I worked this out a few days back, maybe a week now, and I currently have it set up so that my laptop, with its convenient power loss protection (and with the nonsense going on downstairs with renovations, it has been very handy), operates as a (physically) secured backup server. I can shut down my main workstation, and I know that even if someone physically gets control of my laptop, they have to first break my password security, and I have a script to kill it as well, destroying any ability to do this.

So in this article I am going to publish the simple scripts I use to unlock and shut down my secure data storage server.

First, a script that lets me get a shell on my server. It's very simple:

```bash
#!/bin/bash
# Open an interactive root shell on the backup server.
sshpass -p 'PASSWORD' ssh root@serveraddress
```

Just to clarify, you can't get at the physical storage where my scripts live without unlocking my encrypted home folder. The system boots and demands this password. You can fail to unlock it, but then you have no way to get at it anyway.

```bash
#!/bin/bash
# Power off the backup server immediately.
sshpass -p 'PASSWORD' ssh root@serveraddress "halt -p"
```

This script kills my server instantly. If I had DynDNS running to link to it, this could probably be launched with a few taps from an encrypted Android phone. It goes down in seconds, because no apps automatically launch, only GDM3, so when I want to physically access the server, I can jump into it if I have unlocked the home partition from my main workstation, or indeed it is not so hard to manually unlock it, since I know the password.

```bash
#!/bin/bash
# Run the command given as the first argument on the backup server, as root.
sshpass -p 'PASSWORD' ssh root@serveraddress "$1"
```

This one lets me execute any arbitrary command at all on the secure storage server. The command can be given as `COMMANDNAME "PARAMETERS"`. This is to cover the cases when I want to do something arbitrary, like for example `"shred /dev/sda"`, which would utterly wipe the entire system's hard drive without any possibility of data recovery.
```bash
#!/bin/bash
# Feed a local script to a root bash process on the backup server.
sshpass -p 'PASSWORD' ssh root@serveraddress 'bash -s' < /home/l0k1/.local/bin/unlockhome.sh
```

This one is the script that I set up that automatically unlocks the home filesystem and, in my case, automatically bind-mounts the /var/cache/apt/archives that I use to share the .deb archives between both of my machines. I am not going to show you what that script is, but this is an example of running an arbitrary script within another script.

## Finally

The last script I am going to share is one that I use to sync my home folder to the unlocked encrypted storage in the previous entry.

```bash
#!/bin/bash
# Push new and changed files from the workstation's home folder to the server.
sshpass -p 'PASSWORD' rsync -uav --progress /home/l0k1 root@servername:/home/
```

This one uses rsync to do a synchronisation, pushing all updates onto the secure server store. This does not handle the cleanup of updated, but deleted files. The destination storage device just accumulates changes; anything removed on the workstation remains on the data storage server. It would be nicer to have a git or other CVS repo to allow me to track back and forward, but this is expedient and I pay pretty close attention to what my workstation has on it.

I hope this helps someone, better, many people, in how to operate a secure data store for their work.
author | l0k1 |
---|---|
permlink | how-to-secure-a-server-with-an-encrypted-volume-to-back-up-your-home-folder |
category | development |
json_metadata | {"tags":["development","security","encryption"]} |
created | 2016-09-06 22:41:09 |
last_update | 2016-09-06 22:41:09 |
depth | 0 |
children | 5 |
last_payout | 2016-10-08 05:43:09 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.024 HBD |
curator_payout_value | 0.003 HBD |
pending_payout_value | 0.000 HBD |
promoted | 20.000 HBD |
body_length | 3,224 |
author_reputation | 94,800,257,230,993 |
root_title | "How to secure a server with an encrypted volume to back up your home folder." |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 HBD |
percent_hbd | 10,000 |
post_id | 1,152,384 |
net_rshares | 153,219,756,306 |
author_curate_reward | "" |
I travel a lot, in fact since I sort of live in cyberspace I always have at least two computers around me. In fact there are four computers I can see and that is simply because I am not looking for more computers... Thus everything is Gmail online server and Dropbox online cloud; how safe and secure are these systems? I mean these are not Hillary's emails but could they be compromised easily? I am not trying to be paranoid neurotic, just prudent and security conservative : ) / hugz ; )
author | crok |
---|---|
permlink | re-l0k1-how-to-secure-a-server-with-an-encrypted-volume-to-back-up-your-home-folder-20160906t232052458z |
category | development |
json_metadata | {"tags":["development"]} |
created | 2016-09-06 23:20:57 |
last_update | 2016-09-06 23:20:57 |
depth | 1 |
children | 1 |
last_payout | 2016-10-08 05:43:09 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 HBD |
curator_payout_value | 0.000 HBD |
pending_payout_value | 0.000 HBD |
promoted | 0.000 HBD |
body_length | 499 |
author_reputation | 9,979,380,525,768 |
root_title | "How to secure a server with an encrypted volume to back up your home folder." |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 HBD |
percent_hbd | 10,000 |
post_id | 1,152,687 |
net_rshares | 0 |
Steem is transparent. The others, secure but not maybe so reliable. I depend on them but I hate them. When I have myself finally on my feet again properly, I'm not running any damn cloud crap. I will set up an email->bitmessage relay, probably a couple of them in very separate places, and I won't need to trust anyone. Email goes to one of my two redundant servers, gets bounced into the bitmessage network and I can be anywhere when I collect it, and nobody can know where that is. Likewise, for data security, I'll have something like what I have just made, but even more secure, with smart cards and the like. This solution in the post is just a quick and dirty hack, to be perfectly honest.
author | l0k1 |
---|---|
permlink | re-crok-re-l0k1-how-to-secure-a-server-with-an-encrypted-volume-to-back-up-your-home-folder-20160907t010446053z |
category | development |
json_metadata | {"tags":["development"]} |
created | 2016-09-07 01:04:48 |
last_update | 2016-09-07 08:16:09 |
depth | 2 |
children | 0 |
last_payout | 2016-10-08 05:43:09 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 HBD |
curator_payout_value | 0.000 HBD |
pending_payout_value | 0.000 HBD |
promoted | 0.000 HBD |
body_length | 699 |
author_reputation | 94,800,257,230,993 |
root_title | "How to secure a server with an encrypted volume to back up your home folder." |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 HBD |
percent_hbd | 10,000 |
post_id | 1,153,466 |
net_rshares | 0 |
The major problem with your approach is that the `PASSWORD` is stored in clear text on your disk. Instead of using a password, I use SSH keys. It works like this:

1. **Create an SSH key**

   ```bash
   ssh-kegen
   ```

2. **Store the key in the server's authorized keys**

   ```bash
   ssh-copy-id <user@server>
   ```

   This step adds the content of `~/.ssh/id_rsa.pub` (the public key) to the `~/.ssh/authorized_keys` file **on the server**. This file is used by the server to verify if the user is allowed to log in (only if he has the corresponding private key).

3. **Login**

   SSH automates the whole process with key exchange and stuff so that you only need to do

   ```bash
   ssh <user@server>
   ```

If everything is set up properly you don't even need to provide a password.

Have fun!
author | xeroc |
---|---|
permlink | re-l0k1-how-to-secure-a-server-with-an-encrypted-volume-to-back-up-your-home-folder-20160907t060107508z |
category | development |
json_metadata | {"tags":["development"]} |
created | 2016-09-07 06:01:06 |
last_update | 2016-09-07 06:01:06 |
depth | 1 |
children | 2 |
last_payout | 2016-10-08 05:43:09 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 1.270 HBD |
curator_payout_value | 0.001 HBD |
pending_payout_value | 0.000 HBD |
promoted | 0.000 HBD |
body_length | 759 |
author_reputation | 118,819,064,085,695 |
root_title | "How to secure a server with an encrypted volume to back up your home folder." |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 HBD |
percent_hbd | 10,000 |
post_id | 1,155,610 |
net_rshares | 2,357,723,053,966 |
author_curate_reward | "" |
Yeah, I think, though, what's the damn difference anyway? If someone gains control of my user account on my machine, does it actually matter if they have the password or SSH cert for the root of my backup server? The result is the same. It was just quicker for me to do it with a password. I don't have to remember it either, it's in my scripts. Good to remind me though, it should really be set to 700 mode. I am pretty sure they are though.

Btw, I think it's **ssh-keygen**, just a little typo. I don't think you get grammar nazi status in IT for typo correcting ;)
author | l0k1 |
---|---|
permlink | re-xeroc-re-l0k1-how-to-secure-a-server-with-an-encrypted-volume-to-back-up-your-home-folder-20160907t081011276z |
category | development |
json_metadata | {"tags":["development"]} |
created | 2016-09-07 08:10:12 |
last_update | 2016-09-07 08:12:48 |
depth | 2 |
children | 0 |
last_payout | 2016-10-08 05:43:09 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 HBD |
curator_payout_value | 0.000 HBD |
pending_payout_value | 0.000 HBD |
promoted | 0.000 HBD |
body_length | 571 |
author_reputation | 94,800,257,230,993 |
root_title | "How to secure a server with an encrypted volume to back up your home folder." |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 HBD |
percent_hbd | 10,000 |
post_id | 1,156,452 |
net_rshares | 242,307,857 |
author_curate_reward | "" |
As @l0k1 pointed out, simply using keys doesn't make much difference. But what you can do to improve the security of the server is restrict the commands that can be run. You can do this by using the option `command="..."` in the `authorized_keys` file. Then, for each command you create a separate key. The man page `sshd(8)` has some information on this in the section "AUTHORIZED_KEYS FILE FORMAT".
author | realme |
---|---|
permlink | re-xeroc-re-l0k1-how-to-secure-a-server-with-an-encrypted-volume-to-back-up-your-home-folder-20160907t160709003z |
category | development |
json_metadata | {"tags":["development"],"users":["l0k1"]} |
created | 2016-09-07 16:07:12 |
last_update | 2016-09-07 16:07:12 |
depth | 2 |
children | 0 |
last_payout | 2016-10-08 05:43:09 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 0.000 HBD |
curator_payout_value | 0.000 HBD |
pending_payout_value | 0.000 HBD |
promoted | 0.000 HBD |
body_length | 404 |
author_reputation | 49,351,409,465 |
root_title | "How to secure a server with an encrypted volume to back up your home folder." |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 HBD |
percent_hbd | 10,000 |
post_id | 1,160,281 |
net_rshares | 242,307,857 |
author_curate_reward | "" |
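The per-key `command="..."` restriction described in the comment above, sketched for the halt and rsync scripts from the post. This is an added example, not code from the thread: the path `/usr/local/sbin/backup-gate`, the function `gate_decide`, the key comments and the sample rsync server command are assumptions, and the `restrict` option needs OpenSSH 7.2 or later.

```bash
#!/bin/bash
# Added example, not from the thread. Forced-command gate, installed at the
# hypothetical path /usr/local/sbin/backup-gate. One key per task in root's
# ~/.ssh/authorized_keys on the server (key material elided):
#   restrict,command="/usr/local/sbin/backup-gate halt" ssh-ed25519 AAAA... halt
#   restrict,command="/usr/local/sbin/backup-gate sync" ssh-ed25519 AAAA... sync
# sshd runs the command= string and hands over what the client asked for in
# SSH_ORIGINAL_COMMAND, so a stolen key can only do its one task.
# Constructed sample of what an rsync push sends (varies by rsync version):
#   rsync --server -vulogDtpre.iLsfxC . /home/

# gate_decide ROLE REQUESTED: print the command to run, or return 1 (deny).
gate_decide() {
    case $1 in
        halt) echo "halt -p" ;;                      # client request is ignored
        sync)
            case $2 in
                *[!A-Za-z0-9\ ./_,=-]*) return 1 ;;  # metacharacters, globs
                "rsync --server "*" "*" . /home/") return 1 ;;  # extra args, e.g. --sender
                "rsync --server -"[!-]*" . /home/") printf '%s\n' "$2" ;;  # push into /home/
                *) return 1 ;;
            esac ;;
        *) return 1 ;;                               # unknown role
    esac
}

# Entry point when sshd invokes the script with a role argument.
if [ $# -gt 0 ]; then
    if cmd=$(gate_decide "$1" "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t backup-gate "role=$1 run: $cmd"
        set -f        # no glob expansion when $cmd is split into argv
        exec $cmd     # unquoted on purpose: word-split, never re-parsed by a shell
    fi
    logger -t backup-gate "role=$1 denied: ${SSH_ORIGINAL_COMMAND:-}"
    exit 1
fi
```

The interactive-shell and run-anything scripts from the post get no key here: a key that accepts any command restricts nothing.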