Diff for /wikisrc/tutorials/how_to_use_encrypted_swap_over_nfs.mdwn between versions 1.1 and 1.2

version 1.1, 2011/11/20 20:55:21 version 1.2, 2012/02/05 07:14:36
**Contents**

[[!toc levels=3]]

#  Summary

It's getting more and more popular to use encrypted swap. This is however not a trivial task with nfs-swap. Swap over nfs on its own is supported with an _/etc/fstab_ line like this:

    server:/usr/swapfile none swap sw,-w=8192,nfsmntpt=/swap 0 0

But this can not be encrypted: with plain nfs the paged-out memory crosses the wire and lands on the server's disk in cleartext. We will however cheat and put a [vnd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vnd+4+NetBSD-current) on a file on the nfs-share, with a [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current) on top of it, so that only ciphertext ever leaves the client.
This is how I did it on my Jornada 680 running 3.99.15.

#  Things needed

A kernel with both [vnd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vnd+4+NetBSD-current) and [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current) support.

#  Creation

##  Making the swapspace

First we need to create the swapfile to be used. It's important that the swapfile is in a directory that is mounted when _/etc/rc.d/swap2_ runs. Either add the directory to **$critical_filesystems_remote**, or just put it in /usr, which is in that list by default.
Now run:

    # dd if=/dev/zero of=/usr/swapfile bs=1m count=64

This will create a 64MB swapfile. Make sure it has the right permissions and owner; the boot script in the last section checks for exactly root:wheel and mode 600 and refuses the file otherwise.

    # chown root:wheel /usr/swapfile
    # chmod 600 /usr/swapfile

##  Configuring the swapspace the first time

Now we just have to configure it so the system can use it.
First write the paramsfile for [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current). The key generation method **randomkey** makes cgdconfig draw a fresh key from the kernel's random pool every time the device is configured, and **-V none** turns verification off because there is no stored key to verify against. The resulting file contains no secret. Whatever was written through the cgd before, including its disklabel, is unreadable after the next cgdconfig, which is exactly what we want for swap.

    # cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc

blowfish-cbc is fine for a slow handheld; on faster hardware aes-cbc with a 256-bit key (**cgdconfig -g ... aes-cbc 256**) is the better default.

Now we can configure the device.

    # vnconfig vnd0 /usr/swapfile
    # cgdconfig cgd0 /dev/vnd0c /etc/cgd/swapfile

/dev/vnd0c is the raw partition of the vnd on this architecture; replace it with /dev/vnd0d where the raw partition is d (see **kern.rawpartition** below).
Disklabel the cgd with **disklabel -I -e cgd0**; it should look something like this.

    # /dev/rcgd0c:
    type: cgd
    disk: cgd
    label: default label
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 64
    total sectors: 131072
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    3 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     c:    131072         0       swap                     # (Cyl.      0 -     63)

**Note**: Depending on which architecture you use, you may need a different layout.
Like this on an i386:

     a:    131072         0       swap                     # (Cyl.      0 -    63)
     d:    131072         0     unused      0     0        # (Cyl.      0 -    63)

What differs is which partition your architecture uses as the raw (whole disk) partition. The sysctl reports it as a number, with a being 0, so 2 means c and 3 means d. If unsure, check with:

    # sysctl kern.rawpartition
    kern.rawpartition=3

Back the label up so it can be restored at every boot. Since the key changes on every cgdconfig, the label written now is unreadable the next time the device is configured.

    # disklabel cgd0 > /etc/cgd/swapfile.disklabel

Use it (finally). The partition letter is the one you gave the swap partition in the label: c above, a on i386.

    # swapctl -a /dev/cgd0c

Now you have working encrypted swap over nfs. To check its status:

    # swapctl -l
    Device      512-blocks     Used    Avail Capacity  Priority
    /dev/cgd0c      131072     9696   121376     7%    0
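
The whole first-time procedure as one script, added here as an example and not part of the original page or of NetBSD: it runs the steps above in order and puts a check in front of each privileged step. The paths and device names are the page's; the function names, the environment overrides and the choice of aes-cbc with a 256-bit key are this example's own assumptions. The privileged part needs root on a NetBSD kernel with vnd(4) and cgd(4) and only runs when the script is invoked as `sh setup-swap.sh setup`; the three check functions take their inputs as arguments so they can be exercised on any system.

```shell
#!/bin/sh
# Added example (not from the wiki page): first-time setup of cgd-over-vnd
# swap as one script. Paths and device names are the page's; the function
# names, the environment overrides and the choice of aes-cbc 256 are this
# example's own assumptions. Privileged steps run only with "setup" as $1.
set -u

SWAPFILE="${SWAPFILE:-/usr/swapfile}"
SWAP_MB="${SWAP_MB:-64}"
VND="${VND:-vnd0}"
CGD="${CGD:-cgd0}"
PARAMS="${PARAMS:-/etc/cgd/swapfile}"
LABEL_BACKUP="${LABEL_BACKUP:-/etc/cgd/swapfile.disklabel}"

# Partition letter for the number `sysctl -n kern.rawpartition` reports
# (0 -> a ... 3 -> d); this is the ? in /dev/vndN? handed to cgdconfig.
rawpart_letter() {
    case "$1" in
        0) echo a ;;
        1) echo b ;;
        2) echo c ;;
        3) echo d ;;
        *) return 1 ;;
    esac
}

# Accept a swap file only if it is a regular file, mode 0600, owned by
# root:wheel. Arguments are the st_mode/st_uid/st_gid values that
# `stat -L -s` (NetBSD) prints as shell assignments, so the rule can be
# tested without the real file.
swapfile_meta_ok() {
    [ "$1" = "0100600" ] || return 1
    [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

# Find the swap partition in a saved disklabel and print its letter. It must
# start at offset 0 and be exactly as large as the backing file (in 512-byte
# sectors), otherwise swapctl would be handed a partition that does not match
# the file underneath it. Arguments: label file, file size in MB.
label_swap_partition() {
    awk -v want="$(( $2 * 2048 ))" '
        /^ *[a-p]:/ && $4 == "swap" {
            sub(":", "", $1)
            if ($2 + 0 == want + 0 && $3 + 0 == 0) { print $1; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# The page's procedure in order, with the checks above in front of each
# privileged step. Must run as root on NetBSD with vnd(4) and cgd(4).
setup_encrypted_nfs_swap() {
    rawpart=$(rawpart_letter "$(sysctl -n kern.rawpartition)") || {
        echo "cannot determine kern.rawpartition" >&2; return 1; }

    if [ ! -f "$SWAPFILE" ]; then
        dd if=/dev/zero of="$SWAPFILE" bs=1m count="$SWAP_MB" || return 1
        chown root:wheel "$SWAPFILE" && chmod 600 "$SWAPFILE" || return 1
    fi
    eval "$(stat -L -s "$SWAPFILE")"          # sets st_mode, st_uid, st_gid, ...
    swapfile_meta_ok "$st_mode" "$st_uid" "$st_gid" || {
        echo "$SWAPFILE must be a regular file, mode 0600, root:wheel" >&2; return 1; }

    # Params file without a stored key: -k randomkey draws a new key at every
    # cgdconfig, -V none because there is nothing to verify it against.
    # Assumption: aes-cbc with a 256-bit key instead of the page's blowfish-cbc.
    [ -f "$PARAMS" ] || cgdconfig -g -o "$PARAMS" -V none -k randomkey aes-cbc 256 || return 1

    vnconfig "$VND" "$SWAPFILE" || return 1
    cgdconfig "$CGD" "/dev/${VND}${rawpart}" "$PARAMS" || return 1

    if [ -f "$LABEL_BACKUP" ]; then
        # The key is fresh, so last time's label is unreadable: restore the saved one.
        disklabel -R -r "$CGD" "$LABEL_BACKUP" || return 1
    else
        # First time: edit the label interactively, then keep a copy for next boot.
        disklabel -I -e "$CGD" || return 1
        disklabel "$CGD" > "$LABEL_BACKUP" || return 1
    fi
    part=$(label_swap_partition "$LABEL_BACKUP" "$SWAP_MB") || {
        echo "$LABEL_BACKUP has no $SWAP_MB MB swap partition at offset 0" >&2; return 1; }

    swapctl -a "/dev/${CGD}${part}" && swapctl -l
}

if [ "${1:-}" = "setup" ]; then
    setup_encrypted_nfs_swap
fi
```

The label check is the one step the page leaves to the eye: a label whose swap partition is larger than the vnd file would let swapctl page out beyond the end of the backing store, and one with a non-zero offset would not use the whole file. Re-running the script after a reboot restores the saved label instead of asking for a new one, which is the same thing the rc.conf.d script at the end of the page does at boot.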
          
   
#  Use the swapspace at every reboot

Using this swapspace automatically at every reboot is a little tricky since it can not be put in _/etc/fstab_, but it can be done in another way. And I have already done the work for you. ;-) Both _/etc/rc.d/swap1_ and _/etc/rc.d/swap2_ are configured through the same name, _swap_, so the functions below look at **$name** to find out which of the two is running them. Check that the variables make sense on your system, e.g. that you used vnd0 and cgd0 and that RAW_PART is right for your architecture. Create the file _/etc/rc.conf.d/swap_ containing the following.

    # Initialize cgd over vnd swap, suitable for nfs-swap.
    #
    # Note: We can NOT put this swapfile in /etc/fstab, this is why
    # this is relatively complicated.
    #
    # If this is the only swapspace you have configured then you can set
    # no_swap=YES in rc.conf, otherwise the system will complain every boot.
    #
    # IMPORTANT:
    # $swapfile has to be in $critical_filesystems_remote. /usr is by default
    #
    vnd_device="vnd0"
    cgd_device="cgd0"
    swapfile="/usr/swapfile"
    paramsfile="/etc/cgd/swapfile"
    swap_disklabel="/etc/cgd/swapfile.disklabel"
    RAW_PART="c"                    # <- change to suit your arch
    SWAP_PART="c"                   # <- change to same as the disklabel
    start_postcmd="cryptovnd_swap"
    stop_cmd="cryptovnd_stop"       # Note: We have to override stop_cmd

    cryptovnd_swap()
    {
            # Since there is only one swap-variable in rc.conf we have to
            # check that we are being called from swap2.
            if [ "$name" = "swap1" ]; then
                    return
            fi
            if [ -f "$swapfile" ]; then
                    echo "Configuring cgd over vnd swap."
                    # stat -s prints shell assignments: st_mode=..., st_uid=..., st_gid=...
                    eval "$(stat -L -s "$swapfile")"
                    if [ "$st_uid" -ne 0 ] || [ "$st_gid" -ne 0 ]; then
                            echo "$swapfile MUST be owned by root and group wheel"
                            echo "$swapfile not used as swap."
                            return 1
                    else
                            if [ ! -f "$swap_disklabel" ]; then
                                    echo "No $swap_disklabel."
                                    echo "$swapfile can not be used as swap."
                                    return 1
                            fi
                            if [ "$st_mode" != "0100600" ]; then
                                    echo "$swapfile MUST have permission 600"
                                    echo "$swapfile not used as swap."
                                    return 1
                            fi
                    fi
                    vnconfig "$vnd_device" "$swapfile"
                    cgdconfig "$cgd_device" "/dev/${vnd_device}$RAW_PART" "$paramsfile"
                    # The key is new on every boot, so restore the saved label.
                    disklabel -R -r "$cgd_device" "$swap_disklabel"
                    swapctl -a "/dev/${cgd_device}$SWAP_PART"
            fi
    }

    cryptovnd_stop()
    {
            if [ "$name" = "swap2" ]; then
                    swapctl -d "/dev/${cgd_device}$SWAP_PART"
                    cgdconfig -u "$cgd_device"
                    vnconfig -u "$vnd_device"
                    swapctl -U -t noblk
            else
                    swap1_stop
            fi
    }

#  Some issues and notes

  * Do not include this cgd in _/etc/cgd/cgd.conf_. That file is processed by _/etc/rc.d/cgd_ early in the boot, before the network and the remote file systems are up, so the swapfile and the vnd on top of it do not exist yet; the _/etc/rc.conf.d/swap_ script above configures it at the right time instead.
  * It could happen that there isn't enough entropy in the kernel to initialize the swap partition: **randomkey** takes the key from /dev/random, which blocks until the pool has been seeded. If so, you can add your NIC to the entropy pool from _/etc/rc.conf_ with **/sbin/rndctl -ced ne0** if you have a [ne(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ne+4+NetBSD-current) NIC. Keep in mind that network timing can be observed and influenced from outside, which is why NetBSD does not estimate entropy from network interfaces by default; on a diskless client it may still be the only source there is.
  * If this is the only swapspace configured, set the variable **no_swap=YES** in _/etc/rc.conf_ or the system will complain every boot.

#  Additional Information

  * [vnconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?vnconfig+8+NetBSD-current) Manpage
  * [cgdconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?cgdconfig+8+NetBSD-current) Manpage
  * [swapctl(8)](http://netbsd.gw.com/cgi-bin/man-cgi?swapctl+8+NetBSD-current) Manpage
  * [disklabel(8)](http://netbsd.gw.com/cgi-bin/man-cgi?disklabel+8+NetBSD-current) Manpage

