can’t be used for boot drives. Once the volume is created, to mount it run: …

In Fedora, CentOS and probably many other Linux distros ssh-keygen; still defaults to RSA 2048. People have not yet realized that the newer, and also faster, elliptic curve cryptography is available; even between my peers I still see that many of them are using old and insecure RSA based keys. Since SSH clients support multiple keys transitioning to newer keys can be painless: create a new elliptic curve key; do not delete the old RSA key; once you login into a server swap the old key with the new one. …

For some reason gpg gen-key still defaults to SHA1 and RSA2048, due to the known weaknesses of SHA1 it is probably a better idea to use SHA256. First of all, we need to create a configuration file. cat ~/.gnupg/gpg.conf" --- personal-digest-preferences SHA256 cert-digest-algo SHA256 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed To generate a new key type (also specify to use RSA 4096): gpg --gen-key ### or gpg --full-generate-key Other useful commands are: …

Apcupsd is a powerful daemon that can be used to manage APC UPS, add epel repositories and run: $ yum install apcupsd To configure apcupsd edit the following file: cat /etc/apcupsd/apcupsd.conf" --- ## apcupsd.conf v1.1 ## # # for apcupsd release 3.14.14 (31 May 2016) - redhat # # "apcupsd" POSIX config file # # Note that the apcupsd daemon must be restarted in order for changes to # this configuration file to become active. …

I have got my hands on an APC UPS and some HP gen8 server, installed apcupsd on CentOS 7, connected the USB cable and everything was working fine except for this very annoying issue I had: * power goes down (pull the UPS power cord). after some minutes the UPS battery threshold is triggered and the server shutdown procedure is launched by apcupsd. power goes back up (plug in the power cord) while the server is already shutting down but the shutdown sequence is not yet completed. …

After upgrading my OpenVPN server to CentOS 7.5 I had trouble connecting to it. Specifically, I had two different issues: ** the laptop, which is running Fedora 28, was able to connect just fine but DNS resolution was broken. ** OpenVPN for Android was also connecting just fine but reporting a weird error: OpenVPN: tun tap invalid argument (code=22). The first one was caused by me because after the CentOS upgrade procedure was completed I also run yum autoremove which deleted dnsmasq; the solution was fairly simple, reinstall and reconfigure dnsmasq. …

Since I am a real master at forgiving things I am writing this one down. PHP mail function relies on sendmail but SELinux by default block webservers from sending emails, the usual error that pop-out is: cat /var/log/maillog"> --- sendmail[16328]: NOQUEUE: SYSERR(nginx): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied Allow webservers to send email is as easy as editing the appropriate SELinux boolean: setsebool -P httpd_can_sendmail 1 Use sestatus to check SELinux booleans: …