**Contents**

[[!toc levels=3]]

# Encrypted iSCSI Devices on NetBSD

## Introduction

This document shows how to set up and run an encrypted iSCSI device on NetBSD.
Device encryption is useful for maintaining the privacy of data on devices
located remotely, for instance on co-located hardware, or on machines which
could be stolen or to which others could gain access.

To encrypt the iSCSI device, we use the NetBSD iSCSI initiator, available in
NetBSD-6 and newer, and the standard cgd device. In all, setting up an encrypted
device in this manner should take less than 15 minutes, even for someone
unfamiliar with iSCSI or cgd.

The approach is to layer a vnd on top of the "storage" file presented by the
iSCSI target, exactly as one would configure a vnd on any ordinary file. On top
of that vnd, we layer a cgd device, which ensures that all data written to the
iSCSI device is encrypted before it leaves the machine.

### Device Initialisation

This first section shows how to initialise the device, a one-time operation.

Firstly, the initiator is started, pointing at the machine which is presenting
the iSCSI storage (i.e. the machine on which the iSCSI target is running). In
this example, the target is running on the same machine as the initiator (a
laptop called, in a moment of inspiration, inspiron1300). A 50 MB iSCSI target
is being presented as target1.

    # iscsi-initiator -u agc -h inspiron1300.wherever.co.uk /mnt &
    [1] 11196
    # df
    Filesystem 1K-blocks Used Avail %Cap Mounted on
    /dev/dk0 28101396 20862004 5834324 78% /
    kernfs 1 1 0 100% /kern
    procfs 4 4 0 100% /proc
    ptyfs 1 1 0 100% /dev/pts
    /dev/puffs 0 0 0 100% /mnt

Looking at the last line, we can see that the initiator is running via the puffs
device.

We now add a vnd device on top of the storage which the target is presenting:

    # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage

We now add a disklabel with a partition that starts 63 sectors into the iSCSI
device. This is so that the label of the encrypted device which we shall put
on top of the vnd does not clash with the vnd's own label at the start of the
device. The partition's fstype should be set to "cgd".

    # disklabel -e vnd0

    # /dev/rvnd0d:
    type: vnd
    disk: vnd
    label: fictitious
    flags:
    bytes/sector: 512
    sectors/track: 32
    tracks/cylinder: 64
    sectors/cylinder: 2048
    cylinders: 50
    total sectors: 102400
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0 # microseconds
    track-to-track seek: 0 # microseconds
    drivedata: 0

    4 partitions:
    # size offset fstype [fsize bsize cpg/sgs]
    a: 102336 63 cgd 2048 16384 28360 # (Cyl. 0 - 49)
    d: 102400 0 unused 0 0 # (Cyl. 0 - 49)

We now set up the cgd device, pointing it at the vnd device. This first
configuration uses a throwaway random key read from /dev/urandom:

    # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom

and then zero the cgd device's storage. Because the cgd is keyed with a random
key at this point, the zeros reach the iSCSI target as ciphertext, so the
backing store is filled with data indistinguishable from random and anyone
able to read the target cannot tell which blocks are in use. The "Invalid
argument" reported by dd is just the write past the end of the raw device;
1600 records of 32 KB is the full 50 MB.

    # dd if=/dev/zero of=/dev/rcgd0d bs=32k
    dd: /dev/rcgd0d: Invalid argument
    1601+0 records in
    1600+0 records out
    52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)

We now unconfigure the cgd device, discarding the throwaway key.

    # cgdconfig -u cgd0

and then generate the cgd's parameters file, using the disklabel verification
method, into /etc/cgd/vnd0a. That is the file cgdconfig looks for by default
when /dev/vnd0a is configured later without an explicit parameters file.
Sometimes this step does not complete properly, as in the first attempt
below, and so it has to be repeated.

    # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
    cgdconfig: could not calibrate pkcs5_pbkdf2
    cgdconfig: Failed to generate defaults for keygen
    # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256

Now we configure the cgd device with a passphrase. The "re-enter" verification
method is used here because the cgd does not yet contain a disklabel to verify
the passphrase against, so it is asked for twice instead:

    # cgdconfig -V re-enter cgd0 /dev/vnd0a
    /dev/vnd0a's passphrase:
    re-enter device's passphrase:

and then write a disklabel inside the cgd itself:

    # disklabel -I -e cgd0

    # /dev/rcgd0d:
    type: cgd
    disk: cgd
    label: fictitious
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 49
    total sectors: 102336
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0 # microseconds
    track-to-track seek: 0 # microseconds
    drivedata: 0

    4 partitions:
    # size offset fstype [fsize bsize cpg/sgs]
    a: 102336 0 4.2BSD 2048 16384 28360 # (Cyl. 0 - 49*)
    d: 102336 0 unused 0 0 # (Cyl. 0 - 49*)

Having placed a disklabel inside the cgd, we can now make a filesystem on there:

    # newfs /dev/rcgd0a
    /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
    using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
    super-block backups (for fsck_ffs -b #) at:
    32, 25616, 51200, 76784,

We can then mount the new file system in the cgd on the /iscsi mount point:

    # df
    Filesystem 1K-blocks Used Avail %Cap Mounted on
    /dev/dk0 28101396 20910216 5786112 78% /
    kernfs 1 1 0 100% /kern
    procfs 4 4 0 100% /proc
    ptyfs 1 1 0 100% /dev/pts
    /dev/puffs 0 0 0 100% /mnt
    # mount /dev/cgd0a /iscsi
    # df
    Filesystem 1K-blocks Used Avail %Cap Mounted on
    /dev/dk0 28101396 20910216 5786112 78% /
    kernfs 1 1 0 100% /kern
    procfs 4 4 0 100% /proc
    ptyfs 1 1 0 100% /dev/pts
    /dev/puffs 0 0 0 100% /mnt
    /dev/cgd0a 49519 1 47043 0% /iscsi

The new file system, mounted on /iscsi, can now be used as normal.
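The initialisation steps above, gathered into one script. This is an added example, not part of the original page or of NetBSD itself: it assumes the iscsi-initiator is already running, takes the device names, the storage file, the mount point and the target's size in 512-byte sectors as parameters, and writes both disklabels from generated prototype files with `disklabel -R` in place of the page's interactive `disklabel -e` (an assumed equivalent; the `label_proto` helper and the `DRY_RUN` switch, which prints each command instead of running it, are this example's own). The partition "a" it generates is 63 sectors shorter than the whole device, one sector larger than the hand-edited label on the page, and the generation of the parameters file is retried because the page notes it occasionally fails.

```shell
#!/bin/sh
# Added example (not from the NetBSD wiki page): one-time initialisation of a
# cgd on top of an iSCSI-backed vnd.  Assumes the initiator is mounted already.
# DRY_RUN=1 prints each command instead of executing it.

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Prototype disklabel for "disklabel -R": partition "a" of the given fstype
# starts OFFSET sectors in and runs to the end; "d" covers the whole device.
# For the vnd, OFFSET=63 keeps the cgd's own label (stored inside "a") clear
# of the vnd's label at the start of the device.
# Usage: label_proto KIND SECTORS OFFSET FSTYPE
label_proto() {
    kind=$1; total=$2; off=$3; fstype=$4
    cat <<EOF
type: $kind
disk: $kind
label: fictitious
flags:
bytes/sector: 512
sectors/track: 32
tracks/cylinder: 64
sectors/cylinder: 2048
cylinders: $((total / 2048))
total sectors: $total
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0
track-to-track seek: 0
drivedata: 0

4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:   $((total - off))        $off   $fstype   2048 16384 28360
 d:   $total        0   unused      0     0
EOF
}

# Usage: init_encrypted_iscsi VND CGD STORAGE MOUNTPOINT SECTORS
init_encrypted_iscsi() {
    vnd=$1; cgd=$2; storage=$3; mnt=$4; total=$5
    params=/etc/cgd/${vnd}a        # default params file cgdconfig uses for /dev/${vnd}a
    proto=$(mktemp) || return 1

    run vnconfig "$vnd" "$storage" || return 1
    label_proto vnd "$total" 63 cgd > "$proto"
    run disklabel -R "$vnd" "$proto" || return 1

    # Throwaway random key: the zeros written below land on the target as
    # ciphertext, so used and unused blocks look alike to anyone reading it.
    run sh -c "cgdconfig -s $cgd /dev/${vnd}a aes-cbc 128 < /dev/urandom" || return 1
    run dd if=/dev/zero of="/dev/r${cgd}d" bs=32k   # EINVAL at end of device is expected
    run cgdconfig -u "$cgd" || return 1

    # Generating the params file sometimes fails (pkcs5_pbkdf2 calibration
    # error on the page), so retry a few times before giving up.
    n=0
    until run cgdconfig -g -V disklabel -o "$params" aes-cbc 256; do
        n=$((n + 1)); [ "$n" -lt 3 ] || return 1
    done

    # No label inside the cgd yet, so the passphrase is asked for twice.
    run cgdconfig -V re-enter "$cgd" "/dev/${vnd}a" || return 1
    label_proto cgd "$((total - 63))" 0 4.2BSD > "$proto"
    run disklabel -R "$cgd" "$proto" || return 1
    rm -f "$proto"
    run newfs "/dev/r${cgd}a" || return 1
    run mount "/dev/${cgd}a" "$mnt"
}

# Example invocation for the page's 50 MB target (102400 sectors):
# DRY_RUN=1 init_encrypted_iscsi vnd0 cgd0 /mnt/host/target1/storage /iscsi 102400
```

Run it once with `DRY_RUN=1` first to review the command sequence; every step returns non-zero on failure so a partially initialised device is noticed rather than silently mounted.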

### Unmounting the Encrypted Device

The device can be freed up using the following commands:

    # umount /iscsi
    # cgdconfig -u cgd0
    # vnconfig -u vnd0

### Normal Usage

In normal usage, the device is mounted as follows. With the initiator running
as shown above, the vnd is configured on the target's storage file and the cgd
is configured on top of it; cgdconfig finds /etc/cgd/vnd0a by default and
verifies the passphrase against the disklabel inside the cgd:

    # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
    # cgdconfig cgd0 /dev/vnd0a
    /dev/vnd0a's passphrase:

I'm using dk devices on this machine, so I now have to access the cgd device
using the dk that was assigned in the cgdconfig step. If I wasn't using dk
devices, then I'd use the cgd device.

So either do

    # mount /dev/cgd0a /iscsi

or

    # mount /dev/dk3 /iscsi

Then,

    # ls -al /iscsi
    total 3
    drwxr-xr-x 2 root wheel 512 Jan 1 1970 .
    drwxr-xr-x 35 root wheel 1536 Jan 5 08:59 ..
    # df
    Filesystem 1K-blocks Used Avail %Cap Mounted on
    /dev/dk0 28101396 20910100 5786228 78% /
    kernfs 1 1 0 100% /kern
    procfs 4 4 0 100% /proc
    ptyfs 1 1 0 100% /dev/pts
    /dev/puffs 0 0 0 100% /mnt
    /dev/dk3 49519 1 47043 0% /iscsi
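The day-to-day attach and detach sequence from the two sections above as a script. This is an added example, not code from the original page or from NetBSD: it picks the device to mount automatically (the dkN wedge if the kernel created one on the cgd, otherwise /dev/cgdNa), and if mounting fails it unconfigures the cgd and vnd again so no configured cgd with its key loaded in the kernel is left behind. The wedge lookup assumes the `dkctl cgdN listwedges` output lists each wedge as a line beginning `dkN:`; the `DRY_RUN` switch, the `DRY_RUN_WEDGES` stand-in for that output and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the NetBSD wiki page): attach/detach of the
# encrypted iSCSI device with wedge detection and rollback on failure.
# DRY_RUN=1 prints commands instead of running them; DRY_RUN_WEDGES then
# stands in for the output of "dkctl <cgd> listwedges".

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read "dkctl <cgd> listwedges" output on stdin and print the first wedge
# name (e.g. "dk3"), or nothing when there are no wedges.  Constructed
# sample of the format this expects:
#   /dev/rcgd0d: 1 wedge:
#   dk3: <label>, 102336 blocks at 0, type: ffs
first_wedge() {
    sed -n 's/^\(dk[0-9][0-9]*\):.*/\1/p' | head -n 1
}

# Print the block device to mount for a configured cgd: its wedge if the
# kernel made one, else partition "a" of the cgd itself.  Usage: device_for CGD
device_for() {
    cgd=$1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        w=$(printf '%s\n' "${DRY_RUN_WEDGES:-}" | first_wedge)
    else
        w=$(dkctl "$cgd" listwedges 2>/dev/null | first_wedge)
    fi
    if [ -n "$w" ]; then
        printf '/dev/%s\n' "$w"
    else
        printf '/dev/%sa\n' "$cgd"
    fi
}

# Usage: attach_iscsi_cgd VND CGD STORAGE MOUNTPOINT
attach_iscsi_cgd() {
    vnd=$1; cgd=$2; storage=$3; mnt=$4
    run vnconfig "$vnd" "$storage" || return 1
    # cgdconfig finds /etc/cgd/<vnd>a, asks for the passphrase and verifies
    # it against the disklabel inside the cgd.  Undo the vnd if it fails.
    if ! run cgdconfig "$cgd" "/dev/${vnd}a"; then
        run vnconfig -u "$vnd"
        return 1
    fi
    dev=$(device_for "$cgd")
    # A cgd that is configured but not mounted still holds its key in the
    # kernel, so tear everything down again if the mount fails.
    if ! run mount "$dev" "$mnt"; then
        run cgdconfig -u "$cgd"
        run vnconfig -u "$vnd"
        return 1
    fi
}

# Usage: detach_iscsi_cgd VND CGD MOUNTPOINT
detach_iscsi_cgd() {
    vnd=$1; cgd=$2; mnt=$3
    run umount "$mnt" || return 1
    run cgdconfig -u "$cgd" || return 1
    run vnconfig -u "$vnd"
}

# Example invocations for the page's devices:
# attach_iscsi_cgd vnd0 cgd0 /mnt/inspiron1300.wherever.co.uk/target1/storage /iscsi
# detach_iscsi_cgd vnd0 cgd0 /iscsi
```

Detaching in the reverse order of attaching matters: unmounting first flushes the file system, unconfiguring the cgd then drops the key from the kernel, and only then is the vnd released.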

### Conclusion

An iSCSI disk can be in a location over which complete control cannot be
assured. To preserve privacy in that situation, the cgd device can be used to
encrypt the data on the iSCSI device, so that only ciphertext is ever stored
on the target.

This document has shown how to set up a cgd device on top of the iSCSI device,
and how to mount and unmount it on a regular basis.
219: