@katrinafyi
katrinafyi / luks-tpm2-dracut-systemd-cryptenroll.md
Last active April 7, 2024 20:37
Setting up TPM2-backed encryption on LUKS with systemd-cryptenroll and dracut.

luks-tpm2-dracut-systemd-cryptenroll.md

This documents how to add a TPM2-backed key to an existing LUKS root partition, first done with EndeavourOS in June 2023. In particular, it covers the use of dracut (instead of mkinitcpio) and systemd-cryptenroll (instead of clevis). Previously, we used clevis, but this was slow to act while booting.

  1. Have a LUKS partition using LUKS2. If you're using LUKS1, this can be upgraded with sudo cryptsetup convert --type luks2 /dev/nvme. If you've previously used clevis, this may leave metadata which breaks the upgrade. This can be removed with sudo luksmeta nuke -d /dev/nvme.
  2. Add the tpm2-tss module to dracut by creating /etc/dracut.conf.d/tpm.conf with the following content:
@leesh3288
leesh3288 / vm2_3.9.19_sandbox_escape_1.md
Last active April 8, 2024 16:37
Sandbox Escape in vm2@3.9.19 via `Promise[@@species]`

Sandbox Escape in vm2@3.9.19 via Promise[@@species]

Summary

In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with the @@species accessor property, allowing attackers to escape the sandbox and run arbitrary code.

Proof of Concept

@xgp
xgp / openapi.yaml
Last active April 22, 2024 16:45
OpenAPI specification for Keycloak account API
openapi: 3.0.2
info:
title: Keycloak Account API
version: 20.0.3
description: |
Derived from the code at https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java
components:
securitySchemes:
access_token:
type: http
@utkuozdemir
utkuozdemir / migrate.sh
Created November 14, 2022 21:09
pv-migrate in a loop
#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'
PVCS=(
"src-kubeconfig1/src-ctx1/src-ns1/src-pvc1:dest-kubeconfig1/dest-ctx1/dest-ns1/dest-pvc1"
"src-kubeconfig2/src-ctx2/src-ns2/src-pvc2:dest-kubeconfig2/dest-ctx2/dest-ns2/dest-pvc2"
"src-kubeconfig3/src-ctx3/src-ns3/src-pvc3:dest-kubeconfig3/dest-ctx3/dest-ns3/dest-pvc3"
)
@zOrg1331
zOrg1331 / wireguard_layer2.md
Last active April 26, 2024 16:04
wireguard, wireguard layer 2, wireguard over TCP

Intro

This note describes how to connect two networks/devices/VMs over a public network using Wireguard with Layer 2 support (ARP, IPv6 link-local, etc.).

This can also be achieved using SSH and its "tap" tunnel; however, it does not provide the same level of latency and bandwidth as a full-blown VPN such as Wireguard.

In addition, this note describes how to tunnel Wireguard over a TCP connection. This may be of use if you encounter a firewall in between that, for instance, only lets you use TCP port 443.

Objective

@MaxXor
MaxXor / btrfs-guide.md
Last active May 2, 2024 20:08
Btrfs guide to set up a LUKS-encrypted btrfs raid volume with included maintenance & recovery guide

Encrypted Btrfs storage setup and maintenance guide

Initial setup with LUKS/dm-crypt

This example initial setup uses two devices, /dev/sdb and /dev/sdc, but can be applied to any number of devices by following the steps with additional devices.

Create keyfile:

dd bs=64 count=1 if=/dev/urandom of=/etc/cryptkey iflag=fullblock
chmod 600 /etc/cryptkey
@giannivh
giannivh / keycloak_impex.sh
Last active September 18, 2020 06:57 — forked from unguiculus/keycloak_impex.sh
Import/Export Keycloak Config running on Kubernetes
#!/usr/bin/env bash
set -e
set -u
set -o pipefail
show_help() {
cat << EOF
Usage: $(basename "$0") <options>
-h, --help Display help
@MawKKe
MawKKe / cryptsetup-with-luks2-and-integrity-demo.sh
Last active April 29, 2024 21:19
dm-crypt + dm-integrity + dm-raid = awesome!
#!/usr/bin/env bash
#
# Author: Markus (MawKKe) ekkwam@gmail.com
# Date: 2018-03-19
#
#
# What?
#
# Linux dm-crypt + dm-integrity + dm-raid (RAID1)
#
#!/bin/sh
libressl_version=libressl-2.5.1
libressl_archive=${libressl_version}.tar.gz
if [ -f ${libressl_archive} ]
then
:
else
wget -O ${libressl_archive} https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${libressl_archive}
@jkullick
jkullick / headless-luks-encrypted-ubuntu-server.md
Last active March 15, 2024 21:08
Headless LUKS encrypted Ubuntu Server on Hetzner
# stop active raid
mdadm --stop /dev/md[01]

# destroy partition table on hdds
dd if=/dev/zero of=/dev/sda bs=1M count=512
dd if=/dev/zero of=/dev/sdb bs=1M count=512

# create new partition table
sgdisk -og /dev/sda