Category Archives: English

Disk encryption in Linux (II): Easy encryption with EncFS

Sometimes you don’t want to encrypt all of your files. You just have some important data you’d like to keep protected, but your other files are not confidential at all and you don’t care if someone steals your Firefox bookmarks or your .procmailrc.

In those cases encrypting a whole disk or even a single partition might be too complicated (you don’t want to mess with partitions), or it could make your system too slow. There are other alternatives. A classical approach is to encrypt your important files using a tool like GnuPG. While this method works perfectly, it’s not the most convenient approach when you have, say, dozens of different files to encrypt.

EncFS is a cryptographic filesystem that transparently encrypts a whole directory tree. Data is always kept encrypted in a regular directory within an existing filesystem, and you have to mount that directory using EncFS in order to see its contents. Thus, once mounted, encrypted files can be accessed through this virtual filesystem just like any other file: you can edit, copy, rename and erase them just like you would do with any other file.

One of the main problems of EncFS is that each file stored maps to an encrypted file, so even though the file names and contents remain protected, anyone with access to your hard disk can see how many files you have, the directory structure, the metadata and even the approximate size of each file. If that’s not a problem for your needs, EncFS is a good piece of software and it’s very easy to install, set up and use.

Disk encryption in Linux (I): Introduction

This post is the first in a series dedicated to disk encryption in Linux-based operating systems, namely Debian GNU/Linux 3.1 (sarge), but all these tips should be useful for other systems too.

As portable mass storage devices (such as USB flash drives, external hard disks or even laptops) are becoming more and more popular there’s a growing need to keep all this data secure in case a device is stolen (of course to keep your files secure you should also back up them, but that’s a different subject I will not cover here).

Disk encryption is a complex issue: there are plenty of encryption algorithms and disk format standards. New systems appear each year and old ones become deprecated. All these systems vary in speed, complexity, security and even stability. To put things worse, most disk encryption systems are not compatible to each other and are usually limited to one specific operating system.

There’s a wikipedia article about disk encryption software that can serve as a quick overview of some of the most popular systems available.

In this series of posts I’ll write about some of the most basic forms of encryption to cover the usual needs. I’d like to note that I’m not writing about user programs that encrypt files manually, such as GnuPG or some ZIP compressors. I’ll just cover methods that encrypt filesystems on the fly, that is, once set up you don’t need to care when you change your data: it will be encrypted automatically as you write it to disk.

I hope you’ll find these articles useful. Comments and criticism are welcome.

The Last.fm player and radio stations

As some of you might already know, Last.fm is an online community based on musical tastes. You have to create an account (it’s free), install a plugin on your music player and your program will send statistics of the music you play in your computer to Last.fm.

Then you will be able to see what is the music you listen to the most, view recommendations, users with musical tastes similar to yours (called neighbours), create communities, blog, and many other things.

Besides this, Last.fm also offers personalized online radio. Using a free player downloadable from its website you can listen to many radio stations, including things like:

  • Music your neighbours listen to.
  • Music similar to a given artist/band.
  • Music recommended to you by Last.fm
  • Music tagged with a given tag.

The streaming quality is good (MP3 at 128kbps) and you can skip any track, and tell the player which songs you love the most and which songs you don’t want to hear anymore.

The player is very small and nice, and it is released under the GNU GPL license (you can access the Subversion repository too), so congratulations to the Last.fm people.

Besides the official player, a number of other compatible third-party players are out, such as Last Exit (GTK+) and Shell.FM (console). Recent versions of Amarok can also play Last.fm radios.

The official Last.fm player is available in Debian etch (testing). If you want to install it in a Debian sarge, you can use a backport. Just add 'deb http://www.backports.org/debian/ sarge-backports main' to your sources.list and run 'apt-get -t sarge-backports install lastfm'.

Acrobat Reader and the decimal comma problem

When printing a PDF file, Acrobat Reader creates a Postscript and sends it to the printer spooler (or, optionally to a file). Nothing new here, as it’s a common way for Unix programs to print files.

However, I found that under certain circumstances the Postscript file was corrupt: it could not be printed or opened with Ghostscript, because it showed instead an “undefined command” error.

Looking deeper into the problem I found that the corrupt file had its decimal numbers separated by a comma instead of a dot. The comma is the decimal separator in many locales, but decimal numbers in Postscript files must be separated by a dot.

Investigating a bit more I found that this problem shows when the Postscript file uses vector primitives, and that’s why the problem appears to occur randomly.

So the problem is that Acrobat Reader relies incorrectly on the locale settings to create a Postscript file. This should be a trivial bug to fix, but as Acrobat Reader is closed software you have to live with it if you want to use this software (fortunately free PDF readers are constantly improving).

There’s a quick workaround, however. As /usr/bin/acroread is really a shell script that lauches the real binary, you can add a export LC_NUMERIC=C at the beginning of the file and solve the problem. This bug is already fixed in some unofficial Debian packages.

Hope it helps.

User-mode Linux and skas0

User-mode Linux (UML) is a port of Linux to its own system call interface. In short, it’s a system that allows to run Linux inside Linux.

UML is integrated in the standard Linux tree, so it’s possible to compile an UML kernel from any recent kernel sources (using ‘make ARCH=um‘).

Traditionally, UML had a working mode which was both slow and insecure, as each process inside the UML had write access to the kernel data. This mode is known as Tracing Thread (tt mode).

A new mode was added in order to solve those issues. It was called skas (for Separate Kernel Address Space). Now the UML kernel was totally inaccessible to UML processes, resulting in a far more secure environment. In skas mode the system ran noticeably faster too.

To enable skas mode the host kernel had to be patched. As of September 2006, the latest version of the patch is called skas3. The patch is small but hasn’t been merged in the standard Linux tree. The official UML site has a page about skas mode that explains all these issues more thoroughly.

However, by July 2005 a new mode was added to UML in Linux 2.6.13 called skas0 (which, for some reason, isn’t explained in the above page). This new mode is very close to skas3: it provides the same security model and most of its speed gains. The main difference is that you don’t need to patch the host kernel, so you can use a skas-enabled UML in your Linux system without having to mess with the host kernel. The patch is explained in the 2.6.13 changelog or in this article.

A skas0-enabled kernel boots like this:

Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Checking advanced syscall emulation patch for ptrace...OK
Checking for tmpfs mount on /dev/shm...OK
Checking PROT_EXEC mmap in /dev/shm/...OK
Checking for the skas3 patch in the host:
  - /proc/mm...not found  
  - PTRACE_FAULTINFO...not found
  - PTRACE_LDT...not found
UML running in SKAS0 mode 
...

mpg123 is back!

After several years of halted development, the classical mp3 player mpg123 is back. Original author Michael Hipp stopped working on it around year 2000, but now Thomas Orgis has continued its development and finally the first beta releases from the new version are out!

mpg123 was one of the first mp3 players for Unix systems, and it was famous for its low CPU requirements. Even nowadays it’s probably the most resource-efficient mp3 player available. The core of mpg123 was also used for mp3 decoding in many other programs, such as XMMS.

Last but not least, mpg123 is licensed under the LGPL. This is good news, since older versions of this software had a non-free open-source license (well, this is actually not news as the license changed some years ago during the development hiatus, but AFAIK this is the first version released as free software).

It’s good to see old friends back again 😉

Won’t you miss me?

Syd Barrett

It’s awfully considerate of you to think of me here
And I’m most obliged to you for making it clear
That I’m not here

And I never knew the moon could be so big
And I never knew the moon could be so blue
And I’m grateful that you threw away my old shoes
And brought me here instead dressed in red

And I’m wondering who could be writing this song

I don’t care if the sun don’t shine
And I don’t care if nothing is mine
And I don’t care if I’m nervous with you
I’ll do my loving in the Winter

And the sea isn’t green
And I love the Queen
And what exactly is a dream?
And what exactly is a joke?

Syd Barrett (06/Jan/1946 – 07/Jul/2006)

An effervescing elephant …

Open source software keeps going strong! Elephants Dream is a short film (about 11 min.) made with open source software and freely available for everyone!

Elephants Dream is the world’s first open movie, made entirely with open source graphics software such as Blender, and with all production files freely available to use however you please, under a Creative Commons license.

Congratulations to all the authors!!

Hotswapping code in Java

A nice feature present in the latest JVM versions is the ability to hotswap a class: that is, to modify a class from a running application without having to restart it. This obviously helps to speed up the development process.

Eclipse takes advantage of this feature (it’s called Hot code replacement), and its users claim that it’s one of the best reasons to use this IDE. However, as it’s really a feature of the JVM, you can use it too without needing to use Eclipse at all. For example, Netbeans has it too, and it’s named Apply code changes.

But what happens if you don’t use an IDE with this feature? No problem. David Kavanagh has written a Hotswap task for Ant, so you can replace your running code from the command line and benefit from this feature from within Emacs or whatever editor you like.

Good hotswapping!