
Author Archive

Manual encryption partition setup for stronger full disk encryption

May 26th, 2017 by

When installing openSUSE or SUSE Linux Enterprise, YaST is able to configure encrypted LVM using LUKS for full disk encryption. The default configuration is aes-xts-plain64 with a 256 bit master key. However, because XTS mode splits the master key into two halves (one for the block cipher, one for the tweak), this reduces the effective key size used for AES to 128 bits.

In order to use a 512 bit master key, and thus an effective 256 bit AES key, one needs to format the device manually prior to installation:

cryptsetup luksFormat --key-size 512 /dev/sda1

However, the installer suffers from boo#1030299, which prevents it from writing an entry to /etc/crypttab in this case. The result is a system that is unable to boot after installation.

The work-around is as follows: Boot into the rescue system, open the crypto device and enter the installed system as a chroot:

cryptsetup luksOpen /dev/sda1 crypto
mount /dev/mapper/system-root /mnt
for X in proc dev sys; do mount --bind /$X /mnt/$X; done
chroot /mnt

(This example assumes /dev/sda1 to be the crypto device, and an LVM VG named system with a LV named root, and no separate /boot.)

Then in the chroot, edit /etc/crypttab to have the following line:

crypto /dev/sda1 none none

See man crypttab for additional settings and options. To finalize, regenerate the initrd and reboot.
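As an added example (not part of the original post), two checks for the situation described above: one reads the output of cryptsetup luksDump and reports the key length a single AES instance actually uses, halving the master key for xts-* modes; the other verifies that /etc/crypttab names the device. The dump and crypttab text are constructed samples in the LUKS1 "Cipher mode:" / "MK bits:" layout.

```bash
#!/bin/bash
# Added example: effective AES key length from a LUKS header, and a crypttab check.
# SAMPLE_DUMP is constructed to look like `cryptsetup luksDump /dev/sda1` (LUKS1).

SAMPLE_DUMP='LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Constructed /etc/crypttab content, as the post says it should look after the fix.
SAMPLE_CRYPTTAB='# <name> <device> <password> <options>
crypto /dev/sda1 none none'

# effective_aes_bits <luksDump-output>
# XTS splits the master key into two equal halves (block cipher key and tweak key),
# so for xts-* modes only half of "MK bits" is the AES key length. Other modes use
# the whole master key. Fails (return 1) if either field is missing.
effective_aes_bits() {
    local dump="$1" mode bits
    mode=$(printf '%s\n' "$dump" | awk -F: '/^Cipher mode:/ {gsub(/ /,"",$2); print $2}')
    bits=$(printf '%s\n' "$dump" | awk -F: '/^MK bits:/    {gsub(/ /,"",$2); print $2}')
    [ -n "$mode" ] && [ -n "$bits" ] || return 1
    case "$mode" in
        xts-*) echo $((bits / 2)) ;;
        *)     echo "$bits" ;;
    esac
}

# crypttab_has_device <crypttab-content> <device>
# Succeeds when a non-comment line names <device> in the second column; a missing
# line is exactly what boo#1030299 leaves behind, and the system then cannot boot.
crypttab_has_device() {
    printf '%s\n' "$1" | awk -v dev="$2" '$1 !~ /^#/ && $2 == dev { found = 1 } END { exit !found }'
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "effective AES key length: $(effective_aes_bits "$SAMPLE_DUMP") bits"
    if crypttab_has_device "$SAMPLE_CRYPTTAB" /dev/sda1; then
        echo "crypttab: entry for /dev/sda1 present"
    else
        echo "crypttab: no entry for /dev/sda1, add one before rebooting"
    fi
fi
```

On a real system, pass "$(cryptsetup luksDump /dev/sda1)" and "$(cat /etc/crypttab)" in place of the samples.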


A future rewrite of the YaST storage abstraction layer is planned which should address this issue.

Uninstall a patch using zypper

July 11th, 2016 by

Maintenance and security updates for the stable openSUSE Leap releases are automatically tested using OpenQA, and also receive community testing prior to release. In addition, many updates to openSUSE Leap are inherited from SUSE’s enterprise products, where they already receive thorough review, and automated as well as manual testing.

Should anything go wrong, here is how to “uninstall” an online update using zypper.

zypper in --oldpackage `zypper info -t patch --conflicts openSUSE-2016-XXX | \
grep " < " | while read NAME C VERSION; do \
rpm --quiet -q --queryformat "%{name}\n" $NAME && echo "${NAME}<${VERSION}"; \
done`

Replace openSUSE-2016-XXX with the update in question. Every package that is installed and touched by the patch is downgraded to the version preceding it. This, of course, is an alternative to using Btrfs snapshots. Note that the update will be offered again.

If you want to help review proposed online updates, just check the “untested updates” repo in YaST or add one of the -test repositories to receive updates early.

mounting TrueCrypt volumes in GNU/Linux using cryptsetup

January 12th, 2014 by

cryptsetup as of 1.6, which shipped in openSUSE 13.1, is able to mount TrueCrypt volumes without using any TrueCrypt code, which, as I previously noted, is problematic due to its license, at least for inclusion in the openSUSE distribution.

Here, then, is how you mount it:

cryptsetup open --type tcrypt /var/run/media/username/volume_name encrypted_volume
mount /dev/mapper/encrypted_volume /mnt

For read only access, add --readonly and -o ro respectively. When done:

umount /mnt
cryptsetup close encrypted_volume

See man 8 cryptsetup for all details and options.

Apache Subversion 1.8 preview packages

April 15th, 2013 by

RPM packages of what will become Apache Subversion 1.8 fairly soon are now available for testing on all current releases of openSUSE and SLE 11.

Note that in this release, serf will replace neon as the default HTTP library, to the extent that the latter is removed completely. I wrote about ra_serf before and added support for it in recent packages. You can test this now with either 1.7 or 1.8 if you are concerned about performance in your network. Please note that for servers running httpd and mod_dav_svn, increasing MaxKeepAliveRequests is highly recommended.

Update: Apache Subversion 1.8 is now released. You can find maintained packages via the software search in the devel:tools:scm:svn project. This will be part of the next release of openSUSE.

xtrabackup for MySQL

October 14th, 2012 by

If you run data-driven applications like me, you are probably already running some kind of backup and have plans for disaster recovery. I hope you are not still using SQL dumps?

I have been using Percona XtraBackup professionally for MySQL backups for a while now. Especially if your database access is highly transactional you will find it useful that you can get consistent non-blocking, non-purging backups while continuing to serve transactions. Who wants downtime anyway?

Under the hood the software will take a dirty copy of the InnoDB tablespaces on disk, and extract binary logs required to bring all of these to a specific point in time, or rather LSN, using a patched version of the mysqld binary. The preparation / restore requires applying the binary log to the files which results in MySQL tablespaces and binary log files equivalent to how they would have been with a clean MySQL shutdown.

Mixing transactional with non-transactional database engines is possible if you are willing to accept some blocking time while backing them up. If you are using MySQL replication, you can also use this to create a new slave from a master, or to clone a slave from another slave, without downtime of either.

The upgrade to the 2.0 series adds, among other things, parallel IO and parallel compression. This requires a new streaming file format, xbstream, in addition to the previous tar. Think of it as a tar with multiple input pipes.

I added the xtrabackup package to openSUSE, it is available in the server:database project (repo, SLE 11) right now and will also be part of the next openSUSE release.

Remember that these are only tools. Love your data and protect your business. A copy is not a backup. A backup that isn’t monitored for success is not a backup. A backup that is not proven to restore successfully is barely a backup.

Contact me if you need help setting this up.

subversion with libserf – continued

March 15th, 2012 by

Further to my work on packages for Apache Subversion with support for serf / libserf / ra_serf: that repository access module was not made the default in the 1.7 release after all. Anyway, version 1.0.13 of serf is now available in devel:libraries:c_c++ with the intention of getting it into Factory. You will find current Apache Subversion packages with fixed conditional compilation against serf in home:AndreasStieger:serf, home:AndreasStieger:branches:devel:tools:scm:svn and devel:tools:scm:svn for testing.

Updated 27/05/2012: repository locations
And again after SR#122507 was accepted.

subversion with libserf

April 26th, 2011 by

I packaged subversion to build against libserf in addition to neon. This adds a second repository access module to handle the http and https schemes, with potential performance improvements. To enable it, install the packages from my home repository (see the updated package location).

To enable, adjust your ~/.subversion/servers file:

http-library = serf

Beyond this, the package tracks the package from devel:tools:scm:svn.

license implications when packaging TrueCrypt

March 6th, 2011 by

I use an encrypted USB stick to carry credentials and data for production servers I look after when I’m on call. One requirement was portability between my work (Windows) and home (GNU/Linux) desktops, so TrueCrypt came to mind. I packaged it all up and applied some patches to fix compiler issues and warnings. The TrueCrypt license, however, is not OSI-approved, and as such the program cannot be built in the openSUSE build service (see blacklist, discussion).

I almost forgot about the whole thing until I upgraded the package for new dependencies in the upcoming release of openSUSE 11.4. I talked with people over at packman, a popular 3rd-party repository for software not included in openSUSE proper for one reason or another. We analysed the license a bit and concluded that if we shipped binaries built from non-pristine sources, the product would have to be re-branded as per the requirements of their license. I am usually pragmatic about these things as long as FLOSS and non-FLOSS licences can be adhered to, but didn’t want to go the route Debian took with Firefox et al.

We contacted the TrueCrypt developers on this issue, we’ll see what comes out of that. Until then, if someone wants to build this package, here is what you need:


irssi on freenode with SSL verification

January 30th, 2010 by

Those of you who frequent openSUSE’s support channels on freenode might be interested to know that SSL encryption in the ircd is now available. However, some users had problems verifying the SSL certificate on connection when using irssi. Here is an example working server configuration section for your ~/.irssi/config:

address = "chat.freenode.net";
chatnet = "freenode";
port = "7000";
use_ssl = "yes";
ssl_verify = "yes";
ssl_capath = "/etc/ssl/certs";

suspend to disk with encrypted root file system on lvm

July 13th, 2009 by

Suspend to disk, a.k.a. hibernation, doesn’t quite work when running openSUSE with an encrypted root file system and swap on LUKS on LVM, as set up with Ludwig Nussel’s instructions. The system is not able to resume from the swap area, because the initial ramdisk opens the LVM volumes before the LUKS device. Only the root logical volume is open at that time, not the swap volume, so a regular boot follows.

Here are the mkinitrd boot scripts (or their symlinks, rather) in question:

$ ls -1 /lib/mkinitrd/boot

Until all this is properly supported, here is a work-around: make the lvm2 initrd boot script depend on the luks one*.

Edit /lib/mkinitrd/scripts/boot-lvm2.sh (this is what 61-lvm2.sh points to) and change the third line from

#%depends: evms

to

#%depends: evms luks

Recreate the initrd, keeping a backup of the current one:

$ cp -iv /boot/initrd /boot/initrd.backup
$ mkinitrd

You will notice that the symlinks were renamed now:

Now try suspending to disk; you should be prompted for your LUKS passphrase, and resume from disk should work.

$ s2disk

*This of course assumes that you only have LVM devices inside LUKS, not the other way around. It’s not too hard to have both: simply duplicate and adjust the luks script and run one instance before and one after lvm.