I do for work but not for my self hosting operation, I don’t think it makes sense at least in my case. My recommendation is not to use full disk encryption on a home server, but to encrypt specific directories as needed (I use fscrypt on an ext4 file system).
observantTrapezium
- 0 Posts
- 48 Comments
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • A developer in our team sent me a full presentation without using a slides tool. • English
2 · 2 months ago
I’ll check out sli.dev, I’ve been using Reveal.js for years now and highly recommend, I love how hugely customizable that is, but one issue for perfectionists is that it’s relatively hard to perfectly convert to a PDF, these days I use DeckTape that does a decent job. I used to be one of those nerds that used LaTeX (Beamer) but fell out of love with it.
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • Looking for expenses splitting software • English
10 · 2 months ago
Some time ago I tried Abrechnung and it was quite good actually.
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • When to switch to network storage • English
8 · 2 months ago
When you run out of local storage…
If you have a single node, external USB storage is 100% fine. Even if you have more machines, if you don’t actually need a massive amount of storage, you can share that external drive as NFS.
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • Idea for experiment: mail to fediverse? • English
1 · 2 months ago
Sounds doable, will need a bit of scripting, but I don’t really get the use case.
Arch on desktop since 2020, RH-flavoured on servers.
Used Kubuntu from 2012ish to 2020, distro-hopped in the decade before that.
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • Typing into the abyss - need a service • English
1 · 3 months ago
The fundamental difference between GPG encryption and encrypted partition is that of asymmetric vs. symmetric encryption. Whether you mount encrypted storage or decrypt a file with GPG, there’s some “effort” in putting in the passphrase and in both cases the system’s keyring is briefly aware of it and the plaintext is saved to memory (volatile, unless you have encrypted swap or other edge cases).
Asymmetric encryption is not normally used for personal stuff but mostly to exchange material with one party holding the private key, and the other having access to the public key (which is public). Of course you can act as both parties if you like. If you do, keep in mind:
- Asymmetric encryption algorithms may be vulnerable to quantum computing attacks in the coming years. There are quantum-resistant algorithms, but to my understanding they are not necessarily quantum-proof and could potentially be broken in the more distant future.
- If you do choose to use GPG, make sure that the plaintext never touches the disk, for example save it to `/dev/shm` before encryption.
- You can also protect your private key with a passphrase.
Personally I use Joplin. On the clients it’s secure because the database is saved on encrypted storage secured by my login phrase. On the server it’s secure by Joplin encrypting the files saved to WebDAV storage. Is it 100% safe? Probably not, but probably good enough to stop all but a nation-state level actor.
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • Caldav/carddav/webdav recommendations? • English
7 · 3 months ago
I use Baïkal for card and cal and Apache for webDAV, they provide all the features I need and were easy enough to set up, never tried alternatives.
observantTrapezium@lemmy.ca to Linux@lemmy.ml • GrapheneOS Foundation Never To Require ID or Other PII To Use GrapheneOS
9 · 3 months ago
I wonder how many countries’ laws every Linux distribution violates by existing (e.g. North Korea, Turkmenistan) but these bozos at Arch Linux 32 don’t proactively block.
observantTrapezium@lemmy.ca to Linux@lemmy.ml • GrapheneOS Foundation Never To Require ID or Other PII To Use GrapheneOS
40 · 3 months ago
That is the way. I just don’t understand open source projects that have no ties to regions where these dumb regulations exist blocking users from said region. Why is it your problem? If California (for example) wants to block your website, let it be their problem.
observantTrapezium@lemmy.ca to Technology@lemmy.world • Motorola confirms GrapheneOS support for a future phone, bringing over features • English
16 · 3 months ago
+1 for the headphone jack
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • Storing encryption keys for backup drives • English
1 · 4 months ago
Personally I don’t go with full disk encryption for backups. I use Borg that encrypts its repositories on a plain ext4 partition, and the key is saved in the config file (wrapped in passphrase of course). Obviously it just moved the problem of what to do with the passphrase… I also have Vaultwarden (with a separate backup mechanism).
observantTrapezium@lemmy.ca to Linux@lemmy.ml • Absolute disaster, RAT backdoored through WINE. Assistance with Docker
16 · 4 months ago
Hey, hope you are recovering from this ordeal. I attribute some of the oddities in your post to panicked writing, but it would be great if you can clarify these points:

> listed as .BRM for windows 6

What does that mean?

> As soon as they saw me, they wiped everything from my home folder, everything that wasn’t a base part of kde was gone

What do you mean base part of KDE? Did they delete more than just the home directory?

> because since they schroot, none of those processes were available to me to view

Why wouldn’t you be able to view processes running in schroot? Doesn’t it use the same pid namespace and use the same `/proc` as the init process?

> I went digging and found the schroot under /run/ I took a look at the properties and the env showed 128.7TB of storage

You wrote in a comment “that was the server farm rooted into me”. Why do you think that is the case?
Also, it’s not quite clear what the screenshots are meant to show. The first two are a list of files in your home directory, showing it’s not empty. So did they wipe everything or not? How are we supposed to know what those files are and what you expect should be there… And then the other screenshots are of you trying to recover files from the disk image.
I understand if you don’t, but do you actually have any evidence of an attack? Like cellphone video of the screen while you are seeing suspicious activity on Wireshark? I can definitely understand being more concerned with minimizing the damage once you realize files are being deleted than gathering evidence. But can you for example fish out that .dll file from the disk image?
observantTrapezium@lemmy.ca to Linux@lemmy.ml • Where is Linux not working well in your daily usage? Share your pain points as of 2026, so we can respectfully discuss
8 · 5 months ago
Had to think about it… The answer is nowhere. I built my digital life around Linux for 23 years.
observantTrapezium@lemmy.ca to Selfhosted@lemmy.world • Alternative to Gmail? I currently use my own domain for email, but i miss the priority inbox • English
2 · 5 months ago
I have elaborate Procmail rules that sort out the mail. It’s not a very modern solution and the syntax is quite horrible, but it works quite well.
I think that’s the issue. It’s `xhost +` if I remember correctly.
observantTrapezium@lemmy.ca to Linux@lemmy.ml • GNOME & Firefox Consider Disabling Middle Click Paste By Default: "An X11'ism...Dumpster Fire"
112 · 5 months ago
No, secondary clipboard Ctrl+v paste is a Windowsism
observantTrapezium@lemmy.ca to Technology@lemmy.world • Indian Government developed UPI app not allowing me to use the app w/o turning off Adguard. • English
5 · 5 months ago
It could also be that the app is looking at parameters other than the hash (which would probably be that of the certificate authority rather than the domain’s certificate), like the CN, which is potentially fakeable. You can also try to mess with the APK file, maybe find the strings associated with the certificate check and replace them. I won’t fault the app’s authors for making such a check though, MITM is so easy to do without certificate validation.
observantTrapezium@lemmy.ca to Linux@lemmy.ml • Linux is awesome at home, but aren't y'all forced to use Windows at work?
5 · 6 months ago
I use Linux on my work computer
I’m proud to be incompatible with Apple