Using Cloud storage safely – encrypt & sync with Ubuntu

The advent of “The Cloud” has meant that there are now services available on the internet for many of the tasks which traditionally would have been tackled by systems within your company or home.

One of the most basic is the storage of files on the internet which synchronise with a folder on your computer.  Although there are many examples, I am going to use a free 5Gb Ubuntu One (U1) account to keep my secret files backed up offsite.

When it comes to backups, there are a couple of issues that need to be addressed.

1. If you backup to an external hard-drive, what happens if someone steals it?  Do they get access to your personal information?
2. What if the house burns down? Do you lose both the original store of that information on the PC as well as the “safe” backup on the external hard drive in the same room?

I suspect that for most people the answer to both of those questions is yes.  It does not need to be and GNU/Linux allows you to fix these issues relatively easily.  I don’t know whether it can be done on Microsoft Windows or Mac OSX, you’re on your own there. 🙂

I have a PC with Ubuntu 11.10 “Oneiric Ocelot” installed.  As usual, I have a “home” folder for my own account but because there is no encryption on those files by default, anyone who gets their hands on my PC or external hard drive can read my files.

So this is what I did…

Install the package ecryptfs-utils with support for encfs to add an encrypted folder under your home folder called “Private”.

Open up a terminal window and execute the following command

sudo apt-get install ecryptfs-utils encfs

Then run the following command to create the Private folder

ecryptfs-setup-private

This will ask you for your login password/passphrase and will then create for you a mount passphrase which you should record somewhere as it is the key to decrypting your secure data in future.

(Hint, don’t just stick it in a text file in the same folder. Nature has a way to stop this sort of behaviour a.k.a. “Natural Selection”.  You could backup the folder ~/.ecryptfs as it contains the mount passphrase wrapped up by your login password.)

At this point there is a folder called “Private” in your home folder which looks much like all the other folders.  The difference however, is that every file or folder you place in there becomes encrypted and stored in a hidden folder called “.Private” (note the initial fullstop/period in that name).

In fact, the data is ONLY stored in that .Private folder and it is your mount passphrase that decrypts it and allows you to interact with the files through the Private folder. The .Private folder is what you can safely store out on the internet because nobody can decrypt it without your mount passphrase.  What we will do next is synchronise this folder to be stored out on a cloud file storage service.  I’ve chosen UbuntuOne but you could just as easily use Dropbox

Now this is where the fun starts…

Sign-up for an UbuntuOne account

or Dropbox here (using my referral)

Ubuntu One software is already included with Ubuntu, for other services you will need to install some software e.g. Dropbox client software.

Launch the Ubuntu One software from the Unity launchbar on the left of your screen in Oneiric. Once you have logged in, you will see that the “Ubuntu One” folder in your Home folder is automatically synchronised.  Now I am sure that the nice people at Canonical would not sift through your files or that they’d make a technical error that allowed your files to be seen by all and sundry on the internet.  But with this approach, we don’t have to worry.

In the Ubuntu One software, you need to add the .Private folder (the one starting with the period, remember?) which contains encrypted gobbledygook so that it gets synchronised from your PC to your 5Gb Ubuntu One (U1) account. To accomplish this, right click on the folder in Nautilus (the normal file explorer in Ubuntu) and choose the menu option for Ubuntu One to “Synchronise This Folder”.

If you like, you can login to the U1 website to check the progress of the upload.

Once that is completed synchronising, you will have your files safe and secure on the cloud in case you lose your primary source of those files.  Every time you edit one of those files or add another, they will immediately be encrypted and synchronised with that U1 account.

The mount passphrase is essential in getting access to that data so DO NOT SHARE OR LOSE IT.

If you want to retrieve that data on another Ubuntu machine, then merely setup U1 as before using the same account details. You will probably need to click the checkbox in the U1 software, “Cloud Folders” tab for the .Private folder to be downloaded to this new machine. (CAUTION: It is not necessary to perform the step earlier to create the Private folder on this second machine using ecryptfs-setup-private.  In fact, if the Private folder already exists on this second machine, don’t do this because encryption is already setup and you’re probably overwriting some other encrypted data.)

Give it some time to synchronise and run the following command in a terminal

sudo mount -t ecryptfs ~/.Private ~/Private

Enter your mount passphrase and you should be able to see your data in the Private folder.

Some additional things to note.

If you need more than the free 5Gb, you can pay for more storage.

Software clients exist for many operating systems (Windows, Android smartphones etc) but you will need a means to decrypt the data when you want to read or edit it. This guide assumes that we are only using Ubuntu 11.10.  Hint: For Android check out the boxcryptor application with a Dropbox account as it has encfs support and is well integrated with Dropbox.  I prefer to use free software and will keep an eye out to promote an Android solution in future.

I hope this helps explain how to protect yourself from data theft or loss by using readily available cloud services.  If you require further explanation, please let me know and I will try to clarify.

AMD video problems in Ubuntu 11.10 Oneiric Ocelot

I’ve had some issues with graphics in Oneiric Ocelot since the Alpha pre-releases.

There were issues with the AMD proprietary driver (“fglrx”) for both my 5770 and 5870 graphics cards and, since I would always prefer to use free software, I decided to revert to the free Radeon driver that does have some 3D support now.

The problem is that, even after removing the proprietary AMD driver, some residual issues still persist that stop the radeon driver from working properly.

The trick is to reinstall a few components after removing all the fglrx packages.  Then remove the xorg.conf file.

That was enough for me, I now have my dual monitor setup back in action with the compiz wobbly-windows effect that I like.

In a terminal, try these commands one-by-one and then reboot.

sudo apt-get remove --purge fglrx fglrx_* fglrx-amdcccle* fglrx-dev* xorg-driver-fglrx
sudo apt-get remove --purge xserver-xorg-video-ati xserver-xorg-video-radeon
sudo apt-get install xserver-xorg-video-ati
sudo apt-get install --reinstall libgl1-mesa-glx libgl1-mesa-dri xserver-xorg-core
sudo mv /etc/X11/xorg.conf /etc/X11/xorg.conf.backup

 

The free software radeon drivers wins over the proprietary AMD software.

For more help with getting AMD cards working try reading this excellent guide for Natty.

Disable sound on login to Ubuntu 11.10 Oneiric Ocelot

There does not appear to be a simple way to do this through the user interface but this terminal command will do it.

gsettings set org.gnome.desktop.sound event-sounds false

Upgrading from ext3 to ext4 in Ubuntu

If you have installed Ubuntu recently you will find that ext4 is the standard format used for creating filesystems. However, if you upgraded from an older version of Ubuntu you may be still using ext3.

The following instructions show how to upgrade the filesystem format with the data still in place. I am presuming you have a backup of your data in case this goes completely pear-shaped.

First confirm that you are using ext3 by typing the following command in a terminal window (Go to Applications menu, Accessories, Terminal)

sudo df -Th

One of the lines that showed up for me was

/dev/sdb1     ext3   241263968  93827044 137632456  41% /media/mirror

Now download, create and boot from a Ubuntu live CD so that none of your hard drives are in use.  Choose the 32-bit option of the latest version (ver 10.10 at time of writing) of Ubuntu.

Then restart the machine with this newly created CD and again confirm the name of the device you want to upgrade from ext3 to ext4.

sudo df -Th

Before making the change in format, let’s check the disk for any errors

sudo e2fsck -fDC0 /dev/sdb1

When that completed, we make the change from ext3 to ext4 with

sudo tune2fs -O extents,uninit_bg,dir_index /dev/sdb1

The only thing left to do is to edit the fstab file so that the filesystem loads with ext4

The fstab file will be on the drive that you use to boot the PC in the /etc directory.  Although not in my example here, this may be the drive you just modified.

We need to mount the drive that is used for booting (I assume it is sda1 here)

sudo mkdir /mnt/sda1
sudo mount -t ext4 /dev/sda1 /mnt/sda1

Now edit the fstab file

sudo nano /mnt/sda1/etc/fstab

Look for the line which contains your recently changed drive (sdb1 for me) and alter the format from ext3 to ext4 and hit control-x to exit.  Then hit the Y key to accept the changes and hit enter to replace the old fstab file.

Now it’s just a matter of restarting for the drive to be reloaded with ext4.

Free graphics card by earning bitcoins

Well, here’s the plan.

I’ve just bought a Powercolor ATI Radeon HD 5770 for AUD$127 from msy.com.au in Ultimo, Sydney yesterday.

This is a good quality graphics card that is below the current 6000 series cards in terms of performance but cheap at the price.

What I plan to do is earn enough money from it to cover the cost within 2 months!

How is that to be achieved? By “GPU mining”.

With the advent of OpenCL support, the newer graphics cards can be instructed to use the onboard graphics chip (known as the “GPU”) to focus on intensive mathematical tasks and free up the main system CPU to do other things.  The GPU is designed for this sort of work so it’s an ideal way to get the most out of the hardware you have purchased.

Ok, here’s where the money comes in.  Bitcoin is a form of virtual currency that is managed by a network of connected computers on the internet that talk to each other at a peer level to manage the transfer of bitcoins from one party to another.  The transfer is anonymous in that you know the identifier of the party you are dealing with but not who they are. There are businesses that are accepting bitcoins as a form of payment. The computers in the bitcoin network belong to any individual that is interested in partaking in the bitcoin economy.

My computer is now one of them.

Every now and again, one of the nodes (i.e. computers) in the network creates some new bitcoins (50 at a time to be precise).  The more processing power you have, the more likely you are to create a block of 50. By adding this graphics card, I have increased my processing power for bitcoin generation by about 150 times and should create 50 within 8 days on average according to the bitcoin calculator. I am processing at 155 Mhash/sec now.

There are markets to swap bitcoins for USD through paypal transactions which at time of writing show that 1 bitcoin is near to USD$1.  I will earn USD$50 per week on that basis which will pay for the card in under a month but I’m being conservative by aiming for 2 months. There has been a significant rise in the relative value of a bitcoin in the past 6 months which is a critical factor in this plan.

In order to get things running on Ubuntu 10.10 64-bit “Maverick Meerkat”, I had to download and install the proprietary version of the ATI driver (10.11 is the best for performance currently) for my card.  It chose the radeon driver by default which does not provide the OpenCL support required. Also, I chose ATI since their performance for mining is far, far better than Nvidia’s.

It was necessary to also get the ATI Stream SDK 2.1 from here.  This provides the OpenCL libraries.

I also downloaded this to get the correct ICD files installed under /etc/OpenCL/vendors

This how-to for Maverick Meerkat and also this link were invaluable in getting to this point.

Having achieved that little success, now we need to get the bitcoin software and also the Diablo GPU miner software.

You should ensure that the bitcoin server is running rather than the actual user interface (see below).

In a terminal window, run the following

sudo gedit ~/.bitcoin/bitcoin.conf

and put in any values for rpcuser and rpcpassword

rpcuser=myself

rpcpassword=somethingsecret

Then you need to run the bitcoin server with

bitcoind -server

Now finally you need to run the Diablo miner making sure that it knows where the ATI Stream SDK OpenCL library is. (find it with sudo find / -name libOpenCL.so) and using the path to where you downloaded the miner along with the username and password you put into the bitcoin.conf earlier.

export LD_LIBRARY_PATH=~/Downloads/ati-stream-sdk-v2.1-lnx64/lib/x86_64/

./DiabloMiner-Linux.sh -u myself -p somethingsecret -w 64 -f 10

This should then show the current processing in terms of khash/sec.  Mine is between 150,000 and 160,000.

Now to sit back and see if I improve on my free 0.05 bitcoins in the next 8 days (UPDATE: First 50 bitcoins arrived this morning, 27/02/11 4:14:49 AM, after about 15 days of processing)

Oh, and if you do manage to get some coins and fancy giving them away, my bitcoin wallet is 1Cfdc5DHMABv27eyQ9xcrnuynQmx9dRXTg

Host your domain with Google Apps – you@yourcompany.com

For those who have never done it, and those who are paying too much for it, there is an easy and inexpensive way to get your own registered domain name hosted for email so that you have an email address like bob@hiscompany.com

The trick to this is to use Google Apps and a domain registrar (I use godaddy.com as registrar in this example as it’s cheap and they’re one of the biggest on the internet).

First things first.  You need to decide on a domain name you want.

Go to godaddy.com, search for the domain name you want and follow the prompts to checkout and purchase. There should be sufficient instruction on their website on how to purchase.

Once that has been accomplished, you will be able to login and configure the domain so that email is hosted by Google Apps. This allows you to access your email from anywhere without any further concern for backups or uptime.

Sound good?  Then let’s get started.

In the godaddy interface, you login so that you can see your account (link to “My Account” in top right of screen on their current website layout).  This will show you your newly registered domain in a list.  Click on the “Advanced details” next to your domain name e.g. yourcompany.com.

On this screen, it is the “Total DNS” section you need to change.  Click on “Total DNS Control” to bring up the screen to edit these values.

There will be two settings shown under the MX section. These relate to email and need to be deleted by clicking on the red cross to the right.  Then we add three new ones in this MX section to point us to Google Apps email.

Click on “Add New MX Record” and enter these values (Note there is a period/fullstop after each of the names below.  TTL value is left at default of 1 hour)

Host Name – Goes to Address – Priority

@ – aspmx.l.google.com. – 10

@ – alt1.aspmx.l.google.com. – 20

@ – alt2.aspmx.l.google.com. – 30

@ – aspmx2.googlemail.com. – 40

@ – aspmx3.googlemail.com. – 50

Next we want to alter the CNAMES section so that mail.yourcompany.com points to the Google Apps email website.  To do this we, delete the current CNAME Alias called “mail” and create a new one of the same name with these settings…

Alias Name – Points to Hostname

mail – ghs.google.com

This should be it for setting up the domain, now we need to configure the Google Apps side to accept these emails for us.

Click on http://www.google.com/a

Click on the “Apps Editions” and choose the “Standard” which is free and allows up to 50 email addresses to be created.

Click on the “Get Started” button.

Now you can enter an existing domain name (bought from godaddy above) e.g. “yourcompany.com”.

Choose Administrator, as you control the domain, and then “Get Started”.

Next complete the screens with your personal details to register with Google Apps and you will eventually get to a page that talks about how you can confirm to Google Apps that you really own the domain.  You have 7 days to confirm this or this Google Apps account will be deleted.

To confirm ownership,  login to Google Apps and it will prompt you to verify ownership.

Choose  the first option “Add a DNS record to your domain’s configuration” and choose godaddy.com (assuming that’s who you registered with) from the drop down list .

Step-by-step instructions will be displayed on what is required.  You will need to login to godaddy.com and go to the “Domain Manager” (from the left-hand menu) and create a TXT record for the domain by clicking on “Total DNS Control”.

There is a button half-way down the screen on the right hand side called “Add New TXT Record”.  Click that and add the details that Google Apps indicated for the TXT Value and leave the TXT Name blank.

Finally, click on the “Verify” button at the bottom of the Google Apps page and you’re done!!!

There are options to create user email accounts but that is outside the scope of this little setup exercise and should hopefully be self-explanatory if you follow the on-screen instructions.

Also, it is worth noting that any editing of the domain settings through the godaddy.com site takes some time to be replicated around the internet. Don’t be dismayed immediately if you cannot see the fruits of your labour. If it is still not working a couple of days later, you have my permission to be dismayed.

NOTE: Once you are configuring your Google Apps account, you should enable the SSL checkbox under “Domain Settings”.  This makes your email communications encrypted even if you use http://mail.yourcompany.com

Good Luck 🙂

Downloading repo keys from behind a corporate firewall

Corporate firewalls commonly block port 11371 which launchpad PPA’s use for their keys.

It is possible though to get these through the normal port 80 for web traffic using the format below (replace the last reference to reflect the key you want to download)…
gpg --keyserver hkp://keyserver.ubuntu.com:80 %%recv-keys 0A5174AF

Using a USB modem for wireless 3G internet with Ubuntu 10.04 “Lucid Lynx”

Many of these devices contain their own software to work with Windows.
If you use them with a Windows machine, they act like a USB flash key containing the software and will install the necessary drivers.
Once this is done, they switch into a different mode of operation and act like a modem from then on.
This is not required in Ubuntu so we just need to make sure the modem skips that first stage. It’s a very simple fix actually but will involve getting an internet connection through another means first i.e. home internet, wifi at a cafe, a friend’s place etc

Open a Terminal window (under the Applications menu, Accessories).
Type the following to install what you need

sudo apt-get install usb-modeswitch

This will ask you for your password in order to install the software.
Once it is completed, you can just insert the USB modem again and connect using the Network Manager applet near the top right hand corner of the screen.
From here it depends on the internet provider that the USB modem relates to but it should get you a good deal closer to getting it working.

Webmin on a server running Ubuntu 10.04 “Lucid Lynx”

If you have an old PC lying around, why not put it to good use as a server?

Download Ubuntu 10.04 Server edition in 64-bit or 32-bit versions depending on how old your server is.  64-bit is recommended if the PC will accept it.

Once downloaded, you use .iso file to burn a CD.  Then boot from the CD to install Ubuntu Server on your machine.

This is an install that does not have the usual graphical user interface which can scare people off but it has its benefits.  You use the power of the machine only for its intended purpose e.g. acting as a file server, a DHCP or a DNS server.

Once it has been installed successfully and the network connection is verified to be working, it is quite feasible to remove the display monitor and to deal with the server across your network from now on.  A key tool in this approach is Webmin.

To install run the following command line

sudo apt-get install webmin

Once that completes, you will be able to install updates, configure the machine, add extra server components, get alerts when things are going awry on the server etc

To harness all this incredible power, point your browser (Firefox, Chrome etc) at …

https://yourservername:10000

As an example, once you have installed it, go to the menu on the left hand side, choose “Webmin Configuration” and then the “Upgrade Webmin” icon.

This will upgrade you up to the latest version available from the webmin site.

Then try this to keep track of all software updates that are available for your server…

On the same “Webmin Configuration” Screen, choose “Webmin Modules” icon and then the button to the right of “Standard module from www.webmin.com“.

Select “package-updates” from the list and follow the instruction to install it. (It may be already installed but this shows you how to get other modules should you be interested in adding new functionality to webmin).

It is also necessary to install another package which is not installed by default in order for the list of packages to work as expected.  Run this command line.

sudo apt-get install apt-show-versions

Now, you can have Webmin check for updates every hour and let you know via email if your server has important updates ready to be applied.  This is better than automatically configuring the server to apply updates blindly in case something breaks. You can then choose a suitable occasion to perform the updates when you have time to rectify any issues that may occur.

Click on the System menu on left-hand-side of Webmin screen and choose “Software Package Updates”. In there you can set your schedule for checking updates and where to send the email.

I recommend to check every hour and “Just notify” of available updates.  This screen is fairly self-explanatory.

Webmin has everything you need to remotely control your server and circumvents the need to run a graphical user desktop environment on that machine saving precious processing time particularly on older machines. It also makes the configuration,  monitoring and management of that server easier to perform remotely so it can be hidden away in some dark recess of your home or office.  This is a good thing if the machine is an ugly beast from the last century with a noisy fan and a hideous disfigurement like my server, “quasimodo”.

Inexpensive 802.11n Wifi USB with Ubuntu 10.04 Lucid Lynx

UPDATE: it may be possible to get this working with two simple lines. Tested as working under Ubuntu 10.10 “Maverick Meerkat”.

In a terminal window try the following and then reinsert the USB wireless N adapter.

cd /lib/firmware
ln -s RTL8192SE RTL8192SU

END UPDATE

 

I bought this relatively cheap USB wireless N adapter online but it did not work when initially inserted using Ubuntu 10.04 Lucid Lynx.

Now I cannot determine the speed as my Wireless Access point is actually on Wireless g (54Mbps) but this is what I did to get it working.

From the CD that came with the adapter, I copied off the file containing the Linux driver and then copied only the firmware to the appropriate location for Ubuntu to be able to utilise it.

(Assuming the CD is visible at /media/WLAN_6.58/)

Open a terminal window (from the Applications menu, Accessories), then type each line as shown below followed by Enter key each time.

mkdir ~/tmpwifidriver

cd ~/tmpwifidriver

cp /media/WLAN_6.58/USB-11N_RTL8191\&8188/Linux/rtl8192su_linux_2.6.0002.0708.2009.tar.gz ~/tmpwifidriver/

tar xvf rtl8192su_linux_2.6.0002.0708.2009.tar.gz

sudo cp -r ./rtl8192su_linux_2.6.0002.0708.2009/firmware/RTL8192SU/ /lib/firmware/

Just delete the temporary folder now to cleanup

rm -rf /home/tony/tmpwifidriver/

Then just insert the wifi USB adapter and click on the icon for Network Manager in the top right of the screen.  You should be able to see any nearby wireless hotspots.

For the record, my wifi adapter looks like this when queried with lsusb

Bus 001 Device 010: ID 0bda:8172 Realtek Semiconductor Corp.

A bargain for only $16!!