<joepie91>
danderson: that board did have one very unexpectedly useful feature though
<joepie91>
you could dim the power LED from the BIOS
<joepie91>
turns out to be quite handy when your PC is also in the room you sleep in, and needs to run at night, and the power LED is one of those eye-searing blue LEDs
<joepie91>
danderson: anyway I just upgraded to AM4 :P
bqv has quit [Ping timeout: 260 seconds]
<joepie91>
glorious Ryzen 3900X
<joepie91>
... unfortunately the side panel of my PC is currently not attached, due to some minor unanticipated cooling issues...
<danderson>
hah
parsley936 has quit [Remote host closed the connection]
<danderson>
Noctua NH-D15 works well for a 3900x
<danderson>
just did a build like that for a friend
bqv has joined #nixos-chat
<ashkitten>
noctua nh-d15 works well for anything
<danderson>
when in doubt, bolt the largest radiator that physically fits without torquing the socket off the motherboard
<ashkitten>
danderson: it doesn't fit on my motherboard ;-;
<ashkitten>
gpu slot too close to the socket
<danderson>
:(
<danderson>
stoopid GPU slot
<ashkitten>
it barely fit on my previous motherboard, i had to have a slim piece of cardboard to keep the radiator from contacting the gpu
<joepie91>
danderson: yeaaaaah so I have a bit of an issue with the Noctua mount
<joepie91>
in that for whatever reason, Gigabyte didn't think to design for it
<joepie91>
so I can only mount Noctua coolers in the wrong orientation
<joepie91>
because there's some fucking caps in the way :(
<ashkitten>
i want to get a water cooler but i just have the stock cooler for now
drakonis_ has quit [Read error: Connection reset by peer]
drakonis2 has joined #nixos-chat
drakonis1 has quit [Ping timeout: 260 seconds]
<infinisil>
Oh great, youtube now shows recommendations even when you explicitly search for something..
peel has quit [Ping timeout: 240 seconds]
betawaffle has joined #nixos-chat
peel has joined #nixos-chat
<infinisil>
After like 10 search results, you can get a section "Related to your search"..
<infinisil>
And then after another 2 (?) normal search results I get a section "For you" with completely unrelated videos..??
<infinisil>
Who the hell pitched this
<samueldr>
tried it with a channel name and got results "specific" to the channel
<samueldr>
tried it with "some dummy search terms" and have search results AFAICT
liszt has joined #nixos-chat
<samueldr>
but at some point there's a thin and dim line
<samueldr>
+7 MORE
<Shados>
infinisil: yep. It keeps repeating the "for you" sections ad nauseam, and they're infuriatingly difficult to distinguish from the actual results.
<danderson>
lovesegfault: why do you have 10 keys, out of curiosity?
<lovesegfault>
I have different keys for different things
<lovesegfault>
GH, work, some remote builders, my own machines
<lovesegfault>
all have different keys
<danderson>
why though? They all end up being an identifier for you, and you'd carry them all in the same physical token if you could
<danderson>
(I'm not trying to be a jerk, genuinely trying to understand the threat model)
<bqv>
no single point of failure
<bqv>
it makes sense to me
<bqv>
i'm just too lazy to bother
<bqv>
cause then you'd have to -i ~/.ssh/blah everything
<bqv>
and not everything even supports that
<danderson>
I still don't follow. You carry all the keys together. A compromise of one ruins all of them
<danderson>
if it were separate keys, I'd get it, but I'm not seeing what you gain by having several different keypairs where the private portions are kept together
<bqv>
not necessarily - GH maybe you have on everything, but you won't e.g. have your personal machine keys on your work machine, nor your work keys on your phone, etc
<danderson>
the closest I can find is pseudonymization - you could plausibly deny that one stream of traffic for pubkey A was the same person as pubkey B
<danderson>
but that's a really narrow threat model
<danderson>
... but that only makes sense if the private keys aren't all kept in the same place. In which case yeah, makes complete sense
<energizer>
i have more than one github account, they each need a key
* cole-h
wants SoloKeys rev2 to hurry up and release already
* cole-h
can't wait for Q3-ish
<danderson>
ah yes, I forgot that dumb github limitation of one key, one user :(
<danderson>
cole-h: the solokey doesn't seem to use a secure processor?
<lovesegfault>
danderson: I only have my keys on one machine
<danderson>
I guess that's another variance in threat models, but afaict the microcontroller they use is at least vulnerable to glitching attacks
<lovesegfault>
and they all have different passwords
<danderson>
ah, gotcha. So you're effectively segmenting the access by password, I guess.
<lovesegfault>
Yeah, I also don't want to have a single fingerprint all servers see me by
<Shados>
bqv: You can use IdentityFile directives in ~/.ssh/config to specify per-host keys, which is how I deal with having a bunch of keys
<lovesegfault>
Shados: Yep, that plus IdentitiesOnly
<samueldr>
when I saw AMD I was excited, but no coreboot, and nvidia, and desktop package, that thing's not gonna sip power
drakonis2 has quit [Ping timeout: 264 seconds]
drakonis2 has joined #nixos-chat
<Ashy>
yeah
cole-h has quit [Ping timeout: 264 seconds]
cole-h has joined #nixos-chat
<cole-h>
danderson: I'm not well-versed (or at all-versed) in hardware; what is insecure about STM32L432 (I think that's what they're using in rev 1)? Is that solved by using LPC55S69 instead (which is what rev2 seems to be using)? (note that this is all jargon to me; I don't even know if these two alphanumeric strings are comparable)
<danderson>
they're not directly comparable, but they're googleable to get part numbers. The LPC part is a much more capable system.
<danderson>
however, neither are specifically security-hardened microcontrollers. They're both general purpose microcontrollers with some security features.
<danderson>
probably selected because they're cheap and readily available
<danderson>
mostly the only difference is how resistant they are to physical attacks, where you can attach an electronics lab to the chip basically
<danderson>
In particular, both parts are very likely vulnerable to power glitching, which is a technique where you deliberately cause a brown-out on the chip at a well timed moment, usually to trick the microcontroller into enabling its debug ports
<danderson>
(they're usually disabled at the factory for a production run, such that reenabling them wipes all internal storage to protect the firmware and any keys)
<danderson>
the general idea is that the state of the debug ports and debug features are stored in a chunk of non-volatile memory in the microcontroller. If you glitch the power at just the right time, you can force a mis-read of that memory
<danderson>
... which usually results in the debug ports getting enabled, at which point you can execute arbitrary code on the processor, dump its firmware, dump its internal storage (== the secret keys stored onboard)
<danderson>
there exist microcontrollers that are specifically designed for security critical applications (like credential storage), which are resistant to physical attacks like this
<danderson>
in particular for glitching attacks, a proper security processor will be monitoring all input power and clock rails for weirdness, and will force the system into a full reset if anything weird happens
<danderson>
some also have even more fancy stuff to limit their emissions (in particular, noise on the power rail can be a surprisingly good indicator of what a processor is up to)
<danderson>
or to self-destruct for even fancier attacks (iirc Google's Titan security chip has a conductive mesh embedded into the chip above the processor die, so that if you decap the chip with acid and try to connect microprobes to the die directly, you'll hit the detection grid and the chip will wipe its secrets)
<gchristensen>
afaik you can sometimes determine private keys via power-rail monitoring
<danderson>
yup, power analysis and power glitching are surprisingly powerful attacks against systems that haven't been explicitly designed to defend against them
<danderson>
anyway. That's the tradeoff the solokey folks are making. A security key that cannot resist physical attack is still very useful, depending on your threat model.
<danderson>
for most users, the major security upgrade from keys is that they can't be exfiltrated if your computer is compromised, because the dongle won't allow export of secret keys, and can require a physical presence test to execute signing ops
<danderson>
in other words, they're great at defending against drive-by malware attacks, and some kinds of targeted attacks
<cole-h>
...I should really have a threat model. Right now it's just "I want to be relatively well-protected." From what, I don't know.
<cole-h>
danderson++ Thanks for all that great information.
<{^_^}>
danderson was put on Santa's "nice" list
<cole-h>
lol
<gchristensen>
encrypt your disks, use a password manager for all your passwords, and use u2f or another 2fa where you can and you'll be in fairly good shape
<cole-h>
I'm 2/3 the way there
<energizer>
cole-h: i saw an argument recently that the standard starting point of "who am i trying to protect from" doesn't make much sense
drakonis2 has quit [Read error: Connection reset by peer]
<ldlework>
just beat the wife in some Mario Party 6 on NixOS :P
<energizer>
instead starting with "what assets am i trying to protect"
<ldlework>
"beat the wife" hmm
drakonis1 has joined #nixos-chat
<energizer>
does nixops deploy to multiple hosts concurrently?
<energizer>
or one at a time like morph
<cole-h>
I think it's sequential, at least just from having seen the logging
<gchristensen>
it is concurrent
<cole-h>
Oh, is it?
<cole-h>
Nice.
<cole-h>
Yep, I stand corrected -- re-checked logging and that does appear to be the case :D
<energizer>
cool
<ldlework>
Anyone know how to add new udev rules or whatever
<ldlework>
jtojnar: Are you familiar with rpcs3 and how to get the controllers working?
<DigitalKiwi>
so based on discussion the other day(?) do i not want a yubikey or do i lol
<DigitalKiwi>
why can't you have multiple ssh keys on one?
<DigitalKiwi>
and why is multiple gpg key so hard
<DigitalKiwi>
or was it multiple yubikey with same gpg key
<adisbladis>
DigitalKiwi: You can have multiple SSH keys one one
<adisbladis>
on one*
<adisbladis>
Just not with the openpgp applet
<srk>
DigitalKiwi: nitrokey or another gnuk based one instead of ubi
<DigitalKiwi>
do those support gpg
<adisbladis>
srk: Nitrokey is not using an enclave, right?
<srk>
adisbladis: no
<DigitalKiwi>
is that bad
<srk>
there are a few people trying to build something like atecc508 with openfpga toolchains but the attack vector moves to supply chain attacks :)
<adisbladis>
DigitalKiwi: I think that's unacceptable.
<srk>
it depends on your threat model :)
<adisbladis>
To me no enclave means it's no better than a stupid file on disk
<DigitalKiwi>
what about solokeys
<srk>
as danderson pointed out it's better than just storing your keys on disk as they can't be extracted *easily*
<DigitalKiwi>
adisbladis: what does not with the openpgp applet mean
<adisbladis>
DigitalKiwi: Speaking PKCS#11 to a Yubikey you can have many, many ssh keys
<adisbladis>
But you can only have a single gpg key
<adisbladis>
srk: Yeah, but with physical access to the key you can with relative ease extract a key
<DigitalKiwi>
oh
<DigitalKiwi>
so if i have multiple gpg key i need multiple yubikey?
<DigitalKiwi>
like i have one for github and one for other
<DigitalKiwi>
presumably email
<DigitalKiwi>
>.>
<adisbladis>
Iirc this comes down to the OpenPGP standard
<adisbladis>
DigitalKiwi: But why do you want this many keys?
<srk>
adisbladis: I wouldn't say it's easy, there are known flash readout protection attacks but afaik not for stm32l4, power analysis can be mitigated using constant time loops, glitching is not easy either
<adisbladis>
srk: Relative ease ;)
<adisbladis>
A hell of a lot easier than YKs enclave
<DigitalKiwi>
adisbladis: i'm not sure maybe i don't need them
<DigitalKiwi>
different email addresses?
<DigitalKiwi>
it's been a long time since i set it up :(
<adisbladis>
On the surface it's appealing, but I don't think it's worth the effort
<adisbladis>
DigitalKiwi: Just add additional emails to your key, that's fine.
<DigitalKiwi>
oh
<adisbladis>
Those bits are not stored on the hardware key anyway
<joepie91>
man, IRC layout in Riot is such a massive improvement
<adisbladis>
They are signed and pushed to a key server
<eyJhb>
joepie91: Riot as in Matrix?
<DigitalKiwi>
what happens if i need to use a key on a remote server
<joepie91>
eyJhb: yeah
<__monty__>
What's IRC layout?
<eyJhb>
Not sure if I should switch. I have been meaning to
<joepie91>
there's still plenty of visual bugs and awkward design bits, but it's still a massive improvement :P
<srk>
adisbladis: secure enclave might not be that secure either since you don't have sources :)
<adisbladis>
But to me the marketing around most "security keys" is pretty dishonest and the ones that don't have an enclave just gloss over it
<adisbladis>
Lalalala, nothing to see here
<srk>
:))
<adisbladis>
srk: These kind of things used to be my job, my view is very coloured by that.
<srk>
cool, I'm following embedded security a bit and it's not that bad compared to computers .. :D
<__monty__>
joepie91: I agree the density is nice for high volume chat.
<srk>
adisbladis: what were you working on?
<adisbladis>
srk: Enterprisey hardware security things for a blockchain startup (they got acquired by a huge enterprise later on)
<adisbladis>
Playing with expensive HSMs & phone enclaves a lot
<adisbladis>
There were enclaves everywhere as a matter of company policy
<srk>
interesting, I'm considering using atecc chips for IoT devices but I don't find them that appealing, especially documentation wise and you still can hook onto buses and sniff keys directly from there
<srk>
like xbox hax :)
<DigitalKiwi>
so is yubikey the only one with an enclave?
Jackneill has quit [Ping timeout: 256 seconds]
<clever>
adisbladis: I've been considering doing an rpi based enclave
<clever>
adisbladis: there appears to be hw support to protect certain registers/ram from access to non-secure VPU code
<clever>
it's similar to arm trustzone, but it only applies to the firmware side of things, outside the arm
viric has joined #nixos-chat
<viric>
Hello gamers.
<viric>
Today I remembered a game I played a lot and I wonder if anyone knows any package flavour of it: DROD
<joepie91>
viric: I can appreciate this passage on the site: "Yes, you can have all of the source code to the engine for our commercial products, DROD: King Dugan's Dungeon, DROD: Journey to Rooted Hold, DROD: The City Beneath, DROD: Gunthro and the Epic Blunder, DROD: The Second Sky, and DROD RPG: Tendry's Tale. You just can't have all the media, i.e. the levels, in-game writing, graphics, music, sound effects, and voice samples. I tell you this so you can be discouraged now instead of later, after you've downloaded one of the archives below and spent a few hours searching through the files."
<viric>
:)
Jackneill has joined #nixos-chat
<viric>
joepie91: I'd have to get the game files... well, we have doom forks as well.
rajivr has quit [Quit: Connection closed for inactivity]
rardiol has joined #nixos-chat
rardiol_ has joined #nixos-chat
rardiol has quit [Read error: Connection reset by peer]
armin_ has quit [Quit: Great minds discuss ideas. Average minds discuss events. Small minds discuss people.]
genevino has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis1 has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]
drakonis has quit [Ping timeout: 272 seconds]
evanjs has quit [Read error: Connection reset by peer]
evanjs has joined #nixos-chat
genevino has quit [Quit: Great minds discuss ideas. Average minds discuss events. Small minds discuss people.]
leah2 has quit [Ping timeout: 260 seconds]
drakonis has joined #nixos-chat
drakonis1 has quit [Ping timeout: 246 seconds]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 272 seconds]
leah2 has joined #nixos-chat
cole-h has joined #nixos-chat
<eyJhb>
Anyone else tired of Netflix calling it a "Netflix Original", when they just bought the rights to show the show, and then dubbed the audio?
<DigitalKiwi>
no, but i don't watch netflix
drakonis has joined #nixos-chat
<samueldr>
eyJhb: I don't think it's because they dubbed the audio, considering I have "acquired" english-language videos, originals from other networks, with a "netflix original" preface
<samueldr>
or maybe it is because they dubbed it for other languages, but they serve the preface anyway in english
<joepie91>
Netflix also does coops with broadcasting companies nowadays
<samueldr>
in the specific sample size of one (1) I have, it's an original for CBS All Access
<cransom>
fleabag had the 'original' tag even though it was made by the bbc. netflix coproduced, which probably just means they also sent them a check without doing much else.
<joepie91>
cransom: in fairness, that *is* more or less the model that made Netflix successful with its originals in the first place
<joepie91>
"sounds like a neat idea, here, have a pile of money, when will it be done?"
<joepie91>
hence all the oddball stuff in their collection
<eyJhb>
Guess I need to use passphrase and have it on my disk
<ldlework>
i like that quit message
<ldlework>
oops
<eyJhb>
What? -;p
<bqv>
what does it say?
<bqv>
(i have them off)
<pie_>
oh no you mean the time remaining scales linearly with elapsed time? :P
<samueldr>
however many years ago it was started
das_j has quit [Quit: killed]
ajs124 has quit [Quit: killed]
ajs124 has joined #nixos-chat
das_j has joined #nixos-chat
luc65r has joined #nixos-chat
iqubic has joined #nixos-chat
<eyJhb>
If any ZFS experts are here, then a solution to this - https://termbin.com/lpoc would be appreciated. src and dst are encrypted using the same key..
FRidh has quit [Quit: Konversation terminated!]
<gchristensen>
is zfs doing a raw send?
<elvishjerricco>
eyJhb: That's a known thing with encrypted datasets. You can't create an encrypted dataset and *then* receive into it, unlike unencrypted ones. No idea why. You'll have to make an encrypted parent dataset and let znapzend create the child dataset by setting the destination to an as-yet-uncreated dataset.
<elvishjerricco>
gchristensen: znapzend doesn't support -w. It only does unencrypted sends. So you have to trust your destination.
slack1256 has joined #nixos-chat
tokudan has quit [Remote host closed the connection]
tokudan has joined #nixos-chat
<eyJhb>
My destination is my own laptop, so if I do it like that, my encryption on my main drive is null and void. Right elvishjerricco ?
<eyJhb>
gchristensen: no idea, using znapzend module
luc65r has quit [Read error: Connection reset by peer]
<elvishjerricco>
eyJhb: I don't see how. Child datasets of encrypted datasets are encrypted by default
luc65r has joined #nixos-chat
<eyJhb>
Ah
<eyJhb>
But...
luc65r has quit [Client Quit]
<eyJhb>
What
<elvishjerricco>
eyJhb: So on the destination, have an encrypted dataset `foo/parent`, and tell znapzend that the destination is `foo/parent/child` and let znapzend create it
<elvishjerricco>
`child` will be encrypted because `parent` is
<eyJhb>
My rtank is set with encrypted, while znapsend created the rtank/backup/root itself
<eyJhb>
Wouldn't that setup yield the same?
<eyJhb>
Or is there a difference when the parent pool has the encrypted flag, versus a dataset having it?
<elvishjerricco>
eyJhb: I'm a little confused. Which datasets did you create yourself, and which did znapzend do?
<elvishjerricco>
And which did you create encrypted?
<eyJhb>
Everything in rtank znapzend created, I only created the pool and said it should be encrypted (all children)
<elvishjerricco>
Too bad. Guess znapzend isn't a good choice for this :/
<elvishjerricco>
syncoid/sanoid are alright
<eyJhb>
gchristensen: don't you use encrypted datasets?
<eyJhb>
Might have to look at that then..
<eyJhb>
I have no real preference as of now
<eyJhb>
Just want some backups
<gchristensen>
my destination server is not encrypted yet :(
<elvishjerricco>
eyJhb: The weird thing about syncoid is that it doesn't prune snapshots on the destination. So you can only have either all the snapshots the source has ever had, or none. I think there's a way to setup a second sanoid thing to prune it without doing anything else but I haven't gotten that far
<eyJhb>
Do you use any of those elvishjerricco ?
<eyJhb>
gchristensen: damn :(
<elvishjerricco>
eyJhb: I use znapzend and LUKS
<elvishjerricco>
One day... one day I'll use native encryption and something other than znapzend :P
<eyJhb>
I can't believe that it really doesn't support this...
<eyJhb>
The main reason this does not work, is because.... It does not support multiple keyslots
<elvishjerricco>
eyJhb: znapzend isn't the most actively developed project, and encryption is somewhat new for zfs
<eyJhb>
As far as I could read
<elvishjerricco>
eyJhb: What do keyslots have to do with it?
<eyJhb>
But from this. it says that it should work when the keys are the same
<elvishjerricco>
eyJhb: Keys and `keylocation` are not the same. If you use the same passphrase or key file on two different datasets, they'll have different keys
<elvishjerricco>
The passphrase or key file is just used to decrypt a randomly generated master key
<elvishjerricco>
That master key is the key he's referring to
<eyJhb>
Ah, so if I have them use the exact same master key, then it should work?
<eyJhb>
Is that even possible?
<elvishjerricco>
eyJhb: That would work if it were possible, but it's not
<eyJhb>
Damn it...
<elvishjerricco>
Unlike LUKS, ZFS has no concept of user interaction with the master key.
<eyJhb>
Not even if I import the dataset from the main!
<eyJhb>
?*
<pie_>
i didn't know zfs does that
<pie_>
are you sure
<elvishjerricco>
pie_: Am I sure ZFS does a master key type thing? Yea. It'd be crazy if they didn't, and I've seen a talk describing how it's derived among other things
<elvishjerricco>
eyJhb: Not sure what you mean
<eyJhb>
If i have rtank unencrypted, import an encrypted dataset. Will it then not use the same key?
<elvishjerricco>
eyJhb: If you send a dataset without -w, it will not be encrypted on the receiver period
<elvishjerricco>
Unless its parent is encrypted
<eyJhb>
Damn...
<elvishjerricco>
Er that's badly worded
<eyJhb>
So there is no solution because what znapzend does atm.?
<elvishjerricco>
Without -w, the stream is unencrypted. To encrypt it on the destination, the receiving dataset must be encrypted
<eyJhb>
Is there an easy fix for it? Using -w and not creating the dataset beforehand?
<pie_>
elvishjerricco: why would it be craz...actually wait. yeah ok. some of the reasons are coming back to me.
<elvishjerricco>
eyJhb: There is no way to `receive -F` an encrypted dataset, which znapzend has to do, and znapzend currently doesn't provide support for `-w` at all, so znapzend contains no solution here
<gchristensen>
people typically don't want it to take an infinite number of hours to change the key :)
<elvishjerricco>
And you don't want two disks encrypted with the same pass to look the same. And a bunch of other reasons :P
<eyJhb>
I just want to backup my freaking datasets, to an encrypted location :(
<elvishjerricco>
eyJhb: I think it's probably possible with syncoid
<elvishjerricco>
It has a `--sendoptions` flag, which does work with `-w`
<elvishjerricco>
The snapshot history stuff gets hairier because syncoid and sanoid interact weirdly, despite being the same project
<gchristensen>
what is that other one ... like zsl or something
<elvishjerricco>
gchristensen: I don't see anything called zsl on google.
<cole-h>
Are all zfs snapshots incremental by nature?
<eyJhb>
But then I could patch znapzend to use -w in NixOS as well?
<elvishjerricco>
cole-h: Yea. ZFS is CoW, so a snapshot is just a reservation of all the blocks at the time of snapshotting
<elvishjerricco>
eyJhb: I think you'd find that rather more annoying than figuring out syncoid. You'd have to change it to not do zfs create, for instance
<cole-h>
OK. What happens when a snapshot is deleted (e.g. too old, etc)? Is that snapshotted data lost forever if the following snapshot is different?
<elvishjerricco>
cole-h: Yea anything that was unique to that snapshot is gone when you delete the snapshot
* eyJhb
considering just waiting for a good tool, and do local snapshots on that disc for now
<cole-h>
I see. I wonder if that's how borgbackup works too...
<gchristensen>
probably yes but without the help of the filesystem already being the datastructure it wants
<elvishjerricco>
cole-h: Maybe. It'd have to be less efficient at creating the snapshot/backup though. Making things incremental without knowing the transaction id or something like it means traversing the whole fs
<elvishjerricco>
hence why zfs send/recv is like a million times faster than rsync :P
<cole-h>
OK, fair.
<cole-h>
Guess it's a good thing I keep a decent amount of znapzend snapshots...
<eyJhb>
But are they encrypted cole-h?! Are they?! :(((
<cole-h>
Of course
<cole-h>
I should eventually learn how filesystems work lol. I feel like most of my questions would be answered by doing that.
<eyJhb>
But I am then guessing from this context, they are on the same disc :p
<elvishjerricco>
eyJhb: Or cole-h uses LUKS
<elvishjerricco>
That's what I do
<cole-h>
Yeah, they're on the same disk for now.
<eyJhb>
Just not a fan of LUKS, but I guess it works
<cole-h>
I need to get another external, since I don't want to add any more important data to my current one
<eyJhb>
elvishjerricco: LUKS both places?
<cole-h>
(See: my recent fiasco locally transferring a 400GB image over the course of 130 hours at sub-1MB/s speeds)
<eyJhb>
Because I could actually setup LUKS on my rtank drive
<eyJhb>
And then just have "unencrypted" datasets there
<elvishjerricco>
eyJhb: I've three copies of my data. Source, local backup, remote backup. All use LUKS.
<eyJhb>
Hmm.. Mine will prob be, src, local, remote
<eyJhb>
Wait
<eyJhb>
How is your local vs. remote?
<eyJhb>
Local as in same PC?
__monty__ has quit [Quit: leaving]
<gchristensen>
same building I assume
<elvishjerricco>
eyJhb: I use local to refer to same location, but yea it happens to be the same PC. Might be better to have a server at home for this stuff but I haven't had a reason to do so yet
<elvishjerricco>
Remote means across the river at my parents' house :P
<samueldr>
ugh, CLAs
<cole-h>
If only I didn't have a data cap I would definitely be able to fulfill the 3-2-1 guidelines...
<samueldr>
anyone care to look and tell me whether I understand it right that this CLA allows the project owner to re-license code?
<eyJhb>
I would assume local to mean the same PC. Remote for me would be the same building :/
<elvishjerricco>
eyJhb: on-site and off-site are probably better terms for my setup
Jackneill has quit [Ping timeout: 240 seconds]
cjpbirkbeck has joined #nixos-chat
<eyJhb>
Most cases I assume
<eyJhb>
How do you guys manage a metered connection?
<eyJhb>
Manually stopping the service?
<elvishjerricco>
eyJhb: I don't have nearly enough data to worry about that :P
<eyJhb>
Same (I hope)
<eyJhb>
Btw. elvishjerricco luks1 vs luks2?
<eyJhb>
Trying to setup luks encryption
<elvishjerricco>
eyJhb: luks2. I'm unaware of any downsides. I've only done cursory research however
<eyJhb>
F it, let it default I guess
<eyJhb>
I can't find much
<elvishjerricco>
eyJhb: I think the choice of algorithm might be important but I don't remember the details
<elvishjerricco>
Every guide I see about encrypting a disk with luks2 always includes several specific settings; unsure if they're just redundant
<elvishjerricco>
eyJhb: Oh and if it's not too late, make sure your ZFS native encryption is using the GCM algorithm, not CCM. In 0.8.4, there's a major perf boost to choosing GCM
<cole-h>
...crap.
<eyJhb>
hahah
<cole-h>
>> zfs get encryption rpool
<eyJhb>
Let me check
<cole-h>
>> rpool encryption aes-256-ccm -
<gchristensen>
you can change it per dataset
<eyJhb>
GCM
<eyJhb>
BABY!
<eyJhb>
rpool encryption aes-256-gcm -
<gchristensen>
well, at creation time
<cole-h>
F. I did `encryption=on` because apparently `=on` chooses the best available
<elvishjerricco>
cole-h: Yea they changed the default in some version (0.8.4? Unreleased?) to GCM because of this
<cole-h>
Welp
<cole-h>
Time to reinstall lol
<gchristensen>
you don't have to reinstall
<cole-h>
I don't?
<eyJhb>
elvishjerricco: what is your timezone?
<gchristensen>
make a new dataset with the new encryption algo, and send to it
<elvishjerricco>
eyJhb: EST
<cole-h>
omg wait that's actually genius
<cole-h>
gchristensen: Except I have that set for my entire pool... if I change the setting, will it change the default for all future things?
<eyJhb>
Fair, I might ping you tomorrow for help with LUKS if I get stuck :) Got to go to bed now :)
<eyJhb>
Thanks for all the help everybody! Appreciate it as usual
<eyJhb>
elvishjerricco++ gchristensen++ cole-h++
<{^_^}>
cole-h's karma got increased to 67
<{^_^}>
gchristensen's karma got increased to 312
<{^_^}>
elvishjerricco's karma got increased to 16
<eyJhb>
Sorry for the enc cole-h </3
<cole-h>
Maybe that's why I hear audio crackling in my VM (^:
<elvishjerricco>
cole-h: Well you can't *change* the setting. You can only create new datasets with *different* settings
<cole-h>
elvishjerricco: Can I change the default, though? So any new datasets will be created with this new setting?
<cole-h>
e.g. rather than `zfs create -o encryption=aes-256-gcm` I could just `zfs create` and it will inherit that new encryption value?
<elvishjerricco>
cole-h: Not that I know of, other than making one new dataset with the different settings, and making all future datasets children of that dataset
<cole-h>
The only thing I miss from using a fs like ext4 is lsblk showing me FSAVAIL and FSUSE%
<cole-h>
(Which is easy to get to from zfs tools, yes)
<samueldr>
that CLA thing really makes me consider forking the library, and throw out a bunch from it :/
Jackneill has joined #nixos-chat
<gchristensen>
samueldr: imo that is the right response to a CLA
<samueldr>
I'd "fix" a lot of annoyances that are specific to my use case, but... do I really want to "own" a UI library?
<gchristensen>
probably not ;9
<gchristensen>
:(
<samueldr>
that's it :)
<cole-h>
gchristensen: Are there any special args I should consider for my zfs send? Assuming I `zfs create -o encryption=aes-256-gcm rpool/system/var2` and want to send from `rpool/system/var` to `rpool/system/var2`
<gchristensen>
gosh I don't know
<cole-h>
(And also can I rename it after I send to the new one and delete the old one?)
<cole-h>
Haha
<gchristensen>
I read the entire man page of zfs send and zfs receive every time I have to do it
<cole-h>
Nice
<cole-h>
Guess I'll do the same
<gchristensen>
it is too complicated
<cole-h>
Let me ask a different, but related, question: do you usually specify arcane settings, or do you just `zfs send 1 | zfs receive 2`?
<elvishjerricco>
cole-h: Is your `rpool` dataset the encryption root of your system?
<cole-h>
elvishjerricco: I created it with `-O encryption=on`, so I believe so.
<samueldr>
folks: please share all the UI libraries you know can work on a linux fbdev, please, thank you :)
<samueldr>
I want to review what exists to decide what to do, and I don't know if I missed any first time I looked
<elvishjerricco>
cole-h: You're about to run into the same stuff as eyJhb did :P
<gchristensen>
samueldr: boy that is far outside my area of expertise :x
<cole-h>
elvishjerricco: Oh
<ldlework>
I don't understand why RPCS3 doesn't have the Vulkan option even though `vulkaninfo` works for me.
<samueldr>
gchristensen: lol
<cole-h>
....oh
<elvishjerricco>
Creating `rpool/system/var2` manually will mean it can't be received into
<cole-h>
And not creating it manually means that it won't have `-gcm`, right?
<elvishjerricco>
cole-h: You can do it differently by not creating it manually and doing `zfs receive -o encryption=aes-256-gcm` But you'll find this won't work because you haven't specified a keylocation
<gchristensen>
consider making rpool/system-aes-256-gcm/.... and then later you can rename system to system-ccm and system-ae... to system/
<elvishjerricco>
`receive` can create new datasets itself, but creating an encrypted dataset always requires a keylocation
<cole-h>
It won't inherit the keylocation because the encryption is different than `-ccm`, then?
<elvishjerricco>
cole-h: Yea, basically, encrypted datasets have an `encryptionroot`, and you only need to load the key for the `encryptionroot`. Right now, `rpool` is your only `encryptionroot`. To make a dataset with different encryption settings, it needs to be a new `encryptionroot`, and will need a second `zfs load-key` command (unless `-a` was used initially)
<elvishjerricco>
Regardless, if they both use `keylocation=prompt`, you'll be prompted twice
<lovesegfault>
I really wish Rust had specialization
<lovesegfault>
It's so annoying that it doesn't
<energizer>
what's the advantage of zfs encryption vs regular partition encryption?
<lovesegfault>
energizer: You can zfs send --raw to do encrypted backups
<lovesegfault>
You can also encrypt only some of the datasets in your pool
<elvishjerricco>
energizer: And if you use ZFS redundant vdevs, encryption is only calculated once.
<lovesegfault>
e.g. I have my /nix unencrypted and my /home encrypted
<cole-h>
elvishjerricco: I'm currently using #88789 and plymouth prompts me for my passphrase to `rpool` -- will it then also prompt me for `rpool/system-aes-256-gcm`, assuming I go through with this?
<elvishjerricco>
And you can scrub a zpool without loading keys for encrypted datasets
<elvishjerricco>
and resilver
<elvishjerricco>
replace disks
<elvishjerricco>
etc
<elvishjerricco>
all pool level operations
<cole-h>
This also means it's not entirely random noise -- some data is left unencrypted IIRC
<elvishjerricco>
cole-h: Yes
<elvishjerricco>
All user-level data is encrypted. File contents, names, permissions, directory listings, acls, xattrs, you name it. Basically, if it's POSIX, it's encrypted
<energizer>
what is left out?
<elvishjerricco>
Pool level metadata, like block layout and dataset/snapshot names and whatnot, are not encrypted
<elvishjerricco>
The dedup table is unencrypted, but MACs are used instead of hashes. So all that's leaked is which blocks in the same dataset are deduplicated, not anything about their contents. But also, don't use dedup!
<gchristensen>
(don't use dedup!)
<lovesegfault>
In other words: ZFS does not give you deniability wrt encryption
<lovesegfault>
Yes, dedup is malware
<gchristensen>
according to my brother, deniability isn't really a thing anyway
<gchristensen>
that if they're compelling you to decrypt your disk they already know what they're going to find
<elvishjerricco>
cole-h: Actually, now that I think about it, doesn't NixOS usually try to reuse passphrases for multiple encrypted things? Or is that just LUKS?
<elvishjerricco>
So maybe it wouldn't prompt you twice
<samueldr>
I could embed a web browser in the mobile nixos stage-1 for the boot gui
<samueldr>
what could go wrong?
<gchristensen>
samueldr: I think that is a good idea actually
<elvishjerricco>
Still, I don't like having multiple encryptionroots :P
<cole-h>
elvishjerricco: If I had set the passphrase differently, I was wondering what would happen (since I've only ever had it prompt me for the top-level dataset (e.g. rpool and tank) vs rpool/system/var, etc)
<elvishjerricco>
Unless I intend to have them unlocked at disjoint times
<lovesegfault>
I wish ZFS had 2-FA unlock, like it needs my psk AND my yubikey
<cole-h>
elvishjerricco: Well, the plan would be to move each dataset over to gcm, one at a time
<cole-h>
And then destroy the other ones
<lovesegfault>
So I could eat my yubikey and just tell the baddies my password
<samueldr>
gchristensen: actually, it could end up being a half-truth, I'm familiar enough with netsurf's architecture that I believe some of the libs behind it may actually be useful
<cole-h>
elvishjerricco: So hopefully that would mean back to one encryptionroot?
<lovesegfault>
before they hit me with a wrench or something
<samueldr>
at the very least, text rendering wise, and unicode-handling
<elvishjerricco>
cole-h: Well you wouldn't be able to destroy or replace `rpool` itself as an encryptionroot
<elvishjerricco>
lovesegfault: You can always just have a keyfile that another script unlocks using 2FA
<lovesegfault>
Maybe
<cole-h>
elvishjerricco: What are the downsides of multiple encryptionroots? Could I get away with `zfs send | zfs receive`ing to another pool with gcm set, and then trash this disk and send/receive back?
<gchristensen>
elvishjerricco: or stick you in prison for 6 months at a time for contempt
<gchristensen>
s/prison/jail/
<cole-h>
Free gym membership!
<gchristensen>
lovesegfault* ^
<elvishjerricco>
cole-h: Yea no reason you can't back up and restore to a new setup
<elvishjerricco>
Having multiple `encryptionroot`s is just an annoyance, really
<lovesegfault>
gchristensen: The baddies don't do that
<cole-h>
Because it would prompt for the passphrase (if applicable) for each encryptionroot?
<lovesegfault>
they wrench you
<elvishjerricco>
If you ever have to `load-key` manually, you'll have to do it twice :P
<cole-h>
Why not `load-key -a`? :P
<elvishjerricco>
You'll still be prompted twice, just by one command :P
<elvishjerricco>
cole-h: So if the plymouth thing does reuse passphrases you basically won't notice it as a problem, and I'm unaware of any security risk. Just feels... dirty
<gchristensen>
there used to be a security risk but I think it was solved
<elvishjerricco>
gchristensen: What kind of risk?
<gchristensen>
the kernel didn't clear out the memory allocated by early stages of boot, and the password typed in would be available in a memory dump
drakonis1 has joined #nixos-chat
<lovesegfault>
What's the process to remove something from nixpkgs?
<lovesegfault>
I want to get rid of casperjs b/c it's broken and upstream is abandoned
<gchristensen>
is it marked as broken?
<lovesegfault>
Nope
<infinisil>
lovesegfault: See pkgs/top-level/aliases.nix
<infinisil>
Can remove the attr from all-packages.nix and add a throwy alias there
<lovesegfault>
Aha
<lovesegfault>
Should I mark it broken or make it throw?
<gchristensen>
I'd mark it broken for a few months then rm
<lovesegfault>
I'm almost certain I'll forget to rm later
<lovesegfault>
pkg has been abandoned since 2018
<lovesegfault>
no rev deps
<samueldr>
though if it's been broken for months, and abandoned upstream, what's the need for marking it broken?
drakonis_ has quit [Read error: Connection reset by peer]
<infinisil>
2018 isn't that long ago
<samueldr>
it's technically broken already
drakonis2 has joined #nixos-chat
<gchristensen>
samueldr: yeah
julm has joined #nixos-chat
<lovesegfault>
in 2018 Obama was president
<samueldr>
(though if we want to make a precedent into marking broken first, then removing, I say go for broke(n))
<lovesegfault>
it's literally a lifetime ago
<infinisil>
lovesegfault: Um he wasn't :)
<samueldr>
out with the "off-by-one", in with the "off-by-two"!
<lovesegfault>
infinisil: It's so long ago I thought he was!