Categories
DNSSEC Linux OpenDNSSEC SoftHSM

Change SoftHSM SO / USER Pin

To change the SoftHSM cryptographic store User / SO PIN, assuming that you already know the existing PIN:
SO pin:
pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --login --login-type so --change-pin
User pin:
pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --login --login-type user --change-pin
* replace the --module value with the path to libsofthsm2.so

For a different slot add --slot <slot_id>; you can list the slot IDs with: softhsm2-util --show-slots

Categories
Linux

install 2to3 redhat 8

2to3 is provided by platform-python-devel in Red Hat / CentOS 8

yum install platform-python-devel

Categories
Linux Subversion Version Control

svn checkout / update with custom key

SVN_SSH="ssh -i <path_to_key>" <svn_command>

for example:
SVN_SSH="ssh -i id_ecdsa_foobar" svn up

Categories
MAC OS X

MAC OS X re-index spotlight search

It is really annoying when Spotlight does not return the right search results. To re-index, run the following commands in a terminal as root.
sudo -s
mdutil -a -i off
launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
mdutil -a -i on

Categories
Encryption file system Information Security Linux Linux Mint ubuntu

Encrypt secondary disk – Linux

To set up an encrypted volume you need to back up the data first and restore it after the encryption is set up.

rsync -Pav <source/> <backup_destination/>

Once the backup is complete, install cryptsetup
sudo apt install cryptsetup

Create the encrypted partition
sudo cryptsetup --verbose --verify-passphrase luksFormat <device_name>
Provide the passphrase when prompted; you can use fdisk -l to find the correct device.

Open the encrypted device
sudo cryptsetup luksOpen /dev/vdb1 vdb1 # the device name was vdb1 in my case
This will prompt for the passphrase to open the device.

Create the required file system
mkfs.ext4 /dev/mapper/vdb1

You can remove the ext4 reserved-blocks percentage if it is not required
tune2fs -m 0 /dev/mapper/vdb1

Create mount directory
mkdir /mnt/secondary

Mount the device
mount /dev/mapper/vdb1 /mnt/secondary
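The steps above as one script, added here as an example (it is not from the original post). It passes the partition, mapper name and mount point as arguments, refuses to format anything that is not a /dev path, is not a block device or is mounted, and keeps a copy of the LUKS header before the disk goes into use; DRY_RUN=1 (the default) only prints the commands, DRY_RUN=0 runs them as root. The header backup path is a constructed example.

```bash
#!/bin/sh
# Added example (not from the original post): the LUKS steps above as one
# script with a safety check and a header backup. Assumptions: the target
# partition, mapper name and mount point are passed as arguments; DRY_RUN=1
# (the default) only prints the commands, DRY_RUN=0 runs them as root.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# luksFormat destroys whatever is on the device, so refuse anything that is
# not a /dev path and, when really running, anything that is not a block
# device or is currently mounted.
check_target() {
  case "$1" in
    /dev/*) ;;
    *) echo "refusing: $1 is not a /dev path" >&2; return 1 ;;
  esac
  if [ "$DRY_RUN" != "1" ]; then
    [ -b "$1" ] || { echo "refusing: $1 is not a block device" >&2; return 1; }
    if findmnt -rn -S "$1" >/dev/null 2>&1; then
      echo "refusing: $1 is mounted" >&2; return 1
    fi
  fi
}

# usage: encrypt_secondary <partition> <mapper_name> <mount_point>
encrypt_secondary() {
  dev="$1"; name="$2"; mnt="$3"
  header_backup="/root/$name.luks-header"   # constructed path, adjust as needed
  check_target "$dev"
  run cryptsetup --verbose --verify-passphrase luksFormat "$dev"
  # Without an intact LUKS header the data cannot be decrypted even with the
  # right passphrase, so keep an offline copy before the disk is put to use.
  run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$header_backup"
  run cryptsetup luksOpen "$dev" "$name"
  run mkfs.ext4 "/dev/mapper/$name"
  run tune2fs -m 0 "/dev/mapper/$name"    # optional: drop the root reservation
  run mkdir -p "$mnt"
  run mount "/dev/mapper/$name" "$mnt"
}

# The post's layout: the second disk's first partition was /dev/vdb1.
encrypt_secondary /dev/vdb1 vdb1 /mnt/secondary
```

Run it once with the default DRY_RUN=1 to review the exact commands for your device, then with DRY_RUN=0 as root. Store the header backup somewhere other than the encrypted disk itself.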

Categories
git Linux MAC OS X

git switch to branch without merge on local repo

To switch from master to a branch, or from one branch to another, without merging.

$ git branch
* master

$ git fetch origin <new_branch>

$ git checkout <new_branch>
Branch new_branch set up to track remote branch new_branch from origin.
Switched to a new branch 'new_branch'

$ git pull

$ git branch
* new_branch
master

Categories
git Linux MAC OS X

git # move directory or file

Move or rename a file, a directory, or a symlink

# clone the repo
git clone <repo-url>
git mv <source_file_or_directory> <destination>
git status # will show the change details
git commit -am "comment_for_the_change"
git push # push changes to repo

Categories
BIND DNSSEC Linux

DNSSEC with BIND 9.10 and native PKCS#11

DNSSEC with BIND and native PKCS#11 support (BIND & SoftHSM)

BIND 9.10.0-P1 supports a native PKCS#11 mode instead of the OpenSSL-based PKCS#11. You can either compile it yourself with
./configure --enable-native-pkcs11 --with-pkcs11=<provider-library-path>
or install prebuilt packages.

At the time of writing, Fedora 23 ships bind-9.10.3-7.P2 and SoftHSM (a software-based HSM).

SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface

Install the required packages

# dnf install bind-chroot bind-pkcs11 softhsm bind-pkcs11-utils

bind-chroot-32:9.10.3-7.P2.fc23.x86_64
bind-pkcs11-9.10.3-7.P2.fc23.x86_64
softhsm-2.0.0rc1-3.fc23.x86_64
bind-pkcs11-utils-9.10.3-7.P2.fc23.x86_64

Initialize a SoftHSM token
# softhsm2-util --init-token 0 --slot 0 --label softhsm
Enter the SO (security officer) PIN and the user PIN when prompted.

Generate the keys (Key Signing Key and Zone Signing Key)

Choose the algorithm and key size according to your requirements.
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_ksk
Enter Pin:
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_zsk
Enter Pin:

# pkcs11-list
Enter Pin:
object[0]: handle 2 class 2 label[12] 'sample_ksk' id[0]
object[1]: handle 3 class 2 label[12] 'sample_ksk' id[0]
object[2]: handle 4 class 3 label[12] 'sample_zsk' id[0]
object[3]: handle 5 class 3 label[12] 'sample_zsk' id[0]

Create a pair of BIND9 key files using the dnssec-keyfromlabel-pkcs11 utility; since we are using the PKCS#11 backend, the label must be in PKCS#11 URI format. I don't know how safe it is to store the PIN on the file system, but we do have to create a text file with the HSM PIN. I'm not sure whether dnssec-keyfromlabel can prompt for the PIN.

# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -f KSK -l 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' example.com
Kexample.com.+005+46938.key
# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -l 'pkcs11:object=sample_zsk;pin-source=/etc/token_pin' example.com
Kexample.com.+005+46939.key

The resulting files can be used to sign the zone, as per the BIND documentation – “Unlike the normal K* files, which contain both public and private key data, these files will contain only the public key data, plus an identifier for the private key which remains stored within the HSM. Signing with the private key takes place inside the HSM.”

Include the keys in the zone file, or specify the key path in the named configuration.

# single quotes: in double quotes the shell would expand $INCLUDE to an empty string
echo '$INCLUDE Kexample.com.+005+46938.key' >> example.com.zone
echo '$INCLUDE Kexample.com.+005+46939.key' >> example.com.zone

Signing the zones
# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked

# head example.com.signed
; File written on Mon Jan 18 16:02:19 2016
; dnssec_signzone version 9.10.3-P2-RedHat-9.10.3-7.P2.fc23
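The key-import and signing steps above as one script, added here as an example; it is not from the original post, nor from BIND or SoftHSM. It builds the pkcs11: URIs used above, refuses a pin-source file that other users can read (the PIN's file mode and owner are the only protection it has on disk), and lets dnssec-signzone pick the key files up from the key directory with -S/-K instead of the $INCLUDE lines. The labels, zone and pin file path are the post's; the key directory /etc/named/keys is an assumption. DRY_RUN=1 (the default) prints the commands, DRY_RUN=0 runs them.

```bash
#!/bin/sh
# Added example, not from the original post nor from BIND or SoftHSM.
# Assumptions: labels, zone and pin file as in the post; the key directory
# /etc/named/keys is made up here. DRY_RUN=1 (default) prints the commands,
# DRY_RUN=0 runs them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The PIN sits in a plain text file, so its mode is what protects it:
# accept 0400 or 0600 only (GNU stat; Linux).
check_pin_file() {
  mode=$(stat -c '%a' "$1")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "refusing: $1 has mode $mode, expected 0400 or 0600" >&2; return 1 ;;
  esac
}

# pkcs11_uri <label> <pin_file>: the URI form dnssec-keyfromlabel expects.
pkcs11_uri() {
  printf 'pkcs11:object=%s;pin-source=%s' "$1" "$2"
}

# sign_zone <zone> <ksk_label> <zsk_label> <pin_file> <key_dir>
# Expects the zone file to be named <zone>.zone, as in the post.
sign_zone() {
  zone="$1"; ksk="$2"; zsk="$3"; pin_file="$4"; key_dir="$5"
  [ "$DRY_RUN" = "1" ] || check_pin_file "$pin_file"
  run dnssec-keyfromlabel-pkcs11 -K "$key_dir" -a RSASHA256 -f KSK \
      -l "$(pkcs11_uri "$ksk" "$pin_file")" "$zone"
  run dnssec-keyfromlabel-pkcs11 -K "$key_dir" -a RSASHA256 \
      -l "$(pkcs11_uri "$zsk" "$pin_file")" "$zone"
  # -S (smart signing) reads the K*.key files from -K itself, so the
  # $INCLUDE lines from the post are not needed.
  run dnssec-signzone-pkcs11 -S -K "$key_dir" -o "$zone" "$zone.zone"
}

sign_zone example.com sample_ksk sample_zsk /etc/token_pin /etc/named/keys
```

Create the pin file with a restrictive umask (umask 077) and make it owned by the user named runs as; check_pin_file then passes and nobody else on the host can read the HSM PIN.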

Reference: BIND 9 Administrator Reference Manual
https://ftp.isc.org/isc/bind/cur/9.10/doc/arm/Bv9ARM.ch04.html
SoftHSM documentation