Recent posts

Manjaro on the RPI4 with full disk encryption

13 minute read

The Raspberry Pi has become more and more powerful in recent years, maybe too powerful to be a “maker board”. The higher CPU power and the availability of more memory - up to 8GB - make it more suitable for home server usage.

The latest firmware (EEPROM) enables booting from a USB device. To enable USB boot, the EEPROM on the Raspberry Pi needs to be updated to the latest version, and the bootloader that comes with the operating system - the start*.elf files, etc. on the boot filesystem - needs to support it.

I always try to use filesystem encryption. You’ll find my journey to install GNU/Linux on an encrypted filesystem below.

64-bit operating systems

The Raspberry Pi 4 has a 64-bit CPU, but the default operating system for the Raspberry Pi - Raspberry Pi OS (previously called Raspbian) - is still 32-bit. To take full advantage of the 64-bit CPU, a 64-bit operating system is required.

You’ll find an overview of GNU/Linux distributions for the RPI4 below.


Using SmartCardHsm with GnuPG

4 minute read

GnuPG

When you want to store your GnuPG private key(s) on a smartcard, you have a few options, like the Yubikey, NitroKey GPG-compatible cards, or the OpenPGP card. The advantage of these cards is that they support GnuPG directly. The disadvantage is that they can only store one or a few keys.

Another option is SmartCardHSM; the NitroKey HSM is based on SmartCardHSM and should be compatible. The newer versions support 4k RSA encryption keys and can store up to 19 RSA 4k keys. The older version is limited to 2k RSA keys. I still have the older version. The advantage is that you can store multiple keys on the card. To use it for GPG encryption, you’ll need to set up a gpg-agent with gnupg-pkcs11-scd.


Setup a certificate authority with SmartCardHSM

13 minute read

SmartCardHSM on Kali

In this blog post, we will set up a certificate authority with SmartCardHSM.

When you create an internal certificate authority for internal services, it’s important to protect the private key. If somebody with bad intentions gets access to the private key(s) of the signing certificate authority, they can use it to issue new certificates, which would enable man-in-the-middle attacks.


Lookat 2.0.1 released

less than 1 minute read

lookat 2.0.1

“lookat” (or “bekijk” in Dutch) is a program to view text files and manual pages. It is designed to be more user-friendly than more conventional text viewers such as less, and it supports colored manpages.

Lookat 2.0.1 is the latest stable release of Lookat/Bekijk.

ChangeLog

  • BUGFIX: corrected the screen refresh code to handle non-UTF-8 terminals correctly.
  • BUGFIX: ensure that menus are initialized before using them.
  • BUGFIX: corrected type menu handling.
  • BUGFIX: failed to open type-enabled extensions from the command line.


Use unbound as a DNS-over-TLS resolver and authoritative DNS server

2 minute read

Unbound

In previous blog posts, I described how to set up stubby as a DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

But I’m migrating away from stubby in favour of unbound.

Unbound is a popular DNS resolver; it’s less well known that you can also use it as an authoritative DNS server.

I created a docker container that can serve both purposes, although you can use the same logic without docker.

It’s available at https://github.com/stafwag/docker-stafwag-unbound.
