System Security – Jean's Blog

ZFS Disaster Recovery: Rebuilding and Mirroring a Pool After Top-Level Vdev Error

I recently learned a hard lesson about ZFS Vdev architecture after attempting to convert a single-disk pool into a mirror. By mistake, I added the new disk as a top-level Vdev, rather than attaching it as a mirror. As zpool remove and zpool detach both failed on the top-level Vdev, I was forced to destroy the pool and restore the data from a snapshot.

This process outlines how I recovered data and subsequently created a proper mirror configuration.

KeyDB Performance: Switching from Redis to a Multi-Threaded Drop-in Alternative

I just read a few pages with benchmarks about Redis vs. KeyDB, and my curiosity was piqued. KeyDB, a multi-threaded fork of Redis, promised significant performance and memory usage improvements. This guide shows how I switched three different Redis use cases to KeyDB.

Automating Security Patching: Debian Unattended Upgrades

If you follow current IT security vulnerabilities, you’ll agree that keeping systems up to date is critical. Unattended Upgrades for Debian/Ubuntu offers a simple yet powerful way to automate this process, securing your infrastructure with minimal manual intervention.

StrongSwan VPN: Mastering IKEv2 EAP-TLS and ChromeOS Client Integration

StrongSwan is the complete IPsec solution used to secure communication between servers and clients via mutual certificate-based authentication and encryption. This guide documents the necessary implementation steps for the highly secure IKEv2 EAP-TLS protocol, focusing on critical workarounds for seamless ChromeOS integration.

OpenSSH Hardening Strategy: Auditing Policies and Mitigating Low-Strength Ciphers

OpenSSH ships with a default configuration that prioritizes high compatibility. However, this compatibility comes at a price: some of the included ciphers and algorithms may be outdated or contain known vulnerabilities. To strengthen the encryption and gain a transparent overview of known weaknesses, ssh-audit is the essential auditing tool.

ZFS Data Migration: Encrypting Existing Volumes with zfs send and zfs recv

Encrypting previously unencrypted data, such as a legacy ZFS pool, requires a reliable migration strategy. The most robust way to achieve this is by using the powerful ZFS data stream mechanism: zfs send and zfs recv.

The core procedure is simple: create a snapshot, transfer this snapshot, and receive it at a new, encrypted destination.

ZFS Encryption: Mitigating Physical Attacks with Remote Key Management

This article documents the design and implementation of an external key management solution for ZFS encryption. This approach utilizes a custom PHP service to serve encryption keys on demand, specifically designed to mitigate physical and system-level compromises where local keys would fail. This deep dive explores the security architecture, the self-written PHP proof-of-concept (PoC), and the critical security caveats of building a custom Key Management System (KMS).

Redis Instance Isolation: Running Multi-Instance Redis with systemd Templates

Instead of running a single global Redis server, I prefer to use multiple isolated instances. This allows me to precisely limit resources like memory (maxmemory) and apply specific tuning per instance. This approach is fundamental to reliable operation in a shared environment. I used systemd templates to manage this, creating an instance for Amavisd-new as a practical example.