File:  [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_use_encrypted_swap_over_nfs.mdwn
Revision 1.2
Sun Feb 5 07:14:36 2012 UTC (8 years, 5 months ago) by schmonz
Branches: MAIN
CVS tags: HEAD
dos2unix

**Contents**

[[!toc levels=3]]

#  Summary 

It's getting more and more popular to use encrypted swap. This is, however, not a trivial task with swap over NFS. Plain (unencrypted) swap over NFS is supported with an _/etc/fstab_ line like this: 

    server:/usr/swapfile none swap sw,-w=8192,nfsmntpt=/swap 0 0

But this cannot be encrypted. We will, however, cheat and use a [vnd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vnd+4+NetBSD-current) on an NFS share.  
This is how I did it on my Jornada 680 running 3.99.15. 

#  Things needed 

A kernel with both [vnd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vnd+4+NetBSD-current) and [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current) support. 

#  Creation 

##  Making the swapspace 
First we need to create the swapfile to be used. It's important that the swapfile is in a directory that is mounted when _/etc/rc.d/swap2_ runs. Either add the directory to **$critical_filesystems_remote**, or just put it in /usr.  
Now run: 

    # dd if=/dev/zero of=/usr/swapfile bs=1m count=64

This will create a 64MB swapfile. Make sure it has the right permissions and owner; the rc script further down refuses to use a swapfile that is not owned by root:wheel with mode 600. 

    # chown root:wheel /usr/swapfile
    # chmod 600 /usr/swapfile

##  Configuring the swapspace the first time 

Now we just have to configure it so the system can use it.  
Configure the paramsfile for [cgd(4)](http://netbsd.gw.com/cgi-bin/man-cgi?cgd+4+NetBSD-current). The **-k randomkey** key generation method gives the cgd a fresh random key every time it is configured, so the swap contents are unrecoverable after a reboot, which is exactly what you want for swap; **-V none** turns off verification, since there is no file system on the device to verify. 

    # cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc

Now we can configure the device. 

    # vnconfig vnd0 /usr/swapfile
    # cgdconfig cgd0 /dev/vnd0c /etc/cgd/swapfile

Replace /dev/vnd0c with /dev/vnd0d if your architecture uses d as the raw partition (see below).  
Disklabel the cgd with **disklabel -I -e cgd0**; it should look something like this. 

    # /dev/rcgd0c:
    type: cgd
    disk: cgd
    label: default label
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 64
    total sectors: 131072
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0 

    3 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     c:    131072         0       swap                     # (Cyl.      0 -     63)

**Note**: Depending on which architecture you use, you may need a different layout.  
Like this on an i386: 

     a:    131072         0       swap                     # (Cyl.      0 -    63)
     d:    131072         0     unused      0     0        # (Cyl.      0 -    63)

Which layout you need depends on which partition your architecture uses as the raw partition (the value is a 0-based index into the partition letters: 2 means c, 3 means d). If unsure, check with: 

    # sysctl kern.rawpartition
    kern.rawpartition=3

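The label above is nothing more than the geometry implied by the swapfile's size: 512-byte sectors and 2048 sectors (1 MiB) per cylinder, so a 64MB file gives 131072 sectors and 64 cylinders, and the partition count is one past the highest partition letter in use (3 when only c is used, 4 when i386's d is). The following POSIX sh script is an added example, not code from this wiki page or from NetBSD, that computes these numbers for any swapfile size, maps a kern.rawpartition value to its letter, and prints a label in the format shown; it covers the general case of which the c-only and i386 labels above are two instances. The function names and the assumed default device name cgd0 are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from NetBSD: compute the cgd
# disklabel geometry for a swapfile of a given size, using the same layout
# the page's label uses (512-byte sectors, 2048 sectors = 1 MiB per cylinder,
# one track per cylinder), map a kern.rawpartition value to its partition
# letter, and print the label in disklabel(8)'s format. Function names and
# the default device name cgd0 are this example's own choices.

# partition_index LETTER: a..h -> 0..7, the numbering kern.rawpartition uses.
partition_index() {
    case "$1" in
        a) echo 0 ;; b) echo 1 ;; c) echo 2 ;; d) echo 3 ;;
        e) echo 4 ;; f) echo 5 ;; g) echo 6 ;; h) echo 7 ;;
        *) echo "bad partition letter: $1" >&2; return 1 ;;
    esac
}

# rawpart_letter N: the inverse, e.g. kern.rawpartition=3 -> d, 2 -> c.
rawpart_letter() {
    case "$1" in
        0) echo a ;; 1) echo b ;; 2) echo c ;; 3) echo d ;;
        4) echo e ;; 5) echo f ;; 6) echo g ;; 7) echo h ;;
        *) echo "bad raw partition index: $1" >&2; return 1 ;;
    esac
}

# swap_total_sectors BYTES: 512-byte sectors in a swapfile of BYTES bytes.
swap_total_sectors() {
    echo $(( $1 / 512 ))
}

# gen_swap_disklabel BYTES RAWPART SWAPPART [DEVICE]
# Print a label for a cgd of BYTES bytes. RAWPART is the raw partition letter
# (c on most architectures, d on i386); SWAPPART is the letter that carries
# the swap partition (c when the raw partition is c, a on i386). The partition
# count is one past the highest letter in use, which is why the i386 label
# needs "4 partitions" and the plain one "3 partitions".
gen_swap_disklabel() {
    bytes=$1 rawpart=$2 swappart=$3 device=${4:-cgd0}
    if [ $(( bytes % 1048576 )) -ne 0 ]; then
        echo "size $bytes is not a whole number of 1 MiB cylinders" >&2
        return 1
    fi
    rawidx=$(partition_index "$rawpart") || return 1
    swapidx=$(partition_index "$swappart") || return 1
    sectors=$(swap_total_sectors "$bytes")
    cylinders=$(( sectors / 2048 ))
    lastcyl=$(( cylinders - 1 ))
    if [ "$rawidx" -gt "$swapidx" ]; then
        npart=$(( rawidx + 1 ))
    else
        npart=$(( swapidx + 1 ))
    fi
    cat <<EOF
# /dev/r${device}${rawpart}:
type: cgd
disk: cgd
label: default label
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: $cylinders
total sectors: $sectors
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

$npart partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
EOF
    printf ' %s: %9d %9d %10s %24s # (Cyl. %6d - %6d)\n' \
        "$swappart" "$sectors" 0 swap "" 0 "$lastcyl"
    # the raw partition itself is listed as unused when it is not the swap one
    if [ "$rawpart" != "$swappart" ]; then
        printf ' %s: %9d %9d %10s %6d %5d %11s # (Cyl. %6d - %6d)\n' \
            "$rawpart" "$sectors" 0 unused 0 0 "" 0 "$lastcyl"
    fi
}

# the 64MB swapfile from the page, on an i386 (raw partition d, swap on a)
gen_swap_disklabel 67108864 "$(rawpart_letter 3)" a
```

Run it with the size reported by `ls -l /usr/swapfile` and the letter from `sysctl kern.rawpartition`; sizes that are not a whole number of 1 MiB cylinders are rejected rather than silently truncated, since disklabel would then cover less than the file.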

Back it up so it can be used later. 

    # disklabel cgd0 > /etc/cgd/swapfile.disklabel

Use it (finally). 

    # swapctl -a /dev/cgd0c

Now you have working encrypted swap over nfs. To check its status: 

    # swapctl -l
    Device      512-blocks     Used    Avail Capacity  Priority
    /dev/cgd0c      131072     9696   121376     7%    0

#  Use the swapspace at every reboot 

Using this swapspace automatically at every reboot is a little tricky since it cannot be put in _/etc/fstab_, but it can be done in another way. And I have already done the work for you. ;-) Check that the variables make sense on your system, e.g. that you used vnd0 and cgd0 and that RAW_PART is right for your architecture. Create the file _/etc/rc.conf.d/swap_ containing the following. 

    # Initialize cgd over vnd swap, suitable for nfs-swap.
    #
    # Note: We can NOT put this swapfile in /etc/fstab, this is why
    # this is relatively complicated. 
    #
    # If this is the only swapspace you have configured then you can set
    # no_swap=YES in rc.conf, otherwise the system will complain every boot.
    #
    # IMPORTANT:
    # $swapfile has to be in $critical_filesystems_remote. /usr is by default
    #
    vnd_device="vnd0"
    cgd_device="cgd0"
    swapfile="/usr/swapfile"
    paramsfile="/etc/cgd/swapfile"
    swap_disklabel="/etc/cgd/swapfile.disklabel"
    RAW_PART="c"                    # <- change to suit your arch
    SWAP_PART="c"                   # <- change to same as the disklabel
    start_postcmd="cryptovnd_swap"
    stop_cmd="cryptovnd_stop"       # Note: We have to override stop_cmd
    
    cryptovnd_swap()
    {
            # Since there is only one swap-variable in rc.conf we have to
            # check that we are being called from swap2.
            if [ "$name" = "swap1" ]; then
                    return
            fi
            if [ -f "$swapfile" ]; then
                    echo "Configuring cgd over vnd swap."
                    # stat -s prints st_uid=..., st_gid=..., st_mode=... in
                    # shell syntax; -L follows a symlink to the real file.
                    eval `stat -L -s "$swapfile"`
                    if [ "$st_uid" != 0 ] || [ "$st_gid" != 0 ]; then
                            echo "$swapfile MUST be owned by root and group wheel"
                            echo "$swapfile not used as swap."
                            return 1
                    fi
                    if [ ! -f "$swap_disklabel" ]; then
                            echo "No $swap_disklabel."
                            echo "$swapfile can not be used as swap."
                            return 1
                    fi
                    if [ "$st_mode" != "0100600" ]; then
                            echo "$swapfile MUST have permission 600"
                            echo "$swapfile not used as swap."
                            return 1
                    fi
                    vnconfig "$vnd_device" "$swapfile"
                    cgdconfig "$cgd_device" "/dev/${vnd_device}$RAW_PART" "$paramsfile"
                    # restore the saved label onto the freshly keyed cgd, then add the swap
                    disklabel -R -r "$cgd_device" "$swap_disklabel"
                    swapctl -a "/dev/${cgd_device}$SWAP_PART"
            fi
    }
    
    cryptovnd_stop()
    {
            if [ "$name" = "swap2" ]; then
                    swapctl -d "/dev/${cgd_device}$SWAP_PART"
                    cgdconfig -u "$cgd_device"
                    vnconfig -u "$vnd_device"
                    swapctl -U -t noblk
            else
                    swap1_stop
            fi
    }

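The ownership and mode checks in cryptovnd_swap above, like the chown/chmod step in "Making the swapspace", come down to four conditions: a regular file, owned by root:wheel, mode 600, and a saved disklabel present. Here is an added example, not code from this page or from NetBSD, of the same checks written portably in POSIX sh so they can be tried on any system: it parses `ls -ln` instead of NetBSD's `stat -s` and takes the expected uid and gid as parameters so it can be exercised as an unprivileged user. The function names and the constructed files it builds under a temporary directory are this example's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from NetBSD: a portable
# version of the sanity checks the rc.conf.d/swap script performs before it
# hands the swapfile to vnconfig. The file must be a regular file, be owned
# by the expected uid/gid (root:wheel, i.e. 0:0, on a real system), have
# mode 600, and the saved disklabel must exist. It parses `ls -ln` instead
# of the NetBSD-specific `stat -s`, so it also runs elsewhere. Function
# names and the constructed files in demo_swapfile_check are this example's own.

# check_swapfile FILE DISKLABEL [UID GID]
# Returns 0 if FILE is fit to back the cgd swap, 1 otherwise (reason on stderr).
check_swapfile() {
    file=$1 label=$2 want_uid=${3:-0} want_gid=${4:-0}
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file, not used as swap" >&2
        return 1
    fi
    # ls -l fields: mode links uid gid size ...; -n prints numeric ids,
    # -L follows a symlink to the real file, -d stops directory listing.
    set -- $(ls -lndL "$file")
    mode=$1 uid=$3 gid=$4
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$file MUST be owned by uid $want_uid gid $want_gid (is $uid:$gid)" >&2
        return 1
    fi
    # mode 600 prints as -rw-------; tolerate a trailing ACL/label marker (+ . @)
    case "$mode" in
        -rw-------*) ;;
        *) echo "$file MUST have permission 600 (is $mode)" >&2; return 1 ;;
    esac
    if [ ! -f "$label" ]; then
        echo "No $label; $file cannot be used as swap" >&2
        return 1
    fi
    return 0
}

# demo_swapfile_check: exercise the check on constructed files in a temp dir,
# using the current user's ids so it works without root. Returns 0 when the
# check accepts the good file and rejects the two bad variants.
demo_swapfile_check() {
    dir=$(mktemp -d) || return 1
    : > "$dir/swapfile"
    : > "$dir/swapfile.disklabel"
    chmod 600 "$dir/swapfile"
    me=$(id -u) mygrp=$(id -g)
    ok=0
    if check_swapfile "$dir/swapfile" "$dir/swapfile.disklabel" "$me" "$mygrp"; then
        echo "correctly owned mode-600 file: accepted"
    else
        ok=1
    fi
    chmod 644 "$dir/swapfile"
    if check_swapfile "$dir/swapfile" "$dir/swapfile.disklabel" "$me" "$mygrp" 2>/dev/null; then
        ok=1
    else
        echo "mode-644 file: rejected as expected"
    fi
    chmod 600 "$dir/swapfile"
    if check_swapfile "$dir/swapfile" "$dir/swapfile.disklabel" $(( me + 1 )) "$mygrp" 2>/dev/null; then
        ok=1
    else
        echo "wrong owner: rejected as expected"
    fi
    rm -rf "$dir"
    return $ok
}

demo_swapfile_check
```

On the real machine call it as `check_swapfile /usr/swapfile /etc/cgd/swapfile.disklabel` (defaults to uid 0, gid 0) before the first `vnconfig`; a swapfile readable by other users would let anyone read, and a writable one let anyone corrupt, the cgd's backing store across the NFS mount.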
#  Some issues and notes 

  * Do not include this cgd in _/etc/cgd/cgd.conf_
  * It could happen that there isn't enough entropy in the kernel to initialize the swap partition. If so, you can add your NIC to the entropy pool in _/etc/rc.conf_ with **/sbin/rndctl -ced ne0** if you have a [ne(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ne+4+NetBSD-current) NIC. 
  * If this is the only swapspace configured, set the variable **no_swap=YES** in _/etc/rc.conf_ or the system will complain every boot. 

#  Additional Information 

  * [vnconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?vnconfig+8+NetBSD-current) Manpage 
  * [cgdconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?cgdconfig+8+NetBSD-current) Manpage 
  * [swapctl(8)](http://netbsd.gw.com/cgi-bin/man-cgi?swapctl+8+NetBSD-current) Manpage 
  * [disklabel(8)](http://netbsd.gw.com/cgi-bin/man-cgi?disklabel+8+NetBSD-current) Manpage 

