Wednesday, December 21, 2011

Encrypted Flash Swap Partition

Flash swap can improve performance on systems with low memory, and it's pretty cheap.  My laptop has 4GB of memory, but I run a lot of applications and browser tabs, so I still end up swapping.  Using flash for swap doesn't make much if any difference while you're using a single application, but I do notice a significant speedup when switching to other applications that have been swapped out.  I'm running Ubuntu 10.04 with encrypted home directory, which also encrypts the swap partition, so I want my new flash swap encrypted as well.  I'm using a Verbatim Stay 'n Store 4GB drive ($9 at Amazon), which has a very small physical footprint, so I can just leave it in all the time.

The first step is to set up a swap partition on your flash drive.  Try to pick the USB port where the drive is least likely to get dislodged.  Insert the drive, and Linux should automatically recognize it and mount it.  You can use
user@laptop:~$ mount
to see what drives are mounted.  The newly added USB drive should be the last one.  For example, mine looked like this:
/dev/sdc1 on /media/VERBATIM type vfat (rw,nosuid,nodev,uhelper=udisks,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,flush)
In order to create a swap partition, you need to unmount it first:
user@laptop:~$ umount /dev/sdc1
Then create the swap partition:
user@laptop:~$ sudo mkswap /dev/sdc1
Then enable it with a high priority (so it gets used ahead of the hard disk swap partition):
user@laptop:~$ sudo swapon -p 32767 /dev/sdc1
You can see that it has been added to the list of available swap partitions (cryptswap1 is the pre-existing hard disk encrypted swap partition):
user@laptop:~$ cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptswap1                  partition 1949688 0 -1
/dev/sdc1                               partition 3875832 0 32767
Note, if you did not install with the encrypted home directory option, you might need to install the crypto utilities:
user@laptop:~$ sudo apt-get install cryptsetup ecryptfs-utils
Now to encrypt the new swap partition:
user@laptop:~$ sudo ecryptfs-setup-swap
WARNING: [/dev/mapper/cryptswap1] already appears to be encrypted, skipping.
WARNING:
An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format.
HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!
NOTE: Your suspend/resume capabilities will not be affected.
Do you want to proceed with encrypting your swap? [y/N]: y
INFO: Setting up swap: [/dev/sdc1]
* Stopping remaining crypto disks...                                          
* cryptswap1 (busy)...                                                        
* cryptswap2 (stopped)...                                               [ OK ]
* Starting remaining crypto disks...                                          
* cryptswap1 (running)...                                                    
* cryptswap2 (starting)..
* cryptswap2 (started)...                                               [ OK ] 
Now your /proc/swaps looks different:
laptop:~$ cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptswap1                  partition 1949688 0 -1
/dev/mapper/cryptswap2                  partition 3875832 0 -2
Also an entry has been added to fstab:
user@laptop:~$ grep cryptswap /etc/fstab
/dev/mapper/cryptswap1 none swap sw 0 0
/dev/mapper/cryptswap2 none swap sw 0 0
Notice that it did not preserve the priority setting. You can fix this for your current session by doing:
user@laptop:~$ sudo swapoff /dev/mapper/cryptswap2
user@laptop:~$ sudo swapon -p 32767 /dev/mapper/cryptswap2
user@laptop:~$ cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptswap1                  partition 1949688 0 -1
/dev/mapper/cryptswap2                  partition 3875832 0 32767
To make the priority persist across reboots, change the entry in /etc/fstab to:
/dev/mapper/cryptswap2 none swap sw,pri=32767 0 0
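
A check for the two things this setup can silently get wrong, a swap area that is still plaintext and a priority that lasts only until the next reboot, written here as an added example (not part of the original post). It assumes, as on this page, that encrypted swap appears under /dev/mapper/; the function names and sample files are made up for illustration.

```sh
#!/bin/sh
# Added example: audit swap areas for plaintext devices and for priorities
# that will not survive a reboot. Sample data is constructed from the listings above.

# Print every active swap device that is not a device-mapper node (heuristic:
# /dev/mapper/* is assumed to be a dm-crypt mapping, as it is on this page).
plaintext_swaps() {   # $1 = file in /proc/swaps format
    awk 'NR > 1 && $1 !~ "^/dev/mapper/" { print $1 }' "$1"
}

# Print swap devices whose live priority is not what fstab will give them at
# boot. Without pri= the kernel assigns a negative priority automatically.
priority_drift() {    # $1 = /proc/swaps-format file, $2 = fstab-format file
    awk '
        NR == FNR {                          # first file: fstab
            if ($3 == "swap") {
                pri = "auto"
                n = split($4, opt, ",")
                for (i = 1; i <= n; i++)
                    if (opt[i] ~ /^pri=/) pri = substr(opt[i], 5)
                want[$1] = pri
            }
            next
        }
        FNR > 1 && ($1 in want) {            # second file: live swap table
            live = $5 + 0
            auto = (want[$1] == "auto")
            if ((auto && live >= 0) || (!auto && want[$1] + 0 != live))
                print $1, "live=" live, "fstab=" want[$1]
        }
    ' "$2" "$1"
}

swapdir=$(mktemp -d); trap 'rm -rf "$swapdir"' EXIT
cat > "$swapdir/swaps_before" <<'EOF'
Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 1949688 0 -1
/dev/sdc1 partition 3875832 0 32767
EOF
cat > "$swapdir/swaps_after" <<'EOF'
Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 1949688 0 -1
/dev/mapper/cryptswap2 partition 3875832 0 32767
EOF
printf '%s\n' '/dev/mapper/cryptswap1 none swap sw 0 0' \
              '/dev/mapper/cryptswap2 none swap sw 0 0' > "$swapdir/fstab"

echo "plaintext swap: $(plaintext_swaps "$swapdir/swaps_before")"
echo "priority drift: $(priority_drift "$swapdir/swaps_after" "$swapdir/fstab")"
```

On a live system, pass /proc/swaps and /etc/fstab instead of the sample files.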


Sources:
http://www.arsgeek.com/2008/07/24/readyboost-for-linux-a-quick-how-to/
http://www.logilab.org/29155
http://www.brighthub.com/computing/linux/articles/37236.aspx

Sunday, November 27, 2011

Inexpensive Remote Backup with Synology DS110j

I wanted an offsite backup of my important data (~200GB), with more control and lower recurring cost than a service like Dropbox. The Synology DS110j is an inexpensive, but full-featured, network-attached storage (NAS) device. It runs a Linux kernel with BusyBox utilities. I used it to set up a low-power remote rdiff-backup target. I like rdiff-backup because it provides the best features of a mirror and an incremental backup.

Hardware
Synology DiskStation DS110j 1-Bay NAS - $149.99 at Amazon.com
Seagate Barracuda Green ST1500DL003 1.5TB 5900 RPM internal hd - $129.99 at Newegg.com

Power Profile
I measured the power usage in various modes with a KillAWatt.
Mode                                                              Power (Watts)
Standby (entered automatically after ~10 minutes of no activity)  5.1
Active w/o disk activity                                          10.1
During backup                                                     10.9

Initial Setup
Follow the included instructions to install the hard drive and the DiskStation Manager software.

Enable SSH
Use the web interface to enable ssh. I like to change the ssh port from the default. I've found that in practice, this cuts down almost all automated ssh-based hack attempts. To change this setting, ssh to the box as root (same password as admin in the web interface), then edit DS:/etc/ssh/sshd_config to add the setting:
Port ####
(whatever port you want to use). Also add to SOURCE:/root/.ssh/config:
# DS stands for whatever the DS hostname is
Host DS
    Port ####
After any change to sshd settings, you'll need to restart the ssh server. You can do this through the web interface by disabling and then re-enabling ssh.

Enable Automated Login
My backup runs as a cron job in the middle of the night, so it needs to be able to ssh login to the DS without prompting for a password. Public key authentication is the way to do this.

In my setup, I am backing up one source to multiple destinations (one local rdiff-backup and the DS for off-site rdiff-backup). Therefore, I prefer to put the rdiff-backup config on the source and push rather than pull my backups. Follow these instructions, where A is the SOURCE side (initiating the rdiff-backup session), and B is the DS side. I used the root account on both sides.

Suppose there are multiple remote hosts for which you want automated logins. You can reuse the same key pair, or set up multiple pairs. Assuming the latter case, rename the private key to something like id_rsa_synology (you should also rename the public key similarly, so you remember which keys are part of the same pair). Also add to SOURCE:/root/.ssh/config (under the DS host section):
IdentityFile /root/.ssh/id_rsa_synology
You may also need to explicitly enable public key authentication on the DS. Again in DS:/etc/ssh/sshd_config:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Install Package Manager
Synology uses a package manager called ipkg. Install it by following these instructions.

Install rdiff-backup

Setup Non-interactive Environment
When rdiff-backup connects to the DS over ssh, it is a non-interactive session. This mode omits a lot of the environment setup that normally happens when you log in interactively. In particular, the PATH is different:
Interactive:
DiskStation1> echo $PATH
/opt/bin:/opt/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/syno/bin:/usr/syno/sbin:/usr/local/bin:/usr/local/sbin

Non-interactive:
root@local:~# ssh nas1 'echo $PATH'
/usr/bin:/bin:/usr/sbin:/sbin:/usr/syno/bin
The critical difference in this case is that /opt/bin is missing in the non-interactive path. rdiff-backup requires the rdiff-backup executable to be in the path on the remote side. To set the path for non-interactive ssh sessions, add to DS:/etc/ssh/sshd_config
PermitUserEnvironment yes
and create DS:~/.ssh/environment containing
PATH=/opt/bin:/opt/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/syno/bin
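
An added example (not from the original post or from Synology) that audits the sshd settings changed above. PermitUserEnvironment yes lets ~/.ssh/environment set any variable, and the sshd_config manual warns that this can bypass access restrictions through mechanisms such as LD_PRELOAD, so the script also lists every variable other than PATH in that file; port 2222, the function names and the sample files are constructed.

```sh
#!/bin/sh
# Added example: audit the sshd settings this post changes. Sample files are constructed.

# Print the effective value of a keyword. sshd uses the first occurrence and
# keywords are case-insensitive; prints nothing if unset. Match blocks are not handled.
sshd_value() {       # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Print one finding per line for the settings discussed in this post.
audit_sshd() {       # $1 = sshd_config path
    port=$(sshd_value Port "$1")
    pubkey=$(sshd_value PubkeyAuthentication "$1")
    passwd=$(sshd_value PasswordAuthentication "$1")
    userenv=$(sshd_value PermitUserEnvironment "$1")
    if [ "${port:-22}" = 22 ]; then echo "Port: still the default 22"; fi
    if [ "${pubkey:-yes}" != yes ]; then echo "PubkeyAuthentication: off, the cron login will fail"; fi
    if [ "${passwd:-yes}" != no ]; then echo "PasswordAuthentication: password logins still accepted"; fi
    if [ "$userenv" = yes ]; then echo "PermitUserEnvironment: yes allows any variable, not just PATH"; fi
    return 0
}

# Print the names of variables in an ~/.ssh/environment file other than PATH.
extra_env_vars() {   # $1 = environment file path
    awk -F= '/^[A-Za-z_][A-Za-z0-9_]*=/ && $1 != "PATH" { print $1 }' "$1"
}

sshdir=$(mktemp -d); trap 'rm -rf "$sshdir"' EXIT
cat > "$sshdir/sshd_config" <<'EOF'
# constructed sample: the settings from this post, 2222 standing in for "####"
Port 2222
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitUserEnvironment yes
EOF
cat > "$sshdir/environment" <<'EOF'
PATH=/opt/bin:/opt/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/syno/bin
LD_PRELOAD=/tmp/example.so
EOF

audit_sshd "$sshdir/sshd_config"
echo "unexpected variables: $(extra_env_vars "$sshdir/environment")"
```

On OpenSSH 7.8 and later, PermitUserEnvironment also accepts a list of variable names, so PermitUserEnvironment PATH allows only the variable this setup needs.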

DiskStation Hostname
Assuming you don't have a static IP to assign to your DS, you can use dynamic DNS to maintain a consistent hostname by which you can reach it. This functionality is built into the DS web interface.

Conclusion
Now just park the DS at a friend's or family member's house, and voilà, 1.5TB of online, offsite, secure storage, with no recurring costs for several years. You'll probably have to set up port forwarding on the router that the DS is connected to, so you can connect to it from the outside. Just use the same port you set up for sshd.