Skip to content

Instantly share code, notes, and snippets.


Daniel Davidson da-n

  • Bath, UK
View GitHub Profile
da-n / gist:1992eb0f9e8e231f59f2b56a9ad92563
Created Jan 28, 2020
Creating Self-Signed SSL Certificate
View gist:1992eb0f9e8e231f59f2b56a9ad92563
openssl req -newkey rsa:4096 \
-x509 \
-sha256 \
-days 3650 \
-nodes \
-out example.crt \
-keyout example.key
da-n / Create encrypted
Created Aug 25, 2019
Create encrypted Zpool
View Create encrypted

Create encrypted Zpool

zpool create -o ashift=12 storage raidz2 /dev/sda /dev/sdb /dev/sdc
zpool set feature@encryption=enabled storage
zfs create -o encryption=on -o keyformat=raw -o keylocation=file:///root/storage-data.zfskey storage/data
da-n / Create a LUKS encrypted
Created Aug 25, 2019
Create a LUKS encrypted volume
View Create a LUKS encrypted

Create a LUKS encrypted volume

sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda1
sudo cryptsetup open --type luks /dev/sda1 backup
sudo mkfs.ext4 /dev/mapper/backup
sudo mount -t ext4 /dev/mapper/backup /mnt/backup
sudo umount /mnt/backup
da-n / gist:f906ca5a7e2a9c5fa7e29883b80a3be9
Created Aug 24, 2019
Unlock rootfs via SSH login in initramfs
View gist:f906ca5a7e2a9c5fa7e29883b80a3be9

unlocking rootfs via ssh login in initramfs

You can unlock your rootfs on bootup from remote, using ssh to log in to the booting system while it's running with the initramfs mounted.


For remote unlocking to work, the following packages have to be installed before building the initramfs: dropbear busybox

The file /etc/initramfs-tools/initramfs.conf holds the configuration options used when building the initramfs. It should contain BUSYBOX=y (this is set as the default when the busybox package is installed) to have busybox installed into the initramfs, and should not contain DROPBEAR=n, which would disable installation of dropbear to initramfs. If set to DROPBEAR=y, dropbear will be installed in any case; if DROPBEAR isn't set at all, then dropbear will only be installed in case of an existing cryptroot setup.

da-n /
Created Aug 24, 2019
Unlock LUKS full disk with USB stick

Configuration for passwordless root filesystem


The process of entering the passphrase at boot time will now be automated using an USB memory stick. Instead of using a passphrase , the secret key on the USB will decrypt the encrypted volumes. Connect an USB stick to the VM and locate it using the dmesg command. It is detected as /dev/sdb in my VM.

The secret key of 8192 random byte is extracted from the usb stick using the dd command.

dd if=/dev/sdb of=/root/secret.key bs=512 skip=4 count=16
View health_alarm_notify.conf
# slack ( global notification options
# multiple recipients can be given like this:
# enable/disable sending slack notifications
# Login to and create an incoming webhook. You need only one for all
da-n / zfs-load-key.service
Last active Aug 24, 2019
Import ZFS pool
View zfs-load-key.service
# This service will unlock all ZFS pools at boot time
# It should live in
# /etc/systemd/system/zfs-load-key.service
# Enable it with
# systemctl enable zfs-load-key.service
Description=Load encryption keys
View gist:7f233a62ad188e468e243bfb0626dc4b
# awcli needs to be installed with valid credentials and should be in PATH e.g. /home/USER/.local/bin
# ddns-route53 needs to be installed and should be in PATH e.g. /home/USER/.local/bin
# Add to crontab
*/5 * * * * PATH=$PATH:/home/USER/.local/bin /home/USER/.local/bin/ddns-route53 --zone-id XXXXXXXX --record-set >> /home/USER/ddns-route53.log 2>&1
da-n / gist:19001eba929ebb43d8d2fdda42b20a66
Last active Dec 13, 2017
Disable gnome keyring daemon components
View gist:19001eba929ebb43d8d2fdda42b20a66

Keybase proof

I hereby claim:

  • I am da-n on github.
  • I am da_n ( on keybase.
  • I have a public key ASBzedy5JCcCqHuCikt7AetYj9_IjmnW_-h3ftKFk-vqlQo

To claim this, I am signing this object:

You can’t perform that action at this time.