Encrypt Home DNS Traffic

Fully secure your home DNS traffic with CoreDNS

Your DNS server knows a lot about you; in fact, it knows every single website you visit. Between ISPs intercepting both valid and invalid domains, and potentially selling your browsing history to advertisers, it is both prudent and remarkably simple to encrypt all of your DNS traffic to prevent this and, more importantly, to protect this traditionally plain-text data from prying eyes.

Partially Authoritative DNS Zones with CoreDNS

Partial is a drop-in replacement for the CoreDNS file plugin that provides semi-authoritative DNS zones.

A semi-authoritative zone lets you serve authoritative answers for the records in a given zone that the DNS server knows about, while forwarding all unknown requests to an upstream server.

Available as a CoreDNS plugin, Partial is a drop-in replacement for the CoreDNS file plugin that allows for partially or semi-authoritative DNS zones, and is available on GitHub at https://github.com/charlesportwoodii/coredns-partial.

Encrypted BTRFS backups with Minio, Systemd, and Restic

Automate backups on systemd-enabled Linux distributions to an encrypted BTRFS store with Restic and Minio.

If you’ve ever lost an important document or file, you know how essential timely and reliable backups are. Getting backups done efficiently can prove to be a challenge, however, especially on Linux, where a dozen different tools exist that each do a variation on the same theme.

Until recently I’ve been using Duplicati, which is an excellent tool but struggles to start reliably on newer Linux kernel versions, resulting in inconsistent backup states and data loss when you need to recover something.

In this article I’ll cover how I automate backups of all my Linux desktops, servers, and laptops to a locally encrypted BTRFS store, and off-site to a cloud provider.

AMD Ryzen 2 PCI Passthrough with OVMF+VFIO and libvirt on Ubuntu 18.04 to Windows 10

Information for getting PCI passthrough working between Ubuntu 18.04 and Windows 10 using OVMF, VFIO, and Libvirt

Unable to tolerate the significant performance losses I was seeing on my aging i5-2500 desktop, I recently elected to upgrade my desktop to something a bit more powerful that would enable me to work faster and get more done.

While planning out this process, I stumbled upon this article from mid-2017 detailing the process of getting GPU passthrough working on Fedora 26 with Ryzen.

Exhausted by the constant performance losses incurred by the Spectre and Meltdown mitigations on my old i5-2500, and wanting to capitalize on the cost-per-core benefit Ryzen 2 offered, I decided to take the plunge into GPU passthrough to see if it would be a viable long-term solution for me, and my, have I been pleased.

This write-up details my experiences getting PCI passthrough working from Ubuntu 18.04 to Windows 10 using OVMF+VFIO and libvirt. While this document shouldn’t be considered a comprehensive guide, it covers what I needed to do to get this working (mainly so I can set it back up again if I ever need to), along with a few tips and tricks I’ve learned along the way.

Wireguard on EdgeOS for a faster home VPN

Installing Wireguard on Ubiquiti routers for faster home VPN

Wireguard is an extremely simple, fast, and modern VPN. With its introduction into the mainline Linux kernel, Wireguard promises to provide a simpler, faster, and more secure way of setting up a VPN without needing to deal with traditional solutions like OpenVPN and L2TP/IPsec, which can be cumbersome and slow.

In this article I’ll cover how to install Wireguard on a Ubiquiti router, and how to connect a remote client to it.

Adding a Secondary Encrypted Hard Drive with LVM & LUKS on Ubuntu

A guide to encrypting a second drive on Ubuntu with LVM

Similar to BitLocker on Windows, the native Ubuntu installer provides the capability, during installation, to encrypt your primary hard drive. Getting secondary, or even external, devices encrypted is a bit more complicated, however.

In this article I’ll cover how to encrypt a second hard drive after installing Ubuntu, and how to set it up with LVM for easy expansion later. Additionally, I’ll cover the steps necessary to automatically unlock external drives on boot when you unlock your primary hard drive, and how to access this media once logged into the system.

Protecting Passwords with Argon2id in PHP 7.3

Better password security in PHP 7.3 with Argon2id

Starting with PHP 7.3, Argon2id may be used as part of the password_* functions to provide better password security.

In this article I cover the benefits of Argon2id, how to compile Argon2id support into PHP, how to use Argon2id within your PHP 7.3 applications, and some useful information about Argon2id usage within applications in general.

For more information on Argon2id support within PHP 7.3, reference the Argon2 Password Hash Enhancements RFC on the PHP Wiki.

Creating an Alpine Linux Repository

Creating & Hosting an Alpine Linux Package Repository for Docker packages

One of the common problems developers run into when creating their own Docker images is the sheer size of the final output image. Even after compressing and squashing, images based off of Ubuntu or CentOS can still be hundreds of megabytes in size.

As part of my personal dockerization efforts I’ve spent the past several weeks working on repackaging my PHP and Nginx packages so that they work on Alpine Linux with the aspiration of significantly reducing the size of the Docker images I provide.

To reduce the complexity of my Docker images, I pre-build packages for a given operating system, then install them using the operating system’s built-in package manager. After creating packages for Alpine Linux (which was troublesome in its own right), I discovered there was little to no accurate documentation on how to create a web repository for Alpine Linux.

In this article I’ll cover the steps I needed to take to create a maintainable Alpine Linux web repository.

Moving to Hugo

Migrating my personal blog from CiiMS to Hugo

It’s hard to believe that it has almost been an entire year since my last blog post. In that time a lot has happened and changed both with my personal life and in the web development world. With those changes comes the need to re-think the way I both host and manage my personal blog – including the platform. Starting today, I’m moving my personal blog (and several other pages scattered across the internet) from being hosted on CiiMS to being hosted on Google Storage with Hugo.

ECDSA Certificate Authorities and Certificates With OpenSSL

Everything you wanted to know about generating the next generation of public key ECC ECDSA certificates and certificate authorities with OpenSSL.

A lot has been said recently about ECDSA certificates and elliptic curve cryptography (ECC), and about how they are the future of the humble SSL certificate. Cloudflare has written several articles describing exactly what ECDSA certificates are and how they work with ECC.

If you’re not familiar with ECC yet, Cloudflare provided a pretty basic TL;DR of what exactly ECC is and why it is important:

[…] ECC is the next generation of public key cryptography and, based on currently understood mathematics, provides a significantly more secure foundation than first generation public key cryptography systems like RSA. If you’re worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt. _https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/_

Based upon our current understanding of mathematics, ECC provides significantly better security and performance than a typical 2048-bit RSA certificate. In this article, we’ll cover how to create an ECDSA certificate authority, how to generate an ECDSA-compatible CSR, and how to sign ECDSA certificates.