
Ebook Manipulation Tools

4 June 2015
  • Ebook manager: Calibre
  • Kindle PDF optimizer: k2pdfopt
  • PDF border cropper: Briss
  • CHM file extractor: archmage
  • PDF editing: Xournal

  • convert images to PDF:

        sudo apt-get install imagemagick
        convert *.jpg pictures.pdf

  • convert between different formats:

        sudo apt-get install calibre
        ebook-convert xxx.mobi xxx.txt --unsmarten-punctuation


Schemata: database scheme extractor & code generator in Go

19 May 2015

Database schema extractor & code generator in Go. Supported databases:

  1. MySQL
  2. SQLite

How to "go get" Behind a Proxy

6 May 2015

Proxy for “go get”

https_proxy=http://user:pass@proxy_host:port go get ...

Proxy for Git

In $HOME/.gitconfig:

[https]
	proxy = proxy_url

Proxy for Mercurial

In $HOME/.hgrc:

[http_proxy]
host = host:port
user = ...
passwd = ...

Tips on SSH

28 April 2015

Generate SSH keys

ssh-keygen -C <email-address>

Authorize public key at remote server

ssh-copy-id user@host

On Mac OSX, ssh-copy-id should be installed first.

brew install ssh-copy-id

Export the public key in PEM format

ssh-keygen -f ~/.ssh/id_rsa -e -m pem > ~/.ssh/id_rsa.pem

Copy file by base64

On remote session, run base64 < myfile and copy the output.

On local terminal, run base64 -d > myfile, paste the content and press ctrl+D.
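The copy-by-base64 transfer above has one failure mode worth guarding against: a paste that loses its tail at a line boundary still decodes without an error from base64 -d, so you end up with a silently truncated file. The script below is an added example, not part of the original post; it wraps the two steps with a SHA-256 digest on the first line, assumes GNU coreutils (base64, sha256sum) on both ends, and builds its own constructed sample file for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: the base64 copy-paste
# transfer with an integrity check, so a truncated or mangled paste is
# noticed instead of silently producing a corrupt file.
# Assumes GNU coreutils (base64, sha256sum) on both ends.

# Remote side: print the file's SHA-256 on the first line, then the base64
# body. Copy the whole output from the terminal.
b64_pack() {
    sha256sum < "$1" | cut -d' ' -f1
    base64 < "$1"
}

# Local side: read the pasted text from stdin (paste, then press ctrl+D),
# decode the body into the file named by $1 and compare its digest with the
# one on the first line. 'read' is used instead of 'head' so the shell
# consumes exactly one line and leaves the body for base64.
# Returns 0 when the digest matches, 1 otherwise (and removes the output).
b64_unpack() {
    out=$1
    IFS= read -r expected || return 1
    base64 -d > "$out" || { rm -f "$out"; return 1; }
    actual=$(sha256sum < "$out" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    rm -f "$out"
    return 1
}

# Demonstration on a constructed file. The body is long enough to wrap onto
# several base64 lines, so dropping the last line simulates a paste that was
# cut off at a line boundary (base64 -d still exits 0 on that input).
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample file line %s\n' 1 2 3 4 5 > "$dir/myfile"
    b64_pack "$dir/myfile" > "$dir/pasted.txt"
    if b64_unpack "$dir/copy" < "$dir/pasted.txt"; then
        echo "full paste: digest matches, copy is intact"
    fi
    if sed '$d' "$dir/pasted.txt" | b64_unpack "$dir/copy2"; then
        echo "truncated paste: NOT detected (unexpected)"
    else
        echo "truncated paste: digest mismatch, output removed"
    fi
    rm -rf "$dir"
}

demo
```

In practice you run b64_pack on the remote host, select and copy its output, then run b64_unpack copyname locally and paste; the digest line costs one extra line of terminal output and catches the case the plain base64 -d pipeline misses.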

How to Generate XSD Schema from XML?

23 April 2015

Apache XMLBeans is an old tool but still works. Download and uncompress the latest binary release, then run inst2xsd from its bin folder (a JDK is required).

inst2xsd xxx.xml

A Developer's Guide to Password Management

18 February 2015

This article is intended to be a comprehensive recipe to password management, assuming:

  • You are a developer
  • You have to manage dozens of passwords, ssh key pairs and possibly some secret documents
  • You want strong security on each of them
  • You do not want to forget any of them but do not either want to spend too much time memorizing them
  • You want to access your passwords from both your computers and mobile devices

The proposed solution includes:

  • An unbreakable encryption standard (OpenPGP) and its open source implementation (GnuPG)
  • An open source password manager built on top of it (pass)
  • Memorizing one strong master pass phrase
  • A backup plan: do not put all your eggs in one basket

Install Prerequisites

On Linux (Ubuntu):

sudo apt-get install gnupg
sudo apt-get install pass

On Android:

On iOS:

Preparing PGP Keys

If you are already a PGP user, skip this step; otherwise, you are going to generate:

  • A master keypair (public/private keys)
  • A sub keypair for password encryption/decryption

gpg --gen-key

This command will generate a master keypair associated with your true identity (you may later want to use the PGP key pair for encrypted, digitally signed email).

Choose:

  • Kind: RSA and RSA
  • Bits: 4096
  • Expire: key does not expire
  • Real name: <real-name>
  • Email address: <email-address>
  • Comment: <comment>
  • Pass phrase: <master-pass-phrase>

To make the process faster, you should increase the system randomness. Run in another terminal:

sudo rngd -f -r /dev/urandom

When finished, a master key pair and an associated sub key pair will be created. To see a list of your keys, type:

gpg --list-keys

You will see:

pub   4096R/<master-key-id> <date>
uid                  <real-name> <<email-address>>
sub   4096R/<sub-key-id> <date> 

The <sub-key-id> is the name of the key to encrypt/decrypt your stored passwords.

Optionally, you can strengthen the key by changing its cipher, hash and compression preferences.

gpg --edit-key <email-address>

And type:

setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed 
save

Initialize a Pass Store

A password store is simply a directory of encrypted files; each file contains a password on its first line and extra information in the rest of the file.

cd <pass-store>
pass init <sub-key-id>

Password Management Tips

Replace Existing Passwords with Strong Ones

Generate a random password (15 characters):

pass generate <account-name> 15

An encrypted file <account-name>.gpg is created. In decrypted form, its first line is the generated password.

To add extra information like user name or URL for the service:

pass edit <account-name>

Then update the password on the service's website accordingly.
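To see what a 15-character generated password is worth, here is an added example that is not code from the original post or from pass itself. It assumes (about pass's internals, which the post does not describe) that pass draws random bytes from /dev/urandom and filters them with tr -dc against a character class, [:punct:][:alnum:] by default and [:alnum:] for "pass generate -n"; it then derives the alphabet size from the class itself and reports the resulting entropy with and without symbols.

```shell
#!/bin/sh
# Added example, not code from the original post or from pass: generate a
# password the way "pass generate" is assumed to (random bytes from
# /dev/urandom filtered by tr -dc) and estimate how much entropy a password
# of a given length carries. The assumption about pass's internals is mine,
# not something the post states.

# gen_password LENGTH [TR-CLASS]: print a random password on stdout.
# LC_ALL=C keeps tr working on single bytes so the class matches ASCII only.
gen_password() {
    length=$1
    charset=${2:-'[:punct:][:alnum:]'}
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length"
    echo
}

# charset_size TR-CLASS: count how many printable ASCII characters the class
# admits, by pushing all of them (codes 32..126) through the same tr filter.
charset_size() {
    awk 'BEGIN { for (i = 32; i < 127; i++) printf "%c", i }' \
        | LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# password_entropy_bits LENGTH CHARSET_SIZE: floor(LENGTH * log2(CHARSET_SIZE)),
# the guessing resistance of a uniformly random password over that alphabet.
password_entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%d\n", n * log(s) / log(2) }'
}

# strength_report LENGTH: entropy with and without symbols, for comparison
# with the pass default and with "pass generate -n".
strength_report() {
    full=$(charset_size '[:punct:][:alnum:]')
    alnum=$(charset_size '[:alnum:]')
    echo "length $1, alphabet of $full chars: $(password_entropy_bits "$1" "$full") bits"
    echo "length $1, alphabet of $alnum chars (no symbols): $(password_entropy_bits "$1" "$alnum") bits"
}

echo "generated: $(gen_password 15)"
strength_report 15
```

The figures are what the master pass phrase has to beat: every stored password is only as strong as the phrase that unlocks the sub key, so the phrase should carry at least as many bits as the strongest password in the store.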

Put a password into the clipboard for 45 seconds

pass -c <account-name>

Avoid typing the master pass phrase repeatedly

Create the configuration file $HOME/.gnupg/gpg-agent.conf so that gpg-agent caches the master pass phrase for 3600 seconds:

pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 3600
max-cache-ttl 3600

Store SSH keys

Store the SSH public key as the "password" (first line) of a pass entry and the private key in the rest of the file; the whole entry is encrypted in the pass store.

To change a Git remote from HTTPS to SSH:

git remote set-url origin git@<domain-name>:<repo-path>.git

Backup Plan

Prepare for the following extreme case:

  • Both your laptop and cell phone containing the pass store and PGP keys are damaged or stolen.
  • But you can still remember the master pass phrase.

Use a remote Git repository to back up the password store

cd <pass-store>
pass git init
pass git remote add origin <remote-git-url>
pass git push

Backup PGP keys

Export all the key pairs (including both master and sub keys):

gpg --export-secret-keys --armor <email-address>  >  <private-key-file>
gpg --export             --armor <email-address>  >  <public-key-file>

Keep the files in a safe, secret place!

To restore the keys from backup:

gpg --import <private-key-file> <public-key-file>

Hide PGP Master Private Key

AFTER the full backup of your PGP keys, you can choose to delete the master private key on the device holding the pass store, because only the sub key pair is needed for encryption and decryption. The deletion does not add protection to the pass store itself, but it does protect the identity bound to the master key.

gpg --export-secret-subkeys <email-address>   >   subkeys
gpg --delete-secret-key     <email-address>
gpg   --import subkeys
shred --remove subkeys

Security Limitation

PGP itself is secure and robust, but the overall security depends entirely on how well you preserve and protect your PGP key pair and master pass phrase.

References

  1. Creating the Perfect GPG Keypair
  2. Pass: the standard unix password manager

A Brief Note on Scientific Web Surfing

14 February 2015

Knowledge is power. Information is liberating. — Kofi Annan

VPS

  • CloudsVM
  • Vultr
  • DigitalOcean
  • BandwagonHOST
    • Client Area -> Services -> Order New Services
    • 64MB RAM is enough for running both ShadowSocks and pdnsd
    • Install Ubuntu LTS 32bit (x86, i686) or CentOS 7.

CentOS

Install CentOS 7 (64bit)

Shadowsocks

cd /etc/yum.repos.d/
wget https://copr.fedorainfracloud.org/coprs/librehat/shadowsocks/repo/epel-7/librehat-shadowsocks-epel-7.repo
yum update
yum install shadowsocks-libev
cd /etc/shadowsocks-libev/
vim config.json
# server should be 0.0.0.0

vi /usr/lib/systemd/system/shadowsocks-libev.service
# replace every $variable with its constant value to work around the bug

systemctl enable shadowsocks-libev
systemctl start shadowsocks-libev

pdnsd

wget http://members.home.nl/p.a.rombouts/pdnsd/releases/pdnsd-1.2.9a-par_sl6.x86_64.rpm
yum localinstall pdnsd-1.2.9a-par_sl6.x86_64.rpm
vim /etc/pdnsd.conf

pdnsd.conf (replace the port)

global {
	run_as      = "pdnsd";
	server_ip   = 0.0.0.0;
	server_port = [xxxx];
}

server {
	label   = "GoogleDNS";
	ip      = 8.8.8.8, 8.8.4.4;
	timeout = 3;
}

Then run:

systemctl enable pdnsd
systemctl start pdnsd

Docker

Install Docker on VPS.

Remote Proxy

Install shadowsocks:

docker run -d -p <port>:<port> h12w/shadowsocks -p <port> -k <password> -m aes-128-cfb -t 60

Remote DNS server

Install pdnsd:

docker run -d -p [port]:53 -p [port]:53/udp h12w/pdnsd

To test the DNS server:

dig @xxx.xxx.xxx.xxx -p xxxx www.linux.com

Local OpenWrt Router

Install openwrt-shadowsocks & ChinaDNS on an OpenWrt router.

Follow the instructions on OpenWrt-Dist:

Check CPU model of the router:

cat /proc/cpuinfo

Add the following to /etc/opkg.conf:

src/gz openwrt_dist http://openwrt-dist.sourceforge.net/releases/[cpu model]/packages
src/gz openwrt_dist_luci http://openwrt-dist.sourceforge.net/releases/luci/packages

and install:

opkg update
opkg install ChinaDNS
opkg install luci-app-chinadns
opkg install shadowsocks-libev-spec
opkg install luci-app-shadowsocks-spec

opkg install bind-dig

Or manually download the IPKs for the corresponding CPU:

Copy *.ipk to the router:

scp *.ipk <user>@<router-ip>:/tmp

And install:

opkg install shadowsocks-libev-spec_xxx.ipk
opkg install ChinaDNS_xxx.ipk
/etc/init.d/shadowsocks enable
/etc/init.d/chinadns enable

ShadowSocks configuration in /etc/config/shadowsocks:

config shadowsocks
	...
	option config_file '/etc/shadowsocks/config.json'
	...
	option tunnel_enable '0'
	...

It refers to /etc/shadowsocks/config.json:

{
    "server":      "xxx.xxx.xxx.xxx",
    "server_port": xxxx,
    "local_port":  xxxx,
    "password":    "xxxxxx",
    "method":      "aes-128-cfb",
    "timeout":     60
}

ChinaDNS configuration in /etc/config/chinadns:

config chinadns
    ...
    option chnroute '/etc/shadowsocks/ignore.list'
    ...
    option server '[isp_dns],[private_pdnsd_dns]'
    ...

Make sure [private_pdnsd_dns] is the same IP:PORT as the remote pdnsd server.

ucitrack configuration in /etc/config/ucitrack:

config shadowsocks
    option init 'shadowsocks'

config chinadns
    option init 'chinadns'

DHCP configuration in /etc/config/dhcp:

config dnsmasq
    list server '127.0.0.1#5353'
    option noresolv '1'
    option nohosts '1'

RedSocks2

Use RedSocks2 to bypass the proxy when the target site is directly reachable.

Download RedSocks2:

Install RedSocks2:

scp *.ipk <user>@<router-ip>:/tmp
opkg update
opkg install xxx.ipk

RedSocks2 will take effect immediately.

Upgrade OpenWRT

Download the latest *.ipk as above.

opkg update
opkg upgrade ipset libopenssl resolveip iptables-mod-tproxy
opkg install xxx.ipk

Merge configuration files manually.

Update ignore.list:

wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-int(log($5)/log(2)+0.5)) }' > ignore.list
scp ignore.list <user>@<router-ip>:/etc/shadowsocks/ignore.list
reboot
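The awk one-liner for ignore.list prints one CIDR per record with 32 minus log2 of the address count as the prefix length, which is only exact when the count is a power of two and the start address is aligned to it; the APNIC file also contains records such as a count of 768, for which a single block is wrong. The script below is an added example, not code from the original post, that goes a step further than the one-liner: it converts each record into the exact set of aligned CIDR blocks using integer arithmetic only. The delegated records it runs on are constructed samples in the file's format, not real APNIC data.

```shell
#!/bin/sh
# Added example, not code from the original post: build the ChinaDNS
# ignore.list from delegated-apnic records by splitting each "start|count"
# record into the exact aligned CIDR blocks. Integer arithmetic only, so the
# result does not depend on floating-point log rounding, and counts that are
# not a power of two come out as several blocks instead of one wrong one.

# ip_to_int A.B.C.D -> 32-bit integer (runs in a subshell so IFS is untouched)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs START_IP COUNT: greedy split. At each step take the largest
# block that is aligned at the current address and fits in the remaining
# count, print it as START/PREFIX, then advance.
range_to_cidrs() {
    start=$(ip_to_int "$1")
    count=$2
    while [ "$count" -gt 0 ]; do
        size=1
        while [ $(( start % (size * 2) )) -eq 0 ] && [ $(( size * 2 )) -le "$count" ]; do
            size=$(( size * 2 ))
        done
        prefix=32; s=$size
        while [ "$s" -gt 1 ]; do s=$(( s / 2 )); prefix=$(( prefix - 1 )); done
        echo "$(int_to_ip "$start")/$prefix"
        start=$(( start + size ))
        count=$(( count - size ))
    done
}

# delegated_to_cidrs: read delegated-apnic records on stdin and emit CIDR
# lines for the "apnic|CN|ipv4|start|count|date|status" records only; header,
# summary, other-country and ipv6 lines fall through the case and are skipped.
delegated_to_cidrs() {
    while IFS='|' read -r registry cc type rstart rcount rest; do
        case "$registry|$cc|$type" in
            'apnic|CN|ipv4') range_to_cidrs "$rstart" "$rcount" ;;
        esac
    done
}

# Constructed sample records in the delegated file's format (not real data).
# The 768-address record is the case the log2 one-liner cannot express.
SAMPLE_DELEGATED='2|apnic|20150101|1|20150101|20150101|+1000
apnic|*|ipv4|*|4|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|CN|ipv4|27.50.40.0|2048|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.4.1.0|768|20110414|allocated
apnic|CN|ipv6|2001:250::|32|20000426|allocated'

# build_ignore_list: the sample run; on a real host feed the downloaded
# delegated-apnic-latest file into delegated_to_cidrs instead.
build_ignore_list() {
    printf '%s\n' "$SAMPLE_DELEGATED" | delegated_to_cidrs
}

build_ignore_list
```

On the sample input the 768-address record at 1.4.1.0 becomes 1.4.1.0/24 followed by 1.4.2.0/23, because 1.4.1.0 is only /24-aligned; the one-liner would have emitted a single 1.4.1.0/22 that covers addresses outside the record.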

Android Client

shadowsocks-android.