While it’s easy to install a GNU/Linux operating system on your machine, and opt for full disk encryption during that installation process, it can be a little trickier if you want to add a second encrypted disk to your system and have that automatically unlock on start-up.

Fortunately, it’s not too much harder. This guide just focuses on decrypting the partition and mounting it somewhere. If you’re interested in setting up an encrypted partition, you’re probably just best off Googling it 🙂

Let’s get started.

Let’s say your partition is /dev/sda1.  Firstly, create a key that only root can read.

$ sudo bash

# cd /root

# dd if=/dev/urandom of=sda1keyfile bs=1024 count=4

# chmod 400 sda1keyfile

Now, you need to add this key file as a passphrase to your encrypted disk.  This key will live in a key slot, of which there are eight in total.  You will be prompted to enter the passphrase that you originally supplied when creating the partition:

# cryptsetup -v luksAddKey /dev/sda1 sda1keyfile
Enter any passphrase:

Once entered, you will see something like this:

Key slot 0 unlocked.
Key slot 1 created.
Command successful.

Now, you need to locate the disk using a way that will always be recognised by the system, even if disks change positions and /dev/sd* entries remap.  The safest way is to use the UUID of the partition.

This one-liner will probably get you the right answer (be sure to change the disk id):

ls -l /dev/disk/by-uuid/ | grep sda1 | awk ' {print $9;}'

This should give you something looking like this:

2e08befa-6a53-4628-8f16-8b6dd7631aa5

You then want to tell the system to unlock this disk on boot. How to do this? Well, the file /etc/crypttab is all you need to know!

The field order is like this:

Name          Path                                        Unlock credential    Options
mycryptdisk   UUID=2e08befa-6a53-4628-8f16-8b6dd7631aa5   /root/sda1keyfile    luks,timeout=30,discard

Just save the file and you’re nearly ready. Device Mapper (dm) will read this file on boot up, and attempt to unlock the encrypted partition using the supplied key.

The last part of this process is to automatically mount this decrypted partition. For that, you’ll need to visit /etc/fstab. Enter a line similar to the following, making adjustments for your environment:

/dev/mapper/mycryptdisk /mnt/mydata ext4 defaults,discard 0 2

There you have it. You should now be able to access your encrypted volume automatically on boot up, and not rely on a desktop environment like GNOME to help you unlock it with a passphrase in your keyring.
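
Once the steps above are done, the set-up is worth a sanity check before rebooting. The script below is an added example, not part of the original post: it lints crypttab entries for a device path that can remap, a key file that is missing or readable beyond its owner, and the discard option. The function names and the CRYPTTAB, FSTAB and KEY_OWNER overrides are this example's own, and stat -c assumes GNU coreutils.

```sh
#!/bin/sh
# Added example (not from the original post): lint crypttab entries like the
# one above. Function names and the CRYPTTAB/FSTAB/KEY_OWNER overrides are
# this example's own; stat -c assumes GNU coreutils.
CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
FSTAB=${FSTAB:-/etc/fstab}
KEY_OWNER=${KEY_OWNER:-0}   # uid expected to own key files (0 = root)

# keyfile_ok FILE: regular file, owned by KEY_OWNER, no group/other access.
keyfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    kf_uid=$(stat -c '%u' "$1") && kf_mode=$(stat -c '%a' "$1") || return 1
    [ "$kf_uid" = "$KEY_OWNER" ] || return 1
    case $kf_mode in 0|*00) return 0 ;; *) return 1 ;; esac
}

# fstab_has_mapper NAME: true if FSTAB mounts /dev/mapper/NAME.
fstab_has_mapper() {
    awk -v dev="/dev/mapper/$1" '$1 == dev { found = 1 } END { exit !found }' "$FSTAB"
}

# lint_crypttab: print findings; return non-zero if any FAIL was reported.
lint_crypttab() {
    fails=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        case $dev in
            UUID=*|PARTUUID=*|LABEL=*|/dev/disk/by-*) ;;
            *) echo "FAIL $name: $dev can remap between boots, use UUID="
               fails=$((fails + 1)) ;;
        esac
        case $key in
            ''|none|-) ;;   # unlocked by passphrase prompt, no file to check
            *) keyfile_ok "$key" || {
                   echo "FAIL $name: $key missing, wrong owner or group/other-accessible"
                   fails=$((fails + 1)); } ;;
        esac
        case ",$opts," in
            *,discard,*) echo "NOTE $name: discard passes TRIM through, exposing which blocks are unused" ;;
        esac
        fstab_has_mapper "$name" || echo "NOTE $name: no /dev/mapper/$name line in $FSTAB"
    done < "$CRYPTTAB"
    [ "$fails" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then lint_crypttab; fi
```

Run it as root with --run so the key file in /root can be inspected. The key file is only as protected as the filesystem it sits on, so this arrangement assumes the root filesystem is itself encrypted.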


How to remove Nvidia HDMI audio output in PulseAudio?

If you’re having trouble with audio routing through the wrong device, this may be the answer.

Source: sound – How to remove Nvidia HDMI audio output in PulseAudio? – Ask Ubuntu

Calendar interface in Nextcloud

The problem with purism

At heart, I’m a Linux guy.  For many tasks, I use Emacs (a popular editor among some developers due to its extensibility), with Orgmode as my primary means of managing tasks, recording time, jotting down notes and, at times, trying to manage my calendar.

But there were several problems with this. Firstly, the only mobile client to sync Orgmode files with reasonable reliability, was MobileOrg.  Sadly, this project has been discontinued for a while, and to my knowledge it hasn’t yet seen a superior successor.  In addition, Orgmode is a great calendar within Emacs, but it’s not so strong outside. And while MobileOrg was “ok”, it didn’t present information in a convenient, easily-interpreted way.

In short, having a text-only, Linux/Android-only solution, was awkward.

The compromising advantage

Part of the appeal of Orgmode and MobileOrg was being able to keep all data within one’s own infrastructure.  As one of MobileOrg’s features is to “sync files from an SSH server”, and Emacs has TRAMP for accessing network locations, this made it possible to get each end talking with the other, and the synchronisation was generally reliable.

But in some ways, using Emacs, Orgmode and MobileOrg – to achieve data security and ultimate privacy – is arguably a case of the tail wagging the dog.  Was this the only private-data solution? Probably not. Was it the most convenient?  Was Orgmode the right tool for many of life’s repeatable, short-lived events? Definitely not.

org-mode in action: showing a list of links

Despite trying to use only free, libre & open source software to address this requirement, around 2016 it started becoming clear that simpler solutions existed – albeit involving proprietary software of some kind.  Certain diehards might scoff that, if some software only exists in proprietary form, it’s inherently evil and you must build a free/libre version. But such ideals are rarely achievable when your needs as a new parent and business owner outweigh most others.

As I pondered my motives, it became clear to me that controlling my data was more important to me than controlling the tools.

The next move

For years on Android, I used CalDav and CardDav syncing tools, which were proprietary plugins that presented calendar and contact “providers” to the OS.  These worked great, but finding equivalent staples on Linux was somewhat harder.  The time had arrived when I needed desktop access to calendar, task and contact management, that wasn’t based in an Office365 tenancy.

The right move here was to set up Nextcloud. On my small personal hosting box at DigitalOcean [discount referral link], I set up a virtual server to run Nextcloud.  Nextcloud provides calendar, tasks and contact databases that are conveniently accessible through CardDav & CalDav.

As I had to work on a Mac in order to test websites in Safari (which accounted for at least 9% of traffic, and often more), it was useful to have syncing of this data there too.  And this, unlike some of my earlier grumpiness with all things Mac, was actually a pleasant surprise: macOS actually had great support for CalDav and CardDav.

Conclusion

Account set-up in iOS
Setting up access to other services is a cinch in iOS.

Do I get the solution I need? Yes. Does it sync well? Yes. Am I happier? Yes.

Not only that, but the downside of Orgmode syncing was that it worked best if restricted to two-way communications. If you added a third or fourth client and tried syncing between all of them, it would quickly become a clusterfunk.

Is Apple the enemy?  Well, probably. But better the devil you know, sometimes. Due to the ease of synchronisation with tasks, contacts and calendar in macOS, I slowly warmed up to the idea of replacing my ageing Samsung Galaxy Note 4 with an iPhone. So I did.  And arguably, for this requirement, it was a good choice.

Does this mean I’m no longer a Linux guy? Oh no, not at all. I still have my ThinkPad T420S, which was a side-grade replacement for my chunky T420. I use it every day in my work as a Senior Systems Administrator, for one of the UK’s top universities. I still use Emacs and Orgmode as a daily driver for tasks and coding.

But at home, my wife and I share a calendar and contact list across Android and iOS, thanks to the support of industry standard protocols.

Controlling where the data is has served us pretty well.

Reposted

Reddit threadsters are suggesting that certain 5400rpm 8TB Western Digital drives are actually rotating faster, at 7200rpm, and using startup sound profiles to back up their claims. There are a group of reddit threads, like this one by u/sbjf, saying WD 8TB EMAZ and EZAZ drives, used in WD’s Elements and My Book external storage…

via What madness is this? WD 5400 rpm 8TB drives sound like faster 7200 rpm spinners — Blocks and Files