To change the SoftHSM cryptographic storage User / SO pin, assuming that you already know the existing pin.
SO pin:pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --login --login-type so --change-pin
User pin:pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --login --login-type user --change-pin
* replace the –module value with the path to libsofthsm2.so
for a different slot use --slot <slot_id> , you could get slot info from: softhsm2-util --show-slot
2to3 is provided by platform-python-devel in Redhat/CentOS 8yum install platform-python-devel
SVN_SSH="ssh -i <path_to_key>" <svn_command>
for example:SVN_SSH="ssh -i id_ecdsa_foobar" svn up
It is really annoying when spotlight does not return the right search results. To perform a re indexing execute following commands in terminal as root.sudo -s
mdutil -a -i off
launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
mdutil -a -i on
To set up cryptographic volumes, you need to back up the data first and restore data after the encryption is setup.rsync -Pav <source/> <backup_destination/>
Once the backup is completed, install cryptsetupsudo apt install cryptsetup
Create the encrypted partitionsudo cryptsetup --verbose --verify-passphrase luksFormat <device_name>
Provide passphrase once prompted, you could use fdisk -l to find the correct device.
Open the encrypted devicesudo cryptsetup luksOpen /dev/vdb1 vdb1 # the device name was vdb1 in my case
This will prompt the passphrase to open the device
Create the required file systemmkfs.ext4 /dev/mapper/vdb1
You could remove the ext4 reservation if not requiredtune2fs -m 0 /dev/mapper/vdb1
Create mount directorymkdir /mnt/secondary
Mount the devicemount /dev/mapper/vdb1 /mnt/secondary
To switch from master to a branch or branch to another without merge.git branchster
*ma$ git fetch origin <new_branch>
$ git checkout
Branch legacy set up to track remote branch legacy from origin.
Switched to a new branch ‘new_branch'
$ git pull
$ git branch* new_branch
master
Move or rename a file, a directory, or a symlink
# clone the repogit clone <repo-url>git mv <source_file_or_directory> <destination>git status # will show the change detailsgit commit -am "comment_for_the_change"git push # push changes to repo
DNSSEC with BIND and native PKCS#11 support (BIND & SoftHSM)
Bind 9.10.0-P1 supports the native PKCS#11 mode, instead of the openssl based PKCS#11. You can either compile it with (./configure --enable-native-pkcs11 \) or install prebuilt packages.
--with-pkcs11=provider-library-path
Upon writing this blog, Fedora 23, has built-in bind-9.10.3-7.P2 and SoftHSM (Software based HSM)
SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface
Install the required packages
# dnf install bind-chroot bind-pkcs11 softhsm bind-pkcs11-utils
bind-chroot-32:9.10.3-7.P2.fc23.x86_64
bind-pkcs11-9.10.3-7.P2.fc23.x86_64
softhsm-2.0.0rc1-3.fc23.x86_64
bind-pkcs11-utils-9.10.3-7.P2.fc23.x86_64
Initialize the SoftHSM repository
# softhsm2-util --init-token 0 --slot 0 --label softhsm
enter the user and security pin
Generate the keys (Key Signing Key and Zone Signing Key)
You may use the algorithm and key size depends on your requirement.
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_ksk
Enter Pin:
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_zsk
Enter Pin:
# pkcs11-list
Enter Pin:
object[0]: handle 2 class 2 label[12] 'sample_ksk' id[0]
object[1]: handle 3 class 2 label[12] 'sample_ksk' id[0]
object[2]: handle 4 class 3 label[12] 'sample_zsk' id[0]
object[3]: handle 5 class 3 label[12] 'sample_zsk' id[0]
Create a pair of BIND9 key files using dnssec-keyfromlabel-pkcs11 utility, since we are using pkcs#11 backend the label must be pkcs#11 uri format. Don’t know how safe it is to store the pin on the file system, but yes we have to create a text file with the HSM pin. Not sure if the dnssec-keyfromlabel can prompt for the pin.
# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -f KSK -l 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' example.com
Kexample.com.+005+46938.key
# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -l 'pkcs11:object=sample_zsk;pin-source=/etc/token_pin' example.com
Kexample.com.+005+46939.key
The resulting files can be used to sign the zone, as per the BIND documentation – “Unlike the normal K* files, which contain both public and private key data, these files will contain only the public key data, plus an identifier for the private key which remains stored within the HSM. Signing with the private key takes place inside the HSM.”
Include the keys in zone file or specify the key path on the named configuration.
echo "$INCLUDE Kexample.com.+005+46938.key" >> example.com.zone
echo "$INCLUDE Kexample.com.+005+46939.key" >> example.com.zone
Signing the zones
# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
# head example.com.signed
; File written on Mon Jan 18 16:02:19 2016
; dnssec_signzone version 9.10.3-P2-RedHat-9.10.3-7.P2.fc23
Reference: BIND 9 Administrator Reference Manual
https://ftp.isc.org/isc/bind/cur/9.10/doc/arm/Bv9ARM.ch04.html
SoftHSM documentation