About

I'm a Linux/Unix sysadmin with experience in High Availability, scaling and clustering, security, (Open)SSL and general Linux system administration. I've worked as a sysadmin (devops) for Certificate Authorities, Hospitals, Managed Service providers, Datacenters, Development shops and large Internet Service providers. I currently work for an Openstack provider. I like to design, build and manage large, complex and highly available systems. I like to work with configuration management tools and version control systems. Documentation, monitoring and backups are things I do first, not when the time allows it later.
This is my personal website. Please note that these articles do not reflect the opinions or policies of any of my (previous) employers, only my own.


Latest Items

Raspberry Pi unattended upgrade Raspbian to Debian Testing

27-07-2016 | Remy van Elst

I'm working on a Nitrokey/SmartCard-HSM cluster article and therefore I needed three identical computers. The current version of Raspbian (2016-05-27) is based on Debian Jessie and comes with a version of OpenSC that is too old (0.14) to work with the Nitrokey/SmartCard-HSM. Since there is no Ubuntu 16.04 official image yet I decided to upgrade Raspbian to Debian Testing. Since I don't want to answer yes to any config file changes or service restarts I figured out how to do an unattended dist-upgrade.

Storing arbitrary data in the Nitrokey HSM/SmartCard-HSM with Elementary Files (EF)

17-07-2016 | Remy van Elst

This is a guide which shows you how to write small elementary files to a Nitrokey HSM. This can be useful if you want to securely store data protected by a user PIN. You can enter the wrong PIN only three times, so offline brute forcing is out of the picture.

Use the Nitrokey HSM or SmartCard-HSM with sc-hsm-embedded, mod_nss and Apache (read only module)

15-07-2016 | Remy van Elst

This is a guide on using the Nitrokey HSM with the sc-hsm-embedded module instead of the PC/SC daemon and OpenSC, mod_nss and the Apache webserver. This is an extension of the earlier guide, with new benchmarks. The sc-hsm-embedded module is not using a global lock like OpenSC, therefore providing better performance. The sc-hsm-embedded module is also a read only module, suitable for embedded systems or secure systems. The HSM allows you to store the private key for an SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen. The guide covers the installation of the sc-hsm-embedded module, configuration of and benchmarks from Apache with the HSM and different key sizes.

Decrypt/Extract Nitrokey HSM/SmartCard-HSM RSA private keys

13-07-2016 | Remy van Elst

This is a guide which shows you how to extract private RSA key material from the Nitrokey HSM / SmartCard-HSM using the DKEK. This way you can get the private key out of the HSM in an unencrypted form. It does require access to the HSM device, all the DKEK shares and their passwords. Do note that doing this defeats the entire purpose of an HSM, namely that you never have access to the keys. In the article I'll go over some explanation why this might be a feature you need and why it might be a case of security over convenience.

Use the Nitrokey HSM or SmartCard-HSM with mod_nss and Apache

21-06-2016 | Remy van Elst

This is a guide on using the Nitrokey HSM with mod_nss and the Apache webserver. The HSM allows you to store the private key for an SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen. The guide covers the installation and configuration of mod_nss, coupling the HSM to NSS, generating the keys and configuring Apache, and last but not least we also do some benchmarks on Apache with the HSM and different key sizes.

Get started with the Nitrokey HSM or SmartCard-HSM

19-06-2016 | Remy van Elst

This is a guide to get started with the Nitrokey HSM (or SmartCard-HSM). It covers what an HSM is and what it can be used for. It also goes over software installation and initializing the device, including backups of the device and the keys. Finally we do some actual crypto operations via pkcs11, OpenSSL, Apache and OpenSSH.

HTTP Strict Transport Security for Apache, NGINX and Lighttpd

17-06-2016 | Remy van Elst

HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. This tutorial will show you how to set up HSTS in Apache2, NGINX and Lighttpd.

Toggling in a simple program DEC PDP-8 and PiDP-8 using the switch register

08-06-2016 | Remy van Elst

In this guide I'll show you how to toggle in a simple program on the DEC PDP-8 or the PiDP-8, or in a front-panel simulator named BlinkenBone if you lack the hardware. I have a replica of the PDP-8/I (the PiDP-8) but lacked the actual knowledge on the front panel and switches to get started and do something cool. This guide has step by step instructions, with pictures, and basic explanation. After all, what is an expensive blinking light panel without fun stuff to toggle in?

Ansible - Add an apt-repository on Debian and Ubuntu

15-05-2016 | Remy van Elst

This is a guide that shows you how to add an apt repository to Debian and Ubuntu using Ansible. It includes both the old way, when the apt modules only worked on Ubuntu, and the new way, now that the apt-modules also support Debian, plus some other tricks.

Migrating personal webapps and services

05-05-2016 | Remy van Elst

Recently I've migrated some of my personal servers and services to new machines and newer operating system versions. I prefer to migrate instead of upgrading the OS for a number of reasons. I'll also talk about the migration process and some stuff to remember when migrating web applications and services.

Build a FreeBSD 10.3-release Openstack Image with bsd-cloudinit

27-04-2016 | Remy van Elst

We are going to prepare a FreeBSD image for Openstack deployment. We do this by creating a FreeBSD 10.3-RELEASE instance, installing it and converting it using bsd-cloudinit. We'll use the CloudVPS public Openstack cloud for this. We'll be using the Openstack command line tools, like nova, cinder and glance.

IPv6 in a Docker container on a non-ipv6 network

12-04-2016 | Remy van Elst

At work and at home my ISPs have native IPv6. I recently was at a client's location where they had no IPv6 at all and had to set up and demonstrate an application in a Docker container with IPv6 functionality. They said they had IPv6 but on location it appeared that IPv6 wasn't working. Since IPv6 was required for the demo the container needed a workaround. This article describes the workaround I used to add IPv6 to a Docker container on a non IPv6 network.

Active Directory and Exchange Command Line Powershell

27-02-2016 | Remy van Elst

This is a collection of Powershell snippets to install Active Directory, create a new Active Directory Domain, join an existing Active Directory domain and to install Microsoft Exchange 2013. The snippets were tested on Windows Server 2012 R2.

Let's Encrypt with DirectAdmin, now built in!

24-02-2016 | Remy van Elst

Let's Encrypt is a new certificate authority, recognized by all major browsers. They make it a breeze to set up TLS certificates for your web server. And for free! Let's Encrypt is supported by major players like Mozilla, Akamai, Cisco, the EFF, the Internet Security Research Group and others. Let's Encrypt provides free, automatic and secure certificates so that every website can be secured with an SSL certificate. This article shows you how to set up Let's Encrypt with the DirectAdmin web control panel. DirectAdmin now supports Let's Encrypt natively since 1.50, so no more ssh fiddling, just via the control panel, for all the users on the server.

Recap of week 04, 2016

30-01-2016 | Remy van Elst

Recap of week 04 of 2016, covering open source and sysadmin related news, articles, guides, talks, discussions and fun stuff.

Recap of week 03, 2016

23-01-2016 | Remy van Elst

Recap of week 03 of 2016, covering open source and sysadmin related news, articles, guides, talks, discussions and fun stuff.

Ansible playbook for GoAccess Log Analyzer

17-01-2016 | Remy van Elst

This is a small Ansible playbook to deploy the GoAccess log analyzer on Debian based systems. Next to Piwik, I use goaccess myself to get better insights into who and what visits my servers. This role is meant to be included in your webserver playbooks.

Recap of week 02, 2016

16-01-2016 | Remy van Elst

Recap of week 02 of 2016, covering open source and sysadmin related news, articles, guides, talks, discussions and fun stuff.

Deborphan cleanup until no more orphaned packages left

11-01-2016 | Remy van Elst

Deborphan removes packages it thinks your system doesn't need anymore. It is a great tool for package cleanup and maintenance. Sometimes, after cleaning up the packages, it will find new packages that are orphaned (because you just cleaned up). This is a small script that cleans up with deborphan until there is nothing more to clean up.

Recap of week 01, 2016

10-01-2016 | Remy van Elst

Recap of week 01 of 2016, covering open source and sysadmin related news, articles, guides, talks, discussions and fun stuff.

Microsoft Office 2013 and 2010 on Linux

02-01-2016 | Remy van Elst

This guide shows you how to run Microsoft Office 2013 and 2010 on Linux using CrossOver. It guides you through the installation and gives a review on what parts of the Office suite work with Linux.
