Diff for /wikisrc/guide/cgd.mdwn between versions 1.3 and 1.5

version 1.3, 2013/03/07 00:16:23 version 1.5, 2015/06/19 19:18:31
Line 1 Line 1
   **Contents**
   
   [[!toc levels=3]]
   
 # The cryptographic device driver (CGD)  # The cryptographic device driver (CGD)
   
 The [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current) driver  The [[!template id=man name="cgd" section="4"]] driver
 provides functionality which allows you to use disks or partitions for encrypted  provides functionality which allows you to use disks or partitions for encrypted
 storage. After providing the appropriate key, the encrypted partition is  storage. After providing the appropriate key, the encrypted partition is
 accessible using `cgd` pseudo-devices.  accessible using `cgd` pseudo-devices.
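Review bot: the `[[!toc levels=3]]` directive added in this hunk sits above the page's only level-1 heading, `# The cryptographic device driver (CGD)`, so unless the toc directive is told where to start, the page title itself will appear as the sole top-level entry of the generated table of contents, with every `##`/`###` section nested one level under it. Check the rendered page; if that is what happens, either move the directive below the title heading or, if the installed ikiwiki supports it, use `[[!toc startlevel=2 levels=2]]` so the TOC lists the sections directly. The `**Contents**` label above the directive is fine either way.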
Line 40  The `cgd` device looks and behaves to th Line 44  The `cgd` device looks and behaves to th
 other disk driver. Rather than driving real hardware directly, it provides a  other disk driver. Rather than driving real hardware directly, it provides a
 logical function layered on top of another block device. It has a special  logical function layered on top of another block device. It has a special
 configuration program,  configuration program,
 [cgdconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?cgdconfig+8+NetBSD-current),  [[!template id=man name="cgdconfig" section="8"]],
 to create and configure a `cgd` device and point it at the underlying disk  to create and configure a `cgd` device and point it at the underlying disk
 device that will hold the encrypted data.  device that will hold the encrypted data.
   
Line 50  several of these logical block devices t Line 54  several of these logical block devices t
 `raid` to protect your encrypted data against hard disk failure as well.  `raid` to protect your encrypted data against hard disk failure as well.
   
 Once you have created a `cgd` disk, you can use  Once you have created a `cgd` disk, you can use
 [disklabel(8)](http://netbsd.gw.com/cgi-bin/man-cgi?disklabel+8+NetBSD-current)  [[!template id=man name="disklabel" section="8"]]
 to divide it up into partitions,  to divide it up into partitions,
 [swapctl(8)](http://netbsd.gw.com/cgi-bin/man-cgi?swapctl+8+NetBSD-current) to  [[!template id=man name="swapctl" section="8"]] to
 enable swapping to those partitions or  enable swapping to those partitions or
 [newfs(8)](http://netbsd.gw.com/cgi-bin/man-cgi?newfs+8+NetBSD-current) to make  [[!template id=man name="newfs" section="8"]] to make
 filesystems, then `mount` and use those filesystems, just like any other new  filesystems, then `mount` and use those filesystems, just like any other new
 disk.  disk.
   
Line 134  We are going to delete and re-make parti Line 138  We are going to delete and re-make parti
 a backup to restore the data. So make sure you have a current, reliable backup  a backup to restore the data. So make sure you have a current, reliable backup
 stored on a different disk or machine. Do your backup in single-user mode, with  stored on a different disk or machine. Do your backup in single-user mode, with
 the filesystems unmounted, to ensure you get a clean  the filesystems unmounted, to ensure you get a clean
 [dump(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dump+8+NetBSD-current). Make sure you  [[!template id=man name="dump" section="8"]]. Make sure you
 back up the disklabel of your hard disk as well, so you have a record of the  back up the disklabel of your hard disk as well, so you have a record of the
 partition layout before you started.  partition layout before you started.
   
 With the system at single user, `/` mounted read-write and everything else  With the system at single user, `/` mounted read-write and everything else
 unmounted, use  unmounted, use
 [disklabel(8)](http://netbsd.gw.com/cgi-bin/man-cgi?disklabel+8+NetBSD-current)  [[!template id=man name="disklabel" section="8"]]
 to delete all the data partitions you want to move into `cgd`.  to delete all the data partitions you want to move into `cgd`.
   
 Then make a single new partition in all the space you just freed up, say,  Then make a single new partition in all the space you just freed up, say,
Line 158  if the filesystems are mostly empty. We  Line 162  if the filesystems are mostly empty. We 
 further.  further.
   
 We could use  We could use
 [dd(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dd+1+NetBSD-current)  [[!template id=man name="dd" section="1"]]
 to copy `/dev/zero` over the new `wd0e` partition, but this will leave our disk  to copy `/dev/zero` over the new `wd0e` partition, but this will leave our disk
 full of zeros, except where we've written encrypted data later. We might not  full of zeros, except where we've written encrypted data later. We might not
 want to give an attacker any clues about which blocks contain real data, and  want to give an attacker any clues about which blocks contain real data, and
Line 182  if you have a large disk. Once finished, Line 186  if you have a large disk. Once finished,
 ### Creating the `cgd`  ### Creating the `cgd`
   
 The  The
 [cgdconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?cgdconfig+8+NetBSD-current)  [[!template id=man name="cgdconfig" section="8"]]
 program, which manipulates `cgd` devices, uses parameters files to store such  program, which manipulates `cgd` devices, uses parameters files to store such
 information as the encryption type, key length, and a random password salt for  information as the encryption type, key length, and a random password salt for
 each `cgd`. These files are very important, and need to be kept safe - without  each `cgd`. These files are very important, and need to be kept safe - without
Line 242  old, unencrypted ones, the offsets will  Line 246  old, unencrypted ones, the offsets will 
 the beginning of this virtual disk.  the beginning of this virtual disk.
   
 Then, use  Then, use
 [newfs(8)](http://netbsd.gw.com/cgi-bin/man-cgi?newfs+8+NetBSD-current) to  [[!template id=man name="newfs" section="8"]] to
 create filesystems on all the relevant partitions. This time your partitions  create filesystems on all the relevant partitions. This time your partitions
 will reflect the `cgd` disk names, for example:  will reflect the `cgd` disk names, for example:
   
Line 267  the `cgd`, so that your temporary files  Line 271  the `cgd`, so that your temporary files 
 filesystem.  filesystem.
   
 Each time you reboot, you're going to need your `cgd` configured early, before  Each time you reboot, you're going to need your `cgd` configured early, before
 [fsck(8)](http://netbsd.gw.com/cgi-bin/man-cgi?fsck+8+NetBSD-current) runs and  [[!template id=man name="fsck" section="8"]] runs and
 filesystems are mounted.  filesystems are mounted.
   
 Put the following line in `/etc/cgd/cgd.conf`:  Put the following line in `/etc/cgd/cgd.conf`:
Line 286  starts. Line 290  starts.
 ### Restoring data  ### Restoring data
   
 Next, mount your new filesystems, and  Next, mount your new filesystems, and
 [restore(8)](http://netbsd.gw.com/cgi-bin/man-cgi?restore+8+NetBSD-current) your  [[!template id=man name="restore" section="8"]] your
 data into them. It often helps to have `/tmp` mounted properly first, as  data into them. It often helps to have `/tmp` mounted properly first, as
 `restore` can use a fair amount of temporary space when extracting a large  `restore` can use a fair amount of temporary space when extracting a large
 dumpfile.  dumpfile.
Line 353  or, for a DVD: Line 357  or, for a DVD:
     # dd if=/dev/zero of=image.img bs=1m count=4482      # dd if=/dev/zero of=image.img bs=1m count=4482
   
 Now configure a  Now configure a
 [vnd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vnd+4+NetBSD-5.0.1+i386)-pseudo  [[!template id=man name="vnd" section="4"]]-pseudo
 disk with the image:  disk with the image:
   
     # vnconfig vnd0 image.img      # vnconfig vnd0 image.img
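Review bot: the link replaced in this hunk pinned vnd(4) to the `NetBSD-5.0.1+i386` manual set, whereas the links replaced in the earlier hunks pointed at `NetBSD-current`; the `[[!template id=man name="vnd" section="4"]]` form takes only a name and a section, so whatever release the template resolves to now applies uniformly. That is an improvement in consistency, but confirm that the template's target matches the commands shown in this part of the page (the `vnconfig vnd0 image.img` invocation and the `cgdconfig`/`disklabel` usage further down), since the same 5.0.1-pinned links are also replaced for cgd(4), cgdconfig(8) and disklabel(8) in the later hunks of this diff. If pinning to a specific release was intentional for the removable-media and encrypted-swap sections, say so in the prose, because the template no longer carries that information.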
Line 365  partitions (I use one different file for Line 369  partitions (I use one different file for
 all removable media, but that's up to you).  all removable media, but that's up to you).
   
 I'll use AES-CBC with a keylength of 256 bits. Refer to  I'll use AES-CBC with a keylength of 256 bits. Refer to
 [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-5.0.1+i386) and  [[!template id=man name="cgd" section="4"]] and
 [cgdconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?cgdconfig+8+NetBSD-5.0.1+i386)  [[!template id=man name="cgdconfig" section="8"]]
 for details and alternatives.  for details and alternatives.
   
 The following command will create the parameter file as `/etc/cgd/image`. *YOU  The following command will create the parameter file as `/etc/cgd/image`. *YOU
Line 539  configuring swap devices not marked as s Line 543  configuring swap devices not marked as s
 In order to automate the process of labeling the disk, prepare an appropriate  In order to automate the process of labeling the disk, prepare an appropriate
 disklabel and save it to a file, for example `/etc/cgd/wd0b.disklabel`. Please  disklabel and save it to a file, for example `/etc/cgd/wd0b.disklabel`. Please
 refer to  refer to
 [disklabel(8)](http://netbsd.gw.com/cgi-bin/man-cgi?disklabel+8+NetBSD-5.0.1+i386)  [[!template id=man name="disklabel" section="8"]]
 for information about how to use `disklabel` to set up a swap partition.  for information about how to use `disklabel` to set up a swap partition.
   
 On each reboot, to restore this saved label to the new `cgd`, create the  On each reboot, to restore this saved label to the new `cgd`, create the
