Cybersecurity engineer here, these are all great answers I just wanted to add a couple tidbits.

• Where are the keys stored: In enterprise level security, you never want to store your key in the same system you are securing, so you normally use a “Key manager” or an “HSM” (Hardware security module) These are hardened appliances dedicated to generate keys and store them, then other devices that then use protocols such as KMIP or API calls to retrieve them remotely. The key is encrypted in transfer and never stored permanently in the client that is being encrypted. There’s also a key encryption mechanism … but let’s not goo too far into it. I’ll just mention that there’s usually a data encryption key (DEK) and a Key Encryption Key (KEK) and the DEK is never exposed. HSMs themselves are basically physical key managers that have a tamper proof crypto module built in. Think of them as TPM2 on steroids. If you want to read more about these guys check out the FIPS specification that they’re built to. https://en.wikipedia.org/wiki/FIPS_140-3

• How does the OS know which key to use: It doesn’t There is usually overlay software than handles this part, typically called an “encryption agent” that runs in the kernel space. Even tho most software is based on open source, encryption agents are usually very complex and secretive. My company’s filesystem encryption agent for example embeds 4Kb of metadata on every file with the name of the key that was used to encrypt it to prevent double encryption and help in file restoration. When a file request comes into the OS, we are loaded into the kernel and use a “filter driver” to decide if the file is encrypted or not, and if it’s encrypted, we route the file request to a virtual file system that then pipes it to our software for processing ACLs and decryption. If you want to learn more you can check out this brochure. https://cpl.thalesgroup.com/encryption/transparent-encryption

Happy to answer any questions.

Watch them try to ban raspberry pi now … like they did with the flipper

That’s fucking awesome!

I feel like this woman is about to give a bomb ass obituary so fucking powerful that it’s going to start a revolution https://youtu.be/TaKrm5txGCQ?t=4

Interesting, thanks for sharing.

Any clue what the power draw on the disk array is? I did some basic measurement with the kill-a-watt and a spinner takes about 6-7W where as an SSD takes about 2, the price difference is too much for my use case tho, performance per watt per TB, I’m better off with 1 single disk (or a mirror pair) of 6 TB in spinning rust.

I’m not particularly concerned about data security since I’m syncing evrything 3 ways. Whenever one of the drive fails I’ll consider it a “surprise disaster recovery exercise” XD

I was googling for orca-ucraine related news hoping that they had found a new way to end the war yet a little sooner.

Appreciate your input. K8 is on the roadmap. Currently on portrait using pangolin as a tunneled proxy.

Eventually plan to migrate from Joomla in LXC to a docker swarm load balanced by pangolin.

In b4 the comic of the two dudes putting an Ukraine hat on the dolphin

What did I miss now?

It does but there’s a lot of other stuff connected that I can’t unplug. I ended up getting a kill a watt and since the server has redundant power supplies I checked by unplugging one at a time.

I’m using 168W on an R430 with 2 E5-1220’s and 128 G and 8 spinners.

You’re probably using revanced or vanced … there was a recent patch, you have to update it.

I don’t trust oracle at all. The guide uses them because they’re free (It includes a business generator so that oracle doesn’t reclaim your box)

I personaly went with IONOS because they have a 2.99 plan with unlimited bandwidth which is great for pangolin as that’s routing traffic for my “media” box

not the same thing at all, but there’s already been a couple of pretty high profile “prompt injection” malware cases out there.

Host a pangolin reverse proxy on a free oracle cloud VPS! It’s super nice to redirect online traffic to a LAN resource, that way you can share your home lab with friends and family without having to forward any ports or loosen your security posture.

https://blog.thetechcorner.sk/posts/Connect-to-your-homelab-over-CGNAT-with-tunnels-homelab-2-0/

I also highly recommend this suite of tools for downloading and streaming legal media via torrent because I would never endorse piracy.

https://github.com/TechHutTV/homelab/tree/main/media

My previous experience is with dropbox and onedrive and I tend to limit bandwidth … I want sync to happen in the background. It’s not something I usually consider “high priority”

I found NC to be a lot more flexible and complete, specially with all the machine learning options. I also appreciate the privacy and price Hosting about 7TB of data for $10 worth of power a month and a $150 investment that allows me to host many other things.

The web interface in my case is a bit slow initially but that’s mostly because I opted to route it via pangolin reverse proxy / cloud flare tunnels, but I notice once the redis cache DB loads it’s blazing fast.

Overall I’m pretty happy with the speed, I’m sharing this with a family of 15 and I haven’t heard any complaints yet.

not sure what the big deal is, I’m running a docker lab with portrainer inside a proxmox LXC

Wow! Thanks so much for that explanation. I think In my mind I was mixing DAS with SAN and “fabric”

I’m much more confident now In planning this upgrade.

Good Point, idrac has issues on this server, I’ll take another crack at it and see if I can get it going.

I tried with powerstat and powertop but no dice

about 5TB of the 7 I have available are in use. I was planning on expanding to 12 to allow for growth.

I could just upgrade to bigger drives (1 TBs currently) but it feels cheaper to go with DAS

Good point. I actually have a watt meter coming in the mail tomorrow. Will measure the idle consumption of the r430 and report back. This thing sits mostly at under 10% except when running backups or the machine learning algos for nextcloud image recognition.

<!–StartFragment–>

<!–EndFragment–>