How to wipe your hard disk quickly, securely & easily

I was looking for a way to clean all the data from a hard disk and found a tool that I had never seen before: dcfldd. I haven’t looked into all the options yet, but what I have seen works very well. Basically it is a replacement for the *nix command dd. The thing that I liked about it was that it lets you specify an input pattern, thus speeding up the process significantly.

So the next thing was to figure out what to write to the disk. I was taught that multi-pass writes were really a good thing, but I have read a lot more recently that says you only need one pass to get basically the same effect. Being paranoid but in a bit of a hurry, I decided to do a two-pass wipe: first set all bits to 1, then do a second pass to 0. This means that every bit will go high and then low, so the history would be: ? -> 1 -> 0. That seems like a good, fast solution to me, and it does not need the slow random pass. I like the 0’s to be on the final pass so installers see a nice clean drive. If you are going to encrypt the drive you might want to put a random pass on the end.

Anyway here are the steps:

  1. Download & burn your favorite Linux live CD. Make sure that it is 32-bit (i386). I used CentOS 6.
  2. Boot from the CD and log in.
  3. Open a terminal.
  4. sudo su -
  5. Go to /dev and find your hard drive(s); let’s use /dev/sdb for this example (make sure to use the whole disk device, not a partition, so /dev/sdb, not /dev/sdb1).
  6. Write ones: dcfldd pattern=FF of=/dev/sdb bs=1024   (this is the really nice part of dcfldd: the pattern option makes this really easy)
  7. Write zeros: dcfldd pattern=00 of=/dev/sdb bs=1024   (pattern should be even faster than /dev/zero; I haven’t played with block sizes with dcfldd, but coming from dd, 1024 seems to be good)
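The two passes above as one script, added here and not from the original post: it refuses partition nodes (the caveat in step 5), runs dcfldd exactly as in steps 6 and 7, and then reads the whole device back to confirm the final zero pass actually landed, which the steps themselves never check. The device-name patterns and the use of blockdev, stat and cmp are my assumptions.

```shell
#!/bin/bash
# Two-pass wipe (0xFF then 0x00) with dcfldd, plus the checks the steps leave
# to the operator: refuse partition nodes and verify the final zero pass.
set -u

# Accept whole-disk nodes (/dev/sdb, /dev/vda, /dev/nvme0n1) and reject
# partitions (/dev/sdb1, /dev/nvme0n1p2). Assumed naming; string check only.
is_whole_disk() {
    case "$1" in
        /dev/nvme[0-9]*n[0-9]*p[0-9]*) return 1 ;;   # NVMe partition
        /dev/nvme[0-9]*n[0-9]*)        return 0 ;;   # NVMe namespace, whole disk
        /dev/[hsv]d[a-z]*[0-9]*)       return 1 ;;   # sdb1, vda2, ...
        /dev/[hsv]d[a-z]*)             return 0 ;;   # sdb, vda, ...
        *)                             return 1 ;;
    esac
}

# Exit 0 only if every byte of the target reads back as 0x00. Works on a block
# device (size from blockdev) or a regular file (size from stat).
verify_zeroed() {
    local target=$1 size
    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target") || return 2
    else
        size=$(stat -c %s "$target") || return 2
    fi
    head -c "$size" /dev/zero | cmp -s - "$target"
}

# Steps 6 and 7 from the post: all ones, then all zeros. dcfldd runs until the
# device is full and then exits non-zero, so its exit status is not the
# success test; the read-back check is.
wipe_two_pass() {
    local target=$1
    is_whole_disk "$target" || { echo "refusing: $target is not a whole-disk node" >&2; return 1; }
    dcfldd pattern=FF of="$target" bs=1024
    dcfldd pattern=00 of="$target" bs=1024
    verify_zeroed "$target"
}

# Usage: wipe-two-pass.sh /dev/sdb   (as root, with the disk unmounted)
if [ $# -gt 0 ]; then
    wipe_two_pass "$1"
fi
```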

Encrypted MySQL Connections

This week I fought with MySQL trying to get an encrypted connection. Getting the server piece to appear to work was easier than actually getting the connection. Whether the problems didn’t show up until the connection, or whether the code in the mysql client app is just broken, I’m not sure, but I did get it to work.

My environment was:

  • RHEL 6.3
  • MySQL 5.5.28 from MySQL SRPM, compiled against OpenSSL 1.0.0j

ERROR 2026 (HY000): SSL connection error: ASN: before date in the future

  • This one is easy: the client checks that the certificate’s date is not in the future, so wait a minute and it goes away.

I kept getting: ERROR 2026 (HY000): SSL connection error: protocol version mismatch

  • Make sure that your DNs are different.
  • I saw a lot of advice to use 0.9.8(something) to generate the certificates, and this did work once, but I also had several failures with 0.9.8.
  • I also got 1.0.0 to work; I’m not 100% sure what I did differently to finally get it working. All of a sudden it went from not working to working.
  • I did use statically defined subject lines, but I’m not 100% sure that fixed it. I think I had the first one fail, but after so many trials I’m not sure.
  • My guess is that the client side has a problem with any but the simplest DNs. But that is just a guess.

For the SSL connection error: protocol version mismatch, I did a little research in the code, but then stopped once I got it working:

  1. protocol version mismatch comes from badVersion_error in yassl_error.cpp
  2. badVersion is used in 2 files: extra/yassl/src/yassl_imp.cpp & extra/yassl/src/yassl_int.cpp
  3. either there is a test applied to the client cert file that is bombing out because of a version, or the client cert file is not being loaded & causing an error with the underlying SSL; I haven’t dug deeper yet

So here is the config and the script:

/etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
symbolic-links=0
log-error=/var/log/mysqld.log
bind-address=server.milcom.us

sql_mode=STRICT_ALL_TABLES
max_allowed_packet=64M
query_cache_size=128M

# innodb settings
innodb_fast_shutdown=0
innodb_flush_log_at_trx_commit=1
innodb_lock_wait_timeout=120

# replication settings
server-id=1
log-bin=mysql-bin
binlog-format=MIXED
sync_binlog=1

# SSL settings
ssl
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

# note: this overrides the log-error set at the top of this section
log-error=/var/log/mysql/error
log-warnings

[client]
host=server.milcom.us
port=3306
user=username

ssl
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem

/etc/mysql/make-cert
#!/bin/bash
# ********* NEW CERT Script **********
set -e
# always work in the directory this script lives in (/etc/mysql), so the
# rm below can never hit .pem files somewhere else
cd "$(dirname "$0")"
rm -f *.pem

# CA key and self-signed CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -subj '/DC=us/DC=milcom/CN=CA'

# server key, request and CA-signed certificate; the subject differs from the CA's
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem -subj '/DC=us/DC=milcom/DC=server'
# rewrite the key as a traditional "RSA PRIVATE KEY" PEM (yaSSL does not read the PKCS#8 form that req writes)
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# client key, request and CA-signed certificate, with a third distinct subject
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem -subj '/DC=us/DC=milcom/DC=server/CN=user'
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 0x100001 -out client-cert.pem

# both leaf certificates must chain back to the CA
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

chmod 600 ca-key.pem
chmod 644 ca-cert.pem
chgrp mysql server* client*
chmod 640 server*
# leaves client-key.pem world-readable; restrict it to the users who actually connect if the host is shared
chmod 644 client*
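A pre-flight check for the certificate set that make-cert writes, added here and not from the original post (it assumes the openssl CLI and GNU date are available): it fails if any two of the CA, server and client certificates share a subject DN, which is the identical-DN case the guess above points at, if a certificate's not-before date is still in the future on the machine running the check (the first ERROR 2026 above), or if the server or client certificate does not chain to the CA.

```shell
#!/bin/bash
# Pre-flight checks for the PEMs written by make-cert: distinct subject DNs,
# not-before dates already reached, and a chain back to the CA. Assumes the
# openssl CLI and GNU date.
set -u

# Subject DN of a certificate in RFC 2253 form, with openssl's "subject=" prefix removed.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Return 0 if the certificate's notBefore is not later than the local clock; a
# client whose clock is behind the CA's sees "before date in the future" otherwise.
cert_started() {
    local start
    start=$(openssl x509 -noout -startdate -in "$1" | sed 's/^notBefore=//')
    [ "$(date -u -d "$start" +%s)" -le "$(date -u +%s)" ]
}

# Return 0 only when the three subjects are pairwise different, every cert has
# started, and the server and client certs verify against the CA.
check_cert_set() {
    local ca=$1 server=$2 client=$3 s_ca s_srv s_cli f
    s_ca=$(cert_subject "$ca"); s_srv=$(cert_subject "$server"); s_cli=$(cert_subject "$client")
    if [ "$s_ca" = "$s_srv" ] || [ "$s_ca" = "$s_cli" ] || [ "$s_srv" = "$s_cli" ]; then
        echo "identical subject DNs ($s_ca / $s_srv / $s_cli): regenerate with distinct -subj values" >&2
        return 1
    fi
    for f in "$ca" "$server" "$client"; do
        cert_started "$f" || { echo "$f: not-before date is in the future on this host" >&2; return 1; }
    done
    openssl verify -CAfile "$ca" "$server" "$client" >/dev/null
}

# Usage: check-certs.sh /etc/mysql/ca-cert.pem /etc/mysql/server-cert.pem /etc/mysql/client-cert.pem
if [ $# -eq 3 ]; then
    check_cert_set "$1" "$2" "$3" && echo "certificate set OK"
fi
```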
