One thing to consider regarding security: fully encrypting a vServer might seem… senseless, as the host operator can easily copy the whole memory of the VM while running and extract the key this way. True. There is no way around this fact. My reason for wanting a fully encrypted system is more of the way that I want to be sure that the data is encrypted on the storage system. I want to protect from being unable to ever fully wipe the persistent data from disk in case I cancel the VM, the VM gets moved to a new host, or a failed disk is sent in to the manufacturer. For me, this is a compromise I can accept. YMMV.

You can also try this HOWTO under VirtualBox with the System Rescue CD ISO images. Actually, that’s where I verified all steps are working.

So, let’s dive into the fun of the HOWTO. BEWARE! THIS TUTORIAL WILL WIPE ALL DATA ON YOUR VSERVER! I TAKE NO RESPONSIBILITY IF YOU LOSE DATA!  IT MIGHT ALSO NOT WORK FOR YOU. USE THIS AT YOUR OWN RISK!

The following steps will partition the disk, setup LVM and LUKS, install Ubuntu 12.04 and prepare the system for reboot. Most parts can be copied line-by-line. Please beware that there are some parts in this tutorial that needs to be adjusted: UUIDs of partitions, hostname, username, and most important: network setup.

The following steps were performed for my Hetzner VQ7 instance directly after ordering it:

1. Reboot into Rescue System.

2. Partition the disk using cfdiskd /dev/sda or fdisk /dev/sda, whichever you prefer.
You need two paritions, sda1 with about 256MB, which needs to be marked bootable and which later will be mounted as /boot and /dev/sda2 which should be the rest of the disk. This will be the LUKS container, which will then ultimately host the LVM with all other partitions.

3. Create LUKS container on /dev/sda2:

apt-get install cryptsetup

cryptsetup luksFormat /dev/sda2

At this point you need to confirm that you really want to wipe all data on /dev/sda2 and then enter your encryption password, twice. Use a secure password here! Your entire encryption depends on this password.

4. Open the LUKS container and initialize an LVM volume group on the decrypted partition:

cryptsetup luksOpen /dev/sda2 sda2_decrypt

vgcreate vg-encrypted /dev/mapper/sda2_decrypt

5. Create swap and root partitions in LVM and create file-systems:

lvcreate -L 2G -n swap vg-encrypted
lvcreate -L 10G -n root vg-encrypted

mkfs.ext2 /dev/sda1
mkswap /dev/vg-encrypted/swap
mkfs.ext4 /dev/vg-encrypted/root

I normally tend to only use the space I will likely need in short-term for root, as on LVM and with ext4 you can always re-size the file-system even while the file-system is mounted. Keeping unallocated space in the volume-group provides more flexibility, like being able to add other partitions on demand, or cool features like LVM snapshots which can be quite handy for doing crash-consistent backups of the host.

6. Record UUIDs of partitions
You will need them later on:

blkid /dev/sda1 /dev/sda2 /dev/vg-encrypted/root /dev/vg-enrypted/swap

This will output something similar to the following:

/dev/sda1: UUID="e789d69e-1a90-492d-8a1e-1f719a3b754e" TYPE="ext2"
/dev/sda2: UUID="f25ad69c-5c6e-4f35-b305-a8b193d58111" TYPE="crypto_LUKS"
/dev/vg-encrypted/root: UUID="d9f21bd7-508b-4404-916e-50fcc6b73f12" TYPE="ext4"
/dev/vg-encrypted/swap: UUID="e4c91de1-ad8d-4e05-9cee-2803d45840a2" TYPE="swap"

I will use this UUIDs for the rest of this HOWTO, be sure to replace them with your’s, wherever they are used below.

7. Mount target system for debootstrap

mkdir -p /mnt/ubuntu && \
mount /dev/vg-encrypted/root /mnt/ubuntu && \
mkdir /mnt/ubuntu/boot && \
mount /dev/sda1 /mnt/ubuntu/boot

8. Download and install debootstrap

cd
wget 'http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_1.0.42_all.deb' && \
ar x debootstrap_1.0.42_all.deb && \
cd / && \
tar xzf /root/data.tar.gz

This will download debootstrap 1.0.42 which can install Ubuntu 12.04 (Precise) and install it in root of the rescue system.

9. Bootstrap Ubuntu onto the target disk

debootstrap --arch amd64 precise /mnt/ubuntu

This will download and install the base packages for an Ubuntu 12.04 system and install it in /mnt/ubuntu, which is the root partition inside the encrypted LVM. This can take some time… Please also note that you need to bootstrap amd64 or the 32bit version, dependent of the rescue system you booted.

10. Mount / bind virtual filesystems and enter chroot

mount -t proc none /mnt/ubuntu/proc
mount -o bind /dev /mnt/ubuntu/dev
mount -o bind /sys /mnt/ubuntu/sys

cp /etc/resolv.conf /mnt/ubuntu/etc/

LANG=C chroot /mnt/ubuntu /bin/bash

11. Configure disks, network, and hostname
Attention! This are now sections that you MUST adapt for your system!

echo "
UUID=d9f21bd7-508b-4404-916e-50fcc6b73f12 / ext4 defaults,noatime 0 0
UUID=e789d69e-1a90-492d-8a1e-1f719a3b754e /boot ext2 defaults,relatime 0 1
UUID=e4c91de1-ad8d-4e05-9cee-2803d45840a2 none swap sw 0 0
proc /proc proc defaults 0 0
sys /sys sysfs defaults 0 0
" > /etc/fstab

echo MYHOSTNAME > /etc/hostname

echo "127.0.0.1 localhost
127.0.1.1 MYHOSTNAME
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
" > /etc/hosts

echo "# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.15.105
netmask 255.255.255.0
gateway 192.168.15.1
" > /etc/network/interfaces

11. Configure Ubuntu mirror
For Hetzner, you can use the following setup:

echo "# Packages and Updates from the Hetzner Ubuntu Mirror
deb ftp://mirror.hetzner.de/ubuntu/packages precise main restricted universe multiverse
deb ftp://mirror.hetzner.de/ubuntu/packages precise-updates main restricted universe multiverse
deb ftp://mirror.hetzner.de/ubuntu/security precise-security main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu precise main
deb-src http://archive.ubuntu.com/ubuntu precise main

deb http://security.ubuntu.com/ubuntu precise-security main
deb-src http://security.ubuntu.com/ubuntu precise-security main
" > /etc/apt/sources.list

12. Install essential packages (Kernel, OpenSSH, …)

dpkg-reconfigure tzdata

apt-get update
apt-get install aptitude openssh-server
apt-get install linux-image-generic
apt-get install cryptsetup lvm2

If you are asked where to install grub, chose /dev/sda.

13. Setup LUKS for boot

echo "# <target name> <source device> <key file> <options>
sda2_decrypt UUID=f25ad69c-5c6e-4f35-b305-a8b193d58111 none luks
" > /etc/crypttab
echo "dm-crypt" >> /etc/modules

echo "aes" >> /etc/initramfs-tools/modules
echo "aes_i586" >> /etc/initramfs-tools/modules
echo "aes_x86_64" >> /etc/initramfs-tools/modules
echo "aes_generic" >> /etc/initramfs-tools/modules
echo "dm-crypt" >> /etc/initramfs-tools/modules
echo "dm-mod" >> /etc/initramfs-tools/modules
echo "sha256" >> /etc/initramfs-tools/modules
echo "sha256_generic" >> /etc/initramfs-tools/modules
echo "lrw" >> /etc/initramfs-tools/modules
echo "xts" >> /etc/initramfs-tools/modules
echo "crypto_blkcipher" >> /etc/initramfs-tools/modules
echo "gf128mul" >> /etc/initramfs-tools/modules

update-initramfs -u -k all

13. Create a user

adduser myuser
addgroup --system admin
adduser myuser admin

14. Exit chroot, umount, and reboot
Basically we are done now. We can leave chroot, reboot the system.

When the server reboots, observe it in the console, you’ll need to enter the password anyways.

Known problems:

I have experienced that after the latest kernel update for some reasons the prompt for the password does no longer work. In this case I disabled quiet splash in /etc/default/grub.

I also currently am having an issue that the encrypted container is not recognized by the initramfs, so it falls to busybox. If I open the LUKS container there manually and scan for LVM, and then exit the busy box, boot resumes as it should.

cryptsetup luksOpen /dev/sda2 sda2_decrypt

lvm lvchange -a y

exit

Core of my setup is IRC. All my instant communication is mapped via IRC. Pretty old, but really well-working technology. Main reason here is that many of my friends and colleagues also communicate via IRC. I use irssi, which is a console client that can run within a screen session so it continues to run even when I am not in front of a terminal. The screen_away plugin takes care of setting the away status when screen is detached.

To connect my non-IRC services, I use BitlBee, which is an IRC proxy to connect to non-IRC protocols. BitlBee supports all my external protocols (ICQ & XMPP, that is). It also supports Skype via the fabulous bitlbee-skype plugin by Miklos Vajna. It requires a running Skype instance within a VNC server, though, but this is fine for me.

irssi is considered core of the setup, as it also provides the the irssi_proxy module, which enables other IRC clients to connect to this irssi instance, and when writing via this connection this is treated as if it has been entered directly into the irssi terminal. This mode is essential for my “centralized history / log file” requirement.

As connecting to the irssi_proxy module will only provide you with messages sent to you after you have connected, another layer is added: ZNC. I launch this IRC bouncer at the same machine as my irssi screen session. It connects to the irssi_proxy module and provides me with history if one of my external IRC clients connects, i.e. I am sent the history since the last time I connected to the ZNC.

My mobile devices connect to the ZNC bouncer via SSL whenever I decide to launch one of the clients. Due to my settings, I only get new messages. ZNC can be configured to send you the last n messages though, regardless where you last picked off, if you prefer that. But for me, it is primarily the “new” stuff that matters in communication (but this is of course personal taste).

On my iOS devices (iPhone, iPad) I use the Colloquy Mobile client. This is a clone of the GPL-ed Colloquy IRC client for OSX. In the App Store, it costs a few bucks, but I payed happily as this helps them in the development. There is a very nice plugin for ZNC, colloquypush, that enables push messages to Colloquy via Colloquy’s and Apple’s push servers. I have added a few patches to this open-source module, dealing with privacy (you can configure it to skip content of the messages when pushing) for sensitive communication channels (e.g. my work channel). Also I added an option that push messages are only sent while in away mode. This is where screen_away gets handy, as I only receive push messages when I am not attached to the screen session (or deliberately set myself to “away” mode in irssi). You can get colloquypush from the “official” maintainer’s github repository or mine (my “wip” branch is a few commits behind, as I am working on the Android improvements at the moment, see below).

On Android I use AndChat, which is a free (as in beer) client, but not open-source. Unfortunately there is no push functionality available at the moment, but I am working on an extension of the ZNC colloquypush module to work with a notification app I am currently developing (no estimated time of arrival, if ever).

For me, the setup provides the following benefits:

• Centralized approach with a single client which is “always on”.
• Single location for all logfiles, so I can search them using standard Linux tools.
• irssi is ncurses and I love ncurses interfaces. I get nostalgic about the old terminals.
• I can easily connect from any computer via SSH and attach to the screen session.
• I can catch up while on the go via my mobile devices.
• I receive notifications if anyone of my friends demands my attention (at least on iOS).
• Native clients on the mobile devices, they simply feel smoother than connecting to an SSH session from your slow GPRS connection.

• The OSX-like positioning of the close, minimize and maximize buttons on the left instead of the right of the window.
• The fade-out (invisibility) of other windows when using Alt-Tab for tabbing through the available windows on the current desktop.

As I tend to forget and need to Google every time I encounter a newly setup 10.04 system, I now jot down the settings to change.

For changing the window buttons:

1. Start gconf-editor.
2. Find /apps/metacity/general/button_layout.
3. Change its value to menu:minimize,maximize,close.

For changing the opacity of inactive windows during Alt+Tab window switching:

1. Start gconf-editor.
2. Find /apps/compiz/plugins/staticswitcher/screen0/options/opacity.
3. Change it to any value you like, where 100 is fully visible and 0 is totally invisible.

git config --global alias.add-commit '!git add -A && git commit'

After this, you can simply check in all new, modified, and deleted files with a simple

git add-commit -m 'My commit message'

I have aliased this command also to git ac in order to save further on typing. I never thought that this combination could be that useful, but actually I think it really is. Thanks to the questioner for bringing the idea up.

After setting up the alignment according to some tutorials I found online, I started the setup process. Shortly after starting the copy step of the installation, the whole process came to a grinding halt with filesystem errors. Looking into the kernel debug messages it seemed like SATA commands were causing errors. After checking hardware, cables and switching SATA ports, I began researching the issue and soon found that the issue might be fixed in the next firmware version of the drive. So I wanted to upgrade from 1.23 to 1.24, which could only be done in Windows…

After installing a trial of Windows 7, I finally wanted to upgrade the firmware, but the drive was not detected, but was accessible. The release notes indicated that I would need to switch to AHCI mode. After several attempts, includig a BIOS update, I realized that there was no way to do this with my old hardware, as my nForce 430 chipset simply doesn’t support it.

So my only remaining option was to simply try the kernel arguments I read to be the fix for 1.24 with the 1.23 hardware.

So, if you add the following kernel option during installation and afterwards for every boot, the disk seems to work quite well (source):

libata.force=norst

Actually, this forces the ATA driver in Linux to not issue any reset commands on the bus. I really don’t understand why this improves/fixes the problem, but it seems the device has issues when being reset on my chipset. I can also notice this that in 2 out of 3 attempts if I reboot the PC the disk is not recognized any more before I reboot again.

Despite these issues, the SSD now runs with astonishing performance with the suggested 32 head / 32 sector alignment, and a 512kB partition alignment scheme. After an initial TRIM with hdparm‘s wiper.sh I enabled -o discard for my ext4 partition and could also verify using hdparm that this results in the sectors being trimmed. Please note, that you need to manually compile and install the latest hdparm version on Ubuntu 10.10, as the included version fails with the very long free block list and doesn’t handle splitting the sectors in multiple requests. The latest version doesn’t have this issue any more.

If you tend to forget the number of times you already reset the counter, you can easily check for yourself: simply run

slmgr -dlv

to get detailed licensing information, including the number of remaining re-arms and remaining grace time.

If you want to know when exactly your grace period runs out, use

slmgr -xpr

Note: This simply gives you more time, it won’t prevent you from having to buy and/or activate Windows. Re-arming is not a bug, it works as intended and is an important tool for use in corporate environments.

The telephone number you have to set is *99#, which should be provider-independent.

The following settings are for yesss.at only:
Username: web
Passwort: web

Remember to set the APN as part of the driver’s connection string in Window’s “Device Manager” as described in the PDF.

Again, for yesss.at this is: AT+CGDCONT=1,"IP","web.yesss.at"

For this to work properly, the SIM must not have a PIN set, as otherwise the SIM will be locked and the dialer cannot dial out. For me this is ok, as it is a pre-paid card which can hardly be abused if it gets stolen, but your situation might be different, so please consider the security implications. (I suspect that it should be possible to unlock the SIM card somehow using the AT+CPIN=1234 command, but I did not research how to separate several initialization strings, as it did not work immediately.)

The solution works quite well for me, even under Windows 7. Disadvantage is that there is no way to tell the signal strength and exact mode of operation (despite the color-coded status led on the Merlin U740).

This is the first time I am aware of actual knowledge/data-loss which will occur due to the shutdown of such a service.

Update: tr.im announced that they will stay in business, due to an overwhelming response. But still, the final shutdown of such a service sooner or latter can and will happen. And even worse would be the continuation of such a service where all the URLs would be redirected somewhere else…

Given the huge amount of information hidden behind such shortened URLs, and given the popularity and number of these links, especially nowadays on Twitter, these services could see themselves being under permanent siege of hackers/crackers. Being able to manipulate hundred of thousands if not even more vastly distributed and popular URLs to point to a given site could be used for both, generating (lots of?) ad-revenue, or as a new form of DDoS-attack.

At the moment there seems to be no way around using these services (especially with services like Twitter), but in the medium/long run a solution has to be found if we don’t want to lose lots of valuable information.

• Open the Control Panel
• Select “Programs”
• Select “Turn Windows features on or off”
• Scroll through the list, select “Telnet client”
• Press OK
• Wait (for surprisingly long)

That’s it, voila, the telnet client is now installed on your Windows Vista Non-Ultimate.