TurnKey Linux Virtual Appliance Library

LXDE review: it zips, it flies! (base for client-side TurnKey appliances?)

At home we canceled our cable subscription a few months ago. We hardly ever used it any more. Instead we were downloading content to a makeshift media server and watching it on our own schedule. Many of the shows I like (e.g., Colbert Report) aren't even available over here.

Upstairs we had a gorgeous big screen HDTV set that was being powered by one of my old computers, a nice P4 machine with 1GB of memory that was running the TurnKey Torrent Server appliance on bare metal.

Then it died. Traced it back to the motherboard being fried by a faulty power unit. Facing an immediate home entertainment emergency, I rummaged through the basement and found an old P3 machine with 256MB of old-style memory (I.e., the kind you can't get any more of these days).

Passphrase dictionary attack countermeasures in tklbam's keying mechanism

Background: how a backup key works

In TKLBAM the backup key is a secret encrypted with a passphrase which is uploaded to the Hub.  Decrypting the backup key yields the secret which is passed on to duplicity (and eventually to GnuPG) to be used as the symmetric key with which backup volumes are encrypted on backup and decrypted on restore.

When you create a new backup, or change the passphrase on an existing backup, a new backup key is uploaded to the Hub where it is stored in the key field for that backup record.

When you restore, tklbam downloads the backup key from the Hub and decrypts it locally on the computer performing the restore. Note that the Hub only allows you to download the backup key for backup records to which you have access (e.g., you are the owner).

Only you can decrypt your passphrase protected backups

All of this matters because it means that as long as you use a passphrase to protect the key, even the Hub can't decrypt your backups, only you can - provided you remember the passphrase (or failing that, at least have the escrow key stored in a safe place).

In other words, the decryption of the backup key happens locally and at no point does the passphrase reach the Hub, so we can't decrypt your backup even if you asked us to. Neither can an attacker that has theoretically compromised the Hub, or a government agency that comes kicking down our door with a court warrant.

The problem with cryptographic passphrases

But wait. If an attacker has local access to the key, his ability to run dictionary attacks to find the key's passphrase is limited only by the computational resources he can throw at it.

TKLBAM: a new kind of smart backup/restore system that just works

Drum roll please...

Today, I'm proud to officially unveil TKLBAM (AKA TurnKey Linux Backup and Migration): the easiest, most powerful system-level backup anyone has ever seen. Skeptical? I would be too. But if you read all the way through you'll see I'm not exaggerating and I have the screencast to prove it. Aha!

Backups are hard, making sure you got it right - harder

According to Murphy's Law, everything that can go wrong, eventually will go wrong.

This is true for backups on multiple levels. A backup is often our last line of defense when things go wrong, but so many things can go wrong with the backup itself that we usually don't find out about it until, well, horror of horrors, the backup fails.

On the surface, backups can fail for zillions of reasons.

Finding the closest data center using GeoIP and indexing

We are about to release the TurnKey Linux Backup and Migration (TKLBAM) mechanism, which boasts to be the simplest way, ever, to backup a TurnKey appliance across all deployments (VM, bare-metal, Amazon EC2, etc.), as well as provide the ability to restore a backup anywhere, essentially appliance migration or upgrade.

Note: We'll be posting more details really soon - In this post I just want to share an interesting issue we solved recently.

Ask us anything

We're going to be doing a series of interviews with prominent TurnKey community members so we figured it would make sense to do an interview with the founders of TurnKey (that's us!).

Interviewing ourselves is a bit weird, so instead we're inviting the TurnKey community to propose the questions which we'll answer in a separate blog post.

So... ask us anything!

Django settings.py for development and production

So you developed a Django web application and now need to deploy it into production, but still need to actively continue development (bugfixes, tweaks, adding and testing new features, etc.)

In your development environment you probably had debugging enabled, performance settings disabled, used SQLite as your database, and other settings that make development easier and faster. 

But in production you need to disable debugging, enable performance, and use a real database such as MySQL or PostgreSQL, etc.

GNU high school: teaching kids by contributing to open source

Today I'd like to spotlight TurnKey's unlikely relationship with Chelsea School, a high school in suburban Maryland. I'm going to try to tell this story on two levels:

  1. The straightforward who-what-why.
  2. Why you should care.

I'll start with the latter. If it works maybe you'll stick around for the full story.

Kids collaborate with NASA, discover cave on Mars

Recently, a 7th grade science class, using the raw data from a NASA satellite, made a remarkable discovery: a mysterious cave on Mars.

Tip: use custom search engines for efficiency

I don't need to tell you how search improves our efficiency on the web, but using custom search engines can make your day even more efficient.
Configuring your browser to use custom search engines is a massive time gain, and improves your work flow.

TurnKey Appliance Development Contest: An Open Source Summer Bonanza!

Over the last few months donations have been trickling in and gradually piling up. Since there's a limit to how much beer we can reasonably drink we've been brainstorming ideas for using that money to help the project.