Backing up encrypted and compressed VM snapshot to Azure Cloud

For some time now I have been thinking about a good backup solution for our root server. We are running our two hard drives in RAID0 mode, which means they are striped rather than mirrored, so we can use the complete 5TB of space. In this setup, complete data loss is a realistic risk: if either of the two drives fails, everything on the array is lost.
One way to address this is a remote backup of the individual VM images. Using LVM, it is possible to take a snapshot of a running virtual machine's volume, so we can safely compress and transfer the image in a consistent state.
Since my home server doesn't have enough space to store the backup, I was looking for cheap "cloud storage". Besides Amazon AWS there is also Microsoft Azure. The price per gigabyte is quite good for a low-latency, low-redundancy option. To register at Azure you'll need a valid credit card. After that, you can test the service in trial mode for free.

Create backup

Transferring large files to Azure is a bit tricky. I had difficulties using the official client software called azcopy. I found another version of this tool, a not yet released preview: azcopy-v10. Using this version, I was able to copy bigger files of 500 GB+ successfully. I created an AUR package, so it is easy to install on ArchLinux.
Together with LVM and GnuPG, I combined several commands so that I could compress, encrypt and transfer the VM snapshot in a single step :D Assuming the active image you want to back up is called "mail" and resides in the volume group "vg0", you can create a snapshot with this command:
lvcreate -s -n mail_snap -L 20G /dev/vg0/mail

Install azcopy-v10 and start the transfer:
pacaur -S azcopy-v10
pv -cN source /dev/vg0/mail_snap | gpg --batch --passphrase "my_secret_password" --symmetric --compress-algo zlib | azcopy cp "https://myaccount.blob.core.windows.net/mycontainer/mail_$(date +"%Y-%m-%d").img.gpg?sas"

This is what the command does:

  • With the command pv, we pipe the contents of the snapshot to gpg and get an additional progress bar in our terminal.
  • GPG encrypts the snapshot with a passphrase which you'll have to define. Please note that this usage is considered unsafe, because you should never type or provide your passwords in plain text: a passphrase given on the command line ends up in your shell history and is visible to other users in the process list. Please consult the gpg manual on how to set up asymmetric encryption for better security. Further, gpg uses zlib to compress the archive.
  • The last part of this chain is azcopy, which reads our encrypted and compressed data stream from STDIN. There you have to specify the URL of your storage account on Azure, the destination filename and the SAS token (a shared access signature, a time-limited key that grants access to the container). This information can be found in the Azure portal where you create your blob storage account.

(Screenshot: SAS token inside the Azure portal)

After the transfer is complete, you can remove the snapshot from LVM:
lvremove /dev/vg0/mail_snap
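The same pipeline as an added example script (my code, not the post's commands): the snapshot is removed on exit even if a stage fails, and the passphrase is read from a mode-0600 file instead of the command line. The passphrase path, the storage URL and the SAS value are placeholders you have to replace.

```shell
#!/bin/bash
# Added example, not the original post's command line: the same LVM snapshot,
# gpg and azcopy pipeline, but the passphrase is read from a mode-0600 file
# (a passphrase on the command line shows up in shell history and in `ps`),
# the pipeline fails if any stage fails, and the snapshot is removed on exit.
# Assumed values: the passphrase path, account, container and SAS placeholder.
set -eu

VG=${VG:-vg0}                     # volume group from the post
LV=${LV:-mail}                    # logical volume to back up
SNAP_SIZE=${SNAP_SIZE:-20G}       # copy-on-write space for the snapshot
PASS_FILE=${PASS_FILE:-/root/.vm-backup-passphrase}           # assumed path
AZ_BASE=${AZ_BASE:-https://myaccount.blob.core.windows.net/mycontainer}
SAS=${SAS:-'?sv=PLACEHOLDER_SAS_TOKEN'}                      # from the portal

# Accept the passphrase file only if it is a regular file with mode 0600.
check_passphrase_file() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# Blob name: <volume>_<YYYY-MM-DD>.img.gpg, matching the post's naming scheme.
blob_name() {
    printf '%s_%s.img.gpg' "$1" "$(date +%Y-%m-%d)"
}

# Always drop the snapshot, even when gpg or azcopy fail half way through.
remove_snapshot() {
    lvremove -f "/dev/$VG/${LV}_snap" >/dev/null 2>&1 || true
}

backup() {
    check_passphrase_file "$PASS_FILE" || {
        echo "$PASS_FILE: missing or not mode 0600" >&2; return 1; }
    command set -o pipefail 2>/dev/null || true   # bash: fail on any stage
    trap remove_snapshot EXIT
    lvcreate -s -n "${LV}_snap" -L "$SNAP_SIZE" "/dev/$VG/$LV"
    pv -cN source "/dev/$VG/${LV}_snap" \
      | gpg --batch --symmetric --compress-algo zlib \
            --pinentry-mode loopback --passphrase-file "$PASS_FILE" \
      | azcopy cp "$AZ_BASE/$(blob_name "$LV")$SAS"
}

# Run the backup only when explicitly asked: ./vm-backup.sh run
if [ "${1:-}" = run ]; then backup; fi
```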

Restore backup

To restore a backup, just use azcopy as well:
azcopy cp "https://myaccount.blob.core.windows.net/mycontainer/mail.img.gpg?sas" /mnt/playground.img.gpg
gpg -o /mnt/playground.img -d /mnt/playground.img.gpg

GPG will ask for the passphrase you specified before.

Auto-update Android apps with F-Droid & Yalp Store

I consider automatic updates of userland software an important and also convenient security feature, especially on mobile platforms. As far as I know, this is already the default behaviour on Android systems with the Google Play Store preinstalled.

Some time ago I switched from the Play Store to the open-source F-Droid market, which offers many good free and open-source apps as an alternative. Since I couldn't yet find a good replacement for Scout, Soundhound etc., I also used the open-source app Yalp Store to fetch these apps and their updates from Google without requiring Gapps or a Google account.

Usually third-party apps or installation files (APKs) can be installed without "rooting" the phone (acquiring superuser permissions). But you have to explicitly grant permission for every single installation or update. If you want to automate these steps, you have to install Yalp Store and F-Droid as system apps.

F-Droid Privileged Extension

Instead of installing the usual F-Droid APK, you can also flash F-Droid as a so-called "privileged extension". It comes as a zip file which you can obtain here. Put this zip file on your phone's storage and reboot into your phone's recovery mode. In my setup I was using the recovery app TWRP, which has to be installed manually on a rooted phone. Unfortunately, rooting a phone and installing a recovery app is a difficult step which I cannot cover here. If you already have TWRP or something similar installed, I recommend doing a full system backup before flashing anything. In recovery, select and install the F-Droid privileged extension zip file.
After rebooting back into Android, you have to change the following settings inside F-Droid to enable auto-updates:

  • Enable expert mode
  • Enable privileged extension
  • Enable auto-update, e.g. in an interval of every day
  • Automatically install apps in background

Yalp store auto-update

Yalp Store uses a different technique to obtain system permissions. It relies on a backend which, once accepted by the user, grants superuser (short "su") rights to Yalp Store. Instead of relying on closed-source third-party apps, I would recommend the official su addon provided by LineageOS since version 15.1. This "addonsu" zip file also has to be flashed from your recovery mode. Once installed, you have to enable root permissions for apps in the Android developer menu (see here how you can enable and access it).

In the Yalp store settings, you have to enable auto-update:

  • Installation method: Use root permissions
  • Enable: Install apps as soon as download is finished
  • Search for updates: E.g. daily
  • Enable: Auto download available updates
  • Enable: Automatically install new updates (root)

I also activated the automatic whitelist feature so that auto-updates are only installed for apps managed by Yalp store.

After that everything should work flawlessly and you should be notified when an app has been updated in the background.

Changelog

  • 26.07.18: Changed Yalp Store root method to the official su-addon of LineageOS 15.1
  • 20.05.18: Changed Yalp Store SuperSU dependency to the open-source alternative Superuser app.

Sandbox and torify Signal messenger on Linux

Most of the popular Linux distributions don't offer any sandboxing or anonymization capabilities out of the box, and it can be quite difficult to find a good solution. In this post I'm going to describe how I managed to sandbox the messenger app Signal and tunnel all its traffic through the anonymization network Tor.

All the tools you need are already in the Archlinux repositories:
pacaur -S firejail tor signal
Firejail is a wrapper around the sandboxing capabilities of the Linux kernel. It ships with profiles for various applications, including one for Signal.

To launch Signal in a sandboxed environment, just prepend the command firejail like this:
firejail signal-desktop
If you try to share files with someone, you'll notice that your local files aren't available to Signal anymore. One of the few "shared" real directories left is the Signal configuration directory in ~/.config/signal. All files in there are preserved, even after you close the sandbox. As a lazy workaround, I temporarily move files into this directory when I want to share them via Signal.

Isolating the sandbox from your local network and tunnelling all traffic through Tor is a bit more difficult. First of all, we have to create a virtual network bridge with its own subnet:

Somehow, assigning the IP address with the systemd network profile was not successful, so I additionally used this service file to set the address manually:

Now start and enable the services to make these changes persistent:
systemctl start systemd-networkd bridge-set-addr
systemctl enable systemd-networkd bridge-set-addr

We also need to enable IP forwarding for the tornet network bridge:

In the Tor configuration, we have to enable a local port to which we can route our internet traffic:

It is then useful to autostart Tor at boot time:
systemctl start tor
systemctl enable tor

Run the following iptables rules as root:
inet_interface=wlp3s0
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tornet -o ${inet_interface} -p tcp -j ACCEPT
iptables -A FORWARD -i tornet -o ${inet_interface} -p udp --dport=53 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o ${inet_interface} -j MASQUERADE
iptables -t nat -A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040
iptables -A INPUT -i tornet -p tcp --dport 9040 -j ACCEPT
iptables -A INPUT -i tornet -p udp --dport 5353 -j ACCEPT

And save the firewall rules to the main configuration file so they are restored at boot:
iptables-save > /etc/iptables/iptables.rules
systemctl start iptables
systemctl enable iptables
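As an added example (not part of the original post), a small audit of the saved rule set that checks for the rules this setup depends on and flags FORWARD rules that would let tornet traffic bypass the transparent proxy; it assumes the bridge name tornet and the subnet 10.100.100.0/24 used above.

```shell
#!/bin/sh
# Added example, not from the original post: check a saved rule set (the
# /etc/iptables/iptables.rules written above, or the output of iptables-save)
# for the rules the Tor-only bridge depends on, and flag FORWARD rules that
# would let tornet traffic bypass the transparent proxy. Assumes the bridge
# name "tornet" and the subnet 10.100.100.0/24 used in the post.

# audit_tornet_rules < dump: 0 if every required rule is present, else 1
# (each missing rule is reported on stderr). iptables-save writes the rules
# in normalised form, e.g. "--dport=53" becomes "-m udp --dport 53".
audit_tornet_rules() {
    dump=$(cat)
    missing=0
    for needle in \
        ':FORWARD DROP' \
        '-A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040' \
        '-A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353' \
        '-A POSTROUTING -s 10.100.100.0/24 -o ' \
        '-A INPUT -i tornet -p tcp -m tcp --dport 9040 -j ACCEPT' \
        '-A INPUT -i tornet -p udp -m udp --dport 5353 -j ACCEPT'
    do
        if ! printf '%s\n' "$dump" | grep -qF -- "$needle"; then
            echo "missing rule: $needle" >&2
            missing=1
        fi
    done
    return "$missing"
}

# bypass_rules < dump: print FORWARD rules for tornet that accept anything
# other than TCP or UDP port 53; such packets are never redirected to Tor.
bypass_rules() {
    grep -E '^-A FORWARD -i tornet .* -j ACCEPT' \
      | grep -vE -- '-p tcp -j ACCEPT$|-p udp -m udp --dport 53 -j ACCEPT$' || true
}
```

Note that DNAT to 127.0.0.1 from a bridge interface only works when net.ipv4.conf.tornet.route_localnet=1 is set; otherwise the kernel drops the redirected packets as martians.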

I also had to use the program ifplugd to prevent firejail from removing the IP address after closing the sandbox:
pacaur -S ifplugd
So ifplugd will always reassign an IP to the network bridge if you start the sandbox again:

Enable and start ifplugd:
systemctl start ifplugd@tornet
systemctl enable ifplugd@tornet

You can now run Signal sandboxed and in an isolated network where all traffic is going through Tor:
firejail --net=tornet signal-desktop
Signal won't have any connection if the Tor daemon isn't running or if Tor is blocked in your network. You can also use the program arm to check whether all traffic is going through Tor.

I’m not entirely sure if DNS queries are also anonymized in this setup but according to the original how-to by kargig this should also be the case.

It is important to note that this setup just adds an extra layer of security and anonymity to using Signal. If you strongly rely on anonymity, you should consider using Tails or SubgraphOS, as pointed out by the security researcher x0rz. His blog post also explains how to register Signal with a fake mobile number to use it pseudonymously.

Download an installation medium directly to your flash drive

For a long time I was looking for a more direct and faster method to set up my Linux installation medium on a USB flash drive. Usually one would download an ISO image and wait for it to finish before copying it to the drive. Both tasks can take some time, depending on your internet connection and USB speed.
If you do both at the same time, downloading and writing the image, you can save half the time. It took me a while to figure out that one of my favourite command-line download tools, Aria2, can do exactly this job. It downloads your file, supporting different protocols (sftp, https, bittorrent), and writes it directly to any block device.
Of course, not every installation image can be written directly and without modifications while still being bootable, but my favourite Linux distributions support this (e.g. ArchLinux, Ubuntu).
In this example, we're going to download the most recent Archlinux ISO using a BitTorrent magnet link (get the newest magnet link from here). Further, we select only the ISO file in the torrent and write it to our flash drive at /dev/sdc:
aria2c "magnet:?xt=urn:btih:2d3b3d65b369ba519292dd8ce420afe95120df1e&dn=archlinux-2018.01.01-x86_64.iso&tr=udp://tracker.archlinux.org:6969&tr=http://tracker.archlinux.org:6969/announce" --select-file=1 --index-out=1=sdc --dir /dev --allow-overwrite=true --file-allocation=none --save-session=/tmp/tmp.aria2
We can also download a "*.torrent" file to memory and start downloading its contents:
aria2c "http://torrent.ubuntu.com/xubuntu/releases/bionic/release/desktop/xubuntu-18.04-desktop-amd64.iso.torrent" --select-file=1 --index-out=1=sdc --dir /dev --allow-overwrite=true --file-allocation=none --save-session=/tmp/tmp.aria2 --follow-torrent=mem
Caution: Running this command as root is dangerous when you're unsure about the destination path of your block device. You could easily overwrite, for example, your system partition, brick your system or lose important data!
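As an added example (not from the post), a guard that checks the target before /dev is handed to aria2c as the output directory: it refuses fixed disks and devices with mounted partitions. The sysfs and mounts paths are parameters so the check can be tried against constructed directories, and write_iso_to_device is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not from the original post: a guard to run before handing a
# block device to aria2c --dir /dev --index-out=1=<dev>. It refuses fixed
# disks and devices with mounted partitions. The sysfs and mounts paths are
# parameters (defaults /sys/block and /proc/mounts) so the check can be
# exercised against constructed directories.

# check_target_device DEV [SYSFS_BLOCK] [MOUNTS]; DEV is a bare name like sdc.
check_target_device() {
    dev=$1; sysfs=${2:-/sys/block}; mounts=${3:-/proc/mounts}
    case $dev in
        ''|*/*) echo "give a bare device name such as sdc" >&2; return 1 ;;
    esac
    [ -d "$sysfs/$dev" ] || { echo "$dev: no such block device" >&2; return 1; }
    # The kernel flags USB sticks and SD cards as removable; fixed disks are 0.
    if [ "$(cat "$sysfs/$dev/removable" 2>/dev/null)" != 1 ]; then
        echo "$dev: not a removable device, refusing to overwrite it" >&2
        return 1
    fi
    # A mounted partition (sdc1, mmcblk0p1, ...) means the device is in use.
    if grep -q "^/dev/$dev[0-9p]* " "$mounts"; then
        echo "$dev: has mounted partitions, unmount them first" >&2
        return 1
    fi
    return 0
}

# write_iso_to_device DEV URL: the post's aria2c invocation behind the guard.
# URL is a magnet link or a .torrent URL (--follow-torrent=mem keeps the
# .torrent itself in memory instead of writing it next to the image).
write_iso_to_device() {
    check_target_device "$1" || return 1
    aria2c "$2" --select-file=1 --index-out=1="$1" --dir /dev \
        --allow-overwrite=true --file-allocation=none --follow-torrent=mem
}
```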

Aria2 will start downloading the installation medium and write it directly to your flash drive :) The cool thing is, as long as you keep Aria2 open and your flash drive inserted, the ISO is still seeded from your device.

Stopwatch module for py3status

Whenever you use a tiled window manager like Dwm, Awesome or i3 on your Linux desktop, you might also want to replace or modify the default behaviour of the status bar. Usually you'll display some common information like the date, battery level or information about your network connection.

Compared to the quasi-standard program i3status, you can also use py3status as an external program to generate the status bar text. It has even more modules you can use to display additional statistics or functions. One thing I was missing was the ability to easily track time, so I modified the included timer module and transformed it into a stopwatch.

You can run or pause the stopwatch with a left click and reset it with a right mouse click. That's all … very easy but also very useful ;) You can check out the source code here or just wait until the module is merged upstream.