Annotation of wikisrc/tutorials/how_to_encrypt_iscsi_devices.mdwn, revision 1.2

1.1       jdf         1: **Contents**
                      2: 
                      3: [[!toc levels=3]]
                      4: 
                      5: # Encrypted iSCSI Devices on NetBSD
                      6: 
                      7: ## Introduction
                      8: 
                      9: This document shows how to set up and run an encrypted iSCSI device on NetBSD.
                     10: Encryption of devices can be used for maintaining privacy on devices located
                     11: remotely, possibly on co-located hardware, for instance, or on machines which
                     12: could be stolen, or to which others could gain access.
                     13: 
                     14: To encrypt the iSCSI device, we use the NetBSD iSCSI initiator, available in
1.2     ! sevan      15: NetBSD-6 and newer, and the standard cgd device.  In all, setting up an encrypted
1.1       jdf        16: device in this manner should take less than 15 minutes, even for someone
                     17: unfamiliar with iSCSI or cgd.
                     18: 
                     19: The approach is to layer a vnd on top of the "storage" file presented by the
                     20: iSCSI target. This is exactly the same as normal. On top of that vnd, we layer a
                     21: cgd device, which ensures that all data is encrypted on the iSCSI device.
                     22: 
                     23: ### Device Initialisation
                     24: 
                     25: This first section shows how to initialise the device, a one-time operation.
                     26: 
                     27: Firstly, the initiator is started, pointing at the machine which is presenting
                     28: the iSCSI storage (i.e. the machine on which the iSCSI target is running). In
                     29: this example, the target is running on the same machine as the initiator (a
                     30: laptop called, in a moment of inspiration, inspiron1300). A 50 MB iSCSI target
                     31: is being presented as target1.
                     32: 
1.2     ! sevan      33:     # iscsi-initiator -u agc -h inspiron1300.wherever.co.uk /mnt &
1.1       jdf        34:     [1] 11196
                     35:     # df
                     36:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                     37:     /dev/dk0      28101396   20862004    5834324  78% /
                     38:     kernfs               1          1          0 100% /kern
                     39:     procfs               4          4          0 100% /proc
                     40:     ptyfs                1          1          0 100% /dev/pts
                     41:     /dev/puffs           0          0          0 100% /mnt
                     42: 
                     43: Looking at the last line, we can see that the initiator is running via the puffs 
                     44: device.
                     45: 
                     46: We now add a vnd device on top of the storage which the target is presenting:
                     47: 
                     48:     # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
                     49: 
                     50: We now add a disklabel, which is offset 63 blocks into the iSCSI device. This
                     51: is so that the encrypted device which we shall put on top of the vnd does not
                     52: clash with the vnd's label. You should set the cgd's type to "cgd".
                     53: 
                     54:     # disklabel -e vnd0
                     55:     
                     56:     # /dev/rvnd0d:
                     57:     type: vnd
                     58:     disk: vnd
                     59:     label: fictitious
                     60:     flags:
                     61:     bytes/sector: 512
                     62:     sectors/track: 32
                     63:     tracks/cylinder: 64
                     64:     sectors/cylinder: 2048
                     65:     cylinders: 50
                     66:     total sectors: 102400
                     67:     rpm: 3600
                     68:     interleave: 1
                     69:     trackskew: 0
                     70:     cylinderskew: 0
                     71:     headswitch: 0           # microseconds
                     72:     track-to-track seek: 0  # microseconds
                     73:     drivedata: 0
                     74:     
                     75:     4 partitions:
                     76:     #        size    offset     fstype [fsize bsize cpg/sgs]
                     77:      a:    102336        63        cgd   2048 16384 28360  # (Cyl.      0 -     49)
                     78:      d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
                     79: 
                     80: We now set up the cgd device, pointing it at the vnd device.
                     81: 
                     82:     # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom
                     83: 
                     84: and then zero the cgd device's storage.
                     85: 
                     86:     # dd if=/dev/zero of=/dev/rcgd0d bs=32k
                     87:     dd: /dev/rcgd0d: Invalid argument
                     88:     1601+0 records in
                     89:     1600+0 records out
                     90:     52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
                     91: 
                     92: We now unconfigure the cgd device.
                     93: 
                     94:     # cgdconfig -u cgd0
                     95: 
                     96: and then write using the disklabel verification method onto the cgd. Sometimes,
                     97: this process does not always complete properly, and so it has to be repeated.
                     98: 
                     99:     # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
                    100:     cgdconfig: could not calibrate pkcs5_pbkdf2
                    101:     cgdconfig: Failed to generate defaults for keygen
                    102:     # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
                    103: 
                    104: Now we have to add the password to the cgd device
                    105: 
                    106:     # cgdconfig -V re-enter cgd0 /dev/vnd0a
                    107:     /dev/vnd0a's passphrase:
                    108:     re-enter device's passphrase:
                    109: 
                    110: and disklabel inside the cgd itself:
                    111: 
                    112:     # disklabel -I -e cgd0
                    113:     
                    114:     # /dev/rcgd0d:
                    115:     type: cgd
                    116:     disk: cgd
                    117:     label: fictitious
                    118:     flags:
                    119:     bytes/sector: 512
                    120:     sectors/track: 2048
                    121:     tracks/cylinder: 1
                    122:     sectors/cylinder: 2048
                    123:     cylinders: 49
                    124:     total sectors: 102336
                    125:     rpm: 3600
                    126:     interleave: 1
                    127:     trackskew: 0
                    128:     cylinderskew: 0
                    129:     headswitch: 0           # microseconds
                    130:     track-to-track seek: 0  # microseconds
                    131:     drivedata: 0
                    132:     
                    133:     4 partitions:
                    134:     #        size    offset     fstype [fsize bsize cpg/sgs]
                    135:      a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
                    136:      d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
                    137: 
                    138: Having placed a disklabel inside the cgd, we can now make a filesystem on there:
                    139: 
                    140:     # newfs /dev/rcgd0a
                    141:     /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
                    142:     using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
                    143:     super-block backups (for fsck_ffs -b #) at:
                    144:     32, 25616, 51200, 76784,
                    145: 
                    146: We can then mount the new file system in the cgd on the /iscsi mount point:
                    147: 
                    148:     # df
                    149:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                    150:     /dev/dk0      28101396   20910216    5786112  78% /
                    151:     kernfs               1          1          0 100% /kern
                    152:     procfs               4          4          0 100% /proc
                    153:     ptyfs                1          1          0 100% /dev/pts
                    154:     /dev/puffs           0          0          0 100% /mnt
                    155:     # mount /dev/cgd0a /iscsi
                    156:     # df
                    157:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                    158:     /dev/dk0      28101396   20910216    5786112  78% /
                    159:     kernfs               1          1          0 100% /kern
                    160:     procfs               4          4          0 100% /proc
                    161:     ptyfs                1          1          0 100% /dev/pts
                    162:     /dev/puffs           0          0          0 100% /mnt
                    163:     /dev/cgd0a       49519          1      47043   0% /iscsi
                    164: 
                    165: The new file system, mounted on /iscsi, can now be used as normal.
                    166: 
                    167: ### Unmounting the Encrypted Device
                    168: 
                    169: The device can be freed up using the following commands:
                    170: 
                    171:     # umount /iscsi
                    172:     # cgdconfig -u cgd0
                    173:     # vnconfig -u vnd0
                    174: 
                    175: ### Normal Usage
                    176: 
                    177: In normal usage, the device can be mounted. Firstly, the initiator must be
                    178: configured to connect to the device:
                    179: 
                    180:     # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
                    181:     # cgdconfig cgd0 /dev/vnd0a
                    182:     /dev/vnd0a's passphrase:
                    183: 
                    184: I'm using dk devices on this machine, so I now have to access the cgd device
                    185: using the dk that was assigned in the cgdconfig step.  If I wasn't using dk
                    186: devices, then I'd use the cgd device.
                    187: 
                    188: So either do
                    189: 
                    190:     # mount /dev/cgd0a /iscsi OR
                    191: 
                    192: or
                    193: 
                    194:     # mount /dev/dk3 /iscsi
                    195: 
                    196: Then,
                    197: 
                    198:     # ls -al /iscsi
                    199:     total 3
                    200:     drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
                    201:     drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
                    202:     # df
                    203:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                    204:     /dev/dk0      28101396   20910100    5786228  78% /
                    205:     kernfs               1          1          0 100% /kern
                    206:     procfs               4          4          0 100% /proc
                    207:     ptyfs                1          1          0 100% /dev/pts
                    208:     /dev/puffs           0          0          0 100% /mnt
                    209:     /dev/dk3         49519          1      47043   0% /iscsi
                    210: 
                    211: ### Conclusion
                    212: 
                    213: An iSCSI disk can be in a location over which complete control cannot be
                    214: assured. In order to ensure privacy, the cgd device can be used to encrypt the
                    215: data on the iSCSI device.
                    216: 
                    217: This document has shown how to set up a cgd device on top of the iSCSI device,
                    218: and how to mount and unmount on a regular basis.
                    219: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb