Encrypt initrd hook: resume support without LVM

Arch supports resume from encrypted volumes, but only if you encrypt everything in an LVM volume and use it for both the system and the swap.
Personally I do not like LVM that much, and in general it's a layer of complexity that should not be required for encryption.
So I modified the "encrypt" hook a little and added support for resume.
The needed kernel options are the same as for the "encrypt" and "resume" hooks; no modification is needed there.
For the swap partition you specify the encrypted partition or encrypted UUID; the script handles the rest.
Basically it adds these checks:
• if a LUKS swap partition is found, then decrypt it, update the "resume=" variables and try to resume.
• if the swap partition is not encrypted, it tries to resume anyway.
• tries to use the same keyfile for both the root filesystem and the swap.
• if the keyfile fails, reverts to a password.
• tries to use the same password for both the swap and the root filesystem. If it fails, it asks for another password.
The only thing left to test is the TuxOnIce resume-from-file feature, which should work, but I haven't tested it yet, and I need some help there 'cause there might be a problem, like opening the encrypted partition twice or something like that.
You can find the modified hook (I call it "encrypt_resume") here: http://pastebin.com/mShQU7JD
If you don't want to substitute your "encrypt" hook, remember to copy the encrypt install script:
# cp /usr/lib/initcpio/install/encrypt /usr/lib/initcpio/install/encrypt_resume
Comments? TuxOnIce file testers?
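The unlock order the post describes (keyfile first, the same secret reused for the swap, then a separate password), written out as an added POSIX sh example; this is not the encrypt_resume hook from the pastebin. The real hook calls cryptsetup luksOpen and reads passwords from the console; here open_luks() is a stand-in that checks a constructed key-slot table, and the passwords the user would type are passed as arguments, so the decision logic can be exercised without block devices. The mapping names cryptroot and cryptswap, the slot contents and the summary-line format are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the encrypt_resume hook from the post: the unlock order
# described there (keyfile first, then a password shared by root and swap,
# then a separate password for swap) as a POSIX sh function. The real hook
# calls `cryptsetup luksOpen`; here open_luks() is a stand-in that checks a
# constructed table of LUKS key slots, so the decision logic runs without
# block devices. Mapping names cryptroot/cryptswap are hypothetical.

# Constructed key-slot table: which secrets unlock which mapping.
# A LUKS header can hold several slots, so cryptroot accepts two here.
slots_for() {
    case "$1" in
        cryptroot) echo "keyfile:/crypto_keyfile.bin pass:root-pw" ;;
        cryptswap) echo "pass:swap-only-pw" ;;
        *)         echo "" ;;
    esac
}

# Stand-in for `cryptsetup luksOpen <dev> <name>`: succeeds when $2 matches
# one of the slots of mapping $1.
open_luks() {
    for slot in $(slots_for "$1"); do
        if [ "$slot" = "$2" ]; then return 0; fi
    done
    return 1
}

# Unlock root, then swap, in the post's order. $1 is the keyfile path; any
# further arguments stand in for what the user would type at successive
# password prompts (the hook uses `read -s`; the simulation stops prompting
# when it runs out of supplied answers). Prints one summary line and
# succeeds only if root was opened.
unlock_chain() {
    keyfile="keyfile:$1"; shift
    prompts=0
    root_secret=""
    swap_secret="none"
    resume=""

    # 1. root: the keyfile, then fall back to asking for a password
    if open_luks cryptroot "$keyfile"; then
        root_secret="$keyfile"
    elif [ $# -gt 0 ]; then
        prompts=$((prompts + 1))
        if open_luks cryptroot "pass:$1"; then root_secret="pass:$1"; fi
        shift
    fi
    if [ -z "$root_secret" ]; then
        echo "root=none swap=none resume= prompts=$prompts"
        return 1
    fi

    # 2. swap: reuse whatever opened root, then ask for another password
    if open_luks cryptswap "$root_secret"; then
        swap_secret="$root_secret"
    elif [ $# -gt 0 ]; then
        prompts=$((prompts + 1))
        if open_luks cryptswap "pass:$1"; then swap_secret="pass:$1"; fi
        shift
    fi

    # 3. only an opened swap mapping can be handed to the resume step
    if [ "$swap_secret" != "none" ]; then
        resume="/dev/mapper/cryptswap"
    fi
    echo "root=$root_secret swap=$swap_secret resume=$resume prompts=$prompts"
}

# Demo (constructed input): keyfile opens root, swap needs its own password.
unlock_chain /crypto_keyfile.bin swap-only-pw
```

When the swap cannot be opened the function still succeeds (root is usable), but leaves resume empty, which mirrors the post's behaviour of booting normally when no resumable swap is found.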


Similar Messages

  • [SOLVED] Encrypted install without LVM

    I always installed my encrypted systems without LVM, on Debian, Ubuntu and openSUSE. Basically my partition scheme is:
    /boot
    /swap
    /home
    I've been trying to run the system for 2 days without success.
    After install+reboot, a password is asked for the "main" disk (configured on /etc/default/grub) and then everything hangs. I press Ctrl+C then after being asked for the root password (and typing it) I can log in and manually mount the other partitions, but no DE can load.
    I'll put my install scheme so you can understand better, and, if requested, I can upload my conf files such as grub, mkinitcpio etc.
    Install process:
    # loadkeys br-abnt2
    # modprobe dm-crypt
    # cfdisk
    After creating all partitions:
    # cryptsetup -c twofish-xts-plain64 -y -s 512 luksFormat /dev/sdaX
    # cryptsetup luksOpen /dev/sdaX cr_sdaX
    # mkfs.ext4 /dev/mapper/cr_sdaX
    # mkswap /dev/mapper/cr_sda3
    # swapon /dev/mapper/cr_sda3
    # mkfs.ext4 /dev/sda1
    # mount /dev/mapper/cr_sda2 /mnt
    # mkdir /mnt/boot
    # mkdir /mnt/home
    # mount /dev/sda1 /mnt/boot
    # mount /dev/mapper/cr_sda4 /mnt/home
    # nano /etc/pacman.d/mirrorlist
    # pacstrap /mnt base base-devel
    # genfstab -L -p /mnt >> /mnt/etc/fstab
    # arch-chroot /mnt
    # nano /etc/locale.gen (same locales as the 1st time)
    # locale-gen
    # nano /etc/locale.conf
    # nano /etc/vconsole.conf (KEYMAP=br-abnt2)
    # ln -s /usr/share/zoneinfo/Brazil/East /etc/localtime
    # mkinitcpio -p linux
    # nano /etc/mkinitcpio.conf
    Now I edit '/etc/mkinitcpio.conf' and add 'keymap' and 'encrypt' to the HOOKS line, right before 'filesystems' and then rebuild the image.
    # echo junior > /etc/hostname
    # passwd
    # pacman -S grub
    # grub-install /dev/sda
    Now, in '/etc/default/grub' I edit the line 'GRUB_CMDLINE_LINUX=""' to 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:main"' then I run:
    # grub-mkconfig -o /boot/grub/grub.cfg
    # exit
    # umount -R /mnt
    # reboot
    Now, after install, the system asks me for the /dev/sda2 password, it says it's clean, then hangs. I press Ctrl+C, it says I can continue/rescue/etc, I type my root password and then mount the other partitions.
    Funny thing is that it can't mount /home and after I mount it manually it tries to continue to boot, but hangs again. Then again I press Ctrl+C and I log in as root. I also installed xorg/nvidia/xfce to see if it loads after manually mounting the partitions but no success, I have to start it manually.
    So, if any of you successfully installed Arch with an encrypted FS w/o LVM = PLEASE!! HELP!
    Regards.
    Last edited by Amarildo (2013-09-25 17:00:25)

    mr.MikyMaus wrote: Do you have "root=/dev/mapper/cr_sda2" set as a kernel boot parameter?
    Yes, although I think the ro option should be changed to rw:
    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot ro"
    I got to the point where it asks me for the / password and then for /home too, but it hangs there, home is not being mounted nor swap. I'm on the system now but as root and with xfce.
    For some reason I can't upload my files so I post them here.
    PS: The GRUB file (/etc/default/grub) was not posted entirely since I only edited the last line of what's being pasted here.
    GRUB
    GRUB_DEFAULT=0
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR="Arch"
    GRUB_CMDLINE_LINUX_DEFAULT="quiet"
    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot rw"
    mkinitcpio.conf
    # vim:set ft=sh
    # MODULES
    # The following modules are loaded before any boot hooks are
    # run. Advanced users may wish to specify all system modules
    # in this array. For instance:
    # MODULES="piix ide_disk reiserfs"
    MODULES="dm_mod ext4"
    # BINARIES
    # This setting includes any additional binaries a given user may
    # wish into the CPIO image. This is run last, so it may be used to
    # override the actual binaries included by a given hook
    # BINARIES are dependency parsed, so you may safely ignore libraries
    BINARIES=""
    # FILES
    # This setting is similar to BINARIES above, however, files are added
    # as-is and are not parsed in any way. This is useful for config files.
    FILES=""
    # HOOKS
    # This is the most important setting in this file. The HOOKS control the
    # modules and scripts added to the image, and what happens at boot time.
    # Order is important, and it is recommended that you do not change the
    # order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
    # help on a given hook.
    # 'base' is _required_ unless you know precisely what you are doing.
    # 'udev' is _required_ in order to automatically load modules
    # 'filesystems' is _required_ unless you specify your fs modules in MODULES
    # Examples:
    ## This setup specifies all modules in the MODULES setting above.
    ## No raid, lvm2, or encrypted root is needed.
    # HOOKS="base"
    ## This setup will autodetect all modules for your system and should
    ## work as a sane default
    # HOOKS="base udev autodetect block filesystems"
    ## This setup will generate a 'full' image which supports most systems.
    ## No autodetection is done.
    # HOOKS="base udev block filesystems"
    ## This setup assembles a pata mdadm array with an encrypted root FS.
    ## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
    # HOOKS="base udev block mdadm encrypt filesystems"
    ## This setup loads an lvm2 volume group on a usb device.
    # HOOKS="base udev block lvm2 filesystems"
    ## NOTE: If you have /usr on a separate partition, you MUST include the
    # usr, fsck and shutdown hooks.
    HOOKS="base udev autodetect modconf block keymap encrypt filesystems keyboard fsck"
    # COMPRESSION
    # Use this to compress the initramfs image. By default, gzip compression
    # is used. Use 'cat' to create an uncompressed image.
    #COMPRESSION="gzip"
    #COMPRESSION="bzip2"
    #COMPRESSION="lzma"
    #COMPRESSION="xz"
    #COMPRESSION="lzop"
    # COMPRESSION_OPTIONS
    # Additional options for the compressor
    #COMPRESSION_OPTIONS=""
    crypttab
    # crypttab: mappings for encrypted partitions
    # Each mapped device will be created in /dev/mapper, so your /etc/fstab
    # should use the /dev/mapper/<name> paths for encrypted devices.
    # The Arch specific syntax has been deprecated, see crypttab(5) for the
    # new supported syntax.
    # NOTE: Do not list your root (/) partition here, it must be set up
    # beforehand by the initramfs (/etc/mkinitcpio.conf).
    # <name> <device> <password> <options>
    home_crypt /dev/mapper/cr_sda4 none luks,allow-discards
    # data1 /dev/hda3 /etc/mypassword2
    # data2 /dev/hda5 /etc/cryptfs.key
    swap_crypt /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
    # vol /dev/hdb7 none
    EDIT: Updated my files, but still /home is not being mounted
    [root@junior ~]# cryptsetup status /dev/mapper/cryptroot
    /dev/mapper/cryptroot is active and is in use.
    type: LUKS1
    cipher: twofish-xts-plain64
    keysize: 512 bits
    device: /dev/sda2
    offset: 4101 sectors
    size: 125849109 sectors
    mode: read/write
    [root@junior ~]# cryptsetup status /dev/mapper/cr_sda4
    /dev/mapper/cr_sda4 is inactive.
    Last edited by Amarildo (2013-09-25 12:14:38)
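    A consistency check for a crypttab/fstab pair on a non-LVM layout like the one above, as an added example that is not part of the thread. crypttab(5) takes the raw encrypted block device in its second field and creates /dev/mapper/<name>; fstab then mounts that mapper name, while the root mapping is created earlier by the initramfs from the cryptdevice= parameter. The script flags a crypttab entry whose device is itself a /dev/mapper path and an fstab mapper source that nothing creates, and shows a consistent pair beside the broken one. Both input files are constructed for the example, modelled on the layout described in the thread; /dev/sda4 as the raw home partition, the fstab contents and the mapping names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a consistency check for a non-LVM
# crypttab/fstab pairing. crypttab(5)'s second field must be the raw encrypted
# block device; the mapping it creates is /dev/mapper/<name>, and that mapper
# path is what fstab mounts. The root mapping is created earlier by the
# initramfs (cryptdevice=...:<name>), so its name is passed in separately.
# Both input files below are constructed for this example.

BROKEN_CRYPTTAB='# <name> <device> <password> <options>
home_crypt /dev/mapper/cr_sda4 none luks,allow-discards
swap_crypt /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256'

BROKEN_FSTAB='# <file system> <dir> <type> <options> <dump> <pass>
/dev/mapper/cryptroot / ext4 rw,relatime 0 1
/dev/sda1 /boot ext4 rw,relatime 0 2
/dev/mapper/cr_sda4 /home ext4 rw,relatime 0 2
/dev/mapper/swap_crypt none swap defaults 0 0'

# Same layout with the two files made consistent: crypttab opens the raw
# partition (assumed /dev/sda4) under the name home_crypt, and fstab mounts
# that mapper name.
FIXED_CRYPTTAB='home_crypt /dev/sda4 none luks,allow-discards
swap_crypt /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256'

FIXED_FSTAB='/dev/mapper/cryptroot / ext4 rw,relatime 0 1
/dev/sda1 /boot ext4 rw,relatime 0 2
/dev/mapper/home_crypt /home ext4 rw,relatime 0 2
/dev/mapper/swap_crypt none swap defaults 0 0'

# Mapping names crypttab will create, one per line (comments/blank lines skipped).
crypttab_names() {
    while read -r name _dev _key _opts; do
        case "$name" in ''|\#*) continue ;; esac
        echo "$name"
    done <<EOF
$1
EOF
}

# Flag crypttab entries whose "device" is itself a /dev/mapper path: such a
# mapping does not exist when cryptsetup runs, so the entry fails at boot.
# Prints one finding per line; succeeds only when nothing was flagged.
check_crypttab() {
    bad=0
    while read -r name dev _key _opts; do
        case "$name" in ''|\#*) continue ;; esac
        case "$dev" in
            /dev/mapper/*)
                echo "crypttab: $name: device $dev is a mapping, not a raw encrypted device"
                bad=$((bad + 1)) ;;
        esac
    done <<EOF
$1
EOF
    [ "$bad" -eq 0 ]
}

# Flag fstab sources under /dev/mapper that neither crypttab ($2) nor the
# initramfs root mapping ($3) will create.
check_fstab() {
    known="$(crypttab_names "$2") $3"
    bad=0
    while read -r src dir _rest; do
        case "$src" in /dev/mapper/*) ;; *) continue ;; esac
        mapped="${src#/dev/mapper/}"
        found=0
        for n in $known; do
            if [ "$n" = "$mapped" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "fstab: $dir: $src is created by neither crypttab nor the initramfs"
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    [ "$bad" -eq 0 ]
}

# Demo: the broken pair reports one finding per file, the fixed pair none.
check_crypttab "$BROKEN_CRYPTTAB" || true
check_fstab "$BROKEN_FSTAB" "$BROKEN_CRYPTTAB" cryptroot || true
check_crypttab "$FIXED_CRYPTTAB" && check_fstab "$FIXED_FSTAB" "$FIXED_CRYPTTAB" cryptroot && echo "fixed pair: ok"
```

    The root mapping name is passed explicitly because crypttab must not list the root partition (the posted crypttab's own comment says so); the initramfs creates it from cryptdevice=, so the checker has no other way to learn its name.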

  • How can I grant users the ability to pause/resume printing without a "print operators group" password.

    Greetings,
    We are running 10.8.5 on 30 machines in an active directory environment (graphics lab). The clients are experiencing a persistent error when pausing or resuming print jobs. Each time something is paused, it requires an administrator password to resume the job. Administrators are not always present so designers are locked out of all of the printers until we come in (or remote in) to authenticate.
    I spoke with Apple today and they said they would not support active directory accounts and that the account must be edited by the department that created the account because the restrictions come from the Active Directory account preferences.
    On the other hand, I ALSO read that I can edit this in the CUPS interface or modify it with the terminal command below, locally.
    dseditgroup -o edit -u admin_name -p -a user_name -t user _lpadmin
    "dseditgroup" adds the user_name to a group (in this case, _lpadmin).
    And admin_name is the name of your administrator's account.
    a) Must this be modified on the Active directory account or CAN I modify this on the local machine via CUPS or terminal?
    b) If so, how would I grant users the ability to resume printing without an admin password?
    c) If not, exactly what must be modified in the active Directory account to allow pause/resume without an admin password.
    I have seen a terminal command that adds users to the print operators group (lpadmin) and I have seen some info on editing the CUPS interface. If I must edit the CUPS interface to allow this, can anyone point to detailed instructions on how to make this change?
    I also saw info on editing the CUPS interface but the suggestion lacked details as to how, and how to return to default if it does not work.
    I also saw a post with these suggestions below but without detail as to how one would carry this out.
    /etc/cups/cupsd.conf
    # All administration operations require an administrator to authenticate...
    <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    #Require user @SYSTEM
    Require valid-user
    Order deny,allow
    </Limit>
    # All printer operations require a printer operator to authenticate...
    <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    #Require user @AUTHKEY(system.print.operator) @admin @lpadmin
    Require valid-user
    Order deny,allow
    </Limit>
    /etc/authorization
    The system.print.operator key is new to Snow Leopard and seems to control resuming and pausing a printer queue among other things.
    <key>system.print.admin</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>staff</string>
    <key>shared</key>
    <true/>
    </dict>
    <key>system.print.operator</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>staff</string>
    <key>shared</key>
    <true/>
    </dict>
    I have read all posts on this subject and I still am not clear on how to proceed, please assist.
    Thanks in advance,
    V

    Hello again. For AD environments you can run the following command on each workstation:
    sudo dseditgroup -o edit -n /Local/Default -u localadmin -p -a "Domain Users" -t group _lpadmin
    This command assumes you are typing this interactively on the machine. Obviously change localadmin to the Mac's local admin's name. When running you will be prompted for a password twice: once to elevate permissions (sudo) and once to validate you are localadmin.
    If you are using Apple Remote Desktop (or JAMF or another management suite), you can push this command out while embedding the localadmin's password.
    sudo dseditgroup -o edit -n /Local/Default -u localadmin -P yourpass -a "Domain Users" -t group _lpadmin
    Please note, if your password uses special characters (/-\) this may fail over ARD.
    In Mavericks, AD groups are cached once they are referenced. If you are dealing with a lot of mobile users (laptops) you might want to replace Domain Users with everyone.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • 'The account requires encryption which is not supported' after 3.1 upgrade

    HELP!
    Upgraded to 3.1 and got the following regarding my Exchange email from work:
    POLICY REQUIREMENT
    The account XXXX requires encryption which is not supported on this iPhone.
    (Disable)
    Help. What does this mean?
    Do I need to go back to 3.0? Why would they change something to 3.1 to not make it work with my Exchange server.
    Is there something I need to change or fix on my phone?... really don't want to go back to 3.0 (and don't even know how to)
    Help please

    Got the same thing.
    My guess is there is an indication from the Enterprise Exchange server that data encryption is required, given that corporate suits are so enamored with being paranoid.
    With 3.0, that indication was ignored, but in 3.1 it is apparently checked, and since the iPhone 3G does not support encryption (3GS does) it fails and the account is disabled.
    I will talk to my IT dept. tomorrow, but I don't expect any sympathy. But, I don't really care as it's my phone and the company doesn't pay for it.
    If you have a company-issued phone you probably should not update without your IT permission...

  • I have a new iPad.  I can't get support without my serial number.  iPad won't turn on.  I ordered it from Target so I have no receipt.  I can't get telephone help without serial number.  What to do?

    I have a new iPad. I can't get telephone support without my serial number. The iPad won't turn on. I ordered it from Target and there is no serial number on the invoice. How can I get telephone help without the serial number? Please help!

    The Serial Number is on the back of your iPad.

  • Is it possible to perform network data encryption between Oracle 11g databases without the advance security option?

    Is it possible to perform network data encryption between Oracle 11g databases without the advance security option?
    We are not licensed for the Oracle Advanced Security Option and I have been tasked to use Oracle Network Data Encryption in order to encrypt network traffic between Oracle instances that reside on remote servers. From what I have read and my prior understanding this is not possible without ASO. Can someone confirm or disprove my research? Thanks.

    Hi, Srini Chavali-Oracle
    As for http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-ds-12c-1898873.pdf?ssSourceSiteId… ASO is mentioned as TDE and Redacting Sensitive Data to Display. Network encryption is excluded.
    As for Network Encryption - Oracle FAQ (of course this is not Oracle official) "Since June 2013, Net Encryption is now licensed with Oracle Enterprise Edition and doesn't require Oracle Advanced Security Option." Could you clarify this? Thanks.

  • How to resume downloads without starting afresh?

    How to resume downloads without starting afresh to download the same file?
    I want a way that it can continue from where it was, in terms of big file sizes.

    Yes, a pain! I was downloading an Apple Developers video of size 707MB and reached 699MB when I briefly lost my Internet connection .... restarted from zero!! Ahhhrrrr ..... other download apps, incl. Safari, keep a cache, why doesn't iTunes. More stupidity from Apple.

  • Resume support

    Hi,
    How can we know that an FTP server supports resume from a Java program? Can we read some header?
    The FTP command REST can be sent on the command line, but how can we do that through Java code?
    I want to use an FTP client to add FTP functionality to my download client, so I chose Enterprise Technologies' edtFTPj. It is very simple, but I want to make FTP downloads multithreaded.
    So I need to get the content length and resume support from an FTP server.
    Please give me suggestions. I posted this yesterday too, I didn't get any reply.
    Thank you

    There is also a link to RFC 959 which seems to say that RESTART is a command which skips over a certain portion of the file.
    Mostly I was trying to point out that pkwooster seems to think that most ftp servers do not support resume.
    I've never done this, but I would see if I could make it work through some kind of existing ftp client before I started writing it in Java.
    If it works in an ftp client, you could get some kind of ip logger to see what is being passed and then emulate that.

  • What encryption algorithms does JCE support?

    What encryption algorithms does JCE support?

    you can find out what your JCE supports with something like
    --- clip ---
    public class listCrypto {
        public static void main(String[] argv) throws Exception {
            if (0 == argv.length) {
                System.err.println("usage: java listCrypto Signature");
                return;
            }
            // Prints every algorithm name registered for the given service type (e.g. Cipher, Signature, MessageDigest)
            System.out.println(java.security.Security.getAlgorithms(argv[0]));
        }
    }
    --- end clip ---
    -hugh

  • Community/xen without support for LVM

    Hello Fellows,
    Have tried XEN on Archlinux but ran into troubles right after install.
    Have set up my system with LVM for easy resizing and things like this, but when I try to boot my XEN kernel it drops me to a shell.
    The Message is:
    ALERT! /dev/sda2 does not exist. Droping to a shell!
    I've tried to recompile the package with ABS but haven't gotten a working module for LVM (module is dm_mod).
    Anyone have solution for this?
    ...:::R3G4RD5:::...
    nIcE

    fukawi2 wrote:
    nicebloom wrote: The Archlinux Stock Kernel doesn't come with the modules or the ability to use the raid or lvm subsystem. :(
    Yes it does.
    Try using the 'mdadm' hook in /etc/mkinitcpio.conf then rerun mkinitcpio
    But mdadm is not dm_mod, or?
    and the mdadm hook isn't the lvm2 hook, or?
    And if I want to use LVM my mkinitcpio.conf looks like this:
    # vim:set ft=sh
    # MODULES
    # The following modules are loaded before any boot hooks are
    # run. Advanced users may wish to specify all system modules
    # in this array. For instance:
    # MODULES="piix ide_disk reiserfs"
    MODULES="scsi_mod ahci"
    # BINARIES
    # This setting includes, into the CPIO image, and additional
    # binaries a given user may wish. This is run first, so may
    # be used to override the actual binaries used in a given hook.
    # (Existing files are NOT overwritten is already added)
    # BINARIES are dependancy parsed, so you may safely ignore libraries
    BINARIES=""
    # FILES
    # This setting is similar to BINARIES above, however, files are added
    # as-is and are not parsed in anyway. This is useful for config files.
    # Some users may wish to include modprobe.conf for custom module options,
    # like so:
    # FILES="/etc/modprobe.conf"
    FILES=""
    # HOOKS
    # This is the most important setting in this file. The HOOKS control the
    # modules and scripts added to the image, and what happens at boot time.
    # Order is important, and it is recommended that you do not change the
    # order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
    # help on a given hook.
    # 'base' is _required_ unless you know precisely what you are doing.
    # 'udev' is _required_ in order to automatically load modules
    # 'modload' may be used in place of 'udev', but is not recommended
    # 'filesystems' is _required_ unless you specify your fs modules in MODULES
    # Examples:
    # This setup specifies all modules in the MODULES setting above.
    # No raid, lvm2, or encrypted root is needed.
    # HOOKS="base"
    # This setup will autodetect all modules for your system and should
    # work as a sane default
    # HOOKS="base udev autodetect pata scsi sata filesystems"
    # This is identical to the above, except the old ide subsystem is
    # used for IDE devices instead of the new pata subsystem.
    # HOOKS="base udev autodetect ide scsi sata filesystems"
    # This setup will generate a 'full' image which supports most systems.
    # No autodetection is done.
    # HOOKS="base udev pata scsi sata usb filesystems"
    # This setup assembles an pata raid array with an encrypted root FS.
    # Note: See 'mkinitcpio -H raid' for more information on raid devices.
    # HOOKS="base udev pata raid encrypt filesystems"
    # This setup loads an lvm2 volume group on a usb device.
    # HOOKS="base udev usb lvm2 filesystems"
    HOOKS="base udev autodetect pata scsi sata usb fw net usbinput keymap lvm2 filesystems"
    ...:::R3G4RD5:::...
    nIcE
    Last edited by nicebloom (2009-06-17 14:36:42)

  • OpenSSL bf-cbc encrypted Keyfile HOOK for LUKS

    I modified this HOOK that maxim_ posted here. That does not work.
    https://bbs.archlinux.org/viewtopic.php … 05#p947805
    This one uses Blowfish in CBC mode instead of AES-256.
    The password is hashed 1000 times with Whirlpool.
    gen-cryptkey adds a salt to the encrypted keyfile
    https://github.com/tdwyer/bfkeyfile
    /lib/initcpio/hooks
    #!/usr/bin/ash

    run_hook () {
        local encfile decfile iteration attempts prompt badpassword dev arg1 arg2 retcode password i

        # Only act when bfkf=<device>:<fs-type>:<path> or bfkf=<device>:<offset>:<size>
        # was given on the kernel command line.
        if [ "x${bfkf}" != "x" ]; then
            encfile="/enc_keyfile.bin"
            decfile="/crypto_keyfile.bin"
            iteration=1000
            attempts=5
            prompt="Enter password: "
            badpassword="Password incorrect"

            dev="$(echo "${bfkf}" | cut -d: -f1)"
            arg1="$(echo "${bfkf}" | cut -d: -f2)"
            arg2="$(echo "${bfkf}" | cut -d: -f3)"

            if poll_device "${dev}" "${rootdelay}"; then
                case "${arg1}" in
                    *[!0-9]*)
                        # arg1 is a filesystem type: copy the keyfile out of a mounted device
                        mkdir /mntkey
                        mount -r -t "${arg1}" "${dev}" /mntkey
                        dd if="/mntkey/${arg2}" of="${encfile}" >/dev/null 2>&1
                        umount /mntkey
                        rm -rf /mntkey
                        ;;
                    *)
                        # arg1 is numeric: read arg2 bytes starting at offset arg1 from the raw device
                        dd if="${dev}" of="${encfile}" bs=1 skip="${arg1}" count="${arg2}" >/dev/null 2>&1
                        ;;
                esac
            fi

            if [ -f "${encfile}" ]; then
                while true; do
                    read -rsp "${prompt}" password
                    # Stretch the password: 1000 rounds of Whirlpool over the hex digest
                    i=0
                    while [ ${i} -lt ${iteration} ]; do
                        password=$(echo -n "${password}" | openssl dgst -whirlpool -hex 2>/dev/null | cut -d ' ' -f 2)
                        i=$(( i + 1 ))
                    done
                    # On success the 'encrypt' hook picks up the decrypted /crypto_keyfile.bin
                    openssl bf-cbc -pass pass:"${password}" -d -in "${encfile}" -out "${decfile}" >/dev/null 2>&1
                    retcode="$?"
                    if [ "${retcode}" != "0" ]; then
                        echo -e "\n${badpassword}\n"
                        attempts=$(( attempts - 1 ))
                        [ "${attempts}" = "0" ] && echo "Keyfile could not be decrypted" && break
                    else
                        break
                    fi
                done
                rm -f "${encfile}"
            else
                echo "Encrypted keyfile could not be opened. Reverting to 'encrypt' hook."
            fi
        fi
    }
    /lib/initcpio/install
    #!/bin/bash

    build() {
        add_binary /usr/bin/openssl
        add_runscript
    }

    help () {
        cat <<HELPEOF
    This hook allows for an openssl (bf-cbc) encrypted keyfile for LUKS.
    It relies on standard 'encrypt' hook providing decrypted '/crypto_keyfile.bin' for it.
    You must use gen-cryptkey create the encrypted enc_keyfile.bin
    The password is hashed with Whirlpool 1000 times
    Then your password Hash is used to encrypt the keyfile
    mkinitcpio.conf:
    MODULES: add ext4 vfat or whatever the type of filesystem the keyfile is on
    HOOKS=" ... bfkf encrypt ... filesystems ..."
    Kernel Parameters:
    There is no need for cryptkey=
    Two options are supported:
    1) Using a file on the device:
    bfkf=<device>:<fs-type>:<path>
    2) Reading raw data from the block device:
    bfkf=<device>:<offset>:<size>
    Example: /etc/default/grub
    GRUB_CMDLINE_LINUX="bfkf=/dev/sdb1:ext4:/keyfile.bin cryptdevice=/dev/sda2:root"
    HELPEOF
    }

    # vim: set ft=sh ts=4 sw=4 et:
    /usr/bin/gen-cryptkey
    #!/bin/bash
    # GPLv3
    # Thomas Dwyer
    # tomd.tel

    iteration=1000
    create_msg='Create: gen-cryptkey create'
    decrypt_msg='Decrypt: gen-cryptkey decrypt PATH_TO_KEYFILE'

    main () {
        action=$1
        if [ -z "$action" ]; then
            echo -e "Usage:\n$create_msg\n$decrypt_msg"
        elif [ "$action" = "create" ]; then
            crypt
        elif [ "$action" = "decrypt" ]; then
            if [ -z "$2" ]; then
                echo -e "Usage:\n$create_msg\n$decrypt_msg"
            else
                decrypt "$2"
            fi
        else
            echo -e "Usage:\n$create_msg\n$decrypt_msg"
        fi
        exit 0
    }

    crypt () {
        encfile="enc_keyfile.bin"
        echo "$encfile encrypted keyfile will be created"
        echo ''
        read -rsp "Enter password: " password
        password1=$(echo -n "$password" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2)
        echo ''
        read -rsp "Enter password Again: " verify
        password2=$(echo -n "$verify" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2)
        if [[ "$password1" == "$password2" ]]; then
            # Stretch the password the same way the hook does, then encrypt 256 KiB of random key material
            for (( i=1; i<=iteration; i++ )); do
                password=$(echo -n "$password" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2)
            done
            dd if=/dev/urandom bs=1k count=256 | openssl bf-cbc -pass pass:"${password}" -salt -out "${encfile}"
        else
            echo "Passwords did not match"
        fi
    }

    decrypt () {
        encfile=$1
        decfile="crypto_keyfile.bin"
        echo "$encfile will be decrypted to crypto_keyfile.bin"
        echo ''
        read -rsp "Enter password: " password
        for (( i=1; i<=iteration; i++ )); do
            password=$(echo -n "$password" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2)
        done
        openssl bf-cbc -pass pass:"${password}" -d -in "${encfile}" -out "${decfile}"
    }

    main "$@"
    Last edited by hunterthomson (2013-01-01 00:01:20)

    Well, it is working now, so feel free to use it.
    If you do use it, make darn sure to keep "at least" 3 backups of the keyfile on 3 different devices.
    You will also want to leave your passphrase enabled until you are sure the keyfile is working as it should.
    However, I am not going to use this anymore and will no longer be working on it. I will subscribe to this thread and answer any questions. I don't really see a whole lot of added security in this, and it would be kind of a pain to use a keyfile in a Live CD/USB. I think it is good enough to make use of the --iter-time flag when using luksFormat or luksAddKey. It was a fun ride learning how to write this hook for initcpio.
    Note: Anyone who wants to write a hook should install busybox and symlink /usr/local/bin/ash to it for testing the HOOK script. The HOOKS use busybox ash not 'sh' nor 'bash', and ash is strange. If your HOOK script has an error you will get a kernel panic.
    Last edited by hunterthomson (2012-12-31 23:57:24)

  • Lookup the transactionManager for suspend/resume support in BMT

    Hi,
    We are trying to implement a suspend and resume transaction mechanism within Bean Managed Transaction Demarcation.
    Since the UserTransaction does not provide the suspend/resume APIs, we need access to the TransactionManager implementation.
    Is it recommended to lookup the transactionManager by:
    (TransactionManager)ic.lookup("javax.transaction.TransactionManager");
    Can anyone state if this is the best approach?
    Is it standard with any J2EE implementation?
    Thanks,

    I guess you might be using stateless session beans. Since stateful session beans do not support reentrancy, this scenario should not be applied to SFSB.
    If you slightly modify your scenario, things might work without suspend and resume.
    public void methodA() throws Exception {
        utx.begin();
        // do something
        // call methodB through the container via the bean's remote interface
        // (ctx is the bean's SessionContext; MyBeanRemote is a placeholder name)
        ((MyBeanRemote) ctx.getEJBObject()).methodB();
        // do something
        utx.commit();
    }

    public void methodB() throws Exception {
        utx.begin();
        // do something
        utx.commit();
    }
    The above scenario might work because the methodB() call will be intercepted by the container and, in BMT, any incoming transaction will be suspended. You could give it a try.
    regards
    sankar

  • How do I get apple support without an AppleCare protection plan?

    So I recently had a problem with my Apple ID while still under AppleCare, and it turned out that the Apple ID was saved with .con instead of .com. I was told to make a new Apple ID and use this new one for everything, and so I did. I forgot my password for that old .con Apple ID and forgot that that Apple ID was still used for my iCloud account, so it won't register to try for resetting or retrieving my password. My phone was restored last week and I can't back up my iPhone without my password and I was able to fix it by talking to a support representative, but without AppleCare, I cannot do so.
    Can anyone help me with this, please?!?!

    You do not need an Apple Care plan to speak to Apple Care agents for assistance with Apple ID issues. You need an Apple Care plan when you wish to speak to Apple Care about hardware issues regarding Apple hardware products, such as a Mac or an iPad.

  • How can I config a yum public repository for VM support without paying ?

    Please see:
    yum public repository
    I'm a bit confused with the options for support/updates. There is an option to get a VM support, which includes support, and a ULN subscription. There is also the option in the pricing guide to just get the ULN subscription, which is 1/3 the cost. Could I not get updates for OVM server/manager that way? I don't currently care to get support. I just want the updated binary RPMs.
    I'm actually just trying to evaluate OVM 3.1.1 and so far it's junk because of several storage related issues I'm running in to. However, based on forum posts, I think most of those have been patched, but not released to the general public. How am I supposed to make an informed decision without committing $$$?
    M.

    There was some NFS issue that was resolved. I don't have details available at this minute, but off the top of my head I started to create a virtual disk for a new VM, and it timed out after 10 minutes. Even though it times out, it does actually create the image file, and that part is done nearly instantly, so I don't know why the timeout after 10 minutes. However, even though the image file is created it doesn't appear usable in the manager.
    The storage is on an NFS server connected via direct 10GbE. This worked fine in 3.0.3, when I tested that version.
    Based on the above post, my plan for now is to subscribe to ULN, and get/apply the updates, then post specific questions/details regarding the issue (unless it magically disappears with the patches).
    Thanks,
    M.

  • Is it possible to do multiple ssids and encryptions on an autonomous AP without vlans?

    I got a customer who just has autonomous APs. They are upgrading from 1210s to 1262s. They are currently running a config that is wide open with no authentication or encryption and using a VPN tunnel on the wireless clients for security. They want to switch to using WPA2/PSK with the new APs. They have existing clients that have to continue to work during the upgrade to the new APs. They run 3 shifts, so it is a 24 hr operation with no downtime. What I was thinking would be to configure the 1262 with multiple SSIDs, one with their existing settings and one with the new. Then I could swap the APs one at a time and it would only impact service for a short period of time while I was mounting the new AP. Then once all the new APs are installed I could transition the clients over to the new SSID and encryption, then disable the old SSID once all the clients are switched over. I've done this before with a WLC but not with autonomous APs. The only config examples I can find use VLANs. This customer is not using VLANs. Is there any way to use multiple SSIDs with different encryption on a single radio on an autonomous 1262 without VLANs?
    The site has about 30 APs and 100 clients. Yes, I know a controller would be preferred for a site of this size, but that is a question for sales and why they didn't sell them a controller. I just get stuck with what they sell them.
    thanks

    Hi Don,
    I'm afraid on the autonomous platform you cannot map multiple WLANs to a single VLAN.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
