The Hermit Project - Part 4

Innsbruck is beautiful at Christmas time: the white mountains, the scent of mulled wine (Glühwein) as you walk through the Christmas markets near the city hall. While wandering around the city, I wondered how it would feel to have a small cabin out in the mountains there, perhaps by a lake, a small car just big enough for grocery shopping, and an Internet connection just enough to exchange a few emails and make some video calls. I can picture myself curled up under a blanket on the sofa, reading. Would that be the perfect setting for a digital hermit? Ok, to make it perfect, I wouldn’t mind a seaplane docked by the lake, if I can dream big. ;-)

The Chuwi laptop was perfect for what I needed. Journaling helped me get through the holidays, although the pain was still there. During this time, Nina’s words resonated again and again: “With modern processors, you have enough power to run any basic tasks”. Running DBU and Harbour made me realise that I could perhaps add a few more functions beyond writing journals and articles.

The time has come to go back to London. I travel light between Milan and London, as I have everything duplicated between the two homes (yes, that includes clothes). So I wouldn’t bring the Chuwi laptop with me. Before leaving, I wanted to save what was in my Hermit partition.

I am a Nextcloud user, but it seemed too much for a few configuration files and some text notes. I thought I would use Git with my own private Gitea installation. I keep the configuration (aka “dot” files) of my work/standard partition completely separate from those of the Hermit partition. My friend Matteo (jtheo) had spoken a few weeks earlier about chezmoi, a project that keeps the configuration files in your home directory in sync across multiple machines. I wanted to give it a try because it could also be helpful for my work stuff. Even though I run a private Gitea instance on a VPN, I couldn’t trust it with private keys in cleartext.

Chezmoi supports Filippo Valsorda’s age. I love age. It’s a single-binary encryption program, very similar to my beloved GPG/PGP but with far less complexity. I configured an offline age key that I didn’t include in any configuration, and I pushed the chezmoi repository to my Gitea.

The chezmoi.toml configuration is as simple as this:

encryption = "age"
[age]
   identity = "/usr/home/XXXX/.config/chezmoi/XXXXX.key"
   recipient = "XXXXXXXXXXXX"

I found a solution for my configuration files. But what about my journal? I didn’t want to commit the journal files in cleartext; I consider them even more confidential than an SSH key. So I decided to skip these files for the moment and go home to the UK.

In London I have a spare laptop similar to the Chuwi but slightly more powerful: a Dell Latitude 7390 with a 13-inch screen, an i5 processor, 16 GB of RAM and a 256 GB NVMe (replaced with a 2 TB NVMe) that I bought second-hand. I believe it’s the best piece of hardware I’ve purchased in a good while. Thanks to Matteo for such an astounding hint. I replicated what I did on the Chuwi laptop: I shrank the partitions and gave the space to a small FreeBSD installation with ZFS and a ZFS-encrypted home.

I started documenting the Hermit configuration in a separate git repository, along with the scripts, to help me replicate and sync the configuration across the different installations. The chezmoi encryption and configuration worked like a charm between the two laptops.

So I had an idea: what if I used a similar approach to protect my journal? I could use age to encrypt the files and keep them securely in a git repository, giving me full end-to-end encryption. Encryption and decryption are easy with age, but it’s impractical to write my journal to a file and then encrypt it. Worse, if I need to modify something, I have to decrypt it to a temporary file, edit it and encrypt it again. So, during my lonely time in London, I wrote some wrapper scripts that do this transparently. The note script would:

  1. if the file exists, decrypt the encrypted file to a temporary file in /tmp;
  2. if the file does not exist, create a new temporary file in /tmp;
  3. open the nano editor;
  4. encrypt (or re-encrypt) the file;
  5. wipe the temporary file.

Can you see where the problem is? I rely on /tmp for storing the cleartext version of my journal. What if some file remains there? While Linux wipes /tmp, FreeBSD does not do so automatically.

I took inspiration from a friend’s FreeBSD installation script and decided to mount tmpfs on both /tmp and /var/tmp with the following /etc/fstab entries:

tmpfs  /tmp     tmpfs rw,nosuid,noexec,mode=01777  0 0
tmpfs  /var/tmp tmpfs rw,nosuid,noexec,mode=01777  0 0
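The five steps of the note script and the tmpfs concern above, as an added example that is not the blog’s own script: a Python wrapper that refuses to stage plaintext unless the scratch directory really is memory-backed, keeps the scratch file in a 0700 directory, and wipes it in a finally block so an editor crash or Ctrl-C cannot leave it behind. It assumes the age CLI is on PATH, that $EDITOR (default nano) is available, and that the key path and the HERMIT_SCRATCH / HERMIT_RECIPIENT environment variables are the user’s own choices; the sample mount output is constructed for illustration.

```python
#!/usr/bin/env python3
"""Transparent editing of an age-encrypted journal entry (added example, not the
blog's own script). Assumes the `age` CLI is installed and $EDITOR (default nano)
is available; SCRATCH_DIR and the key locations are hypothetical defaults."""
import os
import re
import subprocess
import sys
import tempfile
from typing import Optional, Tuple

EDITOR = os.environ.get("EDITOR", "nano")
SCRATCH_DIR = os.environ.get("HERMIT_SCRATCH", "/tmp")  # must be tmpfs, checked below

# Constructed sample `mount` output for the two systems the post mentions.
FREEBSD_MOUNT = (
    "zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)\n"
    "devfs on /dev (devfs)\n"
    "tmpfs on /tmp (tmpfs, local, nosuid, noexec)\n"
    "zroot/usr/home on /usr/home (zfs, local, nfsv4acls)\n"
)
LINUX_MOUNT = (
    "/dev/nvme0n1p2 on / type ext4 (rw,relatime)\n"
    "tmpfs on /tmp type tmpfs (rw,nosuid,noexec,relatime)\n"
)


def parent_mount(mount_output: str, path: str) -> Optional[Tuple[str, str]]:
    """Return (mountpoint, description) of the deepest mountpoint containing path.
    Parses both FreeBSD ("tmpfs on /tmp (tmpfs, ...)") and Linux
    ("tmpfs on /tmp type tmpfs (...)") styles of `mount` output."""
    best = None
    for line in mount_output.splitlines():
        m = re.match(r"^\S+ on (\S+) (.*)$", line)
        if not m:
            continue
        mp, desc = m.group(1), m.group(2)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, desc)
    return best


def is_memory_backed(mount_output: str, path: str) -> bool:
    """True when the filesystem holding `path` is tmpfs. Pass an already-resolved path."""
    found = parent_mount(mount_output, path)
    return found is not None and "tmpfs" in found[1]


def wipe(path: str) -> None:
    """Overwrite with zeros, sync, then unlink. On tmpfs the pages live in RAM/swap,
    so the overwrite is belt-and-braces; the unlink is what actually matters."""
    if os.path.exists(path):
        size = os.path.getsize(path)
        with open(path, "r+b") as f:
            f.write(b"\0" * size)
            f.flush()
            os.fsync(f.fileno())
        os.unlink(path)


def age_decrypt(src: str, dst: str, identity: str) -> None:
    subprocess.run(["age", "-d", "-i", identity, "-o", dst, src], check=True)


def age_encrypt(src: str, dst: str, recipient: str) -> None:
    subprocess.run(["age", "-r", recipient, "-o", dst, src], check=True)


def edit_note(encrypted: str, identity: str, recipient: str) -> None:
    """Steps 1-5 from the post, plus a refusal to use a disk-backed scratch directory
    and a cleanup that runs even when the editor or age fails."""
    os.umask(0o077)  # everything we create is owner-only
    live = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
    if not is_memory_backed(live, os.path.realpath(SCRATCH_DIR)):
        sys.exit(f"{SCRATCH_DIR} is not tmpfs; refusing to stage plaintext there")
    work = tempfile.mkdtemp(prefix="hermit-", dir=SCRATCH_DIR)  # created with mode 0700
    scratch = os.path.join(work, "entry.md")
    try:
        if os.path.exists(encrypted):
            age_decrypt(encrypted, scratch, identity)       # step 1
        subprocess.run([EDITOR, scratch], check=True)       # steps 2-3: nano creates it on save
        if os.path.exists(scratch):                         # nothing saved -> nothing to encrypt
            staged = encrypted + ".new"
            if os.path.exists(staged):
                os.unlink(staged)                           # stale output from an aborted run
            age_encrypt(scratch, staged, recipient)         # step 4
            os.replace(staged, encrypted)                   # atomic swap, no torn ciphertext
    finally:
        wipe(scratch)                                       # step 5, even on failure
        os.rmdir(work)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: note.py JOURNAL.age   (HERMIT_RECIPIENT must be set)")
    edit_note(sys.argv[1],
              identity=os.path.expanduser("~/.config/chezmoi/journal.key"),  # hypothetical path
              recipient=os.environ["HERMIT_RECIPIENT"])
```

The mount check is deliberately done against the live `mount` output rather than /etc/fstab, because what matters is where plaintext will actually land right now, not what the system is configured to mount at boot.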

With the journal files encrypted with age and the comfort of my wrapper scripts, I could commit those files to a git repository, giving me a backup and the confidence that, even if someone breaks into my server setup, my files are secure.

Bonus info. I didn’t know that Git could create an archive file called a “bundle”, which can be used to transfer Git objects offline without needing a server. That makes it perfect for backups. However, I discovered that “git bundle” may produce different results (a different digest) for the same set of files because it uses multiple threads, which can be scheduled in a different order and so produce a different output. You can verify that with any checksum tool, such as md5sum or sha1sum. To avoid this, limit the number of threads to one by adding these lines to .gitconfig:

[pack]
  threads = 1

And here’s v2 of my Hermit Project running on the Dell Latitude:

Hermit v2 running on Dell Latitude

[Part 3] | [Part 5]

2024-03-21