File:  [NetBSD Developer Wiki] / wikisrc / tutorials / Attic / how_to_encrypt_iscsi_devices.mdwn
Fri Mar 15 20:56:17 2013 UTC (8 years, 8 months ago) by jdf
Branches: MAIN
CVS tags: HEAD
Taken from the original article docs/encrypted-iscsi, written by Alistair Crooks
on Sat, Jan 5 2008, 22:08:32 GMZ.
This article was converted to Markdown by Michael Jin in the scope of Google
Code-In.

    1: **Contents**
    2: 
    3: [[!toc levels=3]]
    4: 
    5: # Encrypted iSCSI Devices on NetBSD
    6: 
    7: ## Introduction
    8: 
    9: This document shows how to set up and run an encrypted iSCSI device on NetBSD.
   10: Encryption of devices can be used for maintaining privacy on devices located
   11: remotely, possibly on co-located hardware, for instance, or on machines which
   12: could be stolen, or to which others could gain access.
   13: 
   14: To encrypt the iSCSI device, we use the NetBSD iSCSI initiator, available in
   15: NetBSD-current, and the standard cgd device.  In all, setting up an encrypted
   16: device in this manner should take less than 15 minutes, even for someone
   17: unfamiliar with iSCSI or cgd.
   18: 
    19: The approach is to layer a vnd on top of the "storage" file presented by the
    20: iSCSI target, exactly as for any other file-backed vnd. On top of that vnd, we
    21: layer a cgd device, which ensures that all data is encrypted on the iSCSI device.
   22: 
   23: ### Device Initialisation
   24: 
   25: This first section shows how to initialise the device, a one-time operation.
   26: 
   27: Firstly, the initiator is started, pointing at the machine which is presenting
   28: the iSCSI storage (i.e. the machine on which the iSCSI target is running). In
   29: this example, the target is running on the same machine as the initiator (a
   30: laptop called, in a moment of inspiration, inspiron1300). A 50 MB iSCSI target
   31: is being presented as target1.
   32: 
   33:     # obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &
   34:     [1] 11196
   35:     # df
   36:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
   37:     /dev/dk0      28101396   20862004    5834324  78% /
   38:     kernfs               1          1          0 100% /kern
   39:     procfs               4          4          0 100% /proc
   40:     ptyfs                1          1          0 100% /dev/pts
   41:     /dev/puffs           0          0          0 100% /mnt
   42: 
   43: Looking at the last line, we can see that the initiator is running via the puffs 
   44: device.
   45: 
   46: We now add a vnd device on top of the storage which the target is presenting:
   47: 
   48:     # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
   49: 
    50: We now add a disklabel whose partition a starts 63 blocks into the iSCSI device.
    51: This is so that the encrypted device which we shall put on top of the vnd does
    52: not clash with the vnd's label. Set the fstype of that partition to "cgd".
   53: 
   54:     # disklabel -e vnd0
   55:     
   56:     # /dev/rvnd0d:
   57:     type: vnd
   58:     disk: vnd
   59:     label: fictitious
   60:     flags:
   61:     bytes/sector: 512
   62:     sectors/track: 32
   63:     tracks/cylinder: 64
   64:     sectors/cylinder: 2048
   65:     cylinders: 50
   66:     total sectors: 102400
   67:     rpm: 3600
   68:     interleave: 1
   69:     trackskew: 0
   70:     cylinderskew: 0
   71:     headswitch: 0           # microseconds
   72:     track-to-track seek: 0  # microseconds
   73:     drivedata: 0
   74:     
   75:     4 partitions:
   76:     #        size    offset     fstype [fsize bsize cpg/sgs]
   77:      a:    102336        63        cgd   2048 16384 28360  # (Cyl.      0 -     49)
   78:      d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
   79: 
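A quick check of the label before going further, as an added example that is not part of the original article: `check_cgd_label` (a hypothetical helper) reads `disklabel vnd0` output and confirms that partition a is typed cgd, starts at or after the 63-sector offset used here, and ends inside the device. `sample_label` reproduces the relevant lines of the label shown above; `MIN_OFFSET` is an assumed override.

```shell
#!/bin/sh
# Added example: sanity-check a vnd disklabel before layering cgd on it.
# Reads disklabel output on stdin, prints one line per problem found and
# returns non-zero if partition a is not usable in the way this page describes.
check_cgd_label() {
    awk -v min="${MIN_OFFSET:-63}" '
        /^total sectors:/ { total = $3 + 0 }
        # Partition lines look like: " a:  102336  63  cgd  2048 ..."
        /^ *[a-p]:/ {
            name = $1; sub(":", "", name)
            size[name] = $2 + 0; off[name] = $3 + 0; fstype[name] = $4
        }
        END {
            if (!("a" in size)) { print "no partition a"; exit 1 }
            bad = 0
            if (fstype["a"] != "cgd") {
                print "a: fstype is " fstype["a"] ", expected cgd"; bad = 1
            }
            if (off["a"] < min) {
                print "a: offset " off["a"] " is below " min " sectors"; bad = 1
            }
            if (off["a"] + size["a"] > total) {
                print "a: extends past sector " total; bad = 1
            }
            exit bad
        }'
}

# The relevant lines of the vnd0 label shown on this page.
sample_label() {
    cat <<'EOF'
total sectors: 102400
4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    102336        63        cgd   2048 16384 28360  # (Cyl.      0 -     49)
 d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
EOF
}

# On the NetBSD host: disklabel vnd0 | check_cgd_label
if [ "${1:-}" = "--sample" ]; then
    sample_label | check_cgd_label && echo "label ok"
fi
```
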
    80: We now set up the cgd device on the vnd partition, with a temporary key read from /dev/urandom.
   81: 
   82:     # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom
   83: 
    84: We then zero the cgd device's storage; dd runs until the end of the device, which it reports as an error.
   85: 
   86:     # dd if=/dev/zero of=/dev/rcgd0d bs=32k
   87:     dd: /dev/rcgd0d: Invalid argument
   88:     1601+0 records in
   89:     1600+0 records out
   90:     52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
   91: 
   92: We now unconfigure the cgd device.
   93: 
   94:     # cgdconfig -u cgd0
   95: 
    96: We then generate a parameters file for the cgd which uses the disklabel
    97: verification method. This step does not always complete properly, in which case it has to be repeated.
   98: 
   99:     # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
  100:     cgdconfig: could not calibrate pkcs5_pbkdf2
  101:     cgdconfig: Failed to generate defaults for keygen
  102:     # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
  103: 
   104: Now we set the passphrase on the cgd device; the re-enter method asks for it twice:
  105: 
  106:     # cgdconfig -V re-enter cgd0 /dev/vnd0a
  107:     /dev/vnd0a's passphrase:
  108:     re-enter device's passphrase:
  109: 
   110: We then write a disklabel inside the cgd itself:
  111: 
  112:     # disklabel -I -e cgd0
  113:     
  114:     # /dev/rcgd0d:
  115:     type: cgd
  116:     disk: cgd
  117:     label: fictitious
  118:     flags:
  119:     bytes/sector: 512
  120:     sectors/track: 2048
  121:     tracks/cylinder: 1
  122:     sectors/cylinder: 2048
  123:     cylinders: 49
  124:     total sectors: 102336
  125:     rpm: 3600
  126:     interleave: 1
  127:     trackskew: 0
  128:     cylinderskew: 0
  129:     headswitch: 0           # microseconds
  130:     track-to-track seek: 0  # microseconds
  131:     drivedata: 0
  132:     
  133:     4 partitions:
  134:     #        size    offset     fstype [fsize bsize cpg/sgs]
  135:      a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
  136:      d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
  137: 
  138: Having placed a disklabel inside the cgd, we can now make a filesystem on there:
  139: 
  140:     # newfs /dev/rcgd0a
  141:     /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
  142:     using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
  143:     super-block backups (for fsck_ffs -b #) at:
  144:     32, 25616, 51200, 76784,
  145: 
  146: We can then mount the new file system in the cgd on the /iscsi mount point:
  147: 
  148:     # df
  149:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
  150:     /dev/dk0      28101396   20910216    5786112  78% /
  151:     kernfs               1          1          0 100% /kern
  152:     procfs               4          4          0 100% /proc
  153:     ptyfs                1          1          0 100% /dev/pts
  154:     /dev/puffs           0          0          0 100% /mnt
  155:     # mount /dev/cgd0a /iscsi
  156:     # df
  157:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
  158:     /dev/dk0      28101396   20910216    5786112  78% /
  159:     kernfs               1          1          0 100% /kern
  160:     procfs               4          4          0 100% /proc
  161:     ptyfs                1          1          0 100% /dev/pts
  162:     /dev/puffs           0          0          0 100% /mnt
  163:     /dev/cgd0a       49519          1      47043   0% /iscsi
  164: 
  165: The new file system, mounted on /iscsi, can now be used as normal.
  166: 
  167: ### Unmounting the Encrypted Device
  168: 
  169: The device can be freed up using the following commands:
  170: 
  171:     # umount /iscsi
  172:     # cgdconfig -u cgd0
  173:     # vnconfig -u vnd0
  174: 
  175: ### Normal Usage
  176: 
   177: In normal usage, the device can be mounted once the initiator is connected to
   178: the target. The vnd and cgd devices are then configured:
  179: 
  180:     # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
  181:     # cgdconfig cgd0 /dev/vnd0a
  182:     /dev/vnd0a's passphrase:
  183: 
  184: I'm using dk devices on this machine, so I now have to access the cgd device
  185: using the dk that was assigned in the cgdconfig step.  If I wasn't using dk
  186: devices, then I'd use the cgd device.
  187: 
  188: So either do
  189: 
   190:     # mount /dev/cgd0a /iscsi
  191: 
  192: or
  193: 
  194:     # mount /dev/dk3 /iscsi
  195: 
  196: Then,
  197: 
  198:     # ls -al /iscsi
  199:     total 3
  200:     drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
  201:     drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
  202:     # df
  203:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
  204:     /dev/dk0      28101396   20910100    5786228  78% /
  205:     kernfs               1          1          0 100% /kern
  206:     procfs               4          4          0 100% /proc
  207:     ptyfs                1          1          0 100% /dev/pts
  208:     /dev/puffs           0          0          0 100% /mnt
  209:     /dev/dk3         49519          1      47043   0% /iscsi
  210: 
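The attach and detach sequences from the two sections above, wrapped so that a failure part-way through does not leave a configured cgd or vnd behind. This is an added example, not part of the original article; the function names and environment overrides are assumptions, and the defaults are the device names used on this page.

```shell
#!/bin/sh
# Added example: bring the vnd -> cgd -> mount stack up and down in order.
# Defaults are the names used on this page; override via the environment.
STORAGE=${STORAGE:-/mnt/inspiron1300.wherever.co.uk/target1/storage}
VND=${VND:-vnd0}
CGD=${CGD:-cgd0}
MOUNT_DEV=${MOUNT_DEV:-/dev/${CGD}a}    # e.g. /dev/dk3 when dk devices are in use
MOUNT_POINT=${MOUNT_POINT:-/iscsi}

iscsi_attach() {
    # The storage file is only visible while the initiator is mounted.
    [ -e "$STORAGE" ] || { echo "initiator not mounted: $STORAGE" >&2; return 1; }
    vnconfig "$VND" "$STORAGE" || return 1
    # cgdconfig prompts for the passphrase; release the vnd if it fails.
    if ! cgdconfig "$CGD" "/dev/${VND}a"; then
        vnconfig -u "$VND"
        return 2
    fi
    # If the mount fails, unwind both layers so that no decrypted
    # device stays configured.
    if ! mount "$MOUNT_DEV" "$MOUNT_POINT"; then
        cgdconfig -u "$CGD"
        vnconfig -u "$VND"
        return 3
    fi
}

iscsi_detach() {
    # Reverse order: file system first, then the cgd, then the vnd.
    umount "$MOUNT_POINT" || return 1
    cgdconfig -u "$CGD" || return 2
    vnconfig -u "$VND"
}

# Run as: script attach | script detach
case "${1:-}" in
    attach) iscsi_attach ;;
    detach) iscsi_detach ;;
esac
```
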
  211: ### Conclusion
  212: 
  213: An iSCSI disk can be in a location over which complete control cannot be
  214: assured. In order to ensure privacy, the cgd device can be used to encrypt the
  215: data on the iSCSI device.
  216: 
  217: This document has shown how to set up a cgd device on top of the iSCSI device,
  218: and how to mount and unmount on a regular basis.
  219: 
