File:  [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_use_encrypted_swap_over_nfs.mdwn
Revision 1.4: download - view: text, annotated - select for diffs
Wed Sep 9 14:28:56 2020 UTC (4 months, 2 weeks ago) by kim
Branches: MAIN
CVS tags: HEAD
Use man template


[[!toc levels=3]]

#  Summary 

It's getting more and more popular to use encrypted swap. This is however not a trivial task with nfs-swap. Swap over nfs is supported like this: 
    server:/usr/swapfile none swap sw,-w=8192,nfsmntpt=/swap 0 0

But this can not be encrypted. We will however cheat and use a [[!template id=man name="vnd" section="4"]] on a nfs-share.  
This is how I did it on my Jornada 680 running 3.99.15. 

#  Things needed 

A kernel with both [[!template id=man name="vnd" section="4"]] and [[!template id=man name="cgd" section="4"]] support. 

#  Creation 

##  Making the swapspace 

First we need to create the swapfile to be used. It's important that the swapfile is in a directory that is mounted when _/etc/rc.d/swap2_ runs. Either add the directory to **$critical_filesystems_remote**, or just put it in /usr.  
Now run: 
    # dd if=/dev/zero of=/usr/swapfile bs=1m count=64

This will create a 64MB swapfile. Make sure it has the right permissions and owner. 
    # chown root:wheel /usr/swapfile
    # chmod 600 /usr/swapfile

##  Configuring the swapspace the first time 

Now we just have to configure it so the system can use it.  
Configure the paramsfile for [[!template id=man name="cgd" section="4"]]. 
# cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc

Now we can configure the device. 
    # vnconfig vnd0 /usr/swapfile
    # cgdconfig cgd0 /dev/vnd0c /etc/cgd/swapfile

Replace /dev/vnd0c with /dev/vnd0d if necessary.  
Disklabel the cgd with **disklabel -I -e cgd0**, it will should look something like this. 
    # /dev/rcgd0c:
    type: cgd
    disk: cgd
    label: default label
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 64
    total sectors: 131072
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0 
    3 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     c:    131072         0       swap                     # (Cyl.      0 -     63)

**Note**: Depending on which archictecture you use, you may need a different layout.  
Like this on an i386: 
     a:    131072         0       swap                     # (Cyl.      0 -    63)
     d:    131072         0     unused      0     0        # (Cyl.      0 -    63)

Depending on which partition your architecture uses as raw partition. If unsure, check with: 
    # sysctl kern.rawpartition

Back it up so it can be used later. 
    # disklabel cgd0 > /etc/cgd/swapfile.disklabel

Use it (finally). 
    # swapctl -a /dev/cgd0c

Now you have working encrypted swap over nfs. To check its status: 
    # swapctl -l
    Device      512-blocks     Used    Avail Capacity  Priority
    /dev/cgd0c      131072     9696   121376     7%    0

#  Use the swapspace at every reboot 

Using this swapspace automatically at every reboot is a little tricky since it can not be put int _/etc/fstab_, but it can be done in another way. And I have already done the work for you. ;-) Check that the variables make sense on your system. E.g that you used vnd0 and cgd0 and RAW_PART is right for your architecture. Create the file _/etc/rc.conf.d/swap_ containing the following. 
    # Initialize cgd over vnd swap, suitable for nfs-swap.
    # Note: We can NOT put this swapfile in /etc/fstab, this is why
    # this is relatively complicated. 
    # If this is the only swapspace you have configured then you can set
    # no_swap=YES in rc.conf, otherwise the system will complain every boot.
    # $swapfile has to be in $critical_filesystems_remote. /usr is by default
    RAW_PART="c"                    # <- change to suit your arch
    SWAP_PART="c"                   # <- change to same as the disklabel
    stop_cmd="cryptovnd_stop"       # Note: We have to override stop_cmd
            # Since there is only one swap-variable in rc.conf we have to
            # check that we are being called from swap2.
            if [ $name = "swap1" ]; then
            if [ -f $swapfile ]; then
                    echo "Configuring cgd over vnd swap."
                    eval `stat -L -s $swapfile`
                    if [ `echo $st_uid+$st_gid|bc` != 0 ]; then
                            echo "$swapfile MUST be owned by root and group wheel"
                            echo "$swapfile not used as swap."
                            return 1
                            if [ ! -f $swap_disklabel ]; then
                                    echo "No $swap_disklabel."
                                    echo "$swapfile can not be used as swap."
                                    return 1
                            if [ $st_mode != "0100600" ]; then
                                    echo "$swapfile MUST have permission 600"
                                    echo "$swapfile not used as swap."
                                    return 1
                    vnconfig $vnd_device $swapfile
                    cgdconfig $cgd_device /dev/${vnd_device}$RAW_PART $paramsfile
                    disklabel -R -r $cgd_device $swap_disklabel
                    swapctl -a /dev/${cgd_device}$SWAP_PART
            if [ $name = "swap2" ]; then
                    swapctl -d /dev/${cgd_device}$SWAP_PART
                    cgdconfig -u $cgd_device
                    vnconfig -u $vnd_device
                    swapctl -U -t noblk

#  Some issues and notes 

  * Do not include this cgd in _/etc/cgd/cgd.conf_
  * It could happen that there isn't enough entropy in the kernel to initialize the swap partition. If so, you can add your NIC to the entropy pool in _/etc/rc.conf_ with **/sbin/rndctl -ced ne0** if you have a [[!template id=man name="ne" section="4"]] NIC. 
  * If this is the only swapspace configured, set the variable **no_swap=YES** in _/etc/rc.conf_ or the system will complain every boot. 

#  Additional Information 

  * [[!template id=man name="vnconfig" section="8"]] Manpage 
  * [[!template id=man name="cgdconfig" section="8"]] Manpage 
  * [[!template id=man name="swapctl" section="8"]] Manpage 
  * [[!template id=man name="disklabel" section="8"]] Manpage 

CVSweb for NetBSD wikisrc <> software: FreeBSD-CVSweb