
posts for 2013.

from today on, i’m enforcing https for (almost) all my web pages. i’ve added an automatic redirect which redirects all http:// pages to their corresponding https:// pages.

despite the tons of problems ssl/tls have – essentially, everything less than TLS 1.2 is unsafe, but only very few browsers actually support TLS 1.2 even though it has already been standardized in 2008 –, it is better than using no encryption at all.

and yes, i know that “just” having a self-signed certificate is only partially helpful. but i don’t have a better solution at the moment, as i don’t want to dump tons of money into CAs which i don’t really trust anyway. (maybe i’ll change my mind eventually. but not right now.) so for the moment, you have to accept my self-signed certificate (whose sha-1 fingerprint is 69:02:33:1D:F7:E3:9C:DA:D2:7D:9E:1D:4A:C6:40:99:A3:F8:B2:58, and whose md5 fingerprint is E5:DA:7D:4E:11:34:20:BD:7C:9E:3B:CD:E1:C9:6A:1B. you can compare them in firefox, for example, by clicking the padlock and then clicking “more information…” and then “view certificate”, and in chromium/chrome by clicking the padlock and then “certificate information”).

posted in: computer

last week, we visited the säntis, one of the highest landmarks in northeastern switzerland. despite being quite crowded – after all, it was on a sunday with good weather – it didn’t feel too crowded on the top, and we caught some great views onto germany, lake constance, liechtenstein and austria. (i’m not sure whether we also saw france or italy due to haze. but in theory, we could have.) enjoy some of the views and panoramas:

two and a half weeks ago, we visited the zolli, the zoo in basel. equipped with my camera and perfect weather (i.e. not too good, so the animals won’t hide from the sun, and not too bad as well), we had a good time and saw many interesting animals.

more than one year ago, miukumauku, my cat, moved in with us. so when i was sitting outside and saw her playing in the sun, i had to take some pictures. she grew quite a bit, and stopped playing with most of her toys, in favour of having a real-life outside, playing with anything that moves and is not too big. and she’s still extremely cute.

here are some pics from today:

recently we were in knie’s kinderzoo in rapperswil. judging from the huge number of families, it is apparently a very attractive destination. and judging from the kids, they seem to like it a lot. here are some impressions:

the interplay of sunlight and clouds sometimes results in interesting shots… some days ago, part of the sky was cut in two pieces:

sometimes, we can observe quite dramatic sky panoramas:

after recently installing arch linux on my laptop (a thinkpad x230), i was first quite happy. but after some time, i noticed some flaws. first of all, having to do so many things by hand is somewhat annoying. if it would be just about installing software: no big deal (for me). but it is also about configuring stuff, like deciding between networkmanager and the arch-specific command line wireless setup, which is installed by default. switching to networkmanager was quite annoying, and in the end didn’t work very well (one anecdote: at some point, i had to reboot to get plain eth0 working again – reconfiguring by hand might have worked, but you don’t always have time to do that). and also power management was not so good, after trying some things i finally had a system which, coming back from suspend, waited a few seconds (usually enough to enter my password and unlock the computer) and sent it back to suspend. after the next unsuspend, there was no password protection left…
the final kick came when i tried to install hugin: it simply didn’t work. at all. pacman always gave up without an understandable error message. great, eh? at that point i decided to try linux mint another time.
last weekend, i first tried to install linux mint debian edition (lmde) on my laptop. it has the advantage of being a rolling release distribution. well, the installer doesn’t support harddisk encryption, but it allows you to do that by yourself. after having managed that with arch linux, i tried it. basically, at two points during the installation process, the installer lets you do some stuff – set up and mount partitions in the first stop, and installing packages/modules and setting up stuff for the first boot in the second stop – and waits for you to press the “forward” button. unfortunately, during the second stop, the “forward” button was grayed out. i hoped that maybe the installer enables it when time comes, but after doing everything (hopefully) and waiting, nothing happened. great, eh? well, i searched around the net, but found nothing. the only thing i found was a blog entry announcing lmde 201303 (which i was trying to install) with the note “please use this blog to report bugs”, which is nice, but not when you notice that comments are disabled. at that point, i gave up and downloaded a linux mint 15 image instead…
installing that one went quite smoothly. of course, again, the installer didn’t support using my encrypted setup (seems to be implemented nowhere, except in the old ubuntu alternate installer which is discontinued. yay, the good old times when stuff just worked out of the box!). after mounting stuff before starting the installer (i also had to install the lvm2 package), the install went well. before rebooting, though, i had to do some new tricks. after trying around unsuccessfully for some time, i finally found a question on askubuntu.com, whose accepted answer provided the solution for me: it explains how to set up /etc/crypttab, initramfs and grub to ask for a password on boot-up and unlock the encrypted disks (see also below in this post). with these steps, i was able to boot the newly installed linux mint 15, and from that point on, everything went well.
most stuff worked out of the box, and all packages i wanted to install actually existed (arch linux doesn’t have mmv by default, for example), and both wine and hugin did work out of the box. the only very annoying part was that linux mint screwed up my firefox profile. it created a new profile and changed the .mozilla/firefox/profiles.ini to only use the new profile. after modifying that file, i had my old profile back. after that, i was happy, and after a couple of days with wlan/vpn field test (i never even got so far to try vpn on arch linux), i’m opting to keep linux mint 15 for some while. i guess i’ll also install it on my desktop (replacing ubuntu 12.04 lts).
(actually, for desktop machines, arch linux will function much better, since there you don’t need fancy stuff like wireless setup, power saving etc. nonetheless, after the experience i had i won’t try it again for some time…)

quick conclusion: how to set up luks/lvm encryption manually on ubuntu/mint.

before i forget how this was done, or maybe askubuntu gets rid of the question and answer, i’ll document the necessary steps i had to do here (all paths are relative to the installed system’s root):

  1. create /etc/crypttab with a line like this:
    sda2_crypt UUID=... none luks
    to find out the correct uuid, try ls -la /dev/disk/by-uuid/. then you can see which uuid is mapped to which device. another (somewhat unrelated) useful tool is lsblk, which shows your current device and filesystem topology.
  2. create /etc/initramfs-tools/conf.d/cryptroot containing a similar line:
    CRYPTROOT=target=sda2_crypt,source=/dev/disk/by-uuid/...
    again, use the correct uuid instead of the “…”.
  3. mount /dev into the new environment by running
    mount -o bind /dev /target/dev
    (replace target with the path to the new system’s root directory.)
    then chroot the environment, and run the following commands:
    mount -t proc proc /proc
    mount -t sysfs sys /sys
    mount -t devpts devpts /dev/pts
    locale-gen --purge --no-archive
    update-initramfs -k all -c
    

    this will set up the ram disk correctly so that it will deal with the encrypted root partition. (note that it usually will complain about an “invalid line” in /etc/crypttab. you can usually ignore this.)
  4. change GRUB_CMDLINE_LINUX in /etc/default/grub to something like
    GRUB_CMDLINE_LINUX="cryptopts=target=sda2_crypt,source=/dev/disk/by-uuid/...,lvm=sda2_crypt"
    again, think of replacing sda2_crypt if necessary and filling in the correct uuid.
  5. in the chroot environment, run update-grub.

after this, it should work. maybe you also have to install cryptsetup and/or lvm2 in the chroot environment, if it wasn’t already done by the installer.
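
added example (not part of the original post or the askubuntu answer): a small shell function that cross-checks the files edited in steps 1, 2 and 4 before you reboot, since a mapper name or uuid that differs between them leaves you with a system that cannot unlock its root. the function name check_cryptroot is made up for this example; it only compares the target=/source= part and does not inspect the lvm= value.

```shell
# usage: check_cryptroot /target   (/target = the installed system's root)
# returns 0 if consistent, 1 on a mismatch, 2 if a file or entry is missing
check_cryptroot() {
    root=$1
    crypttab=$root/etc/crypttab
    conf=$root/etc/initramfs-tools/conf.d/cryptroot
    grub=$root/etc/default/grub
    for f in "$crypttab" "$conf" "$grub"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # step 1: first "name UUID=<uuid> none luks" entry, comment lines skipped
    name=$(awk '$1 !~ /^#/ && $2 ~ /^UUID=/ { print $1; exit }' "$crypttab")
    uuid=$(awk '$1 !~ /^#/ && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$crypttab")
    if [ -z "$name" ] || [ -z "$uuid" ]; then
        echo "no 'name UUID=...' entry in $crypttab" >&2
        return 2
    fi

    want="target=$name,source=/dev/disk/by-uuid/$uuid"
    rc=0
    # step 2: the initramfs config must contain exactly CRYPTROOT=<want>
    grep -qxF "CRYPTROOT=$want" "$conf" ||
        { echo "cryptroot conf disagrees with crypttab" >&2; rc=1; }
    # step 4: the kernel command line must carry cryptopts=<want>
    grep '^GRUB_CMDLINE_LINUX=' "$grub" | grep -qF "cryptopts=$want" ||
        { echo "GRUB_CMDLINE_LINUX disagrees with crypttab" >&2; rc=1; }
    # step 3: if /dev is bind-mounted into the target, the uuid must exist there
    if [ -d "$root/dev/disk/by-uuid" ] && [ ! -e "$root/dev/disk/by-uuid/$uuid" ]; then
        echo "uuid $uuid not found under $root/dev/disk/by-uuid" >&2
        rc=1
    fi
    return $rc
}
```

run it from the live system as check_cryptroot /target after step 5; any message on stderr names the file to re-check.
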
anyway, i’m really looking forward to the moment when most distribution installers know how to (again!) deal with existing luks/lvm installations. i hope it won’t take as long as it took for basic hdd encryption to find its way into the graphical installers in the first place. (that was, like, forever! and without an initiative of the eff, it might really have taken forever.)

this weekend, the apv zo visited the wildpark bruderhaus in winterthur. the weather was great, and except for the lynxes, we saw all animals we planned to see: sika deer and fallow deer, european bisons, wild boars, red deer, przewalski’s horses and gray wolves.