Annotation of wikisrc/tutorials/how_to_encrypt_iscsi_devices.mdwn, revision 1.1 (committed by jdf)

**Contents**

[[!toc levels=3]]

# Encrypted iSCSI Devices on NetBSD

## Introduction

This document shows how to set up and run an encrypted iSCSI device on NetBSD.
Encrypting the device keeps its contents private when the storage is located
remotely, for instance on co-located hardware, or on a machine which could be
stolen or to which others could gain access. Because the encryption is done on
the initiator, the iSCSI target (and anyone watching the iSCSI session, which
carries data in the clear unless it is otherwise protected) only ever sees
ciphertext; the key and the passphrase never leave the initiator. Note that
cgd provides confidentiality only: it does not detect modification of the
stored data, and it cannot protect the data while the device is configured
and mounted on a compromised initiator.

To encrypt the iSCSI device, we use the NetBSD iSCSI initiator, available in
NetBSD-current, and the standard cgd(4) device. In all, setting up an encrypted
device in this manner should take less than 15 minutes, even for someone
unfamiliar with iSCSI or cgd.

The approach is to layer a vnd(4) on top of the "storage" file through which
the iSCSI initiator presents the target, exactly as one would for any
file-backed disk. On top of that vnd we layer a cgd device, which ensures that
all data written to the iSCSI target is encrypted.
! 22:
### Device Initialisation

This first section shows how to initialise the device, a one-time operation.

Firstly, the initiator is started, pointing at the machine which is presenting
the iSCSI storage (i.e. the machine on which the iSCSI target is running). In
this example, the target is running on the same machine as the initiator (a
laptop called, in a moment of inspiration, inspiron1300). A 50 MB iSCSI target
is being presented as target1.

    # obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &
    [1] 11196
    # df
    Filesystem   1K-blocks     Used    Avail %Cap Mounted on
    /dev/dk0      28101396 20862004  5834324  78% /
    kernfs               1        1        0 100% /kern
    procfs               4        4        0 100% /proc
    ptyfs                1        1        0 100% /dev/pts
    /dev/puffs           0        0        0 100% /mnt

Looking at the last line, we can see that the initiator's file system is
mounted on /mnt via puffs; each target appears beneath it as a directory
containing a "storage" file.
! 45:
We now add a vnd device on top of the storage file which the initiator presents
for the target:

    # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage

We now write a disklabel to the vnd, with a partition for the cgd that starts
63 sectors into the device. The offset is there so that the encrypted data we
shall put on top of the vnd does not overwrite the vnd's own label in sector 0.
Set the fstype of that partition to "cgd".

    # disklabel -e vnd0

    # /dev/rvnd0d:
    type: vnd
    disk: vnd
    label: fictitious
    flags:
    bytes/sector: 512
    sectors/track: 32
    tracks/cylinder: 64
    sectors/cylinder: 2048
    cylinders: 50
    total sectors: 102400
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    4 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     a:    102336        63        cgd   2048 16384 28360  # (Cyl.      0 -     49)
     d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
! 79:
We now set up a cgd device on top of the vnd's "a" partition, using a
throwaway random key read from /dev/urandom ("priv" is a local wrapper on the
author's machine; the command that matters is cgdconfig):

    # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom

and then write zeros through it. Because the cgd encrypts the zeros with a
random key that is discarded afterwards, the underlying iSCSI storage ends up
filled with data indistinguishable from the encrypted file system, so an
observer of the target cannot tell used blocks from unused ones. The "Invalid
argument" from dd simply marks the end of the device:

    # dd if=/dev/zero of=/dev/rcgd0d bs=32k
    dd: /dev/rcgd0d: Invalid argument
    1601+0 records in
    1600+0 records out
    52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)

We now unconfigure the cgd device, discarding the random key:

    # cgdconfig -u cgd0

and generate the real parameters file for the cgd, using a passphrase-derived
key and the disklabel verification method. This step sometimes fails with the
calibration error shown below, in which case it simply has to be repeated:

    # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
    cgdconfig: could not calibrate pkcs5_pbkdf2
    cgdconfig: Failed to generate defaults for keygen
    # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256

The parameters file holds the salt and iteration count rather than the key, but
the device cannot be configured without it, so keep a copy.

Now we configure the cgd with the new parameters, which derives the key from
the passphrase. Disklabel verification cannot succeed yet because there is no
label inside the cgd, so for this one configuration we override it with the
"re-enter" method, which asks for the passphrase twice instead:

    # cgdconfig -V re-enter cgd0 /dev/vnd0a
    /dev/vnd0a's passphrase:
    re-enter device's passphrase:

and write a disklabel inside the cgd itself (-I lets disklabel edit a label
into place where none exists yet). This label is what the "disklabel"
verification method checks on every later cgdconfig: a wrong passphrase
decrypts to garbage rather than a valid label, and the device is not
configured. Note that its size, 102336 sectors, is the size of the vnd's "a"
partition, 63 sectors less than the vnd itself:

    # disklabel -I -e cgd0

    # /dev/rcgd0d:
    type: cgd
    disk: cgd
    label: fictitious
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 49
    total sectors: 102336
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    4 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
     d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
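Before going on to newfs, it is worth checking the two labels against the
offset rule above and against each other. The following script is an added
example and is not part of the tutorial or of NetBSD: it parses disklabel(8)
output with awk and verifies that the vnd partition has fstype cgd, starts
above sector 0 and fits in the disk, and that the label inside the cgd has
exactly the outer partition's size. The sample labels inside it are constructed
from the two listings above (the extra "bad" label is invented to exercise the
check); the device names in the usage lines are the tutorial's and are
assumptions.

```shell
#!/bin/sh
# Added example, not part of the NetBSD tutorial: sanity-check the two
# disklabels before newfs. Real use on the initiator (assumed device names):
#   sh check_labels.sh outer vnd0 a        # disklabel vnd0 | check_outer_label a
#   sh check_labels.sh inner cgd0 102336   # disklabel cgd0 | check_inner_label 102336

# check_outer_label [PART]: read `disklabel <vnd>` output on stdin and verify
# that PART (default a) can back a cgd: fstype "cgd", an offset of at least one
# sector so cgd data never overwrites the vnd's own label in sector 0, and
# offset+size inside the disk. Prints a one-line verdict; returns 1 on failure.
check_outer_label() {
    awk -v part="${1:-a}" '
        /total sectors:/ { total = $3 + 0 }
        $1 == (part ":") { size = $2 + 0; offset = $3 + 0; fstype = $4; seen = 1 }
        END {
            if (!seen)           { print "no partition " part " in label"; exit 1 }
            if (fstype != "cgd") { print part ": fstype " fstype ", expected cgd"; exit 1 }
            if (offset < 1)      { print part ": offset 0 overlaps the vnd label in sector 0"; exit 1 }
            if (offset + size > total) {
                print part ": " (offset + size) " sectors exceeds total " total; exit 1
            }
            print part ": ok, " size " sectors at " offset " of " total
        }'
}

# check_inner_label EXPECTED: read `disklabel <cgd>` output on stdin and verify
# that the label inside the cgd matches the outer partition: its total sectors
# equal EXPECTED (the outer partition's size) and partition a is a 4.2BSD
# partition that fits. This is the label the "disklabel" verification method
# checks on every later cgdconfig.
check_inner_label() {
    awk -v expect="$1" '
        /total sectors:/ { total = $3 + 0 }
        $1 == "a:"       { size = $2 + 0; offset = $3 + 0; fstype = $4; seen = 1 }
        END {
            if (total != expect) { print "cgd has " total " sectors, outer partition has " expect; exit 1 }
            if (!seen || fstype != "4.2BSD") { print "a: missing or not 4.2BSD"; exit 1 }
            if (offset + size > total) { print "a: " (offset + size) " sectors exceeds " total; exit 1 }
            print "inner label ok: " size " sectors of 4.2BSD in " total
        }'
}

# Constructed samples: the tutorial's two labels trimmed to the lines the
# checks read, plus an invented bad outer label whose "a" starts at sector 0.
vnd0_label() {
    cat <<'EOF'
total sectors: 102400
4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    102336        63        cgd   2048 16384 28360  # (Cyl.      0 -     49)
 d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
EOF
}
cgd0_label() {
    cat <<'EOF'
total sectors: 102336
4 partitions:
 a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
 d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
EOF
}
bad_vnd0_label() {
    cat <<'EOF'
total sectors: 102400
 a:    102400         0        cgd   2048 16384 28360
 d:    102400         0     unused      0     0
EOF
}

# With no arguments nothing runs; the functions are then available for reuse.
case "${1:-}" in
    outer) disklabel "$2" | check_outer_label "${3:-a}" ;;
    inner) disklabel "$2" | check_inner_label "$3" ;;
esac
```

The checks only read the label text, so they are safe to run on a configured
device at any time; a failing outer check means cgdconfig must not be run on
that partition until the label is fixed.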
! 137:
Having placed a disklabel inside the cgd, we can now make a file system on it:

    # newfs /dev/rcgd0a
    /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
            using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
    super-block backups (for fsck_ffs -b #) at:
    32, 25616, 51200, 76784,

We can then mount the new file system in the cgd on the /iscsi mount point
(which must already exist):

    # df
    Filesystem   1K-blocks     Used    Avail %Cap Mounted on
    /dev/dk0      28101396 20910216  5786112  78% /
    kernfs               1        1        0 100% /kern
    procfs               4        4        0 100% /proc
    ptyfs                1        1        0 100% /dev/pts
    /dev/puffs           0        0        0 100% /mnt
    # mount /dev/cgd0a /iscsi
    # df
    Filesystem   1K-blocks     Used    Avail %Cap Mounted on
    /dev/dk0      28101396 20910216  5786112  78% /
    kernfs               1        1        0 100% /kern
    procfs               4        4        0 100% /proc
    ptyfs                1        1        0 100% /dev/pts
    /dev/puffs           0        0        0 100% /mnt
    /dev/cgd0a       49519        1    47043   0% /iscsi

The new file system, mounted on /iscsi, can now be used as normal.

! 166:
### Unmounting the Encrypted Device

The device is freed by undoing the layers in reverse order: unmount the file
system, unconfigure the cgd (which discards the key from the kernel), and then
unconfigure the vnd:

    # umount /iscsi
    # cgdconfig -u cgd0
    # vnconfig -u vnd0
! 174:
### Normal Usage

In normal usage, the device is brought up again with a few commands. The
initiator (iscsifs) must be running and mounted on /mnt as shown above; the vnd
is then configured on the storage file and the cgd on top of it. cgdconfig
reads the parameters file /etc/cgd/vnd0a written earlier, asks for the
passphrase once, and refuses to configure the device if the label it finds
inside does not verify (i.e. if the passphrase is wrong):

    # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
    # cgdconfig cgd0 /dev/vnd0a
    /dev/vnd0a's passphrase:

I'm using dk devices on this machine, so I now have to access the cgd device
using the dk wedge that was assigned in the cgdconfig step (dkctl cgd0
listwedges shows which one). If I wasn't using dk devices, then I'd use the cgd
device.

So either do

    # mount /dev/cgd0a /iscsi

or

    # mount /dev/dk3 /iscsi

Then,

    # ls -al /iscsi
    total 3
    drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
    drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
    # df
    Filesystem   1K-blocks     Used    Avail %Cap Mounted on
    /dev/dk0      28101396 20910100  5786228  78% /
    kernfs               1        1        0 100% /kern
    procfs               4        4        0 100% /proc
    ptyfs                1        1        0 100% /dev/pts
    /dev/puffs           0        0        0 100% /mnt
    /dev/dk3         49519        1    47043   0% /iscsi
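The attach sequence in this section and the unmount sequence in the previous
one are easy to get out of order by hand, and a cgdconfig that fails (wrong
passphrase, missing parameters file) leaves the vnd configured. The following
script is an added example, not part of the tutorial or of NetBSD; it wraps both
sequences, undoing the earlier steps when a later one fails. It assumes the
tutorial's storage path, device names and mount point (override them in the
environment), and it assumes the "dkN: ..." line format of dkctl listwedges
output, which it parses to find the wedge to mount. DRY_RUN=1 records the
commands in PLAN instead of running them, which is how the script is exercised
off a NetBSD box.

```shell
#!/bin/sh
# Added example, not part of the NetBSD tutorial: attach/detach the encrypted
# iSCSI volume in the tutorial's order, undoing earlier steps when a later one
# fails. Storage path, device names and mount point are the tutorial's and are
# assumptions; override them in the environment.
#   sh iscsi-cgd.sh attach   # vnconfig -> cgdconfig (asks passphrase) -> mount
#   sh iscsi-cgd.sh detach   # umount -> cgdconfig -u -> vnconfig -u
STORAGE=${STORAGE:-/mnt/inspiron1300.wherever.co.uk/target1/storage}
VND=${VND:-vnd0}
CGD=${CGD:-cgd0}
MNT=${MNT:-/iscsi}
DRY_RUN=${DRY_RUN:-0}   # 1: only record commands in PLAN, run nothing
FAIL_AT=${FAIL_AT:-}    # dry run only: pretend this command fails
PLAN=""

# run CMD...: append the command to PLAN ("; "-separated), then execute it
# unless DRY_RUN=1. Returns the command's exit status.
run() {
    PLAN="${PLAN}${PLAN:+; }$*"
    if [ "$DRY_RUN" = 1 ]; then
        if [ -n "$FAIL_AT" ] && [ "$1" = "$FAIL_AT" ]; then return 1; fi
        return 0
    fi
    "$@"
}

# cgd_dev: the device to mount. On a system using dk(4) wedges the cgd's
# partitions show up as dkN, so ask dkctl for the first wedge on the cgd
# (assumed line format: "dkN: <name>, <size> blocks at <offset>, type: ffs");
# otherwise fall back to the cgd's own "a" partition.
cgd_dev() {
    wedge=""
    if [ "$DRY_RUN" != 1 ]; then
        wedge=$(dkctl "$CGD" listwedges 2>/dev/null |
                awk '/^dk[0-9]+:/ { sub(":", "", $1); print $1; exit }')
    fi
    if [ -n "$wedge" ]; then echo "/dev/$wedge"; else echo "/dev/${CGD}a"; fi
}

attach() {
    if [ "$DRY_RUN" != 1 ] && [ ! -f "$STORAGE" ]; then
        echo "attach: $STORAGE missing: is the iSCSI initiator mounted on /mnt?" >&2
        return 1
    fi
    run vnconfig "$VND" "$STORAGE" || return 1
    # cgdconfig reads /etc/cgd/${VND}a, prompts for the passphrase and
    # verifies the inner disklabel; on failure release the vnd again.
    if ! run cgdconfig "$CGD" "/dev/${VND}a"; then
        run vnconfig -u "$VND"
        return 1
    fi
    if ! run mount "$(cgd_dev)" "$MNT"; then
        run cgdconfig -u "$CGD"
        run vnconfig -u "$VND"
        return 1
    fi
}

detach() {
    run umount "$MNT" || return 1         # stop: never tear down a mounted fs
    run cgdconfig -u "$CGD" || return 1   # key discarded from the kernel here
    run vnconfig -u "$VND"
}

case "${1:-}" in
    attach) attach ;;
    detach) detach ;;
esac
```

Unlike `set -e`, the explicit cleanup makes the failure path part of the
design: after a failed attach the vnd is gone again, so a retry starts from
the same state as the first attempt, and the passphrase prompt still comes
from cgdconfig itself rather than from the script.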
! 210:
### Conclusion

An iSCSI disk may sit in a location over which complete control cannot be
assured. To keep its contents private, a cgd device can be layered over the
iSCSI device so that only ciphertext ever reaches the target; the passphrase
and the parameters file in /etc/cgd stay on the initiator and must be
protected there.

This document has shown how to set up a cgd device on top of the iSCSI device,
and how to mount and unmount it on a regular basis.
