paimonpagodeiro

Unlocking LUKS full disk encryption with a USB key

Use case

It is being used to boot up a headless system running debian12 (bookworm)

Prepare USB

Prepare a USB containing a file keyfile which contains a password to open the LUKS partition. The UUID of the USB will be used. In this example case it is 69A0-9BE4.

edit traefik.yml

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  dot: # <- ADD THIS
    address: ":853"  # <- ADD THIS

Setup Immich via Docker Compose with WAF, CDN, DDoS protection, no port forwarding and automated image resizing

In this guide, we are using the docker compose setup that is recommended by the Immich team. Once everything is configured and running in your local network, we can expand on it.

The first recommended step is to use Cloudflare Tunnel to make your local instance globally available. This is free and you benefit from the native DDoS protection, WAF and CDN from Cloudflare. The cloudflared daemon basically makes an outgoing connection to Cloudflare and makes the designed interfaces available on the internet, without granting access to undesired parts of the network.

Start off by creating a Cloudflare account, going into the "Zero Trust" portion of the account and add a new tunnel.

For directly installing Debian Sid not supported by the Debian installer, namely:

Single LUKS2 encrypted partition which contains the full installation
Single BTRFS filesystem (integrated home partition)
Encrypted swapfile in BTRFS subvolume (supports laptop suspend but not hibernate)
Uses systemd-boot bootloader (instead of Grub2, also optional rEFInd instructions)
Minimal Gnome install (plus instructions for any other DE you wish)
Proper user groups for common security tools like sudo-less Wireshark, etc...
Optional removal of crypto keys from RAM during laptop suspend
Optional configurations for laptops (including fingerprint readers)

How set up a server for YubiKey authentication

These steps were made for Ubuntu 20.04 LTS and tested with a Yubikey 5 NFC.

Based on:

Steps

Simple guide for fulldisk encryption with Proxmox and ZFS native encryption

Install normally using the installer, after the setup reboot into recovery mode (from the USB stick). Make sure to install in UEFI mode (you need systemd-boot).

If the USB stick is not working for you, because of the old Kernel version (2.6.x), you can also use an Ubuntu 19.10 / 20.04 boot stick. ZFS suport is enabled there out of the box.

Steps:

PGP Bootable USB Flash Drive Creation and Operation

Create a bootable USB flash drive for generating and managing PGP keys. The keys will be generated and stored, encrypted, on the drive but then also transferred to Yubikeys for general use. Unless a Yubikey is lost or damaged, use of the flash drive should be extremely limited, if it is used at all.

A master certifying and signing (CS) key will be created, then sub-key signing (S), encrypting (E), and authenticating (A) keys will be created and signed by the C key. The C key will be archived with a password to the flash drive as well as transferred to a Yubikey 4. The SE&A sub keys will also be archived to the flash drive as part of the C key

	#!/bin/bash
	# Automatically compile and install FFMPEG with NVIDIA hardware acceleration on Debian
	# Based on https://www.tal.org/tutorials/ffmpeg_nvidia_encode
	# Verified working on Debian 10 and 11

	# Abort on error
	set -e

	suite=stable

	You're going to need a Google Developer's Account: https://console.developers.google.com/

	https://console.cloud.google.com/projectselector2/home/dashboard?authuser=2&organizationId=0&supportedpurview=project


	You'll need to know what you want your Portainer URL to be.

	Create a Project
	Enter a Project Name and click "Create"
	APIs & Services


	@media (prefers-color-scheme: dark) {
	:root {

	--main-bg: #000000;
	--dark-bg: #000000;
	--light-bg: #000000;

	--main-font: #FFFFFF;
	--light-font: #FFFFFF;