Håvard O. Nordstrand 5 years ago
parent
commit
eb062cd92e

+ 4 - 0
config/game-servers/tf2.md

@@ -6,6 +6,10 @@ breadcrumbs:
 ---
 {% include header.md %}
 
+## Resources
+
+- [CFG.TF](https://cfg.tf/)
+
 ## Installation
 
 Use Pterodactyl.

+ 8 - 3
config/linux-general/examples.md

@@ -18,12 +18,17 @@ breadcrumbs:
 
 ### Files
 
-- Find files:
+- Search:
     - By UID: `find / -user <UID>`
     - Without a user: `find / -nouser`
     - With setuid permission bit: `find / -perm /4000`
-- Recursive search and replace: `find <dir> \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/123/456/g'`
-    - `-type d -name .git -prune` skips `.git` directories and can be excluded outside of git repos.
+    - Recursive search and replace: `find <dir> \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/123/456/g'`
+        - `-type d -name .git -prune` skips `.git` directories and can be excluded outside of git repos.
+- Usage:
+    - `du -sh <dirs>`
+    - K4DirStat (GUI) (package `k4dirstat`)
+- Shred files:
+    - `shred --remove --zero <file>`
 
 ### Fun
 
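Review bot: The new `shred --remove --zero <file>` entry under "Shred files" needs a caveat, because `shred` only overwrites the file's blocks in place. On journaling or copy-on-write file systems, on volumes with snapshots, and on SSDs with wear levelling, old copies of the data can survive the overwrite. Suggest a sub-bullet stating this, so the entry is not read as a guaranteed secure delete.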

+ 5 - 1
config/linux-servers/proxmox-ve.md

@@ -172,7 +172,11 @@ If you lost quorum because if connection problems and need to modify something (
 - Hard disk tab:
     - Bus/device: Use SCSI with the VirtIO SCSI controller selected in the system tab.
       It supersedes the VirtIO Block controller.
-    - Cache: Optional, typically using write back.
+    - Cache:
+        - Use none for balanced performance and safety with better *write* performance.
+        - Use write-through for balanced performance and safety with better *read* performance.
+        - Use write-back for max performance with slightly reduced safety.
+        - Direct-sync and write-through can be fast for SAN/HW-RAID, but slow if using qcow2.
     - Discard: When using thin-provisioning storage for the disk and a TRIM-enabled guest OS,
       this option will relay guest TRIM commands to the storage so it may shrink the disk image.
       The guest OS may require SSD emulation to be enabled.
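Review bot: "slightly reduced safety" in the write-back bullet does not say what is at risk. Suggest stating the failure mode directly: with write-back, writes are held in the host page cache, so data the guest has not yet flushed can be lost if the host crashes or loses power. The "none" and write-through bullets both read "balanced performance and safety", so a short note on how their safety differs from write-back would make the choice clearer.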

+ 31 - 2
config/linux-servers/storage.md

@@ -108,6 +108,34 @@ This is just a suggestion for how to partition your main system drive. Since LVM
 | `/home` | EXT4 (LVM) | 10 | nodev,nosuid |
 | `/srv` | EXT4 (LVM) or none if external | 10 | nodev,nosuid |
 
+## LUKS
+
+### Setup
+
+1. Install: `apt install cryptsetup`
+
+### Usage
+
+#### Encrypt Normal Partition
+
+1. Format the device/partition: `cryptsetup -v luksFormat <dev> [keyfile]`
+    - If not keyfile is specified, a password is required instead.
+    - Generate random keyfile: `dd if=/dev/random of=/root/.credentials/luks/<dev> bs=64 count=1`
+1. (Optional) Add extra keys: `cryptsetup luksAddKey <dev> [--key-file <oldkeyfile>] [keyfile]`
+    - Specify `oldkeyfile` to unlock it using a existing keyfile.
+    - Omit `keyfile` to add a password.
+1. (Optional) Check the result: `cryptsetup luksDump <dev>`
+1. Mount the decrypted device: `cryptsetup open <dev> [--key-file <keyfile>] <name>`
+    - Close: `cryptsetup close <name>`
+    - Show status: `cryptsetup -v status <name>`
+1. (Optional) Zeroize it to write random data to disk: `dd if=/dev/zero of=<mapper-dev> status=progress`
+1. Format using some file system: `mkfs.ext4 <mapper-dev>` (for EXT4)
+1. (Optional) Permanently mount device and FS using keyfile:
+    1. In `/etc/crypttab`, add: `<name> UUID=<dev-uuid> <keyfile> luks`
+    1. In `/etc/fstab`, add: `/dev/mapper/<name> <mountpoint> ext4 defaults 0 0` (for EXT4)
+    1. Reload `/etc/crypttab`: `systemctl reload-daemons`
+    1. Reload `/etc/fstab`: `mount -a`
+
 ## Ceph
 
 ### Resources
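Review bot: `systemctl reload-daemons` in the "Reload `/etc/crypttab`" step is not a systemctl command; it should be `systemctl daemon-reload`. The mapping also has to be opened (for example `systemctl start systemd-cryptsetup@<name>.service`) before `mount -a` can find `/dev/mapper/<name>`. The keyfile step should restrict access as well, since `dd` creates the file with the default umask: add a `chmod 600` on the keyfile and `chmod 700` on `/root/.credentials/luks`. Typos: "If not keyfile" should be "If no keyfile", and "a existing keyfile" should be "an existing keyfile".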
@@ -311,7 +339,8 @@ Some guides recommend using backport repos, but this way avoids that.
 ### Usage
 
 - Create pool: `zpool create -o ashift=<9|12> <name> <levels-and-drives>`
-    - Realistic example: `zpool create -o ashift=<9|12> -o compression=lz4 <name> [mirror|raidz|raidz2|...] <drives>`
+    - Create encrypted pool: See [encryption](#encryption-1).
+    - Example: `zpool create -o ashift=<9|12> -o compression=lz4 <name> [mirror|raidz|raidz2|...] <drives>`
 - Create dataset: `zfs create <pool>/<name>`
     - Realistic example: `zfs create -o quota=<size> -o reservation=<size> <pool>/<other-datasets>/<name>`
 - Create and destroy snapshots:
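Review bot: In the "Example" line, `-o compression=lz4` passes a file system property with the pool-property flag. `zpool create` takes pool properties with `-o` and root dataset properties with `-O`, as the encryption commands further down do with `-O encryption=...`, so this should be `-O compression=lz4`. The dataset bullet right below still says "Realistic example"; rename it too so the labels stay consistent.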
@@ -345,7 +374,7 @@ Some guides recommend using backport repos, but this way avoids that.
     1. Reboot and test. It may fail due to dependency/boot order stuff.
 - Create a password encrypted pool: `zpool create -O encryption=aes-128-gcm -O keyformat=passphrase ...`
 - Create a raw key encrypted pool:
-    - Generate the key: `dd if=/dev/random of=/root/.credentials/zfs/<tank> bs=32 count=1`
+    - Generate the key: `dd if=/dev/random of=/root/.credentials/zfs/<tank> bs=64 count=1`
     - Create the pool: `zpool create -O encryption=aes-128-gcm -O keyformat=raw -O keylocation=file:///root/.credentials/zfs/<tank> ...`
 - Encrypt an existing dataset by sending and receiving:
     1. Rename the old dataset: `zfs rename <dataset> <old-dataset>`
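Review bot: Changing the key generation to `bs=64` breaks the raw key example. ZFS requires a `keyformat=raw` key to be exactly 32 bytes regardless of the cipher, so `zpool create` will reject the 64-byte file. Keep `bs=32 count=1` here; the 64-byte size only fits the LUKS keyfile added in the same commit.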