Annotation of wikisrc/tutorials/how_to_use_encrypted_swap_over_nfs.mdwn, revision 1.1

**Contents**

[[!toc levels=3]]

#  Summary 

It's getting more and more popular to use encrypted swap. This is however not a trivial task with NFS swap. Swap over NFS is supported like this: 

    server:/usr/swapfile none swap sw,-w=8192,nfsmntpt=/swap 0 0

But this cannot be encrypted. We will however cheat and use a [vnd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vnd+4+NetBSD-current) on an NFS share.  
This is how I did it on my Jornada 680 running 3.99.15. 

#  Things needed 

A kernel with both [vnd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vnd+4+NetBSD-current) and [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current) support. 

#  Creation 

##  Making the swapspace 

First we need to create the swapfile to be used. It's important that the swapfile is in a directory that is mounted when _/etc/rc.d/swap2_ runs. Either add the directory to **$critical_filesystems_remote**, or just put it in /usr.  
Now run: 

    # dd if=/dev/zero of=/usr/swapfile bs=1m count=64

This will create a 64MB swapfile. Make sure it has the right permissions and owner (only root should be able to read or write it). 

    # chown root:wheel /usr/swapfile
    # chmod 600 /usr/swapfile

##  Configuring the swapspace the first time 

Now we just have to configure it so the system can use it.  
Configure the paramsfile for [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current). The **-k randomkey** method generates a fresh key each time the cgd is configured, which is what you want for swap: nothing written to it has to be readable after a reboot. 

    # cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc

Now we can configure the device. 

    # vnconfig vnd0 /usr/swapfile
    # cgdconfig cgd0 /dev/vnd0c /etc/cgd/swapfile

Replace /dev/vnd0c with /dev/vnd0d if necessary.  
Disklabel the cgd with **disklabel -I -e cgd0**; it should look something like this. 

    # /dev/rcgd0c:
    type: cgd
    disk: cgd
    label: default label
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 64
    total sectors: 131072
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0 

    3 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     c:    131072         0       swap                     # (Cyl.      0 -     63)

**Note**: Depending on which architecture you use, you may need a different layout.  
Like this on an i386: 

     a:    131072         0       swap                     # (Cyl.      0 -    63)
     d:    131072         0     unused      0     0        # (Cyl.      0 -    63)

This depends on which partition your architecture uses as the raw partition. If unsure, check with (the number is the partition index: 0 is a, 2 is c, 3 is d): 

    # sysctl kern.rawpartition
    kern.rawpartition = 3

Back it up so it can be used later. 

    # disklabel cgd0 > /etc/cgd/swapfile.disklabel

Use it (finally). 

    # swapctl -a /dev/cgd0c

Now you have working encrypted swap over NFS. To check its status: 

    # swapctl -l
    Device      512-blocks     Used    Avail Capacity  Priority
    /dev/cgd0c      131072     9696   121376     7%    0

#  Use the swapspace at every reboot 

Using this swapspace automatically at every reboot is a little tricky since it cannot be put in _/etc/fstab_, but it can be done in another way. And I have already done the work for you. ;-) Check that the variables make sense on your system, e.g. that you used vnd0 and cgd0 and that RAW_PART is right for your architecture. Create the file _/etc/rc.conf.d/swap_ containing the following. 

    # Initialize cgd over vnd swap, suitable for nfs-swap.
    #
    # Note: We can NOT put this swapfile in /etc/fstab, this is why
    # this is relatively complicated. 
    #
    # If this is the only swapspace you have configured then you can set
    # no_swap=YES in rc.conf, otherwise the system will complain every boot.
    #
    # IMPORTANT:
    # $swapfile has to be in $critical_filesystems_remote. /usr is by default
    #
    vnd_device="vnd0"
    cgd_device="cgd0"
    swapfile="/usr/swapfile"
    paramsfile="/etc/cgd/swapfile"
    swap_disklabel="/etc/cgd/swapfile.disklabel"
    RAW_PART="c"                    # <- change to suit your arch
    SWAP_PART="c"                   # <- change to same as the disklabel
    start_postcmd="cryptovnd_swap"
    stop_cmd="cryptovnd_stop"       # Note: We have to override stop_cmd

    cryptovnd_swap()
    {
            # Since there is only one swap-variable in rc.conf we have to
            # check that we are being called from swap2.
            if [ "$name" = "swap1" ]; then
                    return
            fi
            if [ -f "$swapfile" ]; then
                    echo "Configuring cgd over vnd swap."
                    # stat -s prints st_uid=..., st_gid=..., st_mode=... for eval.
                    eval `stat -L -s "$swapfile"`
                    # Refuse the file unless it is owned by root:wheel (uid 0, gid 0).
                    if [ `echo $st_uid+$st_gid|bc` != 0 ]; then
                            echo "$swapfile MUST be owned by root and group wheel"
                            echo "$swapfile not used as swap."
                            return 1
                    else
                            if [ ! -f "$swap_disklabel" ]; then
                                    echo "No $swap_disklabel."
                                    echo "$swapfile can not be used as swap."
                                    return 1
                            fi
                            # Regular file with mode 0600 only.
                            if [ "$st_mode" != "0100600" ]; then
                                    echo "$swapfile MUST have permission 600"
                                    echo "$swapfile not used as swap."
                                    return 1
                            fi
                    fi
                    vnconfig $vnd_device "$swapfile"
                    cgdconfig $cgd_device /dev/${vnd_device}$RAW_PART "$paramsfile"
                    disklabel -R -r $cgd_device "$swap_disklabel"
                    swapctl -a /dev/${cgd_device}$SWAP_PART
            fi
    }

    cryptovnd_stop()
    {
            if [ "$name" = "swap2" ]; then
                    swapctl -d /dev/${cgd_device}$SWAP_PART
                    cgdconfig -u $cgd_device
                    vnconfig -u $vnd_device
                    swapctl -U -t noblk
            else
                    swap1_stop
            fi
    }

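The following is an added example, not part of the wiki page or of NetBSD: a small sh script that does the arithmetic and the pre-flight checks behind the first-time configuration above and the rc script, without touching any vnd, cgd or swap device. It derives RAW_PART from the kern.rawpartition number instead of guessing it, computes the disklabel sector and cylinder counts for a given swapfile size with the page's geometry (512-byte sectors, 2048 sectors per cylinder), checks the swapfile's type, mode and owner the way the rc script does (using find(1) rather than NetBSD's stat -s so it also runs elsewhere), and prints the commands the rc script would run so you can review them before running them. The function names, the SWAP_OWNER variable and the "dry-run plan" idea are mine; device names and paths are the page's defaults.

```shell
#!/bin/sh
# Added example (not from the wiki page or NetBSD): pre-flight checks and a
# dry-run plan for cgd-over-vnd swap. Nothing here configures a device; the
# printed plan is for review (pipe it into sh yourself if it looks right).

# Map kern.rawpartition (0 = a, 1 = b, 2 = c, 3 = d, ...) to a partition
# letter so RAW_PART is derived from the kernel instead of guessed.
rawpart_letter() {
    case "$1" in
        0) echo a ;; 1) echo b ;; 2) echo c ;; 3) echo d ;;
        4) echo e ;; 5) echo f ;; 6) echo g ;; 7) echo h ;;
        *) echo "rawpart_letter: unexpected value '$1'" >&2; return 1 ;;
    esac
}

# Disklabel values for a swapfile of $1 MB with the page's geometry:
# 512-byte sectors and 2048 sectors per cylinder, so 1 MB is one cylinder.
swap_sectors()   { echo $(( $1 * 2048 )); }
swap_cylinders() { echo $(( $(swap_sectors "$1") / 2048 )); }

# Succeed only if $1 is a regular file, mode exactly 0600, owned by user $2
# (default root). Uses find(1) because stat(1) flags differ between NetBSD
# and GNU; the rc script on the page checks the same thing with stat -s.
swapfile_secure() {
    owner=${2:-root}
    [ -n "$(find "$1" -maxdepth 0 -type f -perm 600 -user "$owner" 2>/dev/null)" ]
}

# Print, one per line, the commands the rc script would run, after the same
# checks it performs. Arguments: vnd cgd swapfile paramsfile disklabel-file
# raw-partition swap-partition. SWAP_OWNER (assumed name) overrides the
# expected owner, which is root unless set.
swap_plan() {
    vnd=$1 cgd=$2 file=$3 params=$4 label=$5 raw=$6 part=$7
    if ! swapfile_secure "$file" "${SWAP_OWNER:-root}"; then
        echo "$file must be a regular file, mode 600, owned by ${SWAP_OWNER:-root}" >&2
        return 1
    fi
    if [ ! -f "$params" ]; then
        echo "no params file $params; create it with cgdconfig -g -o $params -V none -k randomkey blowfish-cbc" >&2
        return 1
    fi
    if [ ! -f "$label" ]; then
        echo "no saved disklabel $label; create it with: disklabel $cgd > $label" >&2
        return 1
    fi
    printf '%s\n' \
        "vnconfig $vnd $file" \
        "cgdconfig $cgd /dev/${vnd}${raw} $params" \
        "disklabel -R -r $cgd $label" \
        "swapctl -a /dev/${cgd}${part}"
}

# Stand-alone demo for the page's 64 MB swapfile; on NetBSD it also shows
# the RAW_PART letter for this machine.
echo "64 MB swapfile: $(swap_sectors 64) sectors, $(swap_cylinders 64) cylinders"
if raw=$(sysctl -n kern.rawpartition 2>/dev/null); then
    echo "kern.rawpartition=$raw -> RAW_PART=$(rawpart_letter "$raw")"
fi
swap_plan vnd0 cgd0 /usr/swapfile /etc/cgd/swapfile /etc/cgd/swapfile.disklabel c c || true
```

Running it on a freshly prepared system prints the four commands in the order the rc script runs them; if the swapfile is group- or world-readable, or not owned by root, it refuses with the same reasoning the rc script uses, which is the check worth doing before you trust a swapfile that lives on an NFS server.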
#  Some issues and notes 

  * Do not include this cgd in _/etc/cgd/cgd.conf_
  * It could happen that there isn't enough entropy in the kernel to initialize the swap partition. If so, you can add your NIC to the entropy pool in _/etc/rc.conf_ with **/sbin/rndctl -ced ne0** if you have a [ne(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ne+4+NetBSD-current) NIC. 
  * If this is the only swapspace configured, set the variable **no_swap=YES** in _/etc/rc.conf_ or the system will complain every boot. 

#  Additional Information 

  * [vnconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?vnconfig+8+NetBSD-current) Manpage 
  * [cgdconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?cgdconfig+8+NetBSD-current) Manpage 
  * [swapctl(8)](http://netbsd.gw.com/cgi-bin/man-cgi?swapctl+8+NetBSD-current) Manpage 
  * [disklabel(8)](http://netbsd.gw.com/cgi-bin/man-cgi?disklabel+8+NetBSD-current) Manpage 

