Cipher and Digest

Similar Messages

• HTML links in Vibe Feed and digest e-mails do not work on GW 8.0.3client

  I have GroupWise 8.0.3hp1 on NetWare 6.5.8 and a Vibe 3.3 install on
  SUSE 11 (the downloadable Vibe demo virtual machine from Novell's site).
  I have recently started upgrading GroupWise clients on Windows 7 PCs
  (64bit), and have been testing Vibe. I have run into a problem with
  HTML links in GW clients not working on PCs where the GW client has been
  upgraded.
  This problem occurs using the GroupWise 8.0.3hp2 and 8.0.3hp3 clients,
  but does not occur on a 8.0.2hp2 client, so it appears to be GroupWise
  client related. I haven't tested any other client versions.
  1. When using the GW 8.0.3 client, if I select any of the "Novell Vibe
  OnPrem", "Favorites", or "My Teams" folders, I can see the Vibe Feed
  display showing entries for sites I'm following. But clicking on the
  links in these entries does nothing, so I cannot use the Vibe Feed to go
  directly to files, profiles, etc. The same Vibe Feed links from the
  Vibe web browser interface or from a GW8.0.2hp2 client works fine.
  2. If I have e-mail digest notifications setup to let me know when
  changes are made to a folder or file in Vibe, the e-mails are delivered
  to me just fine. But once again, none of the links in the e-mails work
  when using the GW8.0.3 client. Clicking on them does nothing. If I
  look at the e-mail message source, I can copy-and-paste the URLs
  directly into a browser and they work fine, so the URLs themselves are
  correct. Again, these links work fine if I use the GroupWise WebAccess
  or a GW8.0.2hp2 client.
  Is the GW 8.0.3 client is blocking these HTML links? I receive no
  notification from the client asking whether to "unblock" any
  links/scripts/images when viewing messages with these Vibe links.
  Any suggestions for getting these to work on GW 8.0.3 client?
  Thanks,
  -Greg
  former e-mail for posting:
  [email protected]

  Greg,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Caesar Cipher and non printing ascii

  I am writing a program to implements the caesar cipher. For the program I am using ASCII code so my encryption algorithm is:
  c = (p + k) mod 128
  The only problem is, is that depending on the characters being encrypted and depending on the key I use some of the characters are encrypted to non-printing ascii characters such as 'del'.
  So my code reads in the plain text from a file converts each character to ascii, encrypts each character using the key. It then writes the encrypted ascii values to a file as text (i.e. the character equivalent of the ascii).
  If I do then encounter a non-printing ascii value it is written to the file as a square shape. Is there any way I can get around this?
  Thanks for your help on the matter.
  Wallace

  Modify your encryption function so that it only covers those ASCII values that print, i.e. you need to implement the mod and + function yourself so that only good ASCII characters are considered.

• Cipher and Keytool

  Hello,
  I'm fairly new to crypto and could use some help. I'm attempting to use a self signed certificate as the basis for a cipher in order to encrypt some objects sent over a stream from a servlet to a client. After hitting a few different exceptions (Cannot find any provider supporting ..., etc), I listed out the default (1.4.2) security providers and their properties. As far as I can discern from the properties, it seems that only the SunJCE provider supports a cipher. Am I incorrect? Given the 1.4.2 default providers (I cannot add another provider, e.g. BC), is there a keyalg/sigalg combination I can use with keytool that will generate a certificate that can be used for Cipher.getInstance() and cipher.init()? Below is a snippet:
  CertificateFactory factory = CertificateFactory.getInstance("X.509");
  this.certificate = factory.generateCertificate(certificateStream);
  this.cipher = Cipher.getInstance(this.certificate.getPublicKey().getAlgorithm());
  this.cipher.init(Cipher.ENCRYPT_MODE, this.certificate);
  CipherOutputStream cipherOutputStream = new CipherOutputStream (outputStream, this.cipher);
  Thanks,
  Bob

  Hi,
  First of all, use RSA for your key/certificate and you'll be able to encrypt with it. Second, I believe the RSA encryption implementations that are generally available allow only one block of data to be encrypted at a time. It's probably best, therefore, to use "key wrapping" mode. In this mode, each time you execute a transaction, you create a random symmetric key (SecretKey). First, you use a Cipher in WRAP_MODE with your public RSA key (certifcate) to wrap() the SecretKey, sending the output to the recipient. Then, you use a new Cipher in ENCRYPT_MODE with the SecretKey to encrypt your data. The recipient uses the RSA private key in UNWRAP_MODE to unwrap() the SecretKey, then uses the unwrapped key with a new Cipher in DECRYPT_MODE to decrypt the data.

• Cipher- and TLS configurations for SSTP VPN Client

  Hi!
  We use TMG to terminate our SSTP VPN's.
  TMG is configured to use TLS1.0 and 1.2 and ECDHE SHA 256/384 based ciphers.
  If I connect to some of our published web services from my Win7/8/8.1, the web browser is using TLS1.2 and latest ciphers.
  If I connect to the same TMG with SSTP VPN (and capture data to get these results), the Windows VPN uses TLS 1.0 and basic SHA handshake (naturally, since TLS 1.2 isn't kicking in).
  Can someone tell me, does SSTP VPN use schannels or is there some other place where i should enable TLS1.2 to get the latest protection levels also to our VPN solution?
  .. Or is this a TMG thing? :)
  Antti
  Antti Laatikainen IT Security Manager Santen Europe

  Hi,
  To enabling TLS 1.2 in TMG, please refer to this article:
  TMG 2010 and enabling TLS 1.2
  http://gnawgnu.blogspot.com/2011/09/tmg-2010-and-enabling-tls-12.html
  In addition, Antti, I can only help you on this since I am not the professional on TMG and TSL.
  To better help you, I suggest contacting the TMG support:
  http://social.technet.microsoft.com/Forums/en-US/home?forum=Forefrontedgegeneral
  The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. 
  Thank you for your understanding.
  Kate Li
  TechNet Community Support

• Can't connect Windows 8.1 Enperprise to Windows Server 2012 Essentials. Get a Digest Login page and then a Blank with HTTP 404 Error page. Need help!

  Hi,
  I have make a new and clean install of Windows Server 2012 R2 Essentials on my office network server and then i made a new and clean install of Windows 8.1 Enterprise version on one of my office desktops.
  After all VPN and Anywhere Access where setup on the server i when to a PC that is inside my office network and browse on Internet Explorer to the URL to connect this PC to the server and make it part of the domain.
  But when i browse to the http://MYSERVERNAME/connect im not getting the Windows Server page with the option to download the windows connector. Instead i get a login pop-up saying "iexplore" and "digest". I try to create a user on the server
  and use that user login details on this login box, but even then, the only thing i get is a blank page saying a HTTP Error 404.
  So can someone please help me on this? Any advice on how to solve this problem in order to show the normal Windows Server connect page? 
  Thanks

  Hi,
  Based on your description, please refer to following operations and troubleshoot this issue. Then check if
  can help us to narrow down the cause of this issue.
  Please type
  http://server-IP-address/connect in IE. Then check if encounter the same issue.
  On the Windows Server 2012 R2 Essentials, please open Internet Information Services (IIS) Manager. Navigate to Sites, then right click Default Web Site and select
  Edit Bindings… In Site Bindings, select Port 80 and click “Edit…” button. Would you please provide a screenshot of the Edit Site Binding (Port 80) that you can see?
  Then please click
  Connect which in the list of Default Web Site. In the mid panel, select
  .NET Authorization Rules and double click it. Then please check if all users were allowed.
  By the way, would you please provide a screenshot of the login page when you browser
  http://servername/connect? It may help me to understand this issue clearly.
  Meanwhile, please logon a problematic client computer and navigate to the path: C:\ProgramData\Microsoft\Windows
  Server\Logs folder. Then check if there is Computerconnector log file. If there is, please check it if can find some clues. (Please note: the log file is a hidden file. Please open Control Panel, select Folder Options, select View tab and check Show hidden
  files, folders and drives. Then you will be able to find the log file.)
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Same Algo for Key and Cipher recommended?

  Hi,
  Can I use different algos for the key i want to use for a cipher and the cipher itself or
  is it mandatory to use the same algo for both?
  I don't found any answer for this simple question.
  regards,
  Olek

  Olek wrote:
  Hi,
  No - but who said that this is complete sensless?If it made sense then there would be no need to create a SecretKey object for a particular algorithm. AES requires a 128 bit or 192 bit or 256 bit key so how can a 56 bit DES key be used with AES? Simple logic.
  If using the JCE you had tried to use a DES key in AES then you would quickly have found out that an exception gets thrown in the init() method. A very simple 3 line test harness. This would have taken you no more than 5 minutes to cobble together. Much quicker than asking in this forum but ...
  The Key and the Cipher are two independent things for a non
  high skilled crypto veteran.What logic makes Key and Cipher independent? 1 minute of thought after 15 minutes with the most elementary cryptography tutorial would make you understand this.
  I wouldn't aks if this is clear like 1 + 1 = 2 - is this clear!? ;)Obvious it is not clear but I do know that insecure and faulty cryptography results from people not studying cryptography. I do not mean that one must know all about all aspect of cryptography but one should have done significant background reading, especially with regards to the type of cryptography one is using.
  How much background study have you done Olek?
  >
  Olek

• System encryption using LUKS and GPG encrypted keys for arch linux

  Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
  Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
  Update: 2013-01-13: Updated the hook files using the corrections by Deth.
  Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
  I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
  Intro
  Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
  Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
  Conventions
  In this short guide, I use the following disk/partition names:
  /dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
  /dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
  /dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
  Credits
  Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
  Guide
  1. Boot the arch live cd
  I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
  2. Set keymap
  Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...
  3. Wipe your discs
  ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
  Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
  shred -v /dev/sda
  shred -v /dev/sdb
  4. Partitioning
  Fire up fdisk and create the following partitions:
  /dev/sda1, type linux swap.
  /dev/sda2: type linux
  /dev/sda3: type linux
  /dev/sdb1, type linux
  Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
  5. Format  and mount the usb stick
  Create an ext2 filesystem on /dev/sdb1:
  mkfs.ext2 /dev/sdb1
  mkdir /root/usb
  mount /dev/sdb1 /root/usb
  cd /root/usb # this will be our working directory for now.
  Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
  6. Configure the network (if not already done automatically)
  ifconfig eth0 192.168.0.2 netmask 255.255.255.0
  route add default gw 192.168.0.1
  echo "nameserver 192.168.0.1" >> /etc/resolv.conf
  (this is just an example, your mileage may vary)
  7. Install gnupg
  pacman -Sy
  pacman -S gnupg
  Verify that gnupg works by launching gpg.
  8. Create the keys
  Just to be sure, make sure swap is off:
  cat /proc/swaps
  should return no entries.
  Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
  Choose a strong password!!
  Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
  Note that the default cipher for gpg is cast5, I just chose to use a different one.
  9. Create the encrypted devices with cryptsetup
  Create encrypted swap:
  cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
  You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
  Important: From the Cryptsetup 1.1.2 Release notes:
  Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
      if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
        as normal binary file and no new line is interpreted.
      if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
        stop after new line is detected.
  If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.
  gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
  gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
  Check for any errors.
  10. Open the luks devices
  gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
  gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var
  If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
  11. Start the installer /arch/setup
  Follow steps 1 to 3.
  At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
  Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
  Select DONE to start formatting.
  At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
  Start step 6 (Install packages).
  Go to step 7 (Configure System).
  By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
  Edit /etc/fstab:
  /dev/mapper/root / ext4 defaults 0 1
  /dev/mapper/swap swap swap defaults 0 0
  /dev/mapper/var /var ext4 defaults 0 1
  # /dev/sdb1 /boot ext2 defaults 0 1
  Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
  Go to step 8 (install boot loader).
  Be sure to change the kernel line in menu.lst:
  kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
  Don't forget the :root suffix in cryptdevice!
  Also, my root line was set to (hd1,0). Had to change that to
  root (hd0,0)
  Install grub to /dev/sdb (the usb stick).
  Now, we can exit the installer.
  12. Install mkinitcpio with the etwo hook.
  Create /mnt/lib/initcpio/hooks/etwo:
  #!/usr/bin/ash
  run_hook() {
  /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
  if [ -e "/sys/class/misc/device-mapper" ]; then
  if [ ! -e "/dev/mapper/control" ]; then
  /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
  fi
  [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
  # Get keyfile if specified
  ckeyfile="/crypto_keyfile"
  usegpg="n"
  if [ "x${cryptkey}" != "x" ]; then
  ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
  ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
  ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
  if poll_device "${ckdev}" ${rootdelay}; then
  case ${ckarg1} in
  *[!0-9]*)
  # Use a file on the device
  # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
  if [ "${ckarg2#*.}" = "gpg" ]; then
  ckeyfile="${ckeyfile}.gpg"
  usegpg="y"
  fi
  mkdir /ckey
  mount -r -t ${ckarg1} ${ckdev} /ckey
  dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
  umount /ckey
  # Read raw data from the block device
  # ckarg1 is numeric: ckarg1=offset, ckarg2=length
  dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
  esac
  fi
  [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
  fi
  if [ -n "${cryptdevice}" ]; then
  DEPRECATED_CRYPT=0
  cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
  cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
  else
  DEPRECATED_CRYPT=1
  cryptdev="${root}"
  cryptname="root"
  fi
  warn_deprecated() {
  echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
  echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
  if poll_device "${cryptdev}" ${rootdelay}; then
  if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  dopassphrase=1
  # If keyfile exists, try to use that
  if [ -f ${ckeyfile} ]; then
  if [ "${usegpg}" = "y" ]; then
  # gpg tty fixup
  if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
  cp -a /dev/console /dev/tty
  while [ ! -e /dev/mapper/${cryptname} ];
  do
  sleep 2
  /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
  dopassphrase=0
  done
  rm /dev/tty
  if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
  else
  if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
  dopassphrase=0
  else
  echo "Invalid keyfile. Reverting to passphrase."
  fi
  fi
  fi
  # Ask for a passphrase
  if [ ${dopassphrase} -gt 0 ]; then
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  #loop until we get a real password
  while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
  sleep 2;
  done
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  elif [ -n "${crypto}" ]; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  msg "Non-LUKS encrypted device found..."
  if [ $# -ne 5 ]; then
  err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
  err "Non-LUKS decryption not attempted..."
  return 1
  fi
  exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
  tmp=$(echo "${crypto}" | cut -d: -f1)
  [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f2)
  [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f3)
  [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f4)
  [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f5)
  [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
  if [ -f ${ckeyfile} ]; then
  exe="${exe} --key-file ${ckeyfile}"
  else
  exe="${exe} --verify-passphrase"
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  fi
  eval "${exe} ${CSQUIET}"
  if [ $? -ne 0 ]; then
  err "Non-LUKS device decryption failed. verify format: "
  err " crypto=hash:cipher:keysize:offset:skip"
  exit 1
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  else
  err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
  fi
  fi
  rm -f ${ckeyfile}
  fi
  Create /mnt/lib/initcpio/install/etwo:
  #!/bin/bash
  build() {
  local mod
  add_module dm-crypt
  if [[ $CRYPTO_MODULES ]]; then
  for mod in $CRYPTO_MODULES; do
  add_module "$mod"
  done
  else
  add_all_modules '/crypto/'
  fi
  add_dir "/dev/mapper"
  add_binary "cryptsetup"
  add_binary "dmsetup"
  add_binary "/usr/bin/gpg"
  add_file "/usr/lib/udev/rules.d/10-dm.rules"
  add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
  add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
  add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
  add_runscript
  help ()
  cat<<HELPEOF
  This hook allows for an encrypted root device with support for gpg encrypted key files.
  To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
  to your BINARIES var in /etc/mkinitcpio.conf.
  HELPEOF
  Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
  MODULES=”ext2 ext4” # not sure if this is really nessecary.
  BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
  HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)
  Copy the initcpio stuff over to the live cd:
  cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
  cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
  cp /mnt/etc/mkinitcpio.conf /etc/
  Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
  Now reinstall the initcpio:
  mkinitcpio -g /mnt/boot/kernel26.img
  Make sure there were no errors and that all hooks were included.
  13. Decrypt the "var" key to the encrypted root
  mkdir /mnt/keys
  chmod 500 /mnt/keys
  gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
  chmod 400 /mnt/keys/var
  14. Setup crypttab
  Edit /mnt/etc/crypttab:
  swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
  var /dev/sda2 /keys/var
  15. Reboot
  We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. . If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names.  I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
  Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
  Last edited by fabriceb (2013-01-15 22:36:23)

  I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
  Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.
  any idea ?
  #!/bin/bash
  # This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
  # prereqs:
  # EFI "BIOS" set to boot *only* from EFI
  # successful EFI boot of Archboot USB
  # mount /dev/sdb1 /src
  set -o nounset
  #set -o errexit
  # Host specific configuration
  # this whole script needs to be customized, particularly disk partitions
  # and configuration, but this section contains global variables that
  # are used during the system configuration phase for convenience
  HOSTNAME=daniel
  USERNAME=user
  # Globals
  # We don't need to set these here but they are used repeatedly throughout
  # so it makes sense to reuse them and allow an easy, one-time change if we
  # need to alter values such as the install target mount point.
  INSTALL_TARGET="/install"
  HR="--------------------------------------------------------------------------------"
  PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
  TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  FILE_URL="file:///packages/core-$(uname -m)/pkg"
  FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
  HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
  # Functions
  # I've avoided using functions in this script as they aren't required and
  # I think it's more of a learning tool if you see the step-by-step
  # procedures even with minor duplciations along the way, but I feel that
  # these functions clarify the particular steps of setting values in config
  # files.
  SetValue () {
  # EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
  VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
  sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
  CommentOutValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
  UncommentValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
  # Initialize
  # Warn the user about impending doom, set up the network on eth0, mount
  # the squashfs images (Archboot does this normally, we're just filling in
  # the gaps resulting from the fact that we're doing a simple scripted
  # install). We also create a temporary pacman.conf that looks for packages
  # locally first before sourcing them from the network. It would be better
  # to do either *all* local or *all* network but we can't for two reasons.
  # 1. The Archboot installation image might have an out of date kernel
  # (currently the case) which results in problems when chrooting
  # into the install mount point to modprobe efivars. So we use the
  # package snapshot on the Archboot media to ensure our kernel is
  # the same as the one we booted with.
  # 2. Ideally we'd source all local then, but some critical items,
  # notably grub2-efi variants, aren't yet on the Archboot media.
  # Warn
  timer=9
  echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
  echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
  while [[ $timer -gt 0 ]]
  do
  sleep 1
  let timer-=1
  echo -en "$timer seconds..."
  done
  echo "STARTING"
  # Get Network
  echo -n "Waiting for network address.."
  #dhclient eth0
  dhcpcd -p eth0
  echo -n "Network address acquired."
  # Mount packages squashfs images
  umount "/packages/core-$(uname -m)"
  umount "/packages/core-any"
  rm -rf "/packages/core-$(uname -m)"
  rm -rf "/packages/core-any"
  mkdir -p "/packages/core-$(uname -m)"
  mkdir -p "/packages/core-any"
  modprobe -q loop
  modprobe -q squashfs
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
  # Create temporary pacman.conf file
  cat << PACMANEOF > /tmp/pacman.conf
  [options]
  Architecture = auto
  CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
  CacheDir = /packages/core-$(uname -m)/pkg
  CacheDir = /packages/core-any/pkg
  [core]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  [extra]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  #Uncomment to enable pacman -Sy yaourt
  [archlinuxfr]
  Server = http://repo.archlinux.fr/\$arch
  PACMANEOF
  # Prepare pacman
  [[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
  [[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
  ${PACMAN} -Sy
  ${TARGET_PACMAN} -Sy
  # Install prereqs from network (not on archboot media)
  echo -e "\nInstalling prereqs...\n$HR"
  #sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
  UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
  ${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
  # Configure Host
  # Here we create three partitions:
  # 1. efi and /boot (one partition does double duty)
  # 2. swap
  # 3. our encrypted root
  # Note that all of these are on a GUID partition table scheme. This proves
  # to be quite clean and simple since we're not doing anything with MBR
  # boot partitions and the like.
  echo -e "format\n"
  # shred -v /dev/sda
  # disk prep
  sgdisk -Z /dev/sda # zap all on disk
  #sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
  sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
  #sgdisk -a 2048 -o /dev/mmcb1k0
  # create partitions
  sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
  sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
  sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
  #sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
  # set partition types
  sgdisk -t 1:ef00 /dev/sda
  sgdisk -t 2:8200 /dev/sda
  sgdisk -t 3:8300 /dev/sda
  #sgdisk -t 1:0700 /dev/mmcb1k0
  # label partitions
  sgdisk -c 1:"UEFI Boot" /dev/sda
  sgdisk -c 2:"Swap" /dev/sda
  sgdisk -c 3:"LUKS" /dev/sda
  #sgdisk -c 1:"Key" /dev/mmcb1k0
  echo -e "create gpg file\n"
  # create gpg file
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
  echo -e "format LUKS on root\n"
  # format LUKS on root
  gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
  echo -e "open LUKS on root\n"
  gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
  # NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
  # NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
  # make filesystems
  # following swap related commands not used now that we're encrypting our swap partition
  #mkswap /dev/sda2
  #swapon /dev/sda2
  #mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
  echo -e "\nCreating Filesystems...\n$HR"
  # make filesystems
  mkfs.ext4 /dev/mapper/root
  mkfs.vfat -F32 /dev/sda1
  #mkfs.vfat -F32 /dev/mmcb1k0p1
  echo -e "mount targets\n"
  # mount target
  #mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
  mount /dev/mapper/root ${INSTALL_TARGET}
  # mount target
  mkdir ${INSTALL_TARGET}
  # mkdir ${INSTALL_TARGET}/key
  # mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
  mkdir ${INSTALL_TARGET}/boot
  mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
  # Install base, necessary utilities
  mkdir -p ${INSTALL_TARGET}/var/lib/pacman
  ${TARGET_PACMAN} -Sy
  ${TARGET_PACMAN} -Su base
  # curl could be installed later but we want it ready for rankmirrors
  ${TARGET_PACMAN} -S curl
  ${TARGET_PACMAN} -S libusb-compat gnupg
  ${TARGET_PACMAN} -R grub
  rm -rf ${INSTALL_TARGET}/boot/grub
  ${TARGET_PACMAN} -S grub2-efi-x86_64
  # Configure new system
  SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
  sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
  SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
  #following replaced due to netcfg
  #SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
  # write fstab
  # You can use UUID's or whatever you want here, of course. This is just
  # the simplest approach and as long as your drives aren't changing values
  # randomly it should work fine.
  cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  tmpfs /tmp tmpfs nodev,nosuid 0 0
  /dev/sda1 /boot vfat defaults 0 0
  /dev/mapper/cryptswap none swap defaults 0 0
  /dev/mapper/root / ext4 defaults,noatime 0 1
  FSTAB_EOF
  # write etwo
  mkdir -p /lib/initcpio/hooks/
  mkdir -p /lib/initcpio/install/
  cp /src/etwo_hooks /lib/initcpio/hooks/etwo
  cp /src/etwo_install /lib/initcpio/install/etwo
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
  cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
  cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
  # write crypttab
  # encrypted swap (random passphrase on boot)
  echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
  # copy configs we want to carry over to target from install environment
  mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
  cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
  mkdir -p ${INSTALL_TARGET}/tmp
  cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
  # mount proc, sys, dev in install root
  mount -t proc proc ${INSTALL_TARGET}/proc
  mount -t sysfs sys ${INSTALL_TARGET}/sys
  mount -o bind /dev ${INSTALL_TARGET}/dev
  echo -e "umount boot\n"
  # we have to remount /boot from inside the chroot
  umount ${INSTALL_TARGET}/boot
  # Create install_efi script (to be run *after* chroot /install)
  touch ${INSTALL_TARGET}/install_efi
  chmod a+x ${INSTALL_TARGET}/install_efi
  cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  echo -e "mount boot\n"
  # remount here or grub et al gets confused
  mount -t vfat /dev/sda1 /boot
  # mkinitcpio
  # NOTE: intel_agp drm and i915 for intel graphics
  SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
  SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
  SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
  mkinitcpio -p linux
  # kernel modules for EFI install
  modprobe efivars
  modprobe dm-mod
  # locale-gen
  UncommentValue de_AT /etc/locale.gen
  locale-gen
  # install and configure grub2
  # did this above
  #${CHROOT_PACMAN} -Sy
  #${CHROOT_PACMAN} -R grub
  #rm -rf /boot/grub
  #${CHROOT_PACMAN} -S grub2-efi-x86_64
  # you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
  # even omit the cryptdevice altogether, though it will wag a finger at you for using
  # a deprecated syntax, so we're using the correct form here
  # NOTE: take out i915.modeset=1 unless you are on intel graphics
  SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
  # set output to graphical
  SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
  SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
  SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
  # install the actual grub2. Note that despite our --boot-directory option we will still need to move
  # the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
  grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
  # create our EFI boot entry
  # bug in the HP bios firmware (F.08)
  efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
  # copy font for grub2
  cp /usr/share/grub/unicode.pf2 /boot/grub
  # generate config file
  grub-mkconfig -o /boot/grub/grub.cfg
  exit
  EFI_EOF
  # Install EFI using script inside chroot
  chroot ${INSTALL_TARGET} /install_efi
  rm ${INSTALL_TARGET}/install_efi
  # Post install steps
  # anything you want to do post install. run the script automatically or
  # manually
  touch ${INSTALL_TARGET}/post_install
  chmod a+x ${INSTALL_TARGET}/post_install
  cat > ${INSTALL_TARGET}/post_install <<POST_EOF
  set -o errexit
  set -o nounset
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  # root password
  echo -e "${HR}\\nNew root user password\\n${HR}"
  passwd
  # add user
  echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
  groupadd sudo
  useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
  passwd ${USERNAME}
  # mirror ranking
  echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
  cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
  mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
  sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
  rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
  # temporary fix for locale.sh update conflict
  mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
  # yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
  echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
  echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
  # additional groups and utilities
  pacman --noconfirm -Syu
  pacman --noconfirm -S base-devel
  pacman --noconfirm -S yaourt
  # sudo
  pacman --noconfirm -S sudo
  cp /etc/sudoers /tmp/sudoers.edit
  sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
  # power
  pacman --noconfirm -S acpi acpid acpitool cpufrequtils
  yaourt --noconfirm -S powertop2
  sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
  sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
  # following requires my acpi handler script
  echo "/etc/acpi/handler.sh boot" > /etc/rc.local
  # time
  pacman --noconfirm -S ntp
  sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
  # wireless (wpa supplicant should already be installed)
  pacman --noconfirm -S iw wpa_supplicant rfkill
  pacman --noconfirm -S netcfg wpa_actiond ifplugd
  mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
  echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
  # make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
  sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
  sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
  echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
  echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
  echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
  # sound
  pacman --noconfirm -S alsa-utils alsa-plugins
  sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
  mv /etc/asound.conf /etc/asound.conf.orig || true
  #if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
  # video
  pacman --noconfirm -S base-devel mesa mesa-demos
  # x
  #pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
  #yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
  #TODO: cut down the install size
  #pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
  # TODO: wacom
  # environment/wm/etc.
  #pacman --noconfirm -S xfce4 compiz ccsm
  #pacman --noconfirm -S xcompmgr
  #yaourt --noconfirm -S physlock unclutter
  #pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
  #pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
  #pacman --noconfirm -S ghc
  # note: try installing alex and happy from cabal instead
  #pacman --noconfirm -S haskell-platform haskell-hscolour
  #yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
  #yaourt --noconfirm -S xmobar-git
  # TODO: edit xfce to use compiz
  # TODO: xmonad, but deal with video tearing
  # TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
  # switching to cabal
  # fonts
  pacman --noconfirm -S terminus-font
  yaourt --noconfirm -S webcore-fonts
  yaourt --noconfirm -S fontforge libspiro
  yaourt --noconfirm -S freetype2-git-infinality
  # TODO: sed infinality and change to OSX or OSX2 mode
  # and create the sym link from /etc/fonts/conf.avail to conf.d
  # misc apps
  #pacman --noconfirm -S htop openssh keychain bash-completion git vim
  #pacman --noconfirm -S chromium flashplugin
  #pacman --noconfirm -S scrot mypaint bc
  #yaourt --noconfirm -S task-git stellarium googlecl
  # TODO: argyll
  POST_EOF
  # Post install in chroot
  #echo "chroot and run /post_install"
  chroot /install /post_install
  rm /install/post_install
  # copy grub.efi file to the default HP EFI boot manager path
  mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
  mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
  cp /root/root.gpg ${INSTALL_TARGET}/boot/
  # NOTES/TODO

• Encrypting a message digest

  Hi I'm trying to encrypt a message digest using RSA Encryption. For some reason when the encrypted message digest is decrypted it does not match the original. If this is hard to follow the following code illustrates this point:
  String input = "Testing message";
  MessageDigest hash = MessageDigest.getInstance("SHA1");
  hash.update( input.getBytes() );
  generator.initialize(512, random);
  KeyPair pair = generator.generateKeyPair();
  Key pubKey = pair.getPublic();
  Key privKey = pair.getPrivate();
  cipher.init(Cipher.ENCRYPT_MODE, privKey); // encrypt
  byte[] cipherText = cipher.doFinal( hash.digest() );
  // now decrypt
  cipher.init(Cipher.DECRYPT_MODE, pubKey);
  byte[] plainText = cipher.doFinal(cipherText);Here the byte array plainText does not match the original message digest from hash.digest() Any help on how to correct this problem would be great.
  thanks
  -B
  Edited by: BenWhethers on Dec 13, 2007 12:49 PM
  Edited by: BenWhethers on Dec 13, 2007 12:50 PM

  You don't provide testable code so I have made a guess as to the missing code and for me the decrypted digest is the same are the original.
          Cipher cipher = Cipher.getInstance("RSA");
          SecureRandom random = new SecureRandom();
          KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
          String input = "Testing message";
          MessageDigest hash = MessageDigest.getInstance("SHA1");
          hash.update( input.getBytes() );
          generator.initialize(512, random);
          KeyPair pair = generator.generateKeyPair();
          Key pubKey = pair.getPublic();
          Key privKey = pair.getPrivate();
          cipher.init(Cipher.ENCRYPT_MODE, privKey); // encrypt
          byte[] digest = hash.digest();
          byte[] cipherText = cipher.doFinal( digest );
          // now decrypt
          cipher.init(Cipher.DECRYPT_MODE, pubKey);
          byte[] plainText = cipher.doFinal(cipherText);
          System.out.println(Arrays.equals(plainText,digest ));

• CUPC – Unable to go into deskphone control mode and unable to chat

  Home Lab – learning Presence
  CUCM 9
  CUPS 9 (not 8.6 as virtually all of the help and discussion forums, documents, etc are for)
  CUPC 8.6 (3 copies running on 3 different laptops)
  4 users configured in CUCM for Presence capabilities
  No LDAP integration
  Current status:
  Presence indicators for phones works fine, no issues
  3 users can log into their CUPC clients and Presence information from their own associated deskphone displays correctly (ie if User 1 takes his deskphone offhook, the CUPC for User 1 shows as “On the Phone”
  Users can place phone calls with each other by typing the DN in the “Search for name or number” field
  I have two different issues that I have not been able to solve all day – they may be related to each other.
  The first issue:  I am unable to go into deskphone mode.  Although the checkbox is visible – it appears to be greyed out and clicking in it does nothing.
  The second issue:  I am unable to start a chat session.  I highlite a contact (that I manually entered), right click, and select chat.  I get an error message that says “Failed to start conversation.  Invalid parameter”
  I have scoured the Cisco site for docs and most of them pertain to CUPS 8.6 and not 9.  There is a difference in that v9 does not have the Application -> IP Phone Messenger selection.
  My current configs:
  CUCM
            4 application users – CUPS-AXL (with Stand CCM SuperUsers permissions), CUPS-Deskphone, CUPS-CTIGW, and CUPS-PhoneMSG (all with Standard CTI Allow control of all devices).
            3 end users – From top to bottom, all users have passwords and digest credentials.  Under Service Settings, all users have the “Enable user for Unified CM IM and Presence” checked.  This is the replacement for the assigning license capabilities from version 8.6.  Also under Service Settings, all users have a UC Service Profile assigned.  The UC Service Profile has two UC service settings – a Presence and IM Profile and a CTI Profile.  Under Device Information – all user have been associated to two different devices (their hardphone and the CUPC client).  Under the Directory Number Association portion – each user has their own primary line selected from the drop down box.  Under the Permissions Information section - each user has Standard CCM End Users and Standard CTI Enabled permissions.
            Devices – each user has a 7960 hard phone and a CUPC.  For each device (both types) at the Device Level -> Owner User ID, Protocol Specific Information -> BLF Presence Group, SUBSCRIBE CSS are all set.  Under the line for each device (both types) – Allow control of device from CTI is checked, in the Associated Devices window is the MAC and UPC<name> of the devices, Under Users Associated with Line is the correct user
            Under System –> Application Server,  the CUP server is configured.
            Under System -> Licensing, all users and devices are licensed.  There is no Capabilities Assignment in version 9
  CUPS
            Under Diagnostics -> System Troubleshooter -> all green except for the things not configured, LDAP, 3rd party, etc
            User Management -> End User -> are licensed for IM and Presence and have Microsoft RCC enabled.  They also show 2 devices
            Under Application – this is where its different from v8 to v9.
            Application -> Legacy Clients -> Settings.  I have set the TFTP server IP to the CUCM
            Application -> Legacy Clients -> CCMCIP Profile.  I created a new profile, set the Primary and Secondary CCMCIP Host to be the IP Address of the CUCM Publisher.  For Server Certification Verfication, I selected Any Certificate from the drop down.  I assigned this profile to all 4 of my users.
            Application -> Microsoft RCC settings.  Application status = on.  For Application Username and password, I have tried using CUPS-Deskphone and CUPS-CTIGW with their appropriate passwords.  There is not difference in using either one of them.  CUCM address is address of my Pub.  I assigned this Microsoft RCC service to all 4 of my users.
  So, as I said, I have been working on this all day today burning my fingers and my mouse up on Google.  To no avail.
  Any ideas anyone?
  Jeff

  Update –
            Well, I finally bit the bullet and stood up a MS AD domain in my lab.
            I integrated CUCM into the LDAP and imported the users from LDAP
            I also stood up a DNS server.
            I reconfigured CUPS to the new domain, joined all of the endpoint laptops to the domain, and retested.
            Same place as I was before with the deskphone mode – however, my ability to IM is fixed (as was expected).
            Using CUPS, I am not able to go into deskphone control mode.  The option box is still greyed out.
            However, I installed Jabber for Windows on the same laptops.
            In Jabber, I am able to select the option at the bottom of the window to use my deskphone for calls, and then I can move it back to the Jabber client.
            So, anyone have any ideas why CUPC refuses to let me go into deskphone control mode?
            All features and functions of the JFW work great.  No problems.
  Jeff

• I am having problems donloading and editing .asx files

  I am trying to edit some video that can only be downloaded in .asx format. It is drm-ed. I may just have to contact the poeple I am partenring with that I need the original video files but I will need to do this with many of the cliebts that I am partnering with. Not only will it become a nuisance and make my business move as though stuck in the mud...it makes it hard for me to trumpet the relative merits of Apple anything electronic in the world if I have to get parralel or something so that I can run (gasp) Windows.
  Please help!
  If there is another section I should post this in let me know. i figured Fimal Cut would be where the most knowledgeable amble about.

  FCE is video editing application. ASX are not video files, they're metadata information. By the sound of it you haven't downloaded the video files at all. ASF is a Windows format used for streaming, not for download.
  The ASX Format
  ASX (Advanced Stream Redirector) files are not media files, but metafiles.
  Metafiles provides information about files. ASX files are plain text files used to describe multimedia content:
  <ASX VERSION="3.0">
  <Title>Holiday 2001</Title>
  <Entry>
  <ref href="holiday-1.avi"/>
  </Entry>
  <Entry>
  <ref href="holiday-2.avi"/>
  </Entry>
  <Entry>
  <ref href="holiday-2.avi"/>
  </Entry>
  </ASX>
  The file above describes three multimedia files. When the ASX file is read by a player, the player can play the files described.
  Advanced Systems Format (formerly Advanced Streaming Format) is Microsoft's proprietary digital audio/digital video container format, especially meant for streaming media. ASF is part of the Windows Media framework.
  The format does not specify how (i.e. with which codec) the video or audio should be encoded; it just specifies the structure of the video/audio stream. This is similar to the function performed by the QuickTime, AVI, or Ogg container formats. One of the objectives of ASF was to support playback from digital media servers, HTTP servers, and local storage devices such as hard disk drives.
  ASF is based on serialized objects which are essentially byte sequences identified by a GUID marker.
  The most common filetypes contained within an ASF file are Windows Media Audio (WMA) and Windows Media Video (WMV). Note that the file extension abbreviations are similar in name to the codecs of the same name but are different things.
  ASF files can also contain objects representing metadata, such as the artist, title, album and genre for an audio track, or the director of a video track, much like the ID3 tags of MP3 files.
  Files containing only WMA audio can be named using a .wma extension, and files of only audio and video content may have the extension .wmv. Both may use the .asf extension if desired.
  Certain error-correcting techniques related to ASF are patented in the United States (United States Patent 6,041,345 Levi, et al. March 21, 2000) by Microsoft. Although the format is publicly documented by Microsoft, its license limits implementations to closed-source development projects only. Apple's iTunes software (for Windows) now has the capability to convert WMA files to any iTunes-supported format.[1]
  The ASF container provides the framework for digital rights management in Windows Media Audio and Windows Media Video. An analysis of an older scheme used in WMA reveals that it is using a combination of elliptic curve cryptography key exchange, DES block cipher, a custom block cipher, RC4 stream cipher and the SHA-1 hashing function.
  ASF files have MIME type application/vnd.ms-asf or video/x-ms-asf. (Advanced Stream Redirector (ASX) files also have MIME type video/x-ms-asf.)
  ASF container-based media is usually streamed on the internet either through the MMS protocol or the RTSP protocol.

• [FIX] Darker prints and color shifts when printing from Lightroom 2

  Hi,
  The problem :
  When printing RAW or TIFF files from LR2, you get a printer output that
  is much darker than it should be and that presents various color shifts.
  I'm using an Epson Stylus Pro 3800 with the latest Windows driver
  (6.50 - which is rather old by the way). The workaround described below
  works for me under Windows XP SP3. It should also probably work with
  other systems/printers/drivers. Use at your own (minor) risk.
  The "official" procedure for printing from LR is as follows:
  1. Do not let the printer manage colors and select "Other..." from the
  profile dropdown list and select the ICC/ICM paper/printer profile that
  you want to use.
  2. Click on Print... in LR which opens the Print Settings dialog.
  3. Select the options you need and the paper you're using.
  4. **Disable the color management from the driver's side** (in Epson's
  drivers, "Mode | Custom | No Color Adjustments").
  5. Print
  Unfortunately, **this doesn't work** for many of us and this produces a
  print that is dark and has color shifts as mentioned above. Note that
  the same image prints correctly from QImage or Photoshop CS3 (that is,
  the printer output corresponds to what you see on your calibrated
  display).
  Apparently, although color management has been (allegedly) disabled in
  the driver, there's something wrong between LR and the driver which
  makes that *both* LR and the driver are still trying to manage colors.
  In other words, the "No Color Adjustements" option of the driver doesn't
  seem to work with LR.
  The workaround (found after hours of hair pulling and paper and
  expensive ink wasting):
  In step #4,
  1. Instead of selecting "No Color Adjustments", set Mode to "Custom |
  ICM
  2. Click Advanced...
  3. Check "Show all profiles".
  4. Select Driver ICM (Advanced)"
  5. Set **both** the "Input profile" and the "Printer profile" fields to
  the very same profile that you specified in LR.
  That is, if you specified Pro38 PGPP (Premium Glossy Photo Paper) in LR,
  then also select Pro38 PGPP in both "Input Profile" and "Printer
  Profile". This has actually the same effect has disabling color
  management in the driver (what "No Color Adjustements" should normally
  take care of).
  That's it. When printing, you'll get exactly the same color results as
  when printing from QImage or Photoshop. No more dark prints. No more
  color shifts.
  One might think that the bug is in the Epson driver but in that case,
  QImage would have the very same problem. So I tend to think that the bug
  is on the Lightroom side.
  Note: Although Photoshop CS3 produces a correct printer output, it
  demonstrates the same problem as LR when using the "Match Print Color"
  option for soft proofing. But in that case, only the preview colors are
  wrong. The printer output is ok. Which also tends to demonstrate that
  Adobe has the problem, not Epson. Or maybe both... :-) .
  Don't ask me why some users have the problem and other don't.
  Hope this helps.
  Patrick Philippot
  MainSoft Consulting Services
  www.mainsoft.fr

  A sincere thank you for your reply, Michael. Sorry about the "it just doesn't make sense" shortcut. I have been trying to solve this issue since LR 1.1, spending dozens of hours on different trials and digesting everything written on this forum and the B9180 forum about color management and double profiling. My shortcut was a summation of my experience (and my frustration) but doesn't really advance the conversation. Here are some data that should be more useful in diagnosing the problem.
  I am running Windows XP SP2. I calibrate my monitor monthly with the Spyder. The reason I suspect this may be an issue of double profiling is because the results (moderately strong magenta overlay plus an increase in contrast) match what more knowledgeable people than I on this forum describe when double profiling occurs. Perhaps I shouldn't presume it is double profiling, and follow Patrick Philippot's lead in naming the problem "color shifts." Patrick does refer in post #2 of this thread, however, to obvious double profiling.
  I certainly do have a successful and consistent print method. With PS CS3, and either my Epson 1280 or my HP B9180, the output is almost always dead on. Here is how I do it. In PS from the print dialog box, under color handling I always choose "Photoshop manages colors." Then under printer profile I select the profile designated by the manufacturer for a particular paper/printer combination. Then in the printer driver I disable printer control of color. With the Epson I check the box "Off (No Color Adjustment)." With the B9180 I choose the option "Application Managed Colors." While I sometimes may tweak the final output, these procedures have served me well with PS for several years.
  Contrasted with my positive PS experience, my experience with LR printing has been inconsistent. I regret having to be so imprecise but truly sometimes LR produces accurate results that match the calibrated monitor, but most of the time it does not. I use standard procedures with LR that parallel the PS ones described above. In LR's printing panel, under color management, I specify the correct profile, just as I did for PS. Then in the printer driver I use the same procedures I use with PS. Most of the time the prints have the magenta overlay and too much contrast.
  BTW, the inconsistent LR printing only takes place with my HP B9180. I have never had any problem with off-color LR prints with my Epson 1280. Again, I emphasize that I have standard procedures that always work with PS (no matter which printer) and LR (but only with the Epson).
  Unfortunately the LR printing problems are intermittent. Some of the time (perhaps 20%) LR produces fine prints in the B9180, indistinguishable from PS prints. When LR is printing well, it will continue to print fine until "something happens" and the output shows the color shift. This means I do not get a random sequence of good-bad-good-bad prints, but rather good-good-x factor-bad-bad-bad. Ths problem is that I do not know what this "x factor" is. Once, when LR was giving me accurate output, I simply changed the default printer (Control Panel-Printers and Faxes) from the B9180 to my Samsung 1430 laser; immediately afterwards the LR output colors shifted. Did LR react to this change in default printers? Another time I had good LR printing success with version 1.2 but ran into the problems described above when I upgraded to version 1.3.
  Sorry for the long post. I am hoping that someone will see something that I am missing and provide a hint. I think, though, that Patrick is correct when he states, "I tend to think that the problem is with LR. After all, similar issues (obvious double profiling) are observed only in LR but with various printers."

• Why is it that, in HTML documents, other browsers treat both forward and backward slashes the same whether used in local or Internet file names, whereas Firefox only treats them the same in local (PC) names but differently in Internet file names?

  I've tested this using several versions of Firefox (from 3.6 to 10.?) under both Windows XP and Windows 7.
  Using either a backward slash (\) or a forward slash (/) in an <A HREF="..\home.htm"> link works fine when testing the document locally; but after installing it online the backward slash is no longer recognized as a file separator.
  While the mistake was mine, the inconsistent treatment of the two slashes made it impossible to catch the problem until it was installed, resulting in a badly mangled website. Competing browsers (such as Internet Explorer and Google Chrome) don't have this problem.

  see http://bbs.archlinux.org/viewtopic.php?id=9107 to use a different cipher and improve speed. might help.
  btw are you sure the stuttering is due to pure CPU and not (disk) IO, or a combination of both? look at wait times in top. maybe tweaking your schedulers might help.
  also you can take a look at AFP (netatalk package) as an alternative. who knows, might help you.
  by the way, did you try webdav?

• Problem in encryption and decryption

  hello everyone..
  I'm a new bee in this forum.I don't know weather it is the right place to put my query or some other place.I saw in this forum people putting up their problems regarding the java development.So i came up with my problem.
  I'm working on a web application using jdk1.5,struts 1.1,apache tomcat5.5 and mysql5.2.For user registering and loging i'm using a encryption /decryption code to encrypt the password to the database and decrypt it back during userid and password verification in the code.The code of the encryption/decryption is as follows...
  import java.util.Random;
  public class Crypt
       String key = "uy67jwq98JWPOI99dj9021032amiet";
       public String strencrypt(String str)
            String result="";
            int i = 0, current = 0;
            Random r = new Random();
            current = r.nextInt(30);
            if(current<10)     result = "0";
            result = result + current;
            if(((key.charAt(current)+ "").hashCode() + str.length()) < 10)
                 result = result + "0";
            result = result + (char)((key.charAt(current)+ "").hashCode() + str.length());
            while(i<str.length())
                 result = result + ( (char)( ((str.charAt(i)+"").hashCode()) + ((key.charAt(current++)+"").hashCode()) ) );
                 if(current==key.length())     current=0;
                 i++;
            while(i<key.length())
                 result = result + ( (char) ((r.nextInt(30)) + ((key.charAt(current++)+"").hashCode())) );
                 if(current==key.length())     current=0;
                 i++;
            return result;
       public String strdecrypt(String str)
            int current=0, len = 0, i = 0, header = 3;
            String result="", slen = "";
            current = Integer.parseInt(str.substring(0,2));
            slen = "" + (str.charAt(2)+"").hashCode();
            len = (Integer.parseInt(slen)) - ((key.charAt(current)+"").hashCode());
            i = header;
            while(i<(header + len))
                 result = result + ( (char) ((str.charAt(i)+ "").hashCode() - ((key.charAt(current++)+"").hashCode())) );
                 if(current == key.length())
                 current=0;
                 i++;
            return result;
  But the problem that i'm facing is regarding the the database mysql5.2 is installed in two operating system ie windows xp and windows 2000 server.When i try to connect my web application to the windows xp installed database mysql5.2 and try creating a new user and then try to login ,the loging fails.Even i have found out the reason.The above pasted code couldn't decrypt properly.Heres what i get when i System.out.println(""); the data retrived from the database...I'm pasting it also...
  s retriving from db=16l&#9574;&#9616;&#8976;?��??7pmofv??A?l?rNCdhhLAK
  password coming from welcome.jsp=gtplpune
  c.strencrypt(password)=14A��&#9560;&#9555;&#8976;��?LH7}?te???HG&#8962;??QFUkPj]
  c.strdecrypt(s)=gtp&#9788;pu&#9788;&#9792;
  encryption mismatch
  see that teh password coming from welcome/jsp is gtplpune
  and the password after decryption comingh from database is gtp&#9788;pu&#9788;&#9792;....
  where u can see some letter such as l,n,e could not be decrypted or in some other format....So the code is unable to validate teh user.....
  But teh strange thing is that when i'm using the mysql5.2 installed in windows 2000 server everything seems to work fine.There no problem in encryption or decryption and everything works fine...So anyone of you have any idea what can be the raeson for it.And what can be the probable solution to it.I'm waiting for ur replies which i guess will help me out.
  Thank you
  sabyasachi

  It's a shame nobody above gave you the correct.
  answer.
  You shouldn't encrypt passwords and store them in a
  database at all..
  You should digest them and store the digests,
  and digest whatever the user enters in the password
  field and compare the digests.
  The way you have it now is a major security
  problem.
  Hey i didn't know this..I encrypted the password in base 64 format and then store it in mysql db..then i retrive it frm db in encrypted format and then decrypt it and then match it when the user logs in..well thanks for ur approach..i will now try using the digest as u mentioned..well i'm not aware of it so i need to study this first...

• Upgrade issues making me want to uninstall and just keep original....anyone else that frustrated?

  Ok, I upgraded yesterday.
  i am NOT happy
  I never had an error with the original and have had more than one error each time I tried to us LR today.
  I see there are a whole lot of posts about errors... so many I can not even read and digest all of it.
  Anyone else considering just dumping it until the bugs are worked out?

  After updating to 1.1, LR will not even open.
  Problem signature:
  Problem Event Name: APPCRASH
  Application Name: lightroom.exe
  Application Version: 1.1.0.0
  Application Timestamp: 4677e8e1
  Fault Module Name: MFC80U.DLL
  Fault Module Version: 8.0.50727.42
  Fault Module Timestamp: 4333b572
  Exception Code: c0000005
  Exception Offset: 00025135
  OS Version: 6.0.6000.2.0.0.768.3
  Locale ID: 1033
  Additional Information 1: e908
  Additional Information 2: 7f7f97d16e03043725405a2314900061
  Additional Information 3: 45c4
  Additional Information 4: 1ceb82faae26b2794d216ba50f2dee23
  Core 2 Duo
  2 GB RAM
  Vista Home Premium
  RAID 0 SATA drive array