File:  [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_encrypt_iscsi_devices.mdwn
Revision 1.1: download - view: text, annotated - select for diffs
Fri Mar 15 20:56:17 2013 UTC (13 months ago) by jdf
Branches: MAIN
CVS tags: HEAD
Taken from the original article docs/encrypted-iscsi, written by Alistair Crooks
on Sat, Jan 5 2008, 22:08:32 GMZ.
This article was converted to Markdown by Michael Jin in the scope of Google
Code-In.

**Contents**

[[!toc levels=3]]

# Encrypted iSCSI Devices on NetBSD

## Introduction

This document shows how to set up and run an encrypted iSCSI device on NetBSD.
Encryption of devices can be used for maintaining privacy on devices located
remotely, possibly on co-located hardware, for instance, or on machines which
could be stolen, or to which others could gain access.

To encrypt the iSCSI device, we use the NetBSD iSCSI initiator, available in
NetBSD-current, and the standard cgd device.  In all, setting up an encrypted
device in this manner should take less than 15 minutes, even for someone
unfamiliar with iSCSI or cgd.

The approach is to layer a vnd on top of the "storage" file presented by the
iSCSI target. This is exactly the same as normal. On top of that vnd, we layer a
cgd device, which ensures that all data is encrypted on the iSCSI device.

### Device Initialisation

This first section shows how to initialise the device, a one-time operation.

Firstly, the initiator is started, pointing at the machine which is presenting
the iSCSI storage (i.e. the machine on which the iSCSI target is running). In
this example, the target is running on the same machine as the initiator (a
laptop called, in a moment of inspiration, inspiron1300). A 50 MB iSCSI target
is being presented as target1.

    # obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &
    [1] 11196
    # df
    Filesystem   1K-blocks       Used      Avail %Cap Mounted on
    /dev/dk0      28101396   20862004    5834324  78% /
    kernfs               1          1          0 100% /kern
    procfs               4          4          0 100% /proc
    ptyfs                1          1          0 100% /dev/pts
    /dev/puffs           0          0          0 100% /mnt

Looking at the last line, we can see that the initiator is running via the puffs 
device.

We now add a vnd device on top of the storage which the target is presenting:

    # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage

We now add a disklabel, which is offset 63 blocks into the iSCSI device. This
is so that the encrypted device which we shall put on top of the vnd does not
clash with the vnd's label. You should set the cgd's type to "cgd".

    # disklabel -e vnd0
    
    # /dev/rvnd0d:
    type: vnd
    disk: vnd
    label: fictitious
    flags:
    bytes/sector: 512
    sectors/track: 32
    tracks/cylinder: 64
    sectors/cylinder: 2048
    cylinders: 50
    total sectors: 102400
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0
    
    4 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     a:    102336        63        cgd   2048 16384 28360  # (Cyl.      0 -     49)
     d:    102400         0     unused      0     0        # (Cyl.      0 -     49)

We now set up the cgd device, pointing it at the vnd device.

    # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom

and then zero the cgd device's storage.

    # dd if=/dev/zero of=/dev/rcgd0d bs=32k
    dd: /dev/rcgd0d: Invalid argument
    1601+0 records in
    1600+0 records out
    52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)

We now unconfigure the cgd device.

    # cgdconfig -u cgd0

and then write using the disklabel verification method onto the cgd. Sometimes,
this process does not always complete properly, and so it has to be repeated.

    # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
    cgdconfig: could not calibrate pkcs5_pbkdf2
    cgdconfig: Failed to generate defaults for keygen
    # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256

Now we have to add the password to the cgd device

    # cgdconfig -V re-enter cgd0 /dev/vnd0a
    /dev/vnd0a's passphrase:
    re-enter device's passphrase:

and disklabel inside the cgd itself:

    # disklabel -I -e cgd0
    
    # /dev/rcgd0d:
    type: cgd
    disk: cgd
    label: fictitious
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 49
    total sectors: 102336
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0
    
    4 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
     d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)

Having placed a disklabel inside the cgd, we can now make a filesystem on there:

    # newfs /dev/rcgd0a
    /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
    using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
    super-block backups (for fsck_ffs -b #) at:
    32, 25616, 51200, 76784,

We can then mount the new file system in the cgd on the /iscsi mount point:

    # df
    Filesystem   1K-blocks       Used      Avail %Cap Mounted on
    /dev/dk0      28101396   20910216    5786112  78% /
    kernfs               1          1          0 100% /kern
    procfs               4          4          0 100% /proc
    ptyfs                1          1          0 100% /dev/pts
    /dev/puffs           0          0          0 100% /mnt
    # mount /dev/cgd0a /iscsi
    # df
    Filesystem   1K-blocks       Used      Avail %Cap Mounted on
    /dev/dk0      28101396   20910216    5786112  78% /
    kernfs               1          1          0 100% /kern
    procfs               4          4          0 100% /proc
    ptyfs                1          1          0 100% /dev/pts
    /dev/puffs           0          0          0 100% /mnt
    /dev/cgd0a       49519          1      47043   0% /iscsi

The new file system, mounted on /iscsi, can now be used as normal.

### Unmounting the Encrypted Device

The device can be freed up using the following commands:

    # umount /iscsi
    # cgdconfig -u cgd0
    # vnconfig -u vnd0

### Normal Usage

In normal usage, the device can be mounted. Firstly, the initiator must be
configured to connect to the device:

    # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
    # cgdconfig cgd0 /dev/vnd0a
    /dev/vnd0a's passphrase:

I'm using dk devices on this machine, so I now have to access the cgd device
using the dk that was assigned in the cgdconfig step.  If I wasn't using dk
devices, then I'd use the cgd device.

So either do

    # mount /dev/cgd0a /iscsi OR

or

    # mount /dev/dk3 /iscsi

Then,

    # ls -al /iscsi
    total 3
    drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
    drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
    # df
    Filesystem   1K-blocks       Used      Avail %Cap Mounted on
    /dev/dk0      28101396   20910100    5786228  78% /
    kernfs               1          1          0 100% /kern
    procfs               4          4          0 100% /proc
    ptyfs                1          1          0 100% /dev/pts
    /dev/puffs           0          0          0 100% /mnt
    /dev/dk3         49519          1      47043   0% /iscsi

### Conclusion

An iSCSI disk can be in a location over which complete control cannot be
assured. In order to ensure privacy, the cgd device can be used to encrypt the
data on the iSCSI device.

This document has shown how to set up a cgd device on top of the iSCSI device,
and how to mount and unmount on a regular basis.


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb