Music Monday: Violet, Ninomae Ina’nis
Given the one-year anniversary, I’d be remiss if I didn’t share Ina’s first original song. It’s so beautiful! 💜 I’m impressed with her vocals, and the light electronic instrumentation is right up my alley.
The girls described their musical collaboration earlier this year with:
“We are here for you to overcome the difficult times.”
This time last year was looking pretty grim, but in the pits of our global despair five VTubers stepped up and lifted our spirits. Their timing couldn’t have been better; their enthusiasm and creativity have done so much for us during Covid lockdown melancholy and despair.

Clara and I started watching their streams shortly after Amelia Watson’s debut, not quite sure what to expect. That was probably true of everyone: would an English Hololive work? How would they interact with their Japanese and Indonesian senpais? But it’s safe to say they blew us all away, and their success paved the way for IRyS and the current Council, who wouldn’t exist without their efforts.
Our boy Cali’s music is now a fixture of family roadtrips. Kiara’s enthusiasm is infectious. Watson is our huggable gremlin whose mannerisms have seeped into everything we say (kuh-yuute!). Gura’s bubbly persona and bathtub pizza can’t mask her genuine heart. And Ina, now Clara’s and my favourite ever streamer (!), continues to be a welcome, reassuring presence of comfiness. 💜

Perhaps the best part of all has been seeing their chemistry develop over the last twelve months. I hope to see more of it :). Thank you~
Photographer Eric Kim had this bit of advice for photographers, though I think it applies to anyone with a creative project:
Simple way to thrive as a photographer: Own all your platforms.
For example, own your own self-hosted blog. Bluehost.com or 1and1.com and install wordpress.org
Instead of social media, make your own platform.
This isn’t tenable for everyone, but well worth it if you can.
Last Monday I wrote about a Braun electric shaver I use to shave, funny though it may seem. In particular I wondered why it would refuse to turn on after it was plugged in. A few of you were equally bemuxed, a word I was positive existed, but I can’t find it anywhere else.
Hans Dorn and Dale Smith both wrote in to say the Braun instructions made it clear that it was a safety feature of their electric shavers, to prevent people using it in the shower while it was connected to mains. That makes sense if that’s a design concern. I’ll bet there’s regulations involved as well.
I’ve never thought to use a corded appliance in a shower, whether it be a toaster, hair dryer, or shaver (and definitely not at the same time, before you get any weird ideas). I don’t think I’ve ever shaved in a shower either, even when I was still on acoustic shavers, so I wasn’t even aware people did that. The supplied cable is also far too short to reach a power socket from any shower I’ve ever used; that’s probably also a safety feature.
Yes, I called non-electric shavers acoustic shavers. I call non-motorbikes acoustic bikes too, because they must be. Fling as much justifiable frustration in the direction of the English language as you want for its weird spelling, loanwords, and overuse of idioms, but at least it’s consistent. Wait, no it isn’t.
But if you’ll stop interrupting me, I can see why this safety feature is a Good Thing. Just because you and I wouldn’t do something silly like use an electric shaver in the shower with a power cord somehow dangling over the railing with an extension cable to the power outlet on the other side of the room while trying to shove a hair dryer into a toaster, doesn’t mean someone else hasn’t given it a thought. I’ll bet Mehdi has.

This post was also written in the Midnight Commander’s editor mcedit. I keep forgetting that exists. I adore the DOS-style dropdown menus. Not as much as a pretty sunset, though.
I have a confession. As opposed to a profession? WHOA, is that how that works? Don’t answer that.
I’ve mentioned many times how excited I was for OpenZFS in FreeBSD 13, due in no small part to its inline encryption capabilities. I’d used the closed-source equivalent on the last Solaris, and had made some proof of concepts on the -CURRENT branch, but I hadn’t used it for any real world data. I also didn’t feel as compelled to rush out and replace my GELI encrypted volumes as I first thought. It still works, and will for the foreseeable future.
A shiny new set of drives for my home server finally gave me the kick up the proverbial posterior to give it a shot with some prod data that definitely isn’t a Plex server for anime. This was my story. DUN DUN.
We’ve always been able to encrypt ZFS on FreeBSD, albeit with an intermediate layer performing the encryption before our data hits the disk. GELI was the most recent and accepted tool to achieve this, akin to cgd on NetBSD, or LUKS on Linux. It’s proven, well tested, and secure, like my hat. Wait, what?
Here’s an example of a typical encrypted ZFS volume using GELI. We create a new GPT layout, label it (you’ll be glad you did), create a key, create a new virtual GELI encrypted block device, then build our ZFS pool on top. Note in the final step we reference the virtual encrypted device:
# _LABEL="12TB-IronWolf-SERIALNO"
# _KEY="/root/example.key"
# gpart create -s gpt /dev/ada5
# gpart add -t freebsd-zfs -l "$_LABEL" /dev/ada5
# openssl rand -hex 32 | tee "$_KEY"
# geli init -P -K "$_KEY" "/dev/gpt/$_LABEL"
# geli attach -pk "$_KEY" "/dev/gpt/$_LABEL"
# zpool create pool "/dev/gpt/${_LABEL}.eli"
# zfs create pool/tank
This uses a plain disk, but you could just as easily build this on top of an iSCSI mount, or a HAST volume. When you restart, you perform the geli attach then zpool import as normal.
The key here is you’re encrypting the entire partition beneath ZFS. GELI is device and file-system agnostic, and ZFS is unaware (AFAIK) that it’s operating within a virtual encrypted device. This may still be preferable in some circumstances, as we’ll get to in a moment.
By contrast, is a phrase with two words. OpenZFS’s native encryption operates at the dataset level, negating the need for a GELI device that has to be mounted separately. What’s even cooler is that all of ZFS’s data integrity, deduping, compression, exports, and other features can operate on these encrypted datasets, even if they’re not imported/mounted. Cray!
You can prepare your drive with gpart(8) and create a key as per above. After that, we create a zpool(8), which has the encryption feature available by default on FreeBSD 13:
# zpool create pool "/dev/gpt/$_LABEL"
# zpool get feature@encryption pool
==> pool feature@encryption active local
Then create a new encrypted volume. You can also verify the operation and check the encryption scheme used with zfs-get(8):
# zfs create -o encryption=on -o keyformat=hex \
-o keylocation=file:///root/example.key pool/tank
# zfs get encryption,keylocation,keyformat pool/tank
==> NAME PROPERTY VALUE SOURCE
==> pool/tank encryption aes-256-gcm -
==> pool/tank keylocation file:///root/example.key local
==> pool/tank keyformat hex
Wait, hold on, that’s it? Yes! How cool is that!?
I had initially assumed that using key files would result in the encrypted zfs datasets automounting when the zpool is imported, which is not the case. Even if their key is available on disk, you must load it first before the zfs dataset is mounted and ready to use (it looks like an rc.d service was written and reviewed to facilitate doing this on boot, which I’ll need to investigate).
The easiest way to do this is with the lowercase L option in zpool(8) import, which retrieves all the keys it can before mounting your encrypted datasets:
# zpool import pool -l
Or you can load all available keys with zfs(8) load-key:
# zpool import pool
# zfs load-key -a
Refer to the linked man pages for more details. Even if you don’t need more details, and just want to marvel at what well-documented software looks like. The GNU people could learn a lesson or two (or three).
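Two things the commands above quietly assume are worth checking before a key file is handed to geli(8) or zfs(8): that the file really is 32 bytes rendered as the 64 hex characters that keyformat=hex expects, and that nobody but root can read it. The following POSIX sh helper is an added example, not code from the original post or from the FreeBSD or OpenZFS projects; the function names (make_hex_key, keyfile_ok, create_encrypted_dataset) and the DRY_RUN switch are this example’s own, and the dataset and key path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes FreeBSD 13 with OpenZFS.
# DRY_RUN=1 (the default) prints the zfs command instead of running it, so the
# helpers can be exercised on any POSIX sh box without touching a pool.

: "${DRY_RUN:=1}"

# Generate a 32-byte key as 64 hex characters, the exact form that
# 'zfs create -o keyformat=hex' expects, created root-readable only.
make_hex_key() {
    _out="$1"
    (umask 077; od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$_out")
    chmod 0600 "$_out"
}

# Validate a key file before using it: it must exist, contain exactly
# 64 hex characters, and be mode 0600 (find -perm checks the exact mode).
keyfile_ok() {
    _f="$1"
    [ -f "$_f" ] || { echo "missing key file: $_f" >&2; return 1; }
    _hex=$(tr -d '\n' < "$_f")
    case "$_hex" in
        *[!0-9a-fA-F]*) echo "non-hex characters in $_f" >&2; return 1 ;;
    esac
    [ "${#_hex}" -eq 64 ] \
        || { echo "expected 64 hex chars in $_f, got ${#_hex}" >&2; return 1; }
    find "$_f" -prune -perm 0600 | grep -q . \
        || { echo "$_f must be mode 0600" >&2; return 1; }
    return 0
}

# Build the 'zfs create' invocation from the post for a dataset and key file,
# refusing to proceed if the key file fails validation. Prints the command
# in dry-run mode; runs it otherwise.
create_encrypted_dataset() {
    _dataset="$1"
    _key="$2"
    keyfile_ok "$_key" || return 1
    set -- zfs create -o encryption=on -o keyformat=hex \
        -o "keylocation=file://$_key" "$_dataset"
    if [ "$DRY_RUN" -eq 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage on a real system (placeholders):
#   make_hex_key /root/example.key
#   DRY_RUN=0 create_encrypted_dataset pool/tank /root/example.key
```

Because keyfile_ok is a separate function, the same check can sit in front of the geli init step from the GELI section, where a truncated or world-readable key file is just as much of a problem.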
As I alluded to above, there are a couple of caveats. GELI encrypts whatever data is handed to it, whereas OpenZFS necessarily stores metadata about the datasets in order to use them. This includes dataset and snapshot names. Bear (bare?) that in mind when you’re naming and structuring your datasets.
This is speculation on my part, but I’d also think there’d be a chance for plausible deniability in a device that’s been completely encrypted with GELI, just as any device that uses whole drive encryption. By contrast, OpenZFS dataset metadata makes it obvious that they contain encrypted data, and the scheme with which the data was encrypted. I could be wrong here though.
Overall, is an item of clothing. OpenZFS encryption makes the system administrator’s life easier, and those caveats don’t concern me for how I store my data. I’ll be using it for everything going forward.
Allan Jude and Kyle Kneisl’s FreeBSD Journal article from last year is a great resource if you’d like to learn more about the implementation of OpenZFS’s encryption system. I also found Jim Salter’s article useful in Ars Technica for learning about key management; once you block all the irrelevant autoplaying videos. #ModernWeb
DISCLAIMER: Cryptography is critical to get right, or it’s not worth doing. Always read and follow the official documentation over someone’s blog, even if the blog has a cute anime mascot and is written by someone with the best of intentions and an awesome hat.
Mmm, rolls. Focus, Ruben.
A few eagle-eyed readers have noticed that my omake page has changed. I’ve merged all my disparate lists into one collapsible outline that you can explore by clicking through each section. I’m not at all sure I’ll keep the structure the same here, but it’s a start. Outlines are a fun way to collect and organise information, especially links and short snippets of text. OPML and RDF pending!
Which leads us to blogrolls. These used to be a fixture of the web, back when everyone had a blog. You would share links to your friends and the sites you read, sometimes in your blog sidebar, or on a separate page. I loved clicking through to all these different places in the mid 2000s, and seeing where I ended up.
As Josh from The Geekorium noticed when I posted about it on Mastodon, my fifteen-year old blogroll was in a bit of a sorry state. Over half the sites didn’t resolve, and those that did hadn’t been updated in years. It perhaps shouldn’t have been surprising, but it took me back a bit. I couldn’t decide whether to keep them or not, so I decided to split the difference and keep the ones that still exist, in the hopes that maybe one day they’ll come back. I did the same thing in my blog reader.
But now I’m in the market for other personal blogs to read! Let me know if you’d like to swap links :).
The Philadelphia Inquirer reported on the Pennsylvanian state transit authority’s plan to rebrand Philly’s transit system The Metro:
[..] in the transit agency’s wayfinding master plan, released Tuesday, to make rail transit easier to use in the Philadelphia region. The idea: Unify under one brand a system often thought of line by line, route by route because it’s been labeled that way for a century.
The idea is to use a standardised system of colours and icons:
The agency plans a redo of the system’s maps and signs with the aim of making wayfinding images easier to see and understand quickly. Lines will be denoted by capital letters and color badges instead of pictographs of rail vehicles over colored backgrounds. Planners propose keeping the hues historically associated with them, such as orange for the Broad Street Line, blue for the Market-Frankford Line (the El), and green for trolley routes.
Philadelphia is a beautiful city, and its transit system was one of the reasons Clara and I enjoyed wandering around there. I’ll admit I liked the realistic pictograms of each of the lines, but standardised signage with unique letters and numbers would make more sense.
Most systems in Asia rely on colour codes and names, but I like the idea of also using simple, block letters for those with colour blindness or other vision impairments. Singapore does number the lines as well, but they’re used to denote the direction of travel which I’ve personally found a bit confusing.
SEPTA also introduced their stored-value Key system in 2016 which makes life easier (you’ll need a US VPN to access). We both still have leftover tokens we used when Jim was showing us around :).
We’ve all had that experience where we forget our ATM PIN, or another access code, despite having used it for years. It’s unsettling, frustrating, and can be embarrassing if the lapse happens in public.
The same thing happened to me earlier in the week with my password manager. I sat there for a solid ten minutes unable to remember how to unlock the damned thing, before deciding that going for a walk was a more productive use of my time. I wanted to help someone solve an issue they were having, but I had to get back to them later.
I’ve had lapses where I forget my signature (though I so rarely use that now I understand it a bit more), how to spell my middle name, and the code to access a storage locker which has resulted in alarms sounding. Years ago I even forgot which finger I’d used for biometrics at a data centre, and a security guard had to come rescue me and file a report. Fun!
Mike from Mastodon and Bremen Saki hits the nail on the head, emphasis added:
At some point last year I temporarily lost the ability to tie my shoelaces for most of a day after I accidentally thought too hard about it. Had to forget that I’d forgotten before I could do it again.
That’s the key! So much of this is committed to muscle memory, I feel like as soon as we have to think about it too much, it evaporates.
Back when I was a bad person and used the same password everywhere, I had that string of gibberish committed to my fingers. I didn’t realise it until I got a new keyboard with a slightly different layout (the backtick is always a culprit) where that muscle memory didn’t produce the right password. As soon as I had to start thinking what the password was, it was gone.
As Mike said, our brains are weird.
Clara and I caught up on Bae’s Minecraft stream earlier in the week, and caught this exchange that will surely go down in Internet history. FLOWER!? Flower.
I love that inexplicable things like this exist, and that it’s already a meme with fanart and thousands of tweets. The Internet can be a great place. 🌷