Essentially the computer you usually personally work with, regardless of whether it’s a desktop, a notebook computer or even your TV, as long as it runs Ubuntu Desktop or similar.
Desktop
What Counts as a Desktop?
There’s no need to be fussy about form factors. When I say “desktop,” I’m talking about any machine that you personally sit down and use for actual work or entertainment. This could be:
- Your traditional tower + monitor setup that’s been chugging along since 2019
- That sleek laptop you overpaid for but secretly love
- Your gaming rig with RGB everything (no judgment, we’ve all been there)
- That old ThinkPad you rescued from the office closet
- Even your smart TV if you’ve managed to get a proper Linux distro running on it
The key thing is that it’s running Ubuntu Desktop or something similar - basically any Linux distribution with a proper desktop environment that you can actually interact with using a mouse, keyboard, and GUI.
Why Ubuntu Desktop?
Ubuntu Desktop is kind of the vanilla ice cream of Linux distributions - it’s not the most exciting flavour, but it’s reliable, well-supported, and most importantly, it just works. Here’s why it makes sense for a personal desktop setup:
It’s Actually User-Friendly
Unlike some distributions that seem designed by masochists for masochists, Ubuntu Desktop comes with sane defaults. You can install it, boot it up, and actually get work done without spending three hours configuring your window manager.
Hardware Support That Doesn’t Suck
Ubuntu’s hardware detection is pretty solid. Your WiFi will probably work out of the box. Your graphics card won’t immediately burst into flames. Your printer might even work on the first try (okay, that’s optimistic, but still).
Package Management That Makes Sense
Between `apt`, Snap packages, and Flatpak support, you’ve got multiple ways to install software. And unlike some other distributions, you probably won’t break your system by installing a media player.
Essential Desktop Setup
Once you’ve got Ubuntu Desktop running, there are a few things you’ll want to configure to make your life easier:
Configure Your Network Connection
Make sure your desktop can talk to the rest of your infrastructure. If you’re following the network topology documented elsewhere in this setup, your desktop should be able to resolve internal hostnames and access your self-hosted services.
Set Up Development Tools
If you’re doing any kind of technical work, you’ll want:
- A proper terminal emulator (the default one is fine, but I personally pay for a Termius licence)
- A decent text editor or IDE
- Git and other version control tools
- SSH client configured with your keys
Install Essential Applications
The bare minimum for a functional desktop:
- A web browser that isn’t terrible (Firefox comes pre-installed, Chrome if you must)
- A password manager
- Communication tools (Discord, Rocket.Chat, whatever your team uses)
- Media players for when you need to procrastinate
Security Considerations
Your desktop is often the weakest link in your security chain because it’s where you actually do stuff. Some basic hardening:
- Enable the firewall (`ufw enable` - it’s that simple)
- Keep your system updated (`apt update && apt upgrade` regularly)
- Use full disk encryption if you’re dealing with sensitive data
- Don’t run random scripts from the internet as root (seriously, stop doing this)
Integration with Your Infrastructure
Your desktop isn’t an island - it should integrate nicely with the rest of your self-hosted setup:
SSH Key Management
Set up proper SSH keys for accessing your servers. Use `ssh-agent` to avoid typing your passphrase constantly, and consider using SSH certificates if you’re feeling fancy.
File Synchronization
Whether it’s Nextcloud, Syncthing, or just good old rsync, make sure your important files are backed up and synchronised across your devices.
Remote Access
Configure VPN access to your home network, set up remote desktop if needed, and make sure you can get to your stuff when you’re not at home.
Common Issues and Solutions
Graphics Drivers
If your desktop looks like it’s running on a potato, you probably need proprietary graphics drivers. Ubuntu’s “Additional Drivers” tool usually handles this, but NVIDIA drivers can still be a pain. Pro tip: if you’re buying new hardware, AMD graphics tend to have fewer headaches.
Audio Problems
PulseAudio works most of the time, but when it doesn’t, it really doesn’t. `pulseaudio -k` followed by `pulseaudio --start` fixes about 80% of audio issues. For the other 20%, good luck - you’re entering the realm of ALSA configuration files and pain.
Wi-Fi Connectivity
If your Wi-Fi keeps dropping or won’t connect, check if your router is using older security protocols. Some newer Linux kernels are picky about WEP (which you shouldn’t be using anyway) and older WPA implementations.
Performance Optimisation
Disable Unnecessary Services
Ubuntu Desktop comes with a bunch of services you might not need. Use `systemctl list-unit-files --state=enabled` to see what’s enabled and disable stuff you don’t use.
Manage Startup Applications
Check what’s launching at startup with the “Startup Applications” tool. That Slack client that takes 30 seconds to load? Maybe it doesn’t need to start automatically.
Monitor Resource Usage
Install `htop` and `iotop` to keep an eye on what’s eating your CPU and disk I/O. Sometimes the solution to a slow desktop is just killing that one process that’s gone rogue.
Backup Strategy
Your desktop probably contains important stuff, so back it up:
What to Back Up
- Your home directory (obviously)
- System configuration files you’ve customised
- Installed package lists (`dpkg --get-selections > packages.txt`)
- SSH keys and other credentials (securely!)
How to Back Up
- Automated backups to your NAS or cloud storage
- Regular system snapshots if you’re using BTRFS or ZFS
- Configuration management if you’re into that sort of thing
Secrets
Passphrases
- Craft strong, unique passphrases for enhanced security.
- Ensure they are memorable yet resilient to unauthorized access.
Strong Yet Simple to Remember
When it comes to passphrases, there’s a sweet spot between making them strong enough to resist the bad guys and keeping them memorable enough for you to recall without breaking a sweat. One single word isn’t cutting it anymore, so here’s how you can create passphrases that are both tough and easy to remember.
Tools Like Diceware:
Enter Diceware. It’s a total game-changer for creating passphrases that are both secure and user-friendly. Unlike some tools that might give you passwords that make you want to scream, Diceware gives you strong passphrases that are actually easy to memorize.
A Diceware passphrase might look like “timid bingle heath js duck” — jot it down once, and before long, it’ll be sticking in your brain like a catchy tune.
XKCD’s Take on Password Strength:
If you haven’t checked out XKCD’s genius thoughts on password strength, now’s your chance. The XKCDpass tool is a cool way to generate passphrases made up of random word combos that are both secure and easy to remember.
You can grab XKCDpass from the Ubuntu Software Center or hit up the command line with this:
```sh
$ sudo apt install xkcdpass
```
Storing Passphrases in Your Brain:
Let’s be real — no one’s going to remember every single password they have. So, you only really need to keep three passphrases locked in your brain:
- Your password manager (like KeePass)
- Your main desktop login
- Access to your encrypted storage (USBs, hard drives, etc.)
For everything else, just stash them in a secure database on your devices. That way, you can go wild with long, complicated passphrases and not worry about memorizing them.
Strong Yet Easy to Type
Sometimes, you need a passphrase that’s secure but also doesn’t make your fingers cramp up when you’re typing it out. For these situations, Diceware is your friend, even if you’re not storing the passphrase in your memory.
Password Generators vs. Diceware:
Sure, password generators can cook up passwords that are tough to crack, but they’re usually a pain to type, especially when there’s no auto-fill option around.
A Diceware passphrase, on the other hand, is secure, but also something you can type out without wanting to throw your keyboard across the room. Much easier to use in scenarios where you don’t have a “copy-paste” option.
Context is Everything:
Think about where and how you’ll use the passphrase. If you need something that’s easy to type, like on a mobile device, go for something that’s secure but not a pain to punch in.
A passphrase like “timid bingle heath js duck” is super easy to type, while more complex ones can be used where a little extra typing effort is okay.
Choosing the Right Number of Words:
The more words you add to a Diceware passphrase, the more secure it gets. Based on how much computing power the big guys (like governments) have, this guide gives you some recommendations for how many words to use.
- Recommended Words for Different Security Levels:
  - High-security (Password Safe, GPG Private Key, Admin Logins, CA Keys): 7 words.
  - Medium-security (User Logins, Email Accounts, Cloud Storage): 5 words.
  - Moderate-security (Wi-Fi Networks): 4 words.
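As an added example (not from the page), the Diceware mechanics behind these recommendations in Python: five CSPRNG dice rolls index a 7776-word list, each word adds log2(7776), about 12.9 bits, so the 7, 5 and 4 word levels above come out at roughly 90, 65 and 52 bits. The ten-word list is a constructed stand-in for a real list, and the generator rejects rolls past the end of the list instead of wrapping around, so a short list stays unbiased.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7776 words, one per five-dice roll ("11111".."66666").
DICEWARE_LIST_SIZE = 6 ** 5
BITS_PER_DICEWARE_WORD = math.log2(DICEWARE_LIST_SIZE)   # about 12.92 bits

# Word counts recommended above, per security level.
RECOMMENDED_WORDS = {"high": 7, "medium": 5, "moderate": 4}

# Constructed stand-in for a word list (a real list has 7776 entries).
SAMPLE_WORDS = ["timid", "bingle", "heath", "duck", "lantern", "mossy",
                "quartz", "river", "saddle", "tundra"]


def roll_dice(n_dice: int) -> str:
    """Roll n_dice fair dice with the OS CSPRNG (never random.random()), e.g. '43152'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def roll_to_index(roll: str) -> int:
    """Map a dice string to a 0-based word-list index: '11111' -> 0, '66666' -> 7775."""
    if not roll or any(c not in "123456" for c in roll):
        raise ValueError(f"not a dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of an n-word passphrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist: list, n_words: int) -> str:
    """Pick n_words uniformly from wordlist by dice rolls.

    Uses as many dice as needed to cover the list and rejects rolls that fall past
    its end, so a list shorter than 6**n stays unbiased (no modulo bias)."""
    n_dice = 1
    while 6 ** n_dice < len(wordlist):
        n_dice += 1
    words = []
    while len(words) < n_words:
        index = roll_to_index(roll_dice(n_dice))
        if index < len(wordlist):
            words.append(wordlist[index])
    return " ".join(words)


def strength_report(level: str, list_size: int = DICEWARE_LIST_SIZE) -> dict:
    """Entropy of the passphrase length recommended above for a security level."""
    n = RECOMMENDED_WORDS[level]
    return {"level": level, "words": n, "bits": round(entropy_bits(n, list_size), 1)}


if __name__ == "__main__":
    for level in RECOMMENDED_WORDS:
        print(strength_report(level))
    print("sample (10-word constructed list):", generate_passphrase(SAMPLE_WORDS, 4))
```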
Keys
- Manage cryptographic keys with precision.
- Use them for securing communications, authenticating users, and encrypting sensitive data.
SSH Client Keys: Choosing and Securing Your Digital Signatures
In the realm of SSH (Secure Shell) communication, client keys play a pivotal role as the digital signatures that authenticate and secure connections. Understanding the significance of these keys, this guide delves into the specifics of ed25519 and RSA keys, highlighting their characteristics and recommended usage.
ed25519: Fast, Secure, and Compact
Overview:
- ed25519 stands out as a highly efficient and secure public-key signature system. It boasts small keys (32 bits) and compact signatures (64 bits), making it a swift and robust choice for SSH public key authentication.
Key Generation Command:
To generate an ed25519 key pair, use the following command:
```sh
$ ssh-keygen -t ed25519 -o -a 100
```
This command prompts you to enter a file to save the key and a passphrase for added security.
Note:
- While ed25519 offers optimal speed, key size, and security, it is essential to be aware that not all tools and agents recognise ed25519 keys. Compatibility issues may arise with tools like ssh-copy-id and certain SSH agents like those in Seahorse and GnuPG.
RSA: Robust Legacy with Larger Bit Sizes
Overview:
- RSA (Rivest-Shamir-Adleman) remains a reliable choice for SSH keys. Defaults typically generate a 2048-bit RSA key, but it is strongly recommended to use at least 3072 bits for enhanced security.
Key Generation Command:
To generate an RSA key with a specified bit size, use the following command:
```sh
$ ssh-keygen -t rsa -b 4096 -o -a 100
```
This command prompts you to enter a file to save the key and a passphrase for additional protection.
Considerations
Key Size Recommendations:
- While defaults may be convenient, it is advisable to opt for larger bit sizes for RSA keys (at least 3072 bits) to bolster security, especially in the face of evolving computing capabilities.
Security Practices:
- The process prompts users to enter a passphrase, which acts as an additional layer of protection for the key files. This passphrase encrypts and shields the key, ensuring that only those who know the passphrase can access and utilise the associated key.
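The `-o -a 100` options in the two commands above write the key in the openssh-key-v1 container (the default since OpenSSH 7.8) with bcrypt as the passphrase KDF and 100 rounds. As an added example (not the page’s or OpenSSH’s code), this parses that container’s header and flags keys that are unencrypted or use fewer rounds than asked for; the sample keys are constructed inline with zero-filled placeholder key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; returns (payload, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def inspect_private_key(pem: str) -> dict:
    """Parse the header of an openssh-key-v1 private key.

    Returns cipher, KDF name, bcrypt rounds (the -a value) and key count.
    Legacy PEM keys ('BEGIN RSA PRIVATE KEY' etc.) are rejected with ValueError."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError(f"not an openssh-key-v1 file: {lines[0] if lines else ''}")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    rounds = None
    if kdf == b"bcrypt":
        _salt, o = _read_string(kdfopts, 0)          # kdfoptions = string salt, uint32 rounds
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "rounds": rounds, "nkeys": nkeys, "encrypted": cipher != b"none"}


def passphrase_protection_ok(info: dict, min_rounds: int = 100) -> bool:
    """True when the key is encrypted with bcrypt and at least min_rounds KDF rounds."""
    return info["encrypted"] and info["kdf"] == "bcrypt" and (info["rounds"] or 0) >= min_rounds


def build_sample_key(cipher: str, kdf: str, rounds: int) -> str:
    """Constructed sample: a header laid out like ssh-keygen's, followed by zero-filled
    placeholder public/private sections (only the header is inspected above)."""
    kdfopts = b""
    if kdf == "bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)   # salt, rounds
    body = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(b"\x00" * 51)      # public key placeholder
            + _ssh_string(b"\x00" * 160))    # private section placeholder
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


if __name__ == "__main__":
    # Header as written by "ssh-keygen -t ed25519 -o -a 100" with a passphrase ...
    good = inspect_private_key(build_sample_key("aes256-ctr", "bcrypt", 100))
    # ... versus the default 16 rounds, and a key saved without a passphrase.
    weak = inspect_private_key(build_sample_key("aes256-ctr", "bcrypt", 16))
    plain = inspect_private_key(build_sample_key("none", "none", 0))
    for name, info in (("good", good), ("weak", weak), ("plain", plain)):
        print(name, info, "ok" if passphrase_protection_ok(info) else "REVIEW")
```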
Certificates
- Oversee digital certificates to validate entity authenticity within your network.
- Maintain a secure and trustworthy digital environment.
Gnome Keyring
- Securely manage and store sensitive credentials.
- Streamline access to passwords and encryption keys.
KeePassXC
- Employ a robust password manager for complex password storage.
- Facilitate seamless, secure access across devices.
OpenPGP
- Implement for secure email and file encryption.
- Use public/private key pairs for authentication and data protection.
Yubikey
- Integrate hardware-based two-factor authentication.
- Strengthen account and system security through physical verification.
Certificates
Creating and Managing Certificates: The DIY Guide
Certificates are like digital IDs, vouching for who you are or which device you’re using. If you’re someone who loves getting their hands dirty, this guide walks you through the whole process of generating Certificate Signing Requests (CSRs) and handling certificates, whether you’re managing your own or dealing with client devices.
Preparations
Set Up Your Personal Directory:
```sh
$ mkdir -p ~/.ssl/{certs,private}
$ chmod 700 ~/.ssl/private
```
Set Environment Variables:
```sh
$ export CN=$HOSTNAME.example.net
$ export emailAddress=john.doe@example.net
```
Personal User Certificate Request
OpenSSL Configuration:
Create a new OpenSSL configuration file `~/.ssl/openssl-user.cnf`, and make sure to tweak the highlighted lines to fit your needs.
Generate Certificate Signing Request and Key:
```sh
$ openssl req -new -out ~/.ssl/$emailAddress.req.pem
```
- Enter your passphrase when prompted.
- Lock down the private key:
```sh
$ chmod 400 ~/.ssl/private/$emailAddress.key.pem
```
Verify the Request:
```sh
$ openssl req -verify -in ~/.ssl/$emailAddress.req.pem \
    -noout -text -nameopt multiline \
    -reqopt no_version,no_pubkey,no_sigdump
```
Client Device Certificate
OpenSSL Configuration:
Set up a new OpenSSL config file `~/.ssl/openssl-client.cnf`, and again, tweak the highlighted lines as needed.
Generate Certificate Signing Request and Key:
```sh
$ openssl req -new -out ~/.ssl/$CN.req.pem
```
- Enter your passphrase when prompted.
- Secure the private key:
```sh
$ chmod 400 ~/.ssl/private/$CN.key.pem
```
Verify the Request:
```sh
$ openssl req -verify -in ~/.ssl/$CN.req.pem \
    -noout -text -reqopt no_version,no_pubkey,no_sigdump \
    -nameopt multiline
```
Using the Certificate
View the Certificate:
```sh
$ openssl x509 -in $CN.cert.pem \
    -noout -text -certopt no_version,no_pubkey,no_sigdump \
    -nameopt multiline
```
Verify the Certificate:
```sh
$ openssl verify -issuer_checks -policy_print -verbose \
    -untrusted intermed-ca.cert.pem \
    -CAfile root-ca.cert.pem \
    certs/$CN.cert.pem
```
Once the Certificate Authority (CA) verifies and signs your CSR, you’ll get the certificate back in a file like `host.example.net.cert.pem`.
KDE Wallet
Managing Secrets with KDE Wallet on Ubuntu Desktop
In the KDE desktop environment, KDE Wallet is the go-to tool for securely storing and managing your passwords, keys, and other secrets. It functions similarly to Gnome Keyring, but with a focus on the KDE ecosystem. This guide will walk you through how KDE Wallet manages your secrets and how to disable the KDE Wallet SSH agent for specific scenarios.
Overview of KDE Wallet
Encrypted Storage:
- KDE Wallet acts as an encrypted storage database, tied to your user account. It uses your login password to unlock the wallet, ensuring your credentials are encrypted and protected during your session. When you log out, the wallet is securely closed.
Automatic Decryption:
- When you log in again, KDE Wallet automatically decrypts and makes all stored credentials accessible. The only thing you need to remember is your Ubuntu login password to unlock the wallet.
Comprehensive Credential Management:
- KDE Wallet handles the storage of various types of credentials, including passwords and passphrases for applications and network connections used within your desktop session.
Local Solution Limitations:
- While KDE Wallet is a powerful and convenient solution for managing secrets within the KDE environment, it’s tied to your local Ubuntu Desktop session and isn’t designed for syncing across multiple systems or platforms.
Mozilla Products and KDE Wallet:
- Similar to Gnome Keyring, Mozilla applications like Firefox and Thunderbird do not use KDE Wallet to manage website or mail server login credentials. These are stored separately.
Management of SSH Keys and TLS Certificates:
- KDE Wallet can also manage SSH keys and TLS certificates, but for compatibility with newer versions of OpenSSH, you may need to use a native OpenSSH agent.
Disabling the KDE Wallet SSH Agent
The KDE Wallet SSH agent has certain limitations, which may lead you to want to disable it in specific cases:
Reasons for Disabling:
- It does not support newer SSH key formats (like ed25519).
- It automatically loads all keys from `~/.ssh` on startup, which may not be ideal.
- It lacks the ability to remove loaded keys via `ssh-add -D`.
- It doesn’t always respect key constraints.
Disable Autostart:
- To prevent the KDE Wallet SSH agent from autostarting, you’ll need to modify the autostart configuration:
```sh
$ mkdir -p ~/.config/autostart
$ cp /etc/xdg/autostart/kwalletmanager.desktop ~/.config/autostart/
$ echo 'X-KDE-Autostart-enabled=false' >> ~/.config/autostart/kwalletmanager.desktop
```
Apply Changes:
- The change will take effect the next time you log in. To apply the change immediately in your current session, restart the KDE Wallet Daemon without the SSH agent:
```sh
$ kwriteconfig5 --file kwalletrc 'Wallet' 'false'
```
KeePassXC
In today’s digital world, where the ability to store and manage information is a game-changer, KeePassXC rises to the occasion as the go-to solution for secure password management. It takes the complexity out of managing multiple passwords, letting you store and auto-type your credentials for websites and applications. Here’s how KeePassXC is revolutionizing password security.
Key Features of KeePassXC:
Versatile Information Storage:
- KeePassXC isn’t just for passwords. It’s built to protect any private info you need to store, like bank account details, credit card numbers, PIN codes, and more.
Comprehensive Security:
- With KeePassXC, users can:
  - Forget about memorizing all those different passwords—just remember your KeePass database password.
  - Ensure each account, website, or service gets its own unique, unguessable password.
  - Use KeePassXC’s auto-generated, virtually uncrackable passwords for maximum security, even against advanced threats.
Encrypted Database Sync:
- KeePassXC stores all your info in a single, encrypted database file that can sync across multiple devices. Whether you’re using a cloud service or an unencrypted drive, your data stays safe and accessible wherever you need it.
Secure Sharing:
- Share your KeePass database securely with friends or family. Without the database passphrase, no one can access your sensitive info, making it ideal for safe sharing.
Cross-Platform Compatibility:
- KeePassXC uses the KeePass database format, which is compatible with numerous platforms. Whether you’re on Linux, UNIX, macOS, Windows, Android, iOS, or Chrome OS, you can access your encrypted database without issues.
Installation Steps:
Add the KeePassXC PPA (Personal Package Archive):
- To make sure you’re getting the latest version, add the KeePassXC PPA with the following commands:
```sh
sudo add-apt-repository ppa:phoerious/keepassxc
sudo apt update
```
Install KeePassXC:
Pick your preferred installation method:
- Install from the Ubuntu Software Center.
- Or use the command-line:
```sh
sudo apt install keepassxc
```
References:
- For more details, check out the KeePassXC User Guide.
KeePassXC is more than just a password manager. It’s a robust, cross-platform solution for securely managing all your sensitive information. With powerful features like encrypted syncing, secure sharing, and automatic password generation, KeePassXC ensures your passwords are as safe as they are easy to manage.
GnuPG
When it comes to data security and privacy, GnuPG (GNU Privacy Guard) stands out as a powerful tool. It allows users to encrypt, sign, and secure communication, making it an essential part of any privacy-conscious digital lifestyle. As a complete and free implementation of the OpenPGP standard (RFC 4880), GnuPG provides versatile key management and supports integration with public key directories.
Note: The following guide assumes you are using GnuPG version 2.2.x, pre-installed on Ubuntu 20.04.
Contents:
GPG Setup and Configuration
- Set up GnuPG settings for optimal security and performance.
Managing OpenPGP Keys
- Learn about generating, revoking, and expiring OpenPGP keys.
Distributing OpenPGP Keys
- Best practices for securely distributing your OpenPGP keys.
SSH Authentication with OpenPGP
- Use OpenPGP keys for SSH authentication to boost security in remote logins.
Using OpenPGP on Remote Systems
- Apply OpenPGP to remote systems for secure communication and data integrity.
OpenPGP Applications and Tools
- Explore additional tools that complement and enhance GnuPG.
Yubikey Neo
- Integrate Yubikey Neo to securely store private keys for use across various environments.
Enigmail
- Use Enigmail to encrypt, decrypt, sign, and verify email communications seamlessly.
Key Features:
GPG Setup and Configuration:
Before diving into key management, it’s important to configure GnuPG for your system. This ensures it runs securely and efficiently.
Managing OpenPGP Keys:
Key Generation:
Create your own keys using GnuPG to securely sign and encrypt data.
Revocation:
Learn how to revoke a key when it’s compromised or no longer needed.
Key Expiration:
Set an expiration date for your keys to ensure they’re used only within the intended timeframe.
Distributing OpenPGP Keys:
Once your keys are created, you need to securely distribute them to others. This can be done via:
Key Servers:
Public key servers are a good place to upload your public keys so others can find and verify them.
Direct Sharing:
For increased security, share keys directly with trusted contacts.
SSH Authentication with OpenPGP:
OpenPGP keys aren’t just for email encryption—they can also be used for SSH authentication, providing secure access to remote systems. Learn how to integrate OpenPGP keys for SSH to keep your remote logins safe from attackers.
Using OpenPGP on Remote Systems:
Extend OpenPGP usage beyond your local machine to remote servers, ensuring that all communication and data exchanges are encrypted. This is key for secure file transfers, remote logins, and maintaining data integrity.
OpenPGP Applications and Tools:
GnuPG is compatible with several applications that enhance its functionality:
Kleopatra:
A graphical tool for managing your OpenPGP keys, making it easy to encrypt and decrypt messages.
GpgOL and GpgEX:
Use GpgOL for integration with Microsoft Outlook, and GpgEX for adding GnuPG functionality to Windows Explorer.
Yubikey Neo:
For the highest level of security, store your private keys on a Yubikey Neo. This hardware device enhances key management by keeping your keys safe from theft, even in the event of device compromise. Yubikey Neo can be used across various environments, adding another layer of protection to your cryptographic operations.
Enigmail:
Transform your email communications with Enigmail, an extension that works seamlessly with Thunderbird. It allows for easy encryption, decryption, digital signing, and verification of email messages, providing end-to-end security for your email exchanges.
GPG Setup
The available configuration options for GnuPG can be found on the `gpg` man page. To configure GnuPG, you need to open the file `~/.gnupg/gpg.conf` in your home directory and modify it by changing, adding, or uncommenting the following options:
GnuPG Configuration Example
Bash User Environment
Add the following lines to your local profile settings file `~/.profile` to set the `GPGKEY` environment variable:
This allows you to use the `$GPGKEY` environment variable in commands and scripts related to PGP.
Backup Your Keys!
Perform regular backups to prevent data loss. Back up your private keys, key-rings, and related files to an encrypted USB drive. For instance:
Restoring Private and Public Keys
Assuming your safe storage is mounted on `/media/$USER/SafeStorage`, follow these steps to restore your keys:
GPG Publish
Distributing OpenPGP Keys
Key-Servers
While public key servers like keys.openpgp.org were widely used, recent issues with their federation model, reliability, abuse-resistance, privacy, and usability have led to the recommendation against their use.
DNS CERT
Publishing OpenPGP keys as DNS CERT type 3 (PGP) according to RFC 4398. This involves generating DNS records with the OpenPGP packet.
PKA
Publishing keys as DNS CERT record type 6 (IPGP) using RFC 4398. The record contains the fingerprint and/or URL of an OpenPGP packet. Use the gpg command to output the required DNS records for a key with the export-pka export option.
DANE
The RFC 7929 introduces DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP, associating a user’s OpenPGP public key with their email address using the OPENPGPKEY DNS RRtype. Use the gpg command to output the required DNS records for a key with the export-dane export option.
Web Key Directory (WKD)
OpenPGP Web Key Directory (WKD) allows discovering OpenPGP keys from email addresses. Modern OpenPGP applications automatically fetch keys from well-known locations on web servers in the domain of the user’s email address.
To create the necessary directories and files for your website:
Keybase.io
Keybase.io is another platform for distributing OpenPGP keys. Details are to be determined (TBD).
QR-Code
Use the `openpgp4fpr` IANA registered URI scheme for OpenPGP version 4 public keys. Create a QR code containing the text “OPENPGP4FPR:” followed by your fingerprint.
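One block for the DANE, WKD and QR-code methods above, as an added example that is not the page’s or GnuPG’s own code: it derives what a client computes from an e-mail address, namely the WKD `hu` name (SHA-1 of the lowercased local part, z-base-32) with the two lookup URLs, the RFC 7929 OPENPGPKEY owner name (SHA-256 of the local part truncated to 28 octets), and the `OPENPGP4FPR:` text to put in the QR code. The address and fingerprint are constructed samples.

```python
import hashlib
import re
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encoding as used by WKD (5-bit groups, MSB first, no padding)."""
    bits = "".join(f"{b:08b}" for b in data)
    out = []
    for i in range(0, len(bits), 5):
        chunk = bits[i:i + 5].ljust(5, "0")
        out.append(ZBASE32[int(chunk, 2)])
    return "".join(out)


def split_address(addr: str):
    """Return (local_part as given, domain lowercased); DNS names are case-insensitive."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain.lower()


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' name: SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(addr: str) -> dict:
    """Both WKD lookup URLs a client tries; the query string carries the original local part."""
    local, domain = split_address(addr)
    hu = wkd_hash(local)
    q = "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}{q}",
    }


def dane_owner_name(addr: str) -> str:
    """RFC 7929 OPENPGPKEY owner name: SHA-256 of the local part (as given),
    truncated to 28 octets (56 hex digits), under _openpgpkey.<domain>."""
    local, domain = split_address(addr)
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{label}._openpgpkey.{domain}."


def openpgp4fpr_uri(fingerprint: str) -> str:
    """Text to encode in the QR code: OPENPGP4FPR: plus the 40 hex digit v4 fingerprint."""
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40 hex digit OpenPGP v4 fingerprint")
    return "OPENPGP4FPR:" + fpr


if __name__ == "__main__":
    # Constructed sample address and fingerprint (not a real key).
    addr = "John.Doe@Example.NET"
    print(wkd_urls(addr))
    print(dane_owner_name(addr))
    print(openpgp4fpr_uri("0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"))
```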
Publish on Websites
RFC 3156 defines how ASCII-armored OpenPGP keys are to be presented on websites. To publish an ASCII armored PGP public key, export it to a file and upload it to your website with a link for visitors to download.
For ASCII-armored keys:
For binary keys:
Ensure links have the appropriate MIME types:
Testing:
GPG SSH
SSH Authentication with OpenPGP
SSH authentication can be performed using OpenPGP keys instead of traditional SSH keys. This approach has several advantages:
- Single Key Management: Manage only one set of public/private keys.
- Trust in OpenPGP Key: Remote system administrators can rely on trust in your OpenPGP key.
- Eliminate Key Transmission: No need to send public SSH keys, as OpenPGP public keys are already published.
- Hardware Security Devices: OpenPGP private keys can reside on hardware security devices like Yubikey.
In the past, system administrators typically asked for a user’s SSH public key, often signed by their OpenPGP private key. However, with OpenPGP-based SSH keys, administrators can directly extract the public SSH key from the user’s OpenPGP key, eliminating the need for additional signing and file transfers.
Disable Gnome-Keyring SSH Agent
Gnome Desktop usually runs its own SSH Agent as part of Gnome Keyring. To enable SSH to access keys through the GnuPG Agent ssh-agent, it’s necessary to disable the Gnome-Keyring SSH agent. Refer to the relevant documentation for instructions on disabling it.
Systemd User Environment
In Ubuntu 20.04.1, there is a script that instructs Systemd services on how to communicate with the GnuPG SSH Agent. Ensure that the script has the execution bit set.
Bash User Environment
Configure the SSH program to contact the GnuPG SSH agent. Add the following lines to your local profile settings file `~/.profile`:
Creating an Authentication Subkey
Details to be determined (TBD).
SSH Public Key
Use the `gpg --export-ssh-key` command to extract an OpenSSH public key from an OpenPGP public key. Ensure the OpenPGP public key is present in the local keyring.
To allow SSH access to a user on the local system by a system administrator:
To install your own SSH public key on a remote system:
This approach simplifies key management and enhances security by leveraging OpenPGP keys for SSH authentication.
GPG Remote
Using OpenPGP on Remote Systems
If you frequently work on remote systems, you can use GnuPG on these systems without transferring and installing private keys. GnuPG can be utilized similarly to your local machine for signing, decrypting files and emails, performing signed Git operations, signing software packages, or using the GnuPG SSH-agent when opening remote sessions or transferring files. Importantly, your private keys remain on your local machine, which is particularly beneficial when using hardware tokens like YubiKey or smart cards that can’t be directly connected to remote systems.
The GnuPG agent can be configured to use an additional socket on the local system and forward it to the remote system through a secure SSH connection. On the remote system, this socket is then connected to the gpg-agent socket and used by GnuPG as if it were a locally running gpg-agent.
Remote System Setup
Configure the remote SSH server by adding the following line to the `/etc/ssh/sshd_config` file:
Restart the remote SSH server to apply the changes:
Determine the location of the gpg-agent socket on the remote system:
Local System Setup
Determine the location of the gpg-agent extra socket on the local system:
Set up the forward in the local SSH client configuration:
Alternatively, use a more detailed configuration for specific hosts:
Remote GnuPG Setup
While private keys are now available on the remote system, GnuPG isn’t fully usable without the public keyrings. Transfer the public keys and trust settings from the local to the remote system:
Assimilate the GnuPG configuration on the remote system:
This setup allows you to use GnuPG on remote systems seamlessly, leveraging your private keys without compromising security.
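The socket forward described above, as an added example that is not the page’s or GnuPG’s own code: it renders the ssh_config stanza and checks a configuration for the two things that commonly go wrong, the two socket paths swapped (the remote side must be the remote `S.gpg-agent` socket, the local side the restricted `S.gpg-agent.extra` socket) and `StreamLocalBindUnlink` missing on the server. The `/run/user/1000/gnupg` paths are assumptions; take yours from `gpgconf --list-dirs agent-socket` and `gpgconf --list-dirs agent-extra-socket`. The sample configs are constructed.

```python
import re

# Socket names gpg-agent uses; the directory is an assumption (check gpgconf --list-dirs).
REMOTE_AGENT_SOCKET = "/run/user/1000/gnupg/S.gpg-agent"          # on the remote host
LOCAL_EXTRA_SOCKET = "/run/user/1000/gnupg/S.gpg-agent.extra"     # on the local desktop


def render_forward_stanza(host: str, remote_agent_socket: str, local_extra_socket: str) -> str:
    """ssh_config Host block: the remote agent-socket path is bound to the local extra socket."""
    return (f"Host {host}\n"
            f"    RemoteForward {remote_agent_socket} {local_extra_socket}\n")


def parse_ssh_config(text: str) -> dict:
    """Minimal ssh_config parser: {host_pattern: [(keyword, value), ...]}; '*' holds
    options that appear before any Host line."""
    blocks, current = {"*": []}, "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            current = value.strip()
            blocks.setdefault(current, [])
        else:
            blocks[current].append((key, value.strip()))
    return blocks


def check_agent_forward(text: str, host: str) -> list:
    """Return problems with the gpg-agent forward for host (empty list = looks right).

    The classic mistake is swapping the two paths: the remote side must be the remote
    S.gpg-agent socket and the local side the restricted S.gpg-agent.extra socket."""
    problems = []
    entries = parse_ssh_config(text).get(host, [])
    forwards = [v for k, v in entries if k == "remoteforward"]
    if not forwards:
        return [f"no RemoteForward for host {host}"]
    for fwd in forwards:
        parts = fwd.split()
        if len(parts) != 2:
            problems.append(f"malformed RemoteForward: {fwd}")
            continue
        remote, local = parts
        if not remote.endswith("/S.gpg-agent"):
            problems.append(f"remote side should be the agent socket, got {remote}")
        if not local.endswith("/S.gpg-agent.extra"):
            problems.append(f"local side should be the extra (restricted) socket, got {local}")
    return problems


def check_sshd_config(text: str) -> list:
    """sshd_config must set StreamLocalBindUnlink yes, otherwise the forward fails on the
    second and later sessions because the stale socket file still exists on the remote."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"(?i)streamlocalbindunlink\s+yes", line):
            return []
    return ["StreamLocalBindUnlink yes is missing from sshd_config"]


if __name__ == "__main__":
    # Constructed sample configs: one correct stanza and one with the paths swapped.
    good = render_forward_stanza("build.example.net", REMOTE_AGENT_SOCKET, LOCAL_EXTRA_SOCKET)
    swapped = render_forward_stanza("build.example.net", LOCAL_EXTRA_SOCKET, REMOTE_AGENT_SOCKET)
    print(check_agent_forward(good, "build.example.net"))      # []
    print(check_agent_forward(swapped, "build.example.net"))   # two problems
    print(check_sshd_config("# comment\nStreamLocalBindUnlink yes\n"))   # []
```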
GPG Tools
OpenPGP Applications and Tools
1. Gnome OpenPGP Applet
Sometimes, you might encounter blocks of encrypted text, and the Gnome OpenPGP Applet can help simplify the process of working with encrypted content. Typically found in messages like the one below:
The OpenPGP Applet allows you to work directly with your clipboard, eliminating the need to create files. It was initially available exclusively on the Tails Live Linux distribution but has since been made accessible to other Gnome Desktop environments.
With the OpenPGP Applet, you can:
- Encrypt any text in your clipboard with a passphrase.
- Encrypt and sign any text in your clipboard to an OpenPGP public key.
- Decrypt and verify any text in your clipboard.
To install the OpenPGP Applet, you can use the Ubuntu Software Center or the command line:
2. Seahorse Nautilus Extension
Seahorse, also known as “Secrets and Keys,” is the Gnome Desktop application that provides a graphical user interface for managing secrets within the Gnome-Keyring. The “Nautilus extension for Seahorse integration” allows encryption and decryption of OpenPGP files using GnuPG directly from the Nautilus file manager.
To install the Seahorse Nautilus extension, you can use the Ubuntu Software Center or the command line:
3. Signing Git Operations
In the Version Control section, you can find a description of how to set up Git for signing and verifying various operations.
Yubikey
YubiKey
YubiKey NEO
YubiKey is an authentication device capable of generating One Time Passwords (OTP). The YubiKey connects to a USB port and identifies itself as a standard USB HID keyboard, making it compatible with most computer environments using native drivers.
It is available for around €45.00 from the Yubico online store.
Software Packages
Yubico provides a software package repository on Launchpad. You can add it to your system using the following commands:
Yubico Authenticator
Yubico Authenticator is a graphical desktop tool for generating Open AuTHentication (OATH) event-based HOTP and time-based TOTP one-time password codes, commonly used as a second factor for two-factor authentication.
Yubikey Personalization Tool
This graphical tool allows you to customize the YubiKey token with your cryptographic key and options.
Yubikey Manager
Yubikey Manager (ykman) is a Python library and command-line tool for configuring a YubiKey over all transports. It can read device information, configure various aspects of a YubiKey, enable or disable connection transports, and program various types of credentials.
Where to Go from Here…
- Disk Encryption with Yubikey (Not provided)
- Linux Login with Yubikey (Not provided)
- GnuPG with Yubikey (Not provided)
- SSH User Authentication with Yubikey (Not provided)
- YubiKey SmartCard (Not provided)
- Backup Yubikey (Not provided)
Yubikey LUKS
Disk Encryption with Yubikey
YubiKey NEO
Yubikey’s HMAC-SHA1 challenge-response mode can be used to unlock your encrypted hard disk at boot time.
Required Software
Yubikey for LUKS is available from the package manager:
Setup and Configuration
The following assumes that full disk encryption is already enabled on your desktop system and that you unlock the disk with a password at boot time.
Important Information
- The disk device and partition number where your encrypted file system resides.
- The LUKS key-slot to use. By default, slot 7 (the last one) will be used.
Display the already used slots in the LUKS header information:
Backup your LUKS header:
Initialize your Yubikey for HMAC-SHA1 challenge/response mode in slot 2:
Enroll your Yubikey to a LUKS slot:
Enable at System Boot:
Open the file /etc/crypttab and change the line:
as follows:
This tells the boot process to call the script /usr/share/yubikey-luks/ykluks-keyscript, which will send the password typed by the user as a challenge to the Yubikey and send the response from the Yubikey to LUKS to decrypt the disk.
Save and close the file, then update the initial RAM disk:
Yubikey LUKS Suspend
There is also a YubiKey/Luks Suspend/Resume service installed with this software package.
It takes care of closing your encrypted volume and discards all key material from memory before the system goes to sleep.
Unfortunately, this particular feature doesn’t work anymore since Ubuntu 18.04. On suspend, the system gets stuck on a black text screen saying:
When you press enter, the system will lock your session, but doesn’t go to sleep.
You can still use suspend/resume; just disable the yubikey-luks-suspend.service service:
Warning: Be aware that the encrypted volume will remain unlocked during suspend and will be readable on resume without the need for the Yubikey and password. Only a complete shutdown and power off will lock your encrypted volume.
Yubikey PAM
Linux Login with Yubikey
YubiKey NEO
Software Installation
The pam-u2f module implements PAM over U2F, providing an easy way to integrate the YubiKey (or other U2F compliant authenticators) into your existing infrastructure.
We don’t need YubiKey NEO Manager: since November 2015, YubiKeys are shipped with all modes of operation enabled by default.
Yubikey Registration
A mappings file needs to be created and filled with the user’s registered U2F keys.
There is a command-line tool to help with the registration process. Replace ${USERNAME} with the name of the user the Yubikey belongs to, if it’s not your own:
Nothing will happen in your console, but your Yubikey should start to blink because it wants to be touched now. Touch it; the command exits, and the file /etc/u2f_mappings will contain the necessary challenges for the Yubikey belonging to that user.
If you have a second key:
Configuration
Create a new PAM service file /etc/pam.d/u2f:
This tells the PAM module that it can look up information about each user’s U2F keys in the /etc/u2f_mappings file.
Testing with sudo
Include the file in other PAM service files. For example, for the sudo command, edit the file /etc/pam.d/sudo as follows:
Make sure the line “@include u2f” sits before the “common-auth” include line.
Going Live
Open the PAM service file /etc/pam.d/u2f again and remove the debug string:
Open the PAM service file /etc/pam.d/gdm-password and add the following line before the “@include common-auth” line:
Do the same with /etc/pam.d/login and /etc/pam.d/polkit-1.
Lock the Desktop with Yubikey
Set up the desktop to immediately lock Gnome shell desktop sessions when the Yubikey is removed.
In Linux, most hardware devices are managed by the udev service. Using udev rules, actions can be triggered when certain hardware events (device added or removed) occur. Each USB device has a Vendor ID and a Product ID that can be used to identify the device. For all YubiKeys, Yubico’s USB vendor ID (VID) is 0x1050. Yubico publishes a list of YubiKey USB ID Values where you can see all the Product IDs.
To get a list of all currently attached USB devices on your system:
To show only USB devices manufactured by Yubico:
In this example, 0116 is the product ID for a YubiKey NEO. You might have a different product ID.
Note: The USB product ID will change depending on which of the features on your Yubikey have been enabled with Yubikey Manager.
Create a udev rule for this specific device with the file /etc/udev/rules.d/85-yubikey-screen-lock.rules:
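An added example, not the page’s own udev rule: a helper script that the rule can start through RUN+= (the path /usr/local/bin/yubikey-lock is an assumption). It reads the ACTION, ID_VENDOR_ID and ID_MODEL_ID properties udev exports for the event, matches on Yubico’s vendor ID so the rule keeps working when the product ID changes, and locks every session with loginctl lock-sessions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed rule in
# /etc/udev/rules.d/85-yubikey-screen-lock.rules:
#   ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", RUN+="/usr/local/bin/yubikey-lock"
# udev passes ACTION, ID_VENDOR_ID and ID_MODEL_ID (the USB product ID) in
# the environment of the RUN program.

YUBICO_VID="1050"
# Optional space-separated allow-list of product IDs (e.g. "0116" for the
# NEO from the lsusb output above); empty means lock on any Yubico device.
YUBIKEY_PIDS="${YUBIKEY_PIDS:-}"
# The command that locks all sessions; overridable so it can be tested.
LOCK_CMD="${LOCK_CMD:-loginctl lock-sessions}"

# is_yubikey_removal ACTION VENDOR_ID PRODUCT_ID
# Returns 0 when the event is the removal of a matching Yubico device.
is_yubikey_removal() {
    [ "$1" = "remove" ] || return 1
    [ "$2" = "$YUBICO_VID" ] || return 1
    [ -z "$YUBIKEY_PIDS" ] && return 0
    for pid in $YUBIKEY_PIDS; do
        [ "$3" = "$pid" ] && return 0
    done
    return 1
}

# handle_event: evaluate the udev environment and lock when appropriate.
# Returns 0 when a lock was issued, 1 otherwise.
handle_event() {
    if is_yubikey_removal "${ACTION:-}" "${ID_VENDOR_ID:-}" "${ID_MODEL_ID:-}"; then
        $LOCK_CMD
        return $?
    fi
    return 1
}

# udev sets DEVPATH for every event; when run by hand nothing happens.
if [ -n "${DEVPATH:-}" ]; then
    handle_event
fi
```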
References
- Yubico Support: Ubuntu Linux Login Guide - U2F
- Yubico developers site: pam-u2f
- /usr/share/doc/libpam-u2f/README.gz
- /usr/share/doc/libpam-u2f/changelog.Debian.gz
Yubikey GPG
GnuPG with Yubikey
YubiKey NEO
Prerequisites
Additional Software
Install the following:
GnuPG should now be able to access the Yubikey Neo as a smart card:
Setup the Yubikey NEO
Use GnuPG’s card-edit command to configure the card:
Setting PIN codes
The Smartcard has two PIN codes and a reset code:
- Regular PIN to unlock the private key stored on the card, so it can be used for decryption or authentication.
- Administration PIN to reset the regular PIN or reset the private key storage.
- Reset Code to reset the counter of remaining PIN entry attempts.
Warning: Entering a wrong Administration PIN three times in a row destroys the card! There is no way to unblock the card when a wrong Administration PIN has been entered three times.
Yubikey NEO is shipped with:
- A default regular PIN code of 123456.
- A default Administration PIN code of 12345678.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1

Select 1 to change the regular PIN. You will be asked for the current regular PIN, which is 123456 on a new Yubikey, and then twice for the new regular PIN.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3

Select 3 to change the Administration PIN. You will be asked for the current Administration PIN, which is 12345678 on a new Yubikey, and then twice for the new Administration PIN.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 4

You will be asked twice for the new reset PIN.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q
The Yubikey is now ready for use with GnuPG.
Store Your Key on the Yubikey
Note: This will move your private key to the card. It will no longer be available on your desktop computer without the Yubikey.
Start by opening your key with GnuPG for editing:
On other Systems
Thanks to the Yubikey, our private keys are no longer stored on and tied to a particular computer. The Yubikey can be plugged into any computer system, and our private keys are ready for use, right?
Unfortunately, that’s not the case. For the following two reasons:
- As shown at the beginning of this guide, additional software, usually not pre-installed, is used to access the Yubikey or GnuPG Smartcard.
- Second, the local GnuPG keyring doesn’t know anything about the private key on the Yubikey and does not know anything of its corresponding public key.
So, to use your PGP keys stored on a Yubikey or GnuPG Smartcard, the following steps need to be taken:
Install the required software to enable GnuPG to access the Yubikey:

sudo apt install pcscd scdaemon

Download the public keys corresponding to your private keys and add them to the local keyring:

gpg --card-edit
gpg/card> fetch
gpg/card> exit

Edit the key:

gpg --edit-key 0x0123456789ABCDEF
Secret key is available.

sec  rsa2048/0x0123456789ABCDEF
     created: 2014-01-15  expires: 2019-01-14  usage: SCA
     trust: ultimate      validity: ultimate
ssb  rsa2048/0x0123456789AAAAAA
     created: 2014-01-15  expires: 2019-01-14  usage: E
ssb  rsa2048/0x6E0D7F94789BBBBB
     created: 2016-07-02  expires: 2019-01-14  usage: A
[ ultimate] (1). John Doe <john@example.net>
[ ultimate] (2)  John Doe <john@example.org>
[ ultimate] (3)  [jpeg image of size 23712]

At the gpg> prompt, enter trust to start the operation:

gpg> trust
Please decide how far you trust this user to correctly verify other users’ keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don’t know or won’t say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

The local GnuPG installation now has the means to access your private key stored on the Yubikey or GnuPG Smartcard, and it knows about your public keys.
References
- GnuPG Howto’s: The GnuPG Smartcard How-To
- Yubico Support: Using Your YubiKey with OpenPGP
- drduh’s Guide to using YubiKey for GPG and SSH
Yubikey SSH
SSH User Authentication with Yubikey
YubiKey NEO
A YubiKey with OpenPGP can be used for logging in to remote SSH servers. In this setup, the Authentication sub-key of an OpenPGP key is used as an SSH key to authenticate against the server.
See GnuPG with Yubikey and SSH Authentication with OpenPGP.
Yubikey PIV
YubiKey SmartCard
YubiKey NEO
The YubiKey NEO supports the Personal Identity Verification (PIV) card interface specified by the National Institute of Standards and Technology (NIST). This enables you to perform RSA or ECC sign and decrypt operations using a private key stored on the YubiKey. Your YubiKey acts as a SmartCard in this case, through common interfaces like PKCS#11.
Prerequisites
Additional Software
YubiKey PIV Manager (with graphic interface)
YubiKey PIV Tool (command line)
OpenSC - Smart card utilities with support for PKCS#15 compatible cards
Setup the Yubikey
If you have a YubiKey that was not previously set up with YubiKey PIV Manager, a PIN has to be set the first time YubiKey PIV Manager accesses the YubiKey.
The PIN
The PIN is a password that you type when you are using your YubiKey to:
- Request new certificates
- Log into websites using a certificate stored on your YubiKey
- Sign or decrypt mails using a certificate stored on your YubiKey
The PIN must be 4 to 8 characters in length.
The PIN can contain lower- and uppercase English characters and numbers.
Use of nonalphanumeric characters in the PIN is possible but not recommended.
Entering an incorrect PIN three times consecutively will cause the PIN to become blocked, rendering the SmartCard features of your YubiKey unusable.
Let KeepassX generate a random PIN.
The PUK
The PUK can be used to reset the PIN if it is ever lost or becomes blocked after the maximum number of incorrect attempts. Setting a PUK is optional.
If you use your PIN as the Management Key, the PUK is disabled for technical reasons.
The requirements and restrictions of the PUK are the same as for the PIN:
The PUK must be 4 to 8 characters in length.
The PUK may contain lower- and uppercase English characters and numbers.
Use of nonalphanumeric characters in the PUK is possible but not recommended.
If PIN complexity is enforced, the same rules are applied to the PUK.
If the PUK ever becomes blocked, either by deliberately choosing to block it or by giving the wrong PUK value 3 times, it can only be unblocked by performing a complete reset.
Let KeepassX generate a random PUK.
Management Key
By default, the YubiKey PIV Manager lets you use the PIN as Management Key too. This is not recommended for security and compatibility reasons.
The Management Key must be a 24-byte-long 3DES key (24-byte random hex string).
Starting YubiKey PIV Manager
Setting the PIN
Start the “YubiKey PIV Manager” application from the Dash.
Insert your YubiKey NEO in any USB slot.
YubiKey PIV Manager will detect that your YubiKey is not initialized and therefore ask for a new PIN.
Select “Use a separate key” under “Management Key”.
A random 24-byte 3DES Key is automatically created to be used as a management key.
Deactivate “Generate a certificate for authentication” under “Authentication certificate”.
Enter the PIN generated with KeePassX earlier and confirm it.
Copy the Management Key to the clipboard and store it in KeePassX.
Enter the PUK generated with KeePassX earlier and confirm it.
Click OK.
Mozilla Applications Configuration
The procedure is the same for Firefox Browser, Thunderbird Mail Client, and Tor Browser Bundle.
Find the location of the OpenSC PKCS#11 library installed earlier:
$ find /usr/lib -name opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
The second one usually is just a link to the first one.
In your Mozilla Application:
- Open “Settings”
- Select “Advanced”
- Select “Certificates”
- Click the “Cryptographic Modules” button
- Click the “Load” button
- Change the module name to “OpenSC PKCS#11 Module”
- Enter the path of the library as found before (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
- Click the “Ok” button
Yubikey Backup
Backup Yubikey
OpenPGP Keys
Safe working Environment
To set up a second Yubikey for use with your OpenPGP keys, you need a backup of your private keys since it’s not possible to retrieve anything from your original Yubikey.
Since we created a backup of our OpenPGP private keys on the Safe Storage, residing on your Safe System, boot your workstation with it. Keep the network cable unplugged and wireless and Bluetooth disabled.
Mount the safe storage. The following steps assume your safe storage is mounted on /media/$USER/SafeStorage.
Kill all running GnuPG agents, directory managers, etc., as they might interfere:
Set which key we need to move to our backup Yubikey:
Create a temporary GnuPG home directory:
Import from Backup
Import your public key:
Import your private key:
Import your personal trust settings:
Prepare the Yubikey
Set the PIN code needed to unlock the private key on the card before use:
On a new Yubikey, the default is set to 123456.
Change the Admin PIN:
On a new Yubikey, the default Admin PIN is 12345678.
Move OpenPGP Key to Yubikey
Network
Network Time Synchronisation: Ensuring accurate and synchronised time across devices within a network, often achieved through protocols like NTP (Network Time Protocol).
Domain Name Resolver: The system or service responsible for translating human-readable domain names (e.g., www.example.com) into IP addresses that computers can use to locate each other on a network.
DNS Updates: Managing changes and updates to the Domain Name System (DNS), including modifications to domain records such as IP address changes, name server updates, etc.
Virtual Private Network (VPN): Establishing secure and encrypted connections over a public network, allowing users to access private networks as if they were directly connected to them.
SSH - Secure Shell: A cryptographic network protocol for secure communication over an unsecured network, providing a secure way to access and manage remote systems.
Time Sync
Self-hosting means managing various services on your own infrastructure rather than relying on external providers. What follows explains Network Time Synchronisation on the desktop, including the scripts provided:
timesyncd
On Ubuntu, the system clock synchronisation is handled by the timesyncd systemd service, introduced in Ubuntu 16.04 to replace the deprecated classic NTP client (chrony). The service is configured through the /etc/systemd/timesyncd.conf file.
The configuration file (timesyncd.conf) sets the NTP servers to contact, and during runtime, this list is combined with any per-interface NTP servers acquired from systemd-networkd. If no NTP servers are specified, a compiled-in list of servers is used.
To customize NTP servers, you can edit the configuration file. For example, changing the default FallbackNTP to local NTP servers:
After modifying the configuration, restart the systemd-timesyncd service:
systemd-networkd
While systemd-networkd can be configured via /etc/systemd/networkd.conf and various files in /etc/systemd/network/, Ubuntu Desktop doesn’t use systemd-networkd.service by default; instead, it relies on NetworkManager.
NetworkManager
NetworkManager is the default network management tool for Ubuntu Desktop. Unlike systemd-networkd, NetworkManager doesn’t automatically communicate with systemd-timesyncd to set NTP server addresses.
To address this, a script inspired by the ArchLinux wiki can be placed in /etc/NetworkManager/dispatcher.d/ to be triggered by NetworkManager-dispatcher.service on relevant network events. The script (10-update-timesyncd) dynamically updates the timesyncd configuration based on DHCP-supplied NTP servers.
Make the script executable and writable only by the root user:
This script ensures that when a network connection goes up or the DHCP configuration changes, it checks for received NTP server addresses and updates the timesyncd configuration accordingly. The script restarts the timesyncd service if it’s currently active.
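As an added example that is not the page’s own 10-update-timesyncd script, here is a dispatcher hook implementing the behaviour just described. It relies on the variables NetworkManager exports to dispatcher scripts (CONNECTION_UUID, DHCP4_NTP_SERVERS and NM_DISPATCHER_ACTION); the drop-in directory is a parameter so the logic can be exercised in a scratch directory instead of /etc/systemd/timesyncd.conf.d.

```shell
#!/bin/sh
# Added example (not from the original page): NetworkManager dispatcher hook
# that feeds DHCP-supplied NTP servers to systemd-timesyncd through a
# per-connection drop-in file.  NetworkManager runs it as
#   <script> <interface> <action>
# with the lease exported in the environment (CONNECTION_UUID,
# DHCP4_NTP_SERVERS as a space-separated list, NM_DISPATCHER_ACTION).

# update_timesyncd IFACE ACTION [CONF_DIR]
# Writes or removes the drop-in.  Returns 0 when timesyncd needs a restart,
# 1 when nothing changed.
update_timesyncd() {
    iface="$1"
    action="$2"
    conf_dir="${3:-/etc/systemd/timesyncd.conf.d}"

    # Only events that belong to a real connection carry a UUID.
    [ -n "${CONNECTION_UUID:-}" ] || return 1
    conf="$conf_dir/$CONNECTION_UUID.conf"

    case "$action" in
        up|dhcp4-change)
            ntp="${DHCP4_NTP_SERVERS:-}"
            # No NTP option in the lease: remove a stale drop-in so the
            # compiled-in fallback list applies again.
            if [ -z "$ntp" ]; then
                [ -f "$conf" ] && rm -f "$conf" && return 0
                return 1
            fi
            mkdir -p "$conf_dir"
            printf '# generated from the DHCP lease on %s\n[Time]\nNTP=%s\n' \
                "$iface" "$ntp" > "$conf"
            return 0
            ;;
        down)
            [ -f "$conf" ] || return 1
            rm -f "$conf"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# Entry point when started by NetworkManager-dispatcher.service: restart
# timesyncd only if it is active and the configuration actually changed.
if [ -n "${NM_DISPATCHER_ACTION:-}" ]; then
    if update_timesyncd "$1" "$NM_DISPATCHER_ACTION"; then
        systemctl try-restart systemd-timesyncd.service
    fi
fi
```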
References
- Synchronizing your systems time
- systemd-timesyncd.service Ubuntu man page
- Gnome Network Manager
- ArchLinux Wiki on systemd-timesyncd
Unbound
A Little History
The landscape of DNS resolving on Linux and Ubuntu Desktop has evolved significantly over the years. Initially, a straightforward /etc/resolv.conf file sufficed, pointing to LAN or ISP DNS resolvers. However, as networks became more diverse and users more mobile, the need for dynamic and automatic management of connection changes arose.
Several tools and changes were introduced over time:
2006: Network Manager was introduced to help users switch network configurations.
2012: Dnsmasq was installed as the standard local caching resolver.
2015: Ubuntu switched from Upstart to Systemd, but DNS resolving remained with Dnsmasq.
2017: Systemd-resolved replaced Dnsmasq as the default local DNS resolver.
DNS Today
In response to global surveillance concerns, efforts were made to enhance online security and privacy. However, DNS security (DNSSEC) did not receive the same level of attention until recent years. Technologies like DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt were introduced.
Unbound and dnssec-trigger
This document focuses on setting up Unbound as a local DNS resolver on the desktop. Additionally, dnssec-trigger is used to test and handle upstream resolvers for DNSSEC compatibility.
Unbound DNS Resolver
Unbound is a validating, recursive, and caching DNS resolver designed for speed and efficiency. It supports modern features based on open standards and offers DNS-over-TLS and DNS-over-HTTPS for encrypted communication.
Installation
Install Unbound using the following command:
Disable Default Resolver
Since running two different resolvers concurrently is not recommended, disable the default resolver:
Unbound Configuration
Enable Unbound’s remote control by creating /etc/unbound/unbound.conf.d/remote-control.conf:
After saving the configuration, reload the Unbound server:
DNSSEC-Trigger Daemon
DNSSEC-Trigger is experimental software that enables DNSSEC protection for DNS traffic. It reconfigures Unbound based on DNSSEC compatibility tests performed by dnssec-trigger.
Installation
Install DNSSEC-Trigger using the following command:
Configuration
DNSSEC-Trigger uses two configuration files: dnssec-trigger.conf and dnssec.conf in the /etc/dnssec-trigger/ directory. The former controls the daemon’s behavior, and the latter controls the dnssec-trigger script.
Initial Setup
Run the following commands for initial setup:
Network Manager Configuration
To achieve harmony between Network Manager, dnssec-trigger, and Unbound, configure Network Manager as follows:
Create /etc/NetworkManager/conf.d/no-systemd-resolved.conf:
Create /etc/NetworkManager/conf.d/unbound-dns.conf:
Restart the Network Manager service:
DNS
For non-servers such as personal computers, desktops, laptops/notebooks, or portable devices that connect from different networks, dynamic temporary addresses are common. The nsupdate program allows you to contact your domain name server and update your hostname with the current address.
In modern setups, NetworkManager typically handles such updates, making it the logical tool for managing DNS updates.
TSIG Key
TSIG (Transaction Signature) is a mechanism to authenticate DNS update requests. When using nsupdate or a similar tool to update DNS records, you can employ TSIG keys to add a layer of security to the process.
TBD (To Be Discussed)
WireGuard
WireGuard is a modern VPN (Virtual Private Network) protocol that aims to be faster, simpler, and more secure than traditional VPN protocols. It’s designed to be easy to configure and deploy while providing strong security and efficient performance.
Key Features of WireGuard:
Performance: WireGuard is known for its exceptional performance due to its simplicity and efficiency. It’s designed to be lightweight and fast, making it suitable for various use cases, including mobile devices.
Security: WireGuard is built with a focus on security. It uses state-of-the-art cryptographic protocols, including the Noise protocol framework and Curve25519, to ensure strong encryption and secure key exchange.
Simplicity: One of WireGuard’s key design principles is simplicity. The codebase is concise and easy to audit, which contributes to its security. Configuration is also straightforward, making it easier for users to set up and manage.
Dynamic Routing: WireGuard operates at the kernel level, allowing for dynamic routing updates. This enables more flexible network configurations.
Cross-Platform Support: WireGuard is available for various platforms, including Linux, Windows, macOS, Android, and iOS. This cross-platform support makes it versatile for different devices and operating systems.
Tailscale
Tailscale is a secure networking solution that builds on the WireGuard protocol. It simplifies the creation of a secure and private network, allowing devices to connect seamlessly regardless of their physical location. Tailscale is designed for ease of use, making it accessible for individuals and organizations without extensive networking expertise.
Key Features of Tailscale:
Mesh Networking: Tailscale creates a mesh network, connecting devices securely over the Internet. This allows for easy communication between devices, regardless of their location, without the need for complex VPN configurations.
Zero Trust Security Model: Tailscale follows a zero-trust security model, meaning that devices are not implicitly trusted just because they are part of the network. Each device is authenticated, and communication is encrypted.
Cross-Platform Compatibility: Tailscale supports a wide range of platforms, including Windows, macOS, Linux, Android, iOS, and others. This enables a seamless experience across different devices and operating systems.
Centralized Management: Tailscale provides a centralized management console where users can view and manage connected devices. This simplifies network administration and monitoring.
Scalability: Tailscale is designed to scale from small setups to large networks, making it suitable for both personal and enterprise use.
WireGuard + Tailscale
Tailscale builds on the WireGuard protocol to provide a user-friendly and secure mesh networking solution. By combining the efficiency and security of WireGuard with the ease of use and management features of Tailscale, users can create a secure and interconnected network for their devices.
To use WireGuard with Tailscale, you typically install the Tailscale software on your devices, which includes the WireGuard implementation. Tailscale then simplifies the process of creating a secure network, allowing devices to connect seamlessly.
Note: It’s always recommended to check the official documentation of WireGuard and Tailscale for the most up-to-date and accurate information on installation, configuration, and best practices.
SSH
System-Wide Client Configuration
Note: The following configuration options can also be kept in your personal user settings in the ~/.ssh/config file. But if you have services or scripts running under other users or if this system is used by multiple user profiles, it might be easier to maintain a system-wide configuration.
The system-wide default client settings are stored in /etc/ssh/ssh_config. The options are described in the ssh_config(5) man page.
In case you were wondering about the HashKnownHosts option, I suggest reading Joey’s [former] Blog about this.
Specific settings for certain domains and networks, like your own, friends, or customers, might be better placed in their own files for easier maintenance and distribution. That’s what the “Include” statement and the /etc/ssh/ssh_config.d/ directory are for.
Create a file like /etc/ssh/ssh_config.d/example.net.conf and make changes according to your needs:
User Configuration
The per-user client settings are stored in ~/.ssh/config. The options are the same as described in the ssh_config(5) man page.
In the file ~/.ssh/config, you can customize your client (like specific usernames) or add 3rd-party systems which are not covered by system-wide settings:
Again, create several include files for different networks.
In the file ~/.ssh/config.d/local.conf, we set options for discoverable hosts in our LAN:
The file ~/.ssh/config.d/example.net.conf contains settings for our own servers:
OpenSSH Trust in DNSSEC
In the previous section, we set our SSH client to verify the server’s SSH public key against the fingerprints published in DNS through the VerifyHostKeyDNS configuration option. Unfortunately, this won’t work out of the box, as the following tests will show:
Set this to your server’s hostname for the following checks to work:
Let’s check if the fingerprints of our server are present in DNS and that these DNS records are secured by DNSSEC:
The ad flag in the DNS answer stands for “authenticated data” and confirms that the requested DNS records have been successfully verified with valid DNSSEC signatures. But the OpenSSH client will still insist that the fingerprints, while visible, are not to be trusted:
This is caused by the GNU C library, and it is not just a simple bug but a rather complex trust issue described in Glibc support encryption by modifying the DNS.
Unless /etc/resolv.conf contains edns0 and trust-ad as configuration options, programs that use the GNU C library (glibc), like OpenSSH and many others, aren’t able to see that the DNSSEC validation was successful.
Nowadays the /etc/resolv.conf file is managed by systemd, NetworkManager, the resolvconf service, or whatever you use as your local DNS resolver. It is therefore no longer possible, and not recommended, to change anything in this file manually.
As described in the manpage for resolv.conf(5), the options can also be set as a space-separated list in the RES_OPTIONS environment variable. Let’s try this out:
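An added helper, not from the original page, that turns the dig check above into a scripted test: it reports whether the answer carried the ad flag and how many SSHFP records it contained, so the two facts the page looks at (records present, DNSSEC-validated) can be checked from a script before trusting VerifyHostKeyDNS. The parser reads dig output on stdin so it can be tested offline; the sample answer is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original page).
# parse_sshfp_answer: read `dig +dnssec +noall +comments +answer SSHFP host`
# output on stdin and print "<ad|noad> <number of SSHFP records>".
parse_sshfp_answer() {
    awk '
        # header line: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, ..."
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags: /, "", flags)
            sub(/;.*/, "", flags)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        # answer records look like: name ttl IN SSHFP algo type fingerprint
        # (RRSIG records that +dnssec adds are deliberately not counted)
        !/^;/ && $4 == "SSHFP" { count++ }
        END { printf "%s %d\n", (ad ? "ad" : "noad"), count }
    '
}

# check_sshfp_host HOSTNAME: run the same query the page uses and parse it.
check_sshfp_host() {
    dig +dnssec +noall +comments +answer SSHFP "$1" | parse_sshfp_answer
}

# sshfp_is_trustworthy HOSTNAME: 0 only when SSHFP records exist and the
# answer was DNSSEC-validated ("ad"), which is what OpenSSH needs to see.
sshfp_is_trustworthy() {
    result=$(check_sshfp_host "$1")
    [ "${result%% *}" = "ad" ] && [ "${result##* }" -gt 0 ]
}

# Constructed sample of a validated answer (not captured from a real server).
SAMPLE_SECURE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
host.example.net.  3600  IN  SSHFP  1 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
host.example.net.  3600  IN  SSHFP  4 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
host.example.net.  3600  IN  RRSIG  SSHFP 13 3 3600 20250101000000 20241201000000 12345 example.net. c29tZXNpZ25hdHVyZQ=='
```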
Warning: The following system-wide configuration settings should only be made if you trust your DNS resolvers and providers. dnssec-trigger can help establish this trust.
Bash Environment
To set this as a system-wide default for terminal sessions and shell scripts, add the following file to the /etc/profile.d directory:
Systemd Environment
Gnome desktop applications, like remote SFTP folders in Nautilus, may not read your bash environment, as they are not running in your terminal session. Since these are managed by Systemd, we set these through a systemd environment file generator.
Create the systemd user environment directory:
Create the file /etc/systemd/user-environment-generators/90res-options:
It needs to be executable:
Postfix null
Usually, personal computers are not set up to send mail out on their own. However, many things are going on in the background, mostly invisible to the user. Some useful features are only possible if the system can notify you about certain events. For example, if someone tries to log in to your personal computer and fails, the system can attempt to notify you by email. This works only if the system is able to send out mails.
Null Client
We want our personal computer to send out mails on its own but not receive any or deliver mails to its local user accounts. This particular configuration is called a “null client” and can be described as follows:
- It never receives any mail from the network.
- It can only send mail out to a mail gateway/smart-host.
- It does not deliver any mail locally. All mails are sent to outside mail accounts.
In the following example, our personal workstation will be called torres. We have purchased and set up our domain example.net. We call our mail server mail.example.net. This mail server accepts only mails from registered mail accounts that log in with their full mail address and password on the SMTP submission server running on port 587. The connection needs to be encrypted by TLS.
Prerequisites
Installation
To install:
The installation process will ask you a series of questions. Unfortunately, the “null client” configuration we need here is not in the list. Therefore, we have to choose: “No configuration” here.
If you are installing on a Raspberry Pi running Debian:
Postfix Configuration
Create an empty Postfix configuration file:
Main Configuration File
Fortunately, a “null client” needs very little configuration. Just a few lines in the file /etc/postfix/main.cf are enough:
Or you could set those with command lines using postconf:
Client Authentication
Like your desktop mail client or any other client, torres will need to log in (as torres@example.net) before being allowed to deliver mails on mail.example.net.
This is how we tell our workstation to log in on the remote server mail.example.net. We store the login password in the file /etc/postfix/smtp_password.
The format is <SMTP server> <user-name>:<password>.
Create a mail account password for the mail account torres@example.net:
Note the displayed password; you will need it to set up the account on the mail-server later. After that, update the relevant postfix database and protect it:
Mail-Server Account
As mentioned before, for the central mail server mail.example.net, our workstation is just another mail client, which needs to log in before being allowed to send any mails. We, therefore, create a mail account for it on our mail server.
Create a mail account for your workstation on your mail server. You can use the mail server’s Administration Web Interface for that.
Rerouting Local Mails
Notification and warning mails created by system programs (like cronjobs) are usually sent to local profiles like root, webmaster, or other local Unix user profiles. Since these are local profiles, their mail address is just a user id; there is no “@” and there is no domain part.
Local mail is delivered by storing it in a mailbox in the user’s home directory, where it will never be found or read, since these “user” accounts are not real human users.
We want these mails to be re-routed to mailboxes owned by real humans, stored on remote mail-servers: to yourself, the owner, or the person responsible for this computer.
To re-route all mails to one single address, we can use a Regular Expression. Regular expressions need to be defined in a map file for Postfix to interpret them.
So instead of the usual /etc/aliases file, we create a virtual alias table with a regular expression in the map file /etc/postfix/virtual_alias:
#
# Postfix virtual alias map
# Regular expression database
#
# Please run `sudo postmap /etc/postfix/virtual_alias` after changing this file.
#
/.+@.+/ john@example.net
The contents of the file are cached in the database /etc/postfix/virtual_alias.db. That database needs a refresh every time changes have been made to /etc/postfix/virtual_alias:
Configuration Check
Restart Postfix
Send a Test Mail
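The two map files described in this section, built and checked with a small shell helper. This is an added example and not part of the original guide: the server name, account, password and target address are constructed placeholders, and the lookup function only emulates what `postmap -q` does with a regexp: table so that it can run without Postfix installed.

```shell
#!/bin/sh
# Added example (not from the original guide): build the two Postfix map files
# described above and check the properties that matter. Server, account,
# password and the target address are constructed placeholders.

# Write the SASL password map, one line per server, in the format
# "<SMTP server> <user-name>:<password>". The file holds a plaintext password,
# so it is created 0600 from the start (umask 077 in a subshell leaves the
# caller's umask alone). On the workstation, finish with:
#   sudo postmap hash:/etc/postfix/smtp_password
write_smtp_password_map() {
    map=$1 server=$2 account=$3 password=$4
    ( umask 077; printf '%s %s:%s\n' "$server" "$account" "$password" > "$map" )
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$map"
    fi
}

# Return 0 only if the file is readable by its owner alone (mode 0600).
map_is_private() {
    [ "$(stat -c '%a' "$1")" = 600 ]
}

# Emulate a Postfix regexp: table lookup: skip comments and blank lines, take
# the expression between the slashes of each "/expr/ result" line, first match
# wins. Postfix itself answers the same question with
#   postmap -q ADDRESS regexp:/etc/postfix/virtual_alias
# Postfix appends $myorigin to bare local names such as "root" before the
# lookup, which is why /.+@.+/ still catches mail addressed to local accounts.
virtual_alias_lookup() {
    map=$1 address=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        regex=${line%%/ *}; regex=${regex#/}
        result=${line#*/ }
        if printf '%s\n' "$address" | grep -Eq "$regex"; then
            printf '%s\n' "$result"
            return 0
        fi
    done < "$map"
    return 1
}

# Demonstration on a throw-away directory: sh thisfile.sh demo
demo() {
    dir=$(mktemp -d)
    write_smtp_password_map "$dir/smtp_password" mail.example.net torres@example.net 'constructed-secret'
    map_is_private "$dir/smtp_password" && echo "smtp_password is mode 0600"
    printf '/.+@.+/ john@example.net\n' > "$dir/virtual_alias"
    echo "root@workstation.example.net -> $(virtual_alias_lookup "$dir/virtual_alias" root@workstation.example.net)"
    rm -rf "$dir"
}
case ${1:-} in demo) demo ;; esac
```

The permission check is the part worth keeping: Postfix reads the map as root, so nothing stops a world-readable smtp_password from leaking the mail account credentials to every local user.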
Anacron
Since personal computers, unlike servers, are not running 24 hours a day, the daily user data backups should be started by anacron instead of the usual cron.
Anacron will run the backup job once a day, whenever the computer is turned on and not running on battery.
Unlike cron, anacron is normally used for system administrative jobs only and does not run individual user jobs. This document describes how to set up anacron for individual users, so they can run their personal periodic jobs.
Directory Structure
Create anacron directories in the user’s home directory:
This creates the following directory structure:
~/.anacron/cron.daily
~/.anacron/cron.monthly
~/.anacron/cron.weekly
~/.anacron/spool
The anacrontab File
Anacron reads the list of jobs from the configuration file anacrontab.
Create and edit the file ~/.anacron/anacrontab and replace username and home directory with your own literal values (shell variables won’t work here):
Run on Login
To run anacron on every login, edit the file ~/.profile and add the following line at the bottom:
Run every Hour
To make anacron check every hour if there is anything to do, edit the user’s crontab file as follows:
This opens an editor, where the following lines need to be added at the bottom:
Also, replace username and home directory with your own literal values (shell variables won’t work here).
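The three pieces of the per-user anacron setup described above, written out as an added example (these are not the guide’s own files). The user name and home directory are constructed placeholders that the helper fills in as literal values, the check rejects any line where a shell variable or tilde slipped in, and the battery test assumes the on_ac_power command from Ubuntu’s powermgmt-base package.

```shell
#!/bin/sh
# Added example (not the guide's own files): generate and check a per-user
# anacrontab, and the command that ~/.profile and the hourly crontab entry run.
# "username" and "/home/username" are constructed placeholders.

# Write ~/.anacron/anacrontab with literal values. The settings lines (HOME=,
# PATH=) are not expanded by anacron, so the caller passes the real values.
# Job fields: period (days, or @monthly)  delay (minutes)  job-identifier  command
write_user_anacrontab() {
    file=$1 user=$2 home=$3
    cat > "$file" <<EOF
# anacrontab for $user: literal paths only, shell variables are not expanded here
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
HOME=$home
LOGNAME=$user

# period  delay  job-identifier  command
1         5      daily.$user     run-parts $home/.anacron/cron.daily
7         10     weekly.$user    run-parts $home/.anacron/cron.weekly
@monthly  15     monthly.$user   run-parts $home/.anacron/cron.monthly
EOF
}

# Reject a table in which a "$" or "~" survives outside comments: the guide
# requires literal values here, and anacron's settings lines are never expanded.
anacrontab_check() {
    ! grep -Ev '^[[:space:]]*#' "$1" | grep -Eq '\$|~'
}

# The invocation for ~/.profile (run on login) and for the user's crontab:
#   @hourly /usr/sbin/anacron -s -t /home/username/.anacron/anacrontab -S /home/username/.anacron/spool
# -s serialises the jobs, -t names the user's table, -S the user's spool
# directory (the timestamps of the last runs live there, so it must be writable).
user_anacron_cmd() {
    printf '/usr/sbin/anacron -s -t %s/.anacron/anacrontab -S %s/.anacron/spool\n' "$1" "$1"
}

# Login wrapper: do nothing on battery (on_ac_power from the powermgmt-base
# package returns 1 on battery, 0 on mains, 255 when unknown), then run anacron.
run_user_anacron() {
    home=$1 ac=0
    if command -v on_ac_power >/dev/null 2>&1; then
        on_ac_power || ac=$?
        if [ "$ac" -eq 1 ]; then
            echo "on battery, not starting anacron"
            return 0
        fi
    fi
    [ -x /usr/sbin/anacron ] || { echo "anacron is not installed" >&2; return 1; }
    eval "$(user_anacron_cmd "$home")"
}
```

Calling run_user_anacron /home/username from ~/.profile gives the behaviour the section asks for: the backup job fires on the first login of the day, never on battery, and the hourly crontab entry catches the case where the machine was on battery at login time.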
Backup
Setting up a backup client on a personal computer is crucial for safeguarding data. Here are some tools and considerations for this purpose:
Tools:
1. Borg: BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.
2. Borgmatic: borgmatic is a simple, configuration-driven frontend to automate Borg backup on servers and workstations.
3. Vorta: Vorta is a backup client for macOS and Linux desktops. It integrates the mighty Borg Backup with your favorite desktop environment.
Considerations:
User and System Data
- Separate backups for user data and system configuration.
- System configuration backups are made anytime the system is powered on.
- User data backups are made when a user is actively working on the system.
- Encrypted home directories are only backed up when the user is logged in.
- Users don’t have access to system configuration backups.
Scheduling
- Backups can be made several times a day.
- Utilize systemd timers for flexible scheduling.
- Fresh backups after startup and at desired intervals when on AC power and connected to the network.
- User data backups occur whenever the user logs in.
Retention
- Backup archives are stored for specific durations:
- All backups of the last 24 hours.
- Last backup of the day for 7 days.
- Last backup of the week for 4 weeks.
- Last backup of the month for 6 months.
- Last backup of the year for 2 years.
Encryption
- Client-side encrypted backup data.
- Two-factor authentication.
- Password and key-file required to access backup data.
- BLAKE2b-256 recommended over SHA-256 on modern CPUs.
Prerequisites:
- Working Borg Backup Server prepared to receive backup data.
- Personal computer set up to send mails.
Installation:
Ubuntu 22.04 (Jammy) or Later
From Source Using Python PIP
This installs system-wide usable software in /usr/local/bin/, accessible by the system and users alike. To install updates, repeat the installation command.
System Configuration Backup
Borg Preparation
Add configuration and keys directory:
sudo mkdir -p /etc/borg/{keys,ssh}
Add cache and security directories:
sudo mkdir -p /var/lib/borg/{cache,security}
Create SSH private and public key:
sudo ssh-keygen -t ed25519 -C "BorgBackup@$(hostname)" -f /etc/borg/ssh/id_ed25519
sudo chmod 0600 /etc/borg/ssh/id_ed25519
sudo cat /etc/borg/ssh/id_ed25519.pub
Install the public key on the backup server:
sudo ssh-copy-id -i /etc/borg/ssh/id_ed25519.pub borg-backup@nas.example.net
The backup server needs to set up that public key for use with this specific Borg client by defining an SSH forced command pointing Borg to this client’s repository.
Mail Notification Script
Create the /etc/borgmatic/notify.sh shell script for email notifications:
Borgmatic Configuration
Generate a new borgmatic configuration file:
This generates a sample configuration file /etc/borgmatic/config.yaml.
What to Backup and Where
Edit the configuration file /etc/borgmatic/config.yaml with the desired backup settings, source directories, repositories, and exclude patterns.
How to Store the Backups
Continue editing the configuration file to specify storage options, encryption passphrase, SSH command, and directories for Borg.
How Long to Keep Backups
Define the retention policy for keeping backups in the configuration file. Adjust parameters like keep_within, keep_hourly, keep_daily, etc.
What To Do on Errors
Configure hooks in the configuration file to execute shell commands or scripts on specific events, such as backup errors.
What To Do Before and After
Set up pre and post-backup hooks in the configuration file if needed. These can include shell commands or scripts to run before or after backups.
Secure and Validate Configuration
Ensure secure permissions on the borgmatic configuration file and scripts:
Initialize Repository
Initialize the Borg repository:
Interactive Backup Test
Run an interactive backup test:
Systemd Service Files
Service
Create the systemd service file /etc/systemd/system/borgmatic.service:
Schedule
Create the systemd timer file /etc/systemd/system/borgmatic.timer:
Activate
Enable and start the systemd timer:
User Data Backup
Borg Preparation
Add configuration and keys directory:
mkdir -p ~/.config/borg/{keys,ssh,security}
chmod -R 0700 ~/.config/borg
Add a cache directory:
mkdir -p ~/.cache/borg
Create SSH private and public keys for use with Borg:
ssh-keygen -t ed25519 -f ~/.config/borg/ssh/id_ed25519
chmod 0600 ~/.config/borg/ssh/id_ed25519
cat ~/.config/borg/ssh/id_ed25519.pub
Install the public key on the backup server:
ssh-copy-id -i ~/.config/borg/ssh/id_ed25519.pub borg-backup@nas.example.net
The backup server needs to set up that public key for use with this specific Borg client by defining an SSH forced command, pointing Borg to this client’s repository.
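What the forced command mentioned here (and in the System Configuration Backup section above) looks like on the backup server, as an added example that is not taken from the guide, which only describes it. The repository path on the NAS and the key material are constructed placeholders; the restrict option needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example (not from the guide, which only describes the forced command):
# build the authorized_keys entry that pins one client key to one Borg
# repository on the backup server. Repository path and key are constructed.

# Print the line for ~borg-backup/.ssh/authorized_keys on nas.example.net:
#   command="borg serve --restrict-to-repository REPO",restrict TYPE KEY COMMENT
# The forced command means this key can only ever run "borg serve", and only
# against REPO; "restrict" (OpenSSH 7.2+) also disables forwarding and PTYs,
# so a compromised client reaches neither a shell nor other clients' backups.
# The client must then address exactly that path, e.g.
#   ssh://borg-backup@nas.example.net/srv/borg/workstation
# Add --append-only to the command if a compromised client must not be able to
# delete history either (pruning then has to be done on the server).
borg_authorized_key() {
    repo=$1 pubkey_line=$2
    case $repo in
        /*) ;;
        *) echo "repository must be an absolute path: $repo" >&2; return 1 ;;
    esac
    set -f                       # no globbing while splitting the key line
    set -- $pubkey_line
    set +f
    [ $# -ge 2 ] || { echo "malformed public key line" >&2; return 1; }
    printf 'command="borg serve --restrict-to-repository %s",restrict %s %s%s\n' \
        "$repo" "$1" "$2" "${3:+ $3}"
}

# Append the entry to an authorized_keys file unless that key is already listed,
# and keep the file private.
install_authorized_key() {
    file=$1 repo=$2 pubkey_line=$3
    set -f; set -- $pubkey_line; set +f
    if [ -f "$file" ] && grep -Fq -- "$2" "$file"; then
        echo "key already present in $file" >&2
        return 0
    fi
    borg_authorized_key "$repo" "$pubkey_line" >> "$file" || return 1
    chmod 0600 "$file"
}
```

Because ssh-copy-id installs the key without any options, the line it appends on the server has to be replaced by the restricted one; otherwise the client key is a full login to the borg-backup account.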
Mail Notification Script
Create the ~/.config/borgmatic/notify.sh shell script for email notifications:
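A notification script of the kind both Mail Notification Script steps (this one and the system one above) ask for, as an added example and not the guide’s own notify.sh. It hands the message to the local Postfix instance configured earlier through sendmail. The recipient and sender addresses are constructed placeholders, and the script assumes it is called from a borgmatic on_error hook that substitutes its {repository}, {error} and {output} placeholders into the arguments.

```shell
#!/bin/sh
# Added example of /etc/borgmatic/notify.sh or ~/.config/borgmatic/notify.sh.
# Usage from a borgmatic on_error hook (placeholders substituted by borgmatic):
#   /etc/borgmatic/notify.sh "backup failed on {repository}" "{error}" "{output}"
# Recipient and sender are constructed placeholders.

NOTIFY_TO=${NOTIFY_TO:-john@example.net}
NOTIFY_FROM=${NOTIFY_FROM:-"borg@$(hostname 2>/dev/null || echo localhost)"}
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}

# Build the complete message on stdout. The subject is stripped of line breaks
# so that whatever borg printed can never become an extra header, and the body
# (which may contain anything) only starts after the blank line.
notify_message() {
    subject=$1; shift
    printf 'To: %s\nFrom: %s\nSubject: %s\nDate: %s\n\n' \
        "$NOTIFY_TO" "$NOTIFY_FROM" "$(printf '%s' "$subject" | tr -d '\r\n')" "$(date -R)"
    for part in "$@"; do
        printf '%s\n\n' "$part"
    done
}

# Hand the message to the local MTA. -t takes the recipient from the headers,
# -i keeps a line consisting of a single "." from ending the message early.
notify_send() {
    if [ -x "$SENDMAIL" ]; then
        notify_message "$@" | "$SENDMAIL" -t -i
    else
        echo "$SENDMAIL not found; message was:" >&2
        notify_message "$@" >&2
        return 1
    fi
}

case ${1:-} in
    '') echo "usage: $0 SUBJECT [DETAIL...]" >&2 ;;
    *)  notify_send "$@" ;;
esac
```

Because the mail leaves through the workstation’s own Postfix, it is relayed with the torres@example.net account and rerouted by the virtual alias map like every other local notification.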
Borgmatic Configuration
Generate a new borgmatic configuration file:
This generates a sample configuration file /home/user/.config/borgmatic/config.yaml.
What to Backup and Where
Edit the configuration file ~/.config/borgmatic/config.yaml with the desired backup settings, source directories, repositories, and exclude patterns.
How to Store the Backups
Continue editing the configuration file to specify storage options, encryption passphrase, SSH command, and directories for Borg.
How Long to Keep Backups
Define the retention policy for keeping backups in the configuration file. Adjust parameters like keep_within, keep_hourly, keep_daily, etc.
What To Do on Errors
Configure hooks in the configuration file to execute shell commands or scripts on specific events, such as backup errors.
What To Do Before and After
Set up pre and post-backup hooks in the configuration file if needed. These can include shell commands or scripts to run before or after backups.
Secure and Validate Configuration
Ensure secure permissions on the borgmatic configuration file and scripts:
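The configuration steps just listed (what to back up, how to store it, how long to keep it, what to do on errors and before/after, and securing the file), carried out in one place, for this User Data Backup section as well as the System Configuration Backup section above. This is an added example, not the guide’s config.yaml. It assumes borgmatic 1.8 or later (flat configuration without location:/storage:/retention: sections); the repository path on the NAS, the source directories and the passphrase are constructed placeholders, and the retention values are the ones from the Considerations section.

```shell
#!/bin/sh
# Added example: write a borgmatic config.yaml that implements the retention and
# encryption considerations above, then check what borgmatic itself does not
# check for you. Assumes borgmatic 1.8+ (flat configuration). Repository path,
# source directories, passphrase and mail script are constructed placeholders
# that follow the paths used in this guide.

# $1 = destination file, $2 = borg config dir (/etc/borg or ~/.config/borg),
# $3 = borgmatic dir (/etc/borgmatic or ~/.config/borgmatic),
# $4 = borg cache dir (/var/lib/borg/cache or ~/.cache/borg),
# $5 = passphrase (passed in a variable, never typed on a command line)
write_borgmatic_config() {
    file=$1 borgdir=$2 bmdir=$3 cachedir=$4 passphrase=$5
    ( umask 077; cat > "$file" <<EOF
# What to back up and where (source paths are constructed placeholders)
source_directories:
  - /etc
  - /var/lib
repositories:
  - path: ssh://borg-backup@nas.example.net/srv/borg/workstation
    label: nas
exclude_patterns:
  - $cachedir
exclude_caches: true

# How to store the backups
ssh_command: ssh -i $borgdir/ssh/id_ed25519
borg_keys_directory: $borgdir/keys
borg_cache_directory: $cachedir
borg_security_directory: $borgdir/security
encryption_passphrase: "$passphrase"

# How long to keep backups (the retention table from the Considerations section)
keep_within: 24H
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
keep_yearly: 2

# What to do on errors: mail the person responsible through the local Postfix
on_error:
  - $bmdir/notify.sh "borgmatic failed on {repository}" "{error}" "{output}"

# What to do before and after
before_backup:
  - echo "starting backup"
after_backup:
  - echo "backup finished"
EOF
    )
}

# The file embeds the passphrase, so only its owner may read it.
config_is_private() {
    [ "$(stat -c '%a' "$1")" = 600 ]
}

# An empty passphrase must never reach borg unattended, and the prune step runs
# with exactly the keep_* rules present, so make sure all of them are there.
config_sanity() {
    file=$1
    grep -Eq '^encryption_passphrase: "[^"]+"$' "$file" || { echo "$file: empty passphrase" >&2; return 1; }
    for k in keep_within keep_daily keep_weekly keep_monthly keep_yearly; do
        grep -q "^$k:" "$file" || { echo "$file: missing $k" >&2; return 1; }
    done
}

# On the real machine, follow up with "borgmatic config validate" and create the
# repository with "borgmatic rcreate --encryption repokey-blake2", which is the
# BLAKE2b-based mode recommended in the Considerations section.
```

The check for an empty passphrase is deliberate: borgmatic runs from a timer with nobody watching, and a missing passphrase is the kind of mistake that only becomes visible on the day a restore is needed.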
Initialize Repository
Initialize the Borg repository:
After the initialization, a key file is found at ~/.config/borg/keys/$USER.key.
Warning: Without the repository key-file, the repository password, and the SSH private keys, your backup data will not be accessible anymore. Store these files and passwords in a safe place!
Interactive Backup Test
Run an interactive backup test:
Systemd Service Files
Service
Create the systemd service file ~/.config/systemd/user/borgmatic.service:
Schedule
Create the systemd timer file ~/.config/systemd/user/borgmatic.timer:
Activate
Enable and start the systemd timer:
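The service and timer units for these Systemd Service Files steps, generated for both the user scope used here and the system scope of the section above, as an added example (not the guide’s own unit files). They implement the scheduling considerations listed earlier: a run shortly after boot or login, repeated at an interval, skipped while on battery. The borgmatic path assumes the pip installation into /usr/local/bin described above.

```shell
#!/bin/sh
# Added example: the borgmatic service and timer units, generated for either
# the system scope (/etc/systemd/system) or the user scope
# (~/.config/systemd/user). Assumes borgmatic from pip in /usr/local/bin.

# $1 = directory to write into, $2 = "system" or "user"
write_borgmatic_units() {
    dir=$1 scope=$2
    mkdir -p "$dir"
    # In the user manager OnStartupSec counts from login; OnBootSec from boot.
    if [ "$scope" = system ]; then startkey=OnBootSec; else startkey=OnStartupSec; fi
    cat > "$dir/borgmatic.service" <<EOF
[Unit]
Description=borgmatic backup ($scope)
Wants=network-online.target
After=network-online.target
# Skip the run entirely while on battery; the timer simply tries again later.
ConditionACPower=true

[Service]
Type=oneshot
# Lowest CPU and I/O priority so a running backup never makes the desktop sluggish.
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
ExecStart=/usr/local/bin/borgmatic --verbosity -1 --syslog-verbosity 1
EOF
    cat > "$dir/borgmatic.timer" <<EOF
[Unit]
Description=Run borgmatic backup after start and every 4 hours

[Timer]
$startkey=10min
OnUnitActiveSec=4h
RandomizedDelaySec=5min
# Catch up on a run that was missed while the machine was off.
Persistent=true

[Install]
WantedBy=timers.target
EOF
    # Print the activation commands for this scope.
    if [ "$scope" = system ]; then
        printf '%s\n' "sudo systemctl daemon-reload" "sudo systemctl enable --now borgmatic.timer"
    else
        printf '%s\n' "systemctl --user daemon-reload" "systemctl --user enable --now borgmatic.timer"
    fi
}

# Minimal lint before enabling: one-shot service guarded by ConditionACPower,
# timer that persists missed runs and can actually be enabled.
units_check() {
    dir=$1
    grep -q '^Type=oneshot$' "$dir/borgmatic.service" &&
    grep -q '^ConditionACPower=true$' "$dir/borgmatic.service" &&
    grep -q '^Persistent=true$' "$dir/borgmatic.timer" &&
    grep -q '^WantedBy=timers.target$' "$dir/borgmatic.timer"
}
```

The Checking Backups step that follows then reads the results from the journal: journalctl -u borgmatic.service for the system scope, journalctl --user -u borgmatic.service for the user scope.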
Checking Backups
Check the logs in the systemd journal:
Listing Archives
Archive Information
Mounting Backup Archives
The easiest way to access the backed-up files in the archive is by mounting it as a file system:
Save the keys in the GnuPG keyring file /usr/share/keyrings/debian-keyring.gpg. Import the signing key to your personal keyring:
wget -O - https://tails.boum.org/tails-signing.key | gpg --import
Before trusting the imported key, compare its fingerprint (gpg --fingerprint) with the one the Tails project publishes.
Verify the ISO image:
cd Downloads
gpg --verify-files tails-i386-1.3.iso.sig
3. Burn to DVD
You can burn the Tails ISO image to a DVD for booting.
4. Install on USB Flash Drive
Alternatively, you can create a bootable Tails USB flash drive for portability.
With Tails, you can have a secure environment for tasks that demand a higher level of privacy and anonymity.
Safe Storage with LUKS
Linux Unified Key Setup (LUKS) is a disk-encryption standard that provides a robust solution for creating encrypted volumes. This ensures that sensitive data is stored securely, protecting it from unauthorized access.
How to Create and Use Encrypted Volumes with Tails:
To set up encrypted volumes using LUKS on Tails, follow these steps:
Boot Tails:
- Boot your system using the Tails operating system from the DVD or USB flash drive.
Enable Persistent Storage:
- Configure Tails to use persistent storage where the encrypted volumes will be created and stored.
Open Disks Utility:
- Access the “Disks” utility on Tails. You can find it in the application menu or by searching for it.
Create Encrypted Volumes:
- Use the Disks utility to create LUKS-encrypted volumes within the persistent storage. Follow the prompts to set up encryption parameters and passphrase.
Mount Encrypted Volumes:
- Once the encrypted volumes are created, mount them to access and store sensitive data. You’ll need to enter the passphrase to unlock the encrypted volumes.
Unmount Encrypted Volumes:
- When you’re done using the encrypted volumes, unmount them to ensure that the data is securely stored.
By utilising LUKS on Tails, you can create a safe and encrypted storage space for your highly sensitive information, enhancing the overall security of your system.
XCA - X Certificate and Key Management
XCA is an application designed for creating and managing X.509 certificates, certificate requests, RSA, DSA, and EC private keys, Smartcards, and Certificate Revocation Lists (CRLs). It provides comprehensive features for Certificate Authorities (CAs) and supports the signing of sub-CAs recursively. XCA also includes customizable templates for easy certificate or request generation, making it suitable for company-wide use.
Installation:
XCA can be installed on Ubuntu using the Software Center. Open the Software Center and search for XCA, then proceed with the installation.
Configuration:
Open the XCA application.
From the File menu, select Options.
Configure options to match the OpenSSL settings used for Certificates and Keys on the server:
- Remove all listed mandatory subject entries except commonName.
- Set the standard hash algorithm to SHA-256.
- Set the allowed string type to PKIX UTF8.
Create Templates:
Server Template:
Select the Templates tab.
Click the “New Template” button on the top right.
Configure the template settings according to your requirements.
By creating templates, you can efficiently generate new certificates based on predefined settings, streamlining the certificate creation process.
For additional details and reference options, you can consult the XCA Options Reference.
XCA serves as a valuable tool not only for managing your own CA but also for backing up personal, client, and server keys and certificates securely.
Wine
Wine, originally an acronym for “Wine Is Not an Emulator,” is a compatibility layer that enables running Windows applications on various POSIX-compliant operating systems. These include Linux, macOS, and BSD. Unlike virtual machines or emulators that simulate internal Windows logic, Wine translates Windows API calls into POSIX calls on-the-fly. This approach eliminates the performance and memory penalties associated with other methods, allowing for the seamless integration of Windows applications into your desktop environment. Wine provides a bridge for running Windows software on non-Windows systems, expanding compatibility and flexibility for users across different platforms.
Instant Messaging
Dino XMPP Client
Dino is a modern open-source chat client designed for the desktop, focusing on delivering a clean and reliable Jabber/XMPP experience with privacy in mind.
Security: Chats are encrypted on your computer, and with end-to-end encryption via OMEMO or OpenPGP, only you and your chat partners can read messages.
Privacy Features: Dino allows you to disable read and typing notifications globally or for specific contacts to enhance privacy.
XMPP Protocol: Built on the XMPP protocol, Dino promotes decentralized communication, allowing users to use a federated, worldwide infrastructure without relying on a single provider.
Installation:
Signal Messenger
Signal is a cross-platform encrypted messaging service developed by the Signal Foundation and Signal Messenger LLC. It ensures secure one-to-one and group messaging, supporting various media types. Signal provides end-to-end encryption for all communications, and users can independently verify the identity of their contacts.
Installation:
Jitsi Video Conferencing
Jitsi offers free and open-source applications for voice (VoIP), video conferencing, and instant messaging on multiple platforms. The Jitsi project includes Jitsi Desktop, Jitsi Video Bridge, and Jitsi Meet. Jitsi Meet is a full video conferencing application with web, Android, and iOS clients.
- Browser Access: Jitsi allows starting or joining conferences via a web browser without desktop software. Chromium is recommended, and Firefox is not supported as of spring 2020.
Installation:
Public Servers: A list of public accessible servers is available on the Jitsi Community Instances page.
Roll Your Own: For self-hosting, refer to the Video Conferencing Server guide.
Transmission BitTorrent Client
transmission-remote-gtk is a GTK client designed for the remote management of the Transmission BitTorrent client, utilizing its HTTP RPC protocol.
Installation:
Description: Transmission Remote offers a graphical interface for remotely managing Transmission BitTorrent client, providing convenient control over torrents and settings. This client facilitates the interaction with Transmission’s HTTP RPC protocol, enhancing user experience in managing BitTorrent downloads.
Installation Command:
$ sudo apt install transmission-remote-gtk
Calibre - Electronic Books Management
Calibre is a comprehensive and open-source e-book library management application tailored for users of e-books. It offers a wide range of features, including:
- Library Management: Organize and manage your e-book collection efficiently.
- E-book Conversion: Convert e-books between different formats.
- Syncing to E-book Reader Devices: Seamlessly synchronize with e-book reader devices.
- News Download: Download news from the web and convert it into e-book format.
- E-book Viewer: A comprehensive viewer for e-books.
- Content Server: Facilitates online access to your e-book collection.
- E-book Editor: Edit e-books in major formats.
Installation: While Calibre is available in the Ubuntu Software-Center, it’s recommended to install the latest version from the official website as the Software Center version might be outdated. Use the following command to install Calibre:
Synchronize with ownCloud: To access your e-book collection from different devices, synchronize the Calibre Library directory with the ownCloud Desktop Client. This allows online access to your e-book library through the Electronic Books Library server.
Digital Rights Management (DRM): For handling DRM-protected e-books, Adobe Digital Editions under Wine is required since there is no native Linux version. Install Adobe Digital Editions 4.5 under Wine using the provided commands.
De-DRM eBooks: Remove DRM from your eBooks using the DeDRM plugin for Calibre. This involves installing Python for Windows and the required Python Crypto modules under the Wine environment.
The instructions guide you through installing Python for Windows, Python Crypto modules, and the DeDRM plugin for Calibre. This enables you to remove DRM from Kindle, Barnes & Noble, Adobe Digital Editions, and other e-books.
Note: DeDRM is a tool designed to legally remove DRM from your purchased e-books for personal use only.
For the detailed setup and command instructions, please refer to the original guide.
Adobe Acrobat Reader on Wine (64-Bit)
To run Adobe Acrobat Reader on Wine with a 64-bit system, follow these steps:
Open the Adobe Reader Download Page in your browser.
On the website:
- Select “Windows XP SP2 (64-Bit)”
- Choose your preferred language
- Select version 11.0.08 or later
Open a terminal and navigate to the Downloads directory:
cd ~/Downloads
Run the following commands to prepare Wine:
winetricks mspatcha wsh57 atmlib riched20
Install Adobe Acrobat Reader using Wine:
wine 'AdbeRdr11008_en_US.exe'
During the installation, choose “Always open with Protected Mode disabled.”
Media Services
Despite DLNA being an open and proven standard for media services in a home network, the Ubuntu Linux situation is far from perfect.
There are only a small number of projects, some of them abandoned. The default media player applications, Rhythmbox for Music, Totem for Videos, and Shotwell for Photos, don’t know anything about DLNA.
The PulseAudio sound framework has some support for playing audio over a local network, but that doesn’t work out of the box.
Ubuntu as Media Server
This section covers how to use a network media player as your sound card on the desktop. For information on how to share your video, audio and picture collections on the local network, see External Drives.
Install Rygel
Configure Rygel
Create a configuration file (if it doesn’t exist):
touch ~/.config/rygel.conf
Open the configuration file with a text editor:
nano ~/.config/rygel.conf
Add or modify the necessary settings. An example configuration might look like this:
[general]
media-engine=tracker

[GstLaunch]
enabled=true
launch-items=myaudioflac;myvideomkv

[MyAudioFlac]
enabled=true
title=@Audio FLAC
media-container=audio/flac
content-type=music

[MyVideoMkv]
enabled=true
title=@Video MKV
media-container=video/x-matroska
content-type=video
Save and close the file.
Start Rygel
Rygel should now be running and sharing your specified media.
Accessing DLNA on Other Devices: You can use any DLNA-compatible media player or device to discover and play media from your Ubuntu machine. This could include smart TVs, gaming consoles, or other computers on your network.
WireGuard
Virtual Private Network (VPN) Setup using WireGuard
Introduction: WireGuard is a simple, fast, and modern VPN protocol designed to be more performant than traditional protocols like IPSec and OpenVPN. This guide provides a quick start to set up a VPN using WireGuard.
Installation: WireGuard needs to be installed on both the server and client devices.
For Ubuntu:
Configuration:
Server Setup:
Generate server private and public keys:
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Create the server configuration file (e.g., /etc/wireguard/wg0.conf):
[Interface]
Address = 10.0.0.1/24
# the port the client’s Endpoint points at
ListenPort = <Server Port>
PrivateKey = <Contents of /etc/wireguard/privatekey>

[Peer]
PublicKey = <Client Public Key>
AllowedIPs = 10.0.0.2/32
Enable IP forwarding:
sudo sysctl -w net.ipv4.ip_forward=1
Start WireGuard:
sudo wg-quick up wg0
Client Setup:
Generate client private and public keys:
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Create the client configuration file (e.g., /etc/wireguard/wg0.conf):
[Interface]
Address = 10.0.0.2/24
PrivateKey = <Contents of /etc/wireguard/privatekey>

[Peer]
PublicKey = <Server Public Key>
Endpoint = <Server IP>:<Server Port>
AllowedIPs = 0.0.0.0/0
Start WireGuard:
sudo wg-quick up wg0
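Two things the setup above leaves to the reader, as an added example that is not part of the original guide: generating the keys so that the private key is never world-readable (the plain tee invocation creates it with the default umask), and checking a wg0.conf for the mistakes that make wg-quick up fail or, worse, succeed with a placeholder still in the file. The configuration files used in the checks are constructed and contain no real keys; wg_keygen needs the wg tool, the checker does not.

```shell
#!/bin/sh
# Added example: key generation that keeps the private key private, and a
# checker for wg0.conf covering the points the setup above leaves to the reader.
# No real keys are involved; test files are constructed.

# "wg genkey | tee privatekey" creates the key file with the default umask,
# i.e. readable by every local user. Run it under umask 077 instead (needs wg).
wg_keygen() {
    dir=$1
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
    ( umask 077
      wg genkey > "$dir/privatekey" &&
      wg pubkey < "$dir/privatekey" > "$dir/publickey" )
}

# Check a wg0.conf before "wg-quick up":
#  - mode 0600: the file embeds the private key
#  - no "<...>" placeholders left over from the template
#  - [Interface] has Address and PrivateKey
#  - server: ListenPort set (the client's Endpoint has to point at it)
#  - every [Peer] has PublicKey and AllowedIPs; a client peer also needs Endpoint
# $1 = file, $2 = server|client. Prints each problem, returns 1 if any.
wg_conf_check() {
    file=$1 role=$2 rc=0
    [ "$(stat -c '%a' "$file")" = 600 ] || { echo "$file: mode must be 0600"; rc=1; }
    grep -q '<[^>]*>' "$file" && { echo "$file: placeholder left in file"; rc=1; }
    for key in Address PrivateKey; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file" || { echo "$file: missing $key"; rc=1; }
    done
    if [ "$role" = server ]; then
        grep -Eq '^[[:space:]]*ListenPort[[:space:]]*=' "$file" || { echo "$file: server needs ListenPort"; rc=1; }
    fi
    peers=$(grep -c '^\[Peer\]' "$file" || true)
    [ "$peers" -gt 0 ] || { echo "$file: no [Peer] section"; rc=1; }
    for key in PublicKey AllowedIPs; do
        n=$(grep -Ec "^[[:space:]]*$key[[:space:]]*=" "$file" || true)
        [ "$n" -eq "$peers" ] || { echo "$file: every [Peer] needs $key"; rc=1; }
    done
    if [ "$role" = client ]; then
        grep -Eq '^[[:space:]]*Endpoint[[:space:]]*=' "$file" || { echo "$file: client needs Endpoint"; rc=1; }
    fi
    return $rc
}
```

AllowedIPs on the server side is also the access control list: 10.0.0.2/32 means the server accepts packets from that peer only with that source address, so keep it as narrow as the setup above shows rather than widening it for convenience.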
This is a basic setup, and you should adapt configurations based on your specific requirements and security considerations. Always refer to official documentation for the latest and most accurate information.
3rd-Party Repos
3rd-party Software Packages Sources
Over time, various software packages may be installed from third-party repositories on your Ubuntu system. It’s sometimes challenging to remember which packages are sourced from these repositories. Below are examples of adding, removing, and managing third-party repositories.
Uninstalling Packages from a Specific Repository:
Adding 3rd-party Repositories:
Day of Ubuntu Wallpaper:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 0x7A5579BA519AE6BB
sudo nano /etc/apt/sources.list.d/dylanmccall-ppa-trusty.list
deb http://ppa.launchpad.net/dylanmccall/ppa/ubuntu karmic main
Devolo Powerline:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 0x093E0372DBF92DF8
sudo nano /etc/apt/sources.list.d/devolo-updates.list
deb http://update.devolo.com/linux/apt/ stable main
Guardian Project KeySync:
sudo add-apt-repository ppa:guardianproject/ppa
upmpdcli, upplay:
sudo add-apt-repository ppa:jean-francois-dockes/upnpp1
MPD Music Player Daemon:
sudo add-apt-repository ppa:mc3man/mpd-test3
Tor Browser Launcher and OnionShare:
sudo add-apt-repository ppa:micahflee/ppa
Nextcloud Client:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 0x977C43A8BA684223
sudo nano /etc/apt/sources.list.d/owncloud-client.list
deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/xUbuntu_14.04/ /
Quimup:
sudo add-apt-repository ppa:quimup/quimup
Ring:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 0x9842E7BDE8E242F4
sudo sh -c "echo 'deb [arch=amd64] http://nightly.apt.ring.cx/ubuntu_14.04/ ring main' \
  >> /etc/apt/sources.list.d/ring-nightly-man.list"
Conky Manager:
sudo add-apt-repository ppa:teejee2008/ppa
Tor Project:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 0xEE8CBC9E886DDD89
sudo sh -c "echo 'deb http://deb.torproject.org/torproject.org trusty main' \
  >> /etc/apt/sources.list.d/torproject.org-mainline.list"
sudo sh -c "echo '# deb-src http://deb.torproject.org/torproject.org trusty main' \
  >> /etc/apt/sources.list.d/torproject.org-mainline.list"
Wine (Windows Emulation):
sudo add-apt-repository ppa:ubuntu-wine/ppa
Note:
- Adjust the repository URLs and keys according to the specific software and version you intend to install.
- Always be cautious about adding third-party repositories and ensure they are from trusted sources.
- Regularly review and update repositories to maintain a secure and stable system.
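The “trusted sources” note above has a concrete technical side that the apt-key entries in this section predate: a key imported with apt-key is trusted to sign every repository on the system, while a key named in a Signed-By field is trusted only for the source that names it. The helper below writes a scoped deb822 source and finds the legacy entries that still rely on the global trust store. It is an added example, not part of the guide; the repository name, URI and keyring path are constructed placeholders, and it assumes apt 1.1 or later (which Ubuntu 22.04 and later ship) for the .sources format.

```shell
#!/bin/sh
# Added example: scope a third-party repository key to that repository only.
# A key imported with "apt-key" is trusted for every repository on the system;
# a Signed-By keyring is trusted only for the source that names it. Assumes
# apt 1.1+ (deb822 .sources files). Name, URI and key path are constructed.

# $1 = short name, $2 = URI, $3 = suite, $4 = components, $5 = sources.list.d dir
# The keyring is expected at /etc/apt/keyrings/NAME.gpg, created with
# "gpg --dearmor" from a key you verified out of band (fingerprint published
# by the project), not fetched from a keyserver by short key id.
write_scoped_source() {
    name=$1 uri=$2 suite=$3 components=$4 dir=$5
    cat > "$dir/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $components
Signed-By: /etc/apt/keyrings/$name.gpg
EOF
}

# List the legacy one-line entries in a sources.list.d directory that carry no
# [signed-by=...] option, i.e. that still rely on the global apt-key store.
# Output is "file:line" per entry; nothing is printed when all are scoped.
unscoped_sources() {
    dir=$1
    grep -H '^deb' "$dir"/*.list 2>/dev/null | grep -v 'signed-by=' || true
}
```

Running unscoped_sources /etc/apt/sources.list.d on a machine set up with the entries from this section lists every one of the apt-key based repositories, which is the review the last note above asks for.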
Toolbox
Here are some additional tools that can enhance your workflow:
Version Control:
Version control systems help manage changes to source code over time.
- Git: A distributed version control system.
sudo apt-get install git
Meld Visual Diff Tool:
A visual diff and merge tool.
Sublime Text:
A sophisticated text editor for code, markup, and prose.
Guake:
A drop-down terminal for GNOME Desktop Environment.
Sphinx - Python Documentation Generator:
A tool that makes it easy to create intelligent and beautiful documentation.
NUT Monitor:
Network UPS Tools - UPS monitor program.
Gnome Tweaks:
A tool for advanced GNOME 3 settings.
Gnome Shell Extensions:
Extensions to enhance the GNOME Shell.
Pomodoro Technique:
A time management method.
Networking Tools:
Various networking tools for diagnostics and monitoring.
MikroTik WinBox:
Software for Windows that is used to remotely configure MikroTik RouterOS devices.
Download the WinBox executable from the official MikroTik website and run it with Wine.
WebP:
A modern image format that provides superior compression for images on the web.
Feel free to customize the list based on your specific needs and preferences.
Git SCM
Version Control
Version control is crucial for managing source code changes over time. Here’s a guide on using Git for source code management:
Git Source Code Management
Git is a distributed version control system designed for efficiency. It outclasses other tools with features like cheap local branching, staging areas, and multiple workflows.
Installation:
Configuration:
Set up global user information:
Configure PGP settings:
Set up password caching:
GitHub Website
GitHub is a platform for hosting and version control using Git. Here are some configurations:
Mail Address:
Ensure your commit email address matches your GitHub account. Check and add emails at GitHub Email Settings.
PGP Public Key:
Export your PGP key:
Copy and paste the key to your GitHub SSH and GPG keys.
SSH Public Key:
Export your SSH public key:
Add the key to your GitHub SSH keys.
Personal Access Tokens:
For HTTPS connections, create a personal access token at GitHub Tokens. Use it as a password when prompted for HTTPS connections.
Set up credential caching for HTTPS:
Meld Visual Diff Tool
Meld is a visual diff and merge tool. Install it and integrate it with Git:
Meld Installation:
Using Meld with Git:
Integrate Meld as the difftool and mergetool:
Meld as git difftool:
Meld as git mergetool:
Sublime Text
Sublime Text is a versatile source code editor with extensive language support and a Python API. It supports various programming and markup languages, and users can enhance its functionality with plugins.
Software Installation:
Package Control:
Package Control is the de facto package manager for Sublime Text. Install it by opening the “Tools” menu and selecting “Install Package Control.”
For older versions, manually install Package Control:
Access Package Control in the “Preferences” menu as “Package Control.”
Recommended Packages:
EditorConfig: Sublime Text plugin for maintaining consistent coding styles between different editors.
Emacs-like Modelines: Adds Emacs-like modelines for Sublime Text 2 and 3.
Sublime Linter: A code linting framework for Sublime Text 3, highlighting programming errors and stylistic issues.
SublimeLinter-shellcheck: Linter plugin for SublimeLinter that interfaces with shellcheck to find bugs in shell scripts.
SublimeLinter-php: SublimeLinter 3 plugin for PHP, using php -l.
nginx: Syntax highlighting for Nginx configuration files.
INI: Syntax highlighting for INI and REG files in Sublime Text.
HTML-CSS-JS Prettify: Formats HTML, CSS, JavaScript, JSON, React, and Vue code. Requires Node.js for interpretation.
Using Sublime Text with Git:
Set up git to use Sublime Text as the default editor:
Guake
Guake is a dropdown terminal designed for the GNOME desktop environment. Its window style is inspired by first-person shooter (FPS) games, and it aims to be easily accessible.
Software Installation:
Usage:
Press F12 to toggle the Guake terminal.
Guake provides a convenient dropdown terminal accessible with a hotkey, making it easy to quickly access and hide the terminal window.
Sphinx
Sphinx - Python Documentation Generator
Sphinx is a tool designed to facilitate the creation of intelligent and aesthetically pleasing documentation. It is written by Georg Brandl and is licensed under the BSD license.
To install Sphinx and related packages, you can use the following command:
This command installs Sphinx along with some additional packages and themes that enhance the documentation generation process. The sphinx-rtd-theme is the Read the Docs theme, which is commonly used for creating professional-looking documentation.
Once installed, you can use Sphinx to generate documentation for your Python projects. The specific configuration and usage would depend on your project structure and requirements.
NUT Monitor
You can install NUT Monitor using the following command:
NUT (Network UPS Tools) is a collection of programs that provide a framework for monitoring and administering UPS (Uninterruptible Power Supply) hardware. The NUT Monitor component provides a graphical user interface for monitoring and managing UPS devices on your system. After installing NUT Monitor, you should be able to access it to check the status and health of your UPS.
GNOME Tweaks
To install Gnome Tweaks, you can use the following command:
Gnome Tweaks, previously known as Tweak Tool, is a graphical user interface for advanced GNOME 3 settings. It allows you to customize various aspects of the GNOME desktop environment that are not available in the standard system settings. With Gnome Tweaks, you can modify settings related to fonts, themes, window management, and more. It provides a more fine-grained control over the appearance and behavior of your GNOME desktop. After installing Gnome Tweaks, you can launch it and explore the available customization options.
GNOME Shell Extensions
- Firefox Add-On
To integrate GNOME Shell with the extensions repository on the GNOME Extensions website, you can install the necessary tool:
After installation, you can visit the GNOME Extensions website and install extensions with a simple click on the page.
- App Indicators
For supporting app status notifiers in the GNOME Shell, you can install the following:
- AppIndicator Support
Note: Some indicators may require additional support; you can try installing:
- TopIcons Plus
- Lock Keys
For displaying Numlock and Capslock status on the panel, you can use the following extension:
- Lock Keys
- Printers
For managing print jobs and printers, you can install the Printers extension.
- GSConnect
GSConnect is an implementation of “KDE Connect” designed for GNOME Shell. It offers integration with Nautilus, Chrome, and Firefox. GSConnect allows secure sharing of content such as notifications and files, along with features like SMS messaging and remote control. Note that GSConnect does not rely on the KDE Connect desktop application.
To install GSConnect:
Additionally, you may want to install the indicator extension for compatibility with Gtk desktops other than GNOME Shell:
- KDE Connect Indicator
These extensions enhance the functionality and integration of the GNOME Shell desktop environment.
Pomodoro
Pomodoro Technique
The Pomodoro Technique is a time management method that breaks work into intervals, traditionally 25 minutes in length, separated by short breaks. These intervals, known as pomodoros, aim to enhance focus and productivity. The technique was developed by Francesco Cirillo in the late 1980s.
Pomodoro Indicator App
The Pomodoro Indicator app is designed to facilitate the use of the Pomodoro technique in Ubuntu. It offers simple management through the mouse wheel, allowing you to start or stop the procedure. Additionally, you can access menu options to initiate or pause the Pomodoro sessions.
Installation
This app can be a helpful tool for individuals looking to implement the Pomodoro Technique for effective time management.
Winbox
MikroTik WinBox
Winbox is a utility that allows for the administration of MikroTik RouterOS using a fast and simple GUI. While it is a native Win32 binary, it can be run on Linux and MacOS (OSX) using Wine.
Here are instructions for installing WinBox on Linux using a script available on GitHub:
This script helps set up WinBox in your Linux desktop environment. It also handles updates automatically when needed. Keep in mind that some advanced and system-critical configurations might not be possible from WinBox, and you might need to use the console for those tasks.