Harald Hoyer

ssh-tresor: Encrypting Secrets with Nothing but Your SSH Agent

Harald Hoyer — Wed, 21 Jan 2026 00:00:00 +0000

What if your SSH agent could encrypt secrets, not just authenticate connections? ssh-tresor does exactly that—it uses your SSH keys to encrypt files with no key material stored on disk. Works seamlessly over forwarded agents, supports multiple keys like LUKS slots, and turns your existing SSH setup into a portable secret management solution.</p>

Pull Backup with Restic to a QNAP NAS S3 store

Harald Hoyer — Mon, 06 Nov 2023 00:00:00 +0000

Although restic</code></a> is a really nice backup solution, it lacks the possibility to pull the files to backup from a remote server, like rsync does over ssh</code>, preventing any attacker to gain access to a secret. This blog post shows some workarounds and does the backup to a QNAP NAS S3 store over an encrypted TLS connection.</p>

Read More



Bye bye Fedora - Hello NixOS
Harald Hoyer — Fri, 27 Oct 2023 00:00:00 +0000
After over twenty years of using Red Hat and Fedora, it’s time to move on to explore other possibilities.
Although my secure boot laptop still uses VerityBook</a>, which is based
on Fedora, my other machines are now running NixOS</a>.</p> 
Read More


Webcam Eye AF for the Sony A7RII
Harald Hoyer — Thu, 28 Oct 2021 00:00:00 +0000
I am using my Sony A7 RII as a webcam with shallow depth of field with gphoto2</code> under Linux.
The normal auto focus does not follow very well, therefore I assigned the “Eye AF” to the lens button
and activate it permanently with some rubber straps and a small button like object underneath.</p> 
Read More



rman - Search the Rust Documentation offline
Harald Hoyer — Tue, 23 Jun 2020 00:00:00 +0000
Want to search your local offline rust std</code> documentation,
with a quick command from your terminal?</p> 
Read More



Rust - Static PIE and ASLR for the x86_64-unknown-linux-musl Target
Harald Hoyer — Tue, 23 Jun 2020 00:00:00 +0000
With current rust nightly the default binary output of the x86_64-unknown-linux-musl</code> target is a
static position independent executable (static-pie)
with address space layout randomization (ASLR) on execution.</p> 
Read More



Syntax highlighting for console snippets
Harald Hoyer — Tue, 19 May 2020 00:00:00 +0000
Finally, I moved my blog from wordpress to a static site. I chose zola</a> as the
site generator, because most of my documentation nowadays is in markdown anyway.</p>
Syntax highlighting was a badly missed feature for me in the past. And zola delivers :-)</p>
The only thing missing was syntax highlighting for console</code> (terminal) snippets.</p> 
Read More



Bat understands varlink now
Harald Hoyer — Thu, 07 Feb 2019 07:04:47 +0000
Bat</a> is a cat(1)</em> clone with syntax highlighting and Git integration.</p>
My pull request for varlink syntax coloring was accepted today :-)</p> 
Read More



varlink and the elvish shell
Harald Hoyer — Thu, 22 Feb 2018 09:53:37 +0000
I recently discovered Elvish</a>, which is a shell perfectly
suited to process structured data. In my case it is perfect to be used with
varlink</a>. Too bad elvish has no numeric type and
can’t feed varlink with int and float, because to-json converts them to strings.</p> 
Read More


varlink for dnf - a Showcase
Harald Hoyer — Thu, 22 Feb 2018 07:09:03 +0000
On the varlink wiki page</a> I showcase how to add varlink to a python project. In this case, I chose DNF, the rpm package manager of Fedora.</p> 
Read More


Varlink
Harald Hoyer — Mon, 18 Dec 2017 12:22:38 +0000
For a long time we tried to solve the early boot IPC problem. IPC problem you ask? Well, in the early boot phase we
cannot talk D-BUS, because the daemon is not running yet, but to bring up the system, so that the D-BUS daemon can run
(mount stuff, load modules, start other services), we need some kind of IPC. Therefore all the early boot daemons have a
fallback IPC via unix domain sockets with its own homegrown protocol.</p> 
Read More


Rust Echo Server
Harald Hoyer — Fri, 09 Dec 2016 14:23:35 +0000
On modern CPUs, rust seems to perform very nicely with the thread context switches,
at least when benchmarking an echo server</a>.
For that I also wrote an echo server benchmark client</a>.</p> 
Read More


dracut and CVE-2016-4484: Cryptsetup Initrd root Shell
Harald Hoyer — Tue, 15 Nov 2016 16:42:23 +0000
People who want to secure their Fedora/RHEL system have to:</p>

add a BIOS password</li>
add a grub password</li>
add “rd.shell=0” to the kernel command line</li>
</ul>
Anaconda does add “rd.shell=0” to the kernel command line automatically, if you setup the bootloader with a password.</p> 
Read More


GPG, Smartcard and ssh
Harald Hoyer — Thu, 21 Jul 2016 14:35:14 +0000
This blog post shows how to tweak Fedora, if you want to use a smartcard with OpenPGP and use it also as a ssh key.
It also serves me as a recipe for fresh installations.</p> 
Read More


A Python Transaction Class
Harald Hoyer — Tue, 13 Oct 2015 10:20:43 +0000
This is a repost of a blog post of 2008. Just for the reference :-)</p>
This class allows sub-classes to commit changes to an instance to a history, and rollback to previous states.</p> 
Read More


libtool: getting rid of 180,000 sed forks
Harald Hoyer — Thu, 05 Mar 2015 08:10:36 +0000
When compiling systemd on rawhide, we noticed a significant slowdown in compile time.
Investigating further, it turns out, that libtool forks an incredible amount of sed.
Running perf showed 30% of the “make all” was spent in bash. strace showed an execve of
sed with the same arguments 180,000 times!!!!!</p> 
Read More


Single UEFI executable for kernel+initrd+cmdline
Harald Hoyer — Wed, 25 Feb 2015 15:55:16 +0000
Lately Kay Sievers and David Herrmann created a UEFI
loader stub</a>, which starts a linux kernel
with an initrd and a kernel command line, which are COFF sections of the executable.
This enables us to create single UEFI executable with a standard distribution kernel,
a custom initrd and our own kernel command line attached.</p> 
Read More


Self Hosting Fedora Base
Harald Hoyer — Tue, 14 Jan 2014 16:15:52 +0000
If you want to bootstrap a distribution or want to rebuild it from the sources (SRPMS) to get the same
binaries (think CentOS), you have to build the build tools and rebuild them with the built build tools,
which have to be built with other build tools…</p>
My goal for a self-hosting Fedora Base is to reduce the number of packages to do such a rebuild.</p> 
Read More


Linux: HOWTO get the number of CPUs
Harald Hoyer — Wed, 13 Nov 2013 12:13:04 +0000
$ </span>getconf</span> _NPROCESSORS_ONLN
</span></code></pre>
returns the number of CPUs online.</p> 
Read More


Fedora Boot Optimization
Harald Hoyer — Wed, 13 Nov 2013 10:12:04 +0000
This article shows how to reduce boot time for Fedora 17, but the recipe can also be applied to 18, 19 and 20.</p>
The target is to get a fast booting system with NetworkManager running and gdm displaying the login
screen as fast as possible.</p> 
Read More


Redirecting apache access_log and error_log to the systemd journal
Harald Hoyer — Thu, 07 Nov 2013 10:03:38 +0000
To redirect all apache messages to syslog, which will then appear in the systemd
journal modify your httpd.conf:</p> 
Read More


dracut - kernel command line
Harald Hoyer — Mon, 04 Nov 2013 18:36:27 +0000
To quickly find out, what dracut wants as the kernel command for your current disk setup,
fire up:</p>
# </span>dracut</span> --print-cmdline
</span></code></pre> Read More


Impressum
Harald Hoyer — Sat, 01 Jan 2000 00:00:00 +0000
Impressum</h1>
Harald Hoyer</p>
Gerda-Penzel-Str. 13
85591 Vaterstetten</p>
Email:webmaster@harald.hoyer.xyz</p>
GPG key: current 0x4BC0896FB5693595</a> as seen on the key servers and github.com/haraldh.gpg</a></p>
Keybase: https://keybase.io/haraldhoyer/</a></p>
old GPG key (not compromised): C5575542 as seen on the key servers</p>


RSS Feeds
Harald Hoyer — Sat, 01 Jan 2000 00:00:00 +0000
Want to subscribe to the blog topics through an RSS feed? You’ve come to the right place!
If you want to receive all content, then subscribe to the Blog RSS feed here</a>.</p>