Thursday, November 06, 2003
Preliminary USB 2.0 Benchmarks
Write speed to the external USB 2.0 drive seems to be around 1.5 to 1.75 Mb/sec (5.27 to 6.15 Gb per hour), which means roughly 24 hours to fill the 75Gb drive that I have in there. That's a bit slow (should be up around 3.0Mb/sec).
The RAID1 set of 5400rpm drives has a bandwidth of around 6Mb/sec (copying 6Gb of data from one part of the disk to the other gave me 3Mb/sec read, 3Mb/sec write).
I'm going to go dust off my little performance app that I wrote and see how those numbers compare to earlier baselines.
Labels: Benchmarks
posted by Wuphon's at
5:01 PM
Wednesday, November 05, 2003
GPG Encrypt Only
Okay, for the next trick... how do you set up a server to encrypt to a public key using GPG while storing no secret-key material on the server at all? For example, I have a server that I've attached a USB drive to for backup purposes. This drive will ultimately end up in a safe-deposit box, but maybe I'll just store it at a friend's house. Since I trust my friend, the majority of the information on the drive is unencrypted, but there still might be data that I want to encrypt (financial records). I could use Windows EFS, except that if I try to attach the drive to another one of my systems I'll have trouble decrypting the data. Easier is to use tar / WinRar / WinZip / Info-Zip combined with my public GPG/PGP key.
Setup:
1. Download and unzip GnuPG into a directory on the server. It should be a directory that gets backed up, but since we won't be storing any secret keys in the key-rings, it's not that important. I usually create a directory called "D:\Data\Bin" (because things in the "D:\Data" folder get backed up).
2. Add the "D:\Data\Bin" folder to your PATH= environment variable. Under Windows 2000, right-click on My Computer, Properties, Advanced tab, Environment Variables, then edit the PATH= system variable and put ";D:\Data\Bin" on the end (note that entries are separated by semi-colons).
3. Look at the readme.w32 file in the GnuPG distribution (or in the folder that you extracted the files to). Create the following key in the registry:
HKCU\Software\GNU\GNUPG
4. Create a REG_SZ variable within the GNUPG key called "HomeDir" and enter the path where you installed GnuPG to. Note that you have to use forward slashes instead of backslashes.
HomeDir = D:/Data/Bin
5. Get a copy of your public key as a text file. You can create this public-key by exporting from your key-ring on your workstation/laptop (gpg --export -a UID > UID.txt) or by importing from a key-server. If you're importing from a text file, use the following command to import the key:
gpg --import keyfile.txt
6. Now you need to designate that this key is ultimately trusted. Since you're encrypting using your own public-key (for decryption later by your secret-key), it's pretty safe to say that you know for certain that you've just imported your own public-key. Use the following commands to mark the key as trusted.
gpg --edit-key UID
Command> trust
Your decision? 5
That will mark the key as ultimately trusted.
7. If you want, you can add the right-click menu option (see my previous blog entry).
8. Test the encrypt/decrypt cycle. To encrypt a file, use the following command (which will encrypt filename.zip using key "UID", creating an output file called filename.zip.gpg):
gpg -r UID --encrypt -o filename.zip.gpg filename.zip
9. Verify that you can decrypt the file by copying the .gpg file to your workstation/laptop and using the following command (GnuPG will prompt you for your passphrase and then decrypt the file using your secret-key):
gpg filename.zip.gpg
Other notes:
Because GnuPG does not encrypt the original file in place, but merely creates a new encrypted file alongside it, you should be careful about how you create archives to be put on removable media. You don't want to do the encryption on the removable media, because the unencrypted (plain text) copy would be left behind in the sectors on the disk (even if you delete the plain text file). The preferred method would be as follows:
1. First, zip/tar your data into an archive that is still on the server's permanent drives. Optionally, you may wish to write this archive into a folder that is protected using Windows EFS.
2. Encrypt the archive file, specifying that the output file should be written to the removable media. Optionally, you may wish to create the .gpg file on the server's permanent drives and then move the file to the removable media (e.g. when you're queuing up multiple archives for off-loading to a tape drive).
Another possibility is that you'll want to encrypt files so that any one of multiple people can decrypt the data. For example, when backing up data, you can choose to encrypt the files so that either of two administrators can retrieve the data without having to share private keys. To do this, you just add more "-r UIDx" elements to the command:
gpg -r UID1 -r UID2 -r UID3 --encrypt -o filename.zip.gpg filename.zip
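The setup steps above (import the public key, mark it ultimately trusted, encrypt to it) and the "other notes" (archive on the permanent drive, encrypt straight to the removable media, several -r recipients) can be scripted so that nothing on the server ever needs a passphrase prompt. The following is an added example, not code from the original post. It assumes gpg.exe is on the PATH (D:\Data\Bin from the setup), that D:\Data\Staging is on the server's permanent RAID1 volume, that E:\Backups is the removable USB drive, that Compress-Archive stands in for WinZip/Info-Zip, and that UID1/UID2 and the fingerprint are placeholders for your own keys. The non-interactive trust step uses gpg --import-ownertrust (ownertrust level 6 is "ultimate"), which is the batch equivalent of the edit-key / trust / 5 sequence the post uses.

```powershell
# Added example (not from the original post). Assumptions: gpg.exe on the PATH,
# D:\Data\Staging on the permanent drive, E:\Backups on the removable drive,
# UID1/UID2 and the fingerprint are placeholders for your own keys.

function Test-NoSecretKeys {
    # An encrypt-only server must hold no secret keys. In --with-colons output
    # every secret key is a record whose first field is "sec".
    $records = & gpg --batch --with-colons --list-secret-keys
    return -not ($records | Where-Object { $_ -like 'sec:*' })
}

function Import-PublicKeyUltimate {
    param([string]$KeyFile, [string]$Fingerprint)
    # Step 5: import the public key exported on the workstation
    # (gpg --export -a UID > UID.txt).
    & gpg --batch --import $KeyFile
    if ($LASTEXITCODE -ne 0) { throw "import of $KeyFile failed" }
    # Step 6 without the interactive prompt: ownertrust level 6 = ultimate.
    "${Fingerprint}:6:" | & gpg --batch --import-ownertrust
    if ($LASTEXITCODE -ne 0) { throw "could not set ownertrust on $Fingerprint" }
}

function Backup-EncryptedArchive {
    param([string]$SourceDir, [string[]]$Recipients,
          [string]$Staging, [string]$Removable)
    # Refuse to run if a secret key has crept onto the server keyring.
    if (-not (Test-NoSecretKeys)) {
        throw 'secret key present in the server keyring; refusing to continue'
    }

    $stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
    $name    = (Split-Path $SourceDir -Leaf) + "-$stamp.zip"
    $archive = Join-Path $Staging   $name          # plaintext: permanent drive only
    $target  = Join-Path $Removable "$name.gpg"    # ciphertext: removable drive

    # 1. Archive on the permanent drive (Compress-Archive stands in for WinZip).
    Compress-Archive -Path $SourceDir -DestinationPath $archive -ErrorAction Stop

    # 2. Encrypt straight to the removable drive, one -r per recipient; any one
    #    of them can decrypt with their own secret key, none has to share it.
    $gpgArgs = @('--batch', '--yes', '--encrypt', '-o', $target)
    foreach ($r in $Recipients) { $gpgArgs += @('-r', $r) }
    $gpgArgs += $archive
    & gpg @gpgArgs
    if ($LASTEXITCODE -ne 0) { throw "gpg --encrypt failed for $archive" }

    # The plaintext archive lived only on the permanent drive, so deleting it here
    # leaves no plaintext sectors on the removable media.
    Remove-Item -LiteralPath $archive -ErrorAction Stop
    return $target
}

# Usage (all values are placeholders):
# Import-PublicKeyUltimate -KeyFile 'D:\Data\Bin\UID1.txt' -Fingerprint '<40-hex-fingerprint>'
# Backup-EncryptedArchive -SourceDir 'D:\Data\Financial' -Recipients 'UID1','UID2' `
#     -Staging 'D:\Data\Staging' -Removable 'E:\Backups'
```

Test-NoSecretKeys is the check worth keeping even if you script nothing else: the whole point of the arrangement is that the server can encrypt but never decrypt, and an accidental `gpg --import` of a secret keyring would silently break that guarantee.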
Reference links:
Earlier blog entry
Getting the long keyID
Software wanted:
What I have yet to find is software that will synchronize an entire source tree where the destination ends up encrypted using GPG/PGP.
posted by Wuphon's at
7:51 PM
Right-click GPG Encryption
This procedure will add a menu-item to let you right-click on a file and encrypt it (or decrypt it) when in Windows Explorer.
Originally posted by Peter Hegt on the gnupg-user mailing list (GPG Windows tip), but I've modified the instructions to work with the current version of GnuPG.
Encryption:
1. Create the following registry key, the text "GPG Encrypt for email address" can be anything that you want to show up on the right-click menu. Since this command will encrypt the file so that it can only be read by the designated user, you'll need a different menu item for every user-key that you're going to encrypt to. (For ad-hoc encryption, you're better off using the command line, this tip is mainly to make it easier to do lots of file encryption for people you communicate with often, or to encrypt files for yourself.)
HKEY_CLASSES_ROOT\*\shell\GPG Encrypt for email address\command
2. The "(default)" value of the registry key should be as follows (change the path to point to the proper gpg.exe file on your system, and make sure you put double-quotes around the %1 to allow for spaces in the filename). The "(default)" value should already exist when you create the "command" key and will be of type REG_SZ. Replace "IDorEMail" with the UserID or e-mail address of the key that you want to encrypt to.
(Default) = c:\App\gnupg\gpg.exe -r IDorEMail --encrypt -o "%1.gpg" "%1"
The end result is a GPG encrypted file with the extension of .gpg tacked on.
Decryption:
1. Create the following key:
HKEY_CLASSES_ROOT\.gpg\shell\GPG Decrypt\command
2. Change the "(default)" value of the registry key to the following:
(default) = C:\App\gnupg\gpg.exe "%1"
This associates the verb with any file that has a .gpg extension and decrypts it (prompting you for your GPG pass-phrase), with the resulting file having the .gpg extension stripped off.
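The three registry entries involved (the HomeDir value from the setup post, and the encrypt and decrypt verbs from this post) can be created from a script rather than by hand in regedit. This is an added example, not part of the original post; it assumes gpg.exe lives at C:\App\gnupg\gpg.exe, that the GnuPG home directory is D:/Data/Bin, and that IDorEMail is the placeholder for the key you encrypt to. The "*" under HKEY_CLASSES_ROOT is a literal key name, which is why the property operations use -LiteralPath instead of a wildcard-expanding drive path.

```powershell
# Added example (not from the original post). Assumed values: gpg.exe at
# C:\App\gnupg\gpg.exe, HomeDir D:/Data/Bin, IDorEMail as the recipient placeholder.
$gpgExe  = 'C:\App\gnupg\gpg.exe'
$homeDir = 'D:/Data/Bin'     # GnuPG wants forward slashes in this value
$keyId   = 'IDorEMail'       # UserID or e-mail address of the key to encrypt to

# HomeDir (REG_SZ) under the per-user GNUPG key, as readme.w32 describes.
$gnupgKey = 'HKCU:\Software\GNU\GNUPG'
New-Item -Path $gnupgKey -Force | Out-Null
Set-ItemProperty -LiteralPath $gnupgKey -Name 'HomeDir' -Value $homeDir

# Encrypt verb on every file type (HKCR\*\shell\<menu text>\command). The %1 is
# quoted so filenames with spaces survive; the output gets .gpg tacked on.
$encKey = "Registry::HKEY_CLASSES_ROOT\*\shell\GPG Encrypt for $keyId\command"
$encCmd = ('"{0}" -r {1} --encrypt -o "%1.gpg" "%1"' -f $gpgExe, $keyId)
New-Item -Path $encKey -Force | Out-Null
Set-ItemProperty -LiteralPath $encKey -Name '(default)' -Value $encCmd

# Decrypt verb on .gpg files only; gpg strips the .gpg extension from the output.
$decKey = 'Registry::HKEY_CLASSES_ROOT\.gpg\shell\GPG Decrypt\command'
$decCmd = ('"{0}" "%1"' -f $gpgExe)
New-Item -Path $decKey -Force | Out-Null
Set-ItemProperty -LiteralPath $decKey -Name '(default)' -Value $decCmd

# Read back exactly what Explorer will run, so a path typo shows up now rather
# than as a silent failure on the first right-click.
(Get-ItemProperty -LiteralPath $encKey).'(default)'
(Get-ItemProperty -LiteralPath $decKey).'(default)'
```

Writing under HKEY_CLASSES_ROOT needs an elevated prompt; the HKCU HomeDir value does not, which matches the post's split between per-machine shell integration and per-user GnuPG configuration.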
If you need help setting up GPG, see my earlier blog entry.
posted by Wuphon's at
6:51 PM
Network Exploration
Step 1, grab a copy of WinPCap for Windows. Step 2, grab a copy of Show Traffic.
It makes for a good tool to use on a LAN segment to verify that your IPSec implementation is working properly (and that no packets are being transmitted in the clear). Usage is pretty simple: you can filter off TCP, UDP or ICMP packets and do some other things. You can't use the tool to see inside the packets; it's more of a quick survey of what IP traffic is on the network.
posted by Wuphon's at
4:38 PM
Server Blues
So the new server box is giving me issues (after being perfectly stable as a workstation). One symptom is that when I copy a few gigs of data from the hard drive to the USB drive, performance slowly falls to nothing (over the course of about 15 minutes). Performance also gets really weird: the machine will seemingly hang for 10-30 seconds (some windows work, most refuse to update or work). Then I get the following event in my event log:
Event ID: 9, Source: atapi, The device, \Device\Ide\IdePort1, did not respond within the timeout period.
Some background about the system. I'm running an Asus A7V266-E motherboard with a built-in Promise FastTrak100 Lite RAID1 controller, hooked to a pair of ATA/133 5400rpm Maxtor drives. I also have an Adaptec 3100LP USB 2.0 PCI card with 3 external ports (and 1 internal port). An Adaptec PCI-SCSI card (AHA-2930CU), a Netgear PCI 10/100 ethernet card and a 3com 10/100 ethernet card. (Which means I'm just about out of PCI slots!) Also running a GeForce3 MX400 AGP video card. I have a SCSI CDRW burner, a SCSI Exabyte 8505 tape drive, a SCSI Iomega ZIP100 drive and a IDE CD-ROM.
All of which is a lot of equipment to try and get running on the first go round. (Smarter folks than me tend to start with the minimum amount of hardware installed and then add on...)
I'm still troubleshooting, but at the moment, I've pulled the Netgear ethernet card, the Adaptec SCSI card, pulled the power plugs on the SCSI devices, and moved the PCI-USB controller card to the last PCI slot (it was in the number one slot). Now I'm copying a few gigs from the hard drive to the USB drive to see if the problem has gone away. I'm pretty sure that moving the PCI-USB card to a different PCI slot is the key thing, but I won't know until I've added back in the rest of the devices.
Update #1: So far, it's been running hard for over an hour (copying files and zipping up 6 directories at the same time). Using a performance monitor interval of 144 sec (4 hrs of duration), the system is processing 3.6 Mb/sec on/off the physical disks. This might seem low, but since it's currently CPU-bound by the WinZip program, it's not that bad. (Bad performance is anything under 1.5Mb/sec, good performance would be 6-8Mb/sec.)
Update #2: It's been a few hours now, I've dropped all of the SCSI devices back in (only thing not re-installed is the 2nd NIC, but I won't put that back in until I setup the isolated wireless segment). Moving the USB-PCI card down to the last slot seems to have done the trick.
posted by Wuphon's at
2:33 PM
Tuesday, November 04, 2003
Encrypted File System
Playing around with Microsoft's EFS (Encrypted File System) again. I'm still trying to answer the question of whether using EFS to encrypt files on a USB drive (or other removable drive) allows you to read the files back on another machine (assuming both machines belong to the same domain and the same user is logged in). So far, I haven't been able to get it to work - it seems like NTFS/EFS is tossing an extra key into the mix so that files encrypted on a drive attached to machine A can't be moved to machine B and read back.
The problem with that is when doing disaster recovery planning where I'm backing files off to a removable hard drive, I want to protect some of the files using encryption, but I can't assume that when I'm restoring from the backup drives that I'll have the original machine to attach to.
Links:
Laptop Security Guidelines
Encrypted Storage
Earlier blog entry about EFS
Even earlier blog entry about disk/file encryption
posted by Wuphon's at
8:42 PM
Monday, November 03, 2003
Server Build
Finally upgrading my old game machine into a server (Athlon XP 1800+). It's already a semi-quiet box, so I went with a pair of 5400 Maxtor 160Gb ATA/133 quiet drives hooked up to the motherboard's Promise FastTrak100 Lite (RAID1) to try and keep the noise down. Now, even though the drive says 160Gb... that's 160,000,000,000 bytes but the Promise FastTrak100 Lite is only seeing 127Gb (ah well... only losing 22Gb). It's an old Asus A7V266-E motherboard, and I don't see any updated BIOS on their website for the raid controller.
It's taking 50 minutes to format 127Gb (or around 43Mb/sec), which is pretty decent performance for only a 5400rpm drive. I'll set it up with a 12Gb boot drive and configure the rest as a storage partition (D:), which should give me net space of 110Gb or so (double the old server that it's replacing).
I still might investigate a quiet power supply, but I think once I close the case I'm not going to notice it. My newer game PC makes a lot more noise (sadly). The mini-ITX boxes are intriguing because they're almost entirely passive-cooling (ultra quiet) - but most of the boxes only hold a single drive and I prefer RAID1 (2 drives) at a minimum.
Oh, and since I started collecting my confirmed spam messages... I now have 4200 spams in my bayesian filter training folder. (The filter is getting *really* accurate.)
posted by Wuphon's at
11:51 AM