General Information
CGD info:
This report describes how to setup an encrypted filesystem on NetBSD/i386. All partitions (except root) shall be encrypted on an existing installation.
- NetBSD Guide
- I want my CGD
- CryptoGraphic Disk Driver
Configuration
ONE
Take a record of the present disk setup:
df -h | lpr mount | lpr cat /etc/fstab | lpr disklabel wd0 | lpr fdisk > fdisk-output vi fdisk-output
Edit and remove the control characters at the “bootmenu” entries. This was required to print out on my Brother HL-1430.
cat fdisk-output | lpr
TWO
Recompile the kernel with cgd support:
mkdir /usr/obj vi /usr/src/sys/arch/i386/conf/GENERIC
Uncomment “psuedo-device cgd 4″
cd /usr/src/ ./build.sh tools kernel=GENERIC cd /usr/src/sys/arch/i386/compile/obj/GENERIC make install reboot
THREE
I used a OpenBSD/sparc64 host (ultra5) to store my backups. Create a directory on that box with enough space for the data (and set correct permissions).
Dump the existing filesystems:
cd / dump -0f - /usr | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/usr.fs" dump -0f - /var | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/var.fs" dump -0f - /home | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/home.fs"
FOUR
Boot into single user mode and mount root read/write.
shutdow now mount /dev/wd0a /
Delete the disklabel entries for swap usr, var and home.
disklabel -i -I wd0
Use “P” to print out the current disklabel.
Use “P” to print out the current disklabel.
Using the printouts from step ONE – I had to delete partitions wd0b, wd0e, wd0f and wd0g.
Type “b”. Then type “unused”, then “0″, “0″.
Type “e”. Then type “unused”, then “0″, “0″.
Type “f”. Then type “unused”, then “0″, “0″.
Type “g”. Then type “unused”, then “0″, “0″.
This will select each label entry, set it unused, and init the values to “0″.
If you type “P” again you’ll see the disklabels have been deleted.
Create a new disklabel for the CGD. I used “wd0e”.
Type “e”, then “ccd”, then “a”, then “$”. This will create a label for wd0e which starts after the root label (wd0a) and uses the remaining space.
Type “P” again to make sure everything is correct. When happy “W” then “Q” to exit.
FIVE
Scrub the wd0e partition:
cgdconfig -s cgd0 /dev/wd0e aes-cbc 128 < /dev/urandom dd if=/dev/zero of=/dev/rcgd0d bs=32k cgdconfig -u cgd0
SIX
Create the CGD:
cd /etc/ mkdir cgd chmod 700 cgd cgdconfig -g -V disklabel -o /etc/cgd/wd0e aes-cbc 256 cgdconfig -V re-enter cgd0 /dev/wd0e
[Enter a passphrase.]
SEVEN
Make new disklabels within the cgd device:
disklabel -i -I cgd0
Press "a", then "unused", "0", "0".
Press "b", then "swap", "0", "250M".
Press "e", then "4.2BSD", "b", "500M".
Press "f", then "4.2BSD", "e", "2000M".
Press "g", then "4.2BSD", "f", "$".
Press "P" to check layout is correct. Then "W" and "Q" to commit.
EIGHT
Create new filesystems on the CGD:
newfs /dev/rcgd0e newfs /dev/rcgd0f newfs /dev/rcgd0g
NINE
Edit configuration files.
The new "/etc/fstab" should read:
/dev/wd0a / ffs rw 1 1 /dev/cgd0b none swap sw 0 0 /dev/cgd0b /tmp mfs rw,-s=250m /dev/cgd0e /var ffs rw,softdep 1 2 /dev/cgd0f /home ffs rw,softdep 1 2 /dev/cgd0g /usr ffs rw,softdep 1 2
The "/etc/cgd/cgd.conf" file needs:
cgd0 /dev/wd0e
And "/etc/rc.conf" must be modified:
cgd=YES
Of course, at this stage only "/bin" and "/sbin" are available - which means no "vi" or "ssh".
Ashamed of my "ed" line editor skillset - I wrote those files while ssh'd into the OpenBSD server via a laptop. I used "rcp" to ferry them back onto the NetBSD box. The broadband modem was casually switched off at this stage.
On the OpenBSD/sparc64 server:
# vi /etc/rc.conf inetd=YES
# vi /etc/inetd.conf shell stream tcp nowait root /usr/libexec/rshd rshd -L
# vi /etc/hosts.equiv + +
reboot
To bring up the network (on the NetBSD box) while in single-user:
cd /etc/rc.d ./network start
Upload the required files to the server for editing:
cd /etc/ rcp fstab swm@ultra5:/usr/dumps/fstab rcp rc.conf swm@ultra5:/usr/dumps/rc.conf cd /etc/cgd rcp cgd.conf swm@ultra5:/usr/dumps/cgd.conf
Then edit using "vi" on the server.
Transfer the files back into place:
cd /etc/ rcp swm@ultra5:/usr/dumps/fstab fstab rcp swm@ultra5:/usr/dumps/rc.conf rc.conf cd cgd rcp swm@ultra5:/usr/dumps/cgd.conf cgd.conf
TEN
Restore the data from the dumps
mount -a cd /var rcp swm@ultra5:/usr/dumps/var.fs var.fs cat var.fs | restore -rf - rm var.fs ; rm rest* cd /home rcp swm@ultra5:/usr/dumps/home.fs home.fs cat home.fs | restore -rf - rm home.fs ; rm rest* cd /usr rcp swm@ultra5:/usr/dumps/usr.fs usr.fs cat usr.fs | restore -rf - rm usr.fs ; rm rest*
Check everything is where it should be. Then reset the NetBSD box:
reboot
CryptoGraphic Disk setup is now comlete and a passphrase is required at boot-time to access the disks.
REFERENCE
For your information:
# cat /etc/fstab /dev/wd0a / ffs rw 1 1 /dev/cgd0b none swap sw 0 0 /dev/cgd0b /tmp mfs rw,-s=250m /dev/cgd0e /var ffs rw,softdep 1 2 /dev/cgd0f /home ffs rw,softdep 1 2 /dev/cgd0g /usr ffs rw,softdep 1 2 kernfs /kern kernfs rw /dev/cd0a /home/swm/cd cd9660 ro,noauto 0 0 procfs /emul/linux/proc procfs ro,linux # df -h Filesystem Size Used Avail Capacity Mounted on /dev/wd0a 242M 26M 204M 11% / /dev/cgd0e 485M 16M 444M 3% /var /dev/cgd0g 5.9G 2.5G 3.0G 45% /usr mfs:316 242M 3.0K 230M 0% /tmp /dev/cgd0f 1.9G 4.6M 1.8G 0% /home kernfs 1.0K 1.0K 0B 100% /kern procfs 4.0K 4.0K 0B 100% /usr/pkg/emul/linux/proc # disklabel wd0 # /dev/rwd0d: type: unknown disk: Maxtor 5T020H2 label: flags: bytes/sector: 512 sectors/track: 63 tracks/cylinder: 16 sectors/cylinder: 1008 cylinders: 38792 total sectors: 39102336 rpm: 3600 interleave: 1 trackskew: 0 cylinderskew: 0 headswitch: 0 # microseconds track-to-track seek: 0 # microseconds drivedata: 0 16 partitions: # size offset fstype [fsize bsize cpg/sgs] a: 512064 20480000 4.2BSD 1024 8192 42672 # (Cyl. 20317*- 20825*) c: 18622336 20480000 unused 0 0 # (Cyl. 20317*- 38791) d: 39102336 0 unused 0 0 # (Cyl. 0 - 38791) e: 18110272 20992064 ccd # (Cyl. 20825*- 38791) # disklabel cgd0 disklabel: Invalid signature in mbr record 0 # /dev/rcgd0d: type: cgd disk: cgd label: fictitious flags: bytes/sector: 512 sectors/track: 2048 tracks/cylinder: 1 sectors/cylinder: 2048 cylinders: 8842 total sectors: 18110272 rpm: 3600 interleave: 1 trackskew: 0 cylinderskew: 0 headswitch: 0 # microseconds track-to-track seek: 0 # microseconds drivedata: 0 7 partitions: # size offset fstype [fsize bsize cpg/sgs] b: 512000 0 swap # (Cyl. 0 - 249) d: 18110272 0 unused 0 0 # (Cyl. 0 - 8842*) e: 1024000 512000 4.2BSD 1024 8192 46552 # (Cyl. 250 - 749) f: 4096000 1536000 4.2BSD 2048 16384 27560 # (Cyl. 750 - 2749) g: 12478272 5632000 4.2BSD 2048 16384 26216 # (Cyl. 2750 - 8842*)
This setup was done on a ~20GB disk shared with a Debian GNU/Linux distribution:
# fdisk
Disk: /dev/rwd0d
NetBSD disklabel disk geometry:
cylinders: 38792, heads: 16, sectors/track: 63 (1008 sectors/cylinder)
total sectors: 39102336
BIOS disk geometry:
cylinders: 1023, heads: 240, sectors/track: 63 (15120 sectors/cylinder)
total sectors: 39102336
Partition table:
0: NetBSD (sysid 169)
bootmenu:
start 20480000, size 18622336 (9093 MB, Cyls 1354/119/24-2586/32/1), Active
1: Linux native (sysid 131)
bootmenu:
start 63, size 979902 (478 MB, Cyls 0-64/195/1)
2: Linux swap or Prime or Solaris (sysid 130)
bootmenu:
start 979965, size 1959930 (957 MB, Cyls 64/195/1-194/105/1)
3: Extended partition (sysid 5)
start 2939895, size 17526915 (8558 MB, Cyls 194/105/1-1353/150/1)
Extended partition table:
E0: Linux native (sysid 131)
start 2939958, size 1959867 (957 MB, Cyls 194/105/1-324/15/1)
E1: Linux native (sysid 131)
start 4899888, size 1959867 (957 MB, Cyls 324/15/1-453/165/1)
E2: Linux native (sysid 131)
start 6859818, size 2923767 (1428 MB, Cyls 453/165/1-647/15/1)
E3: Linux native (sysid 131)
start 9783648, size 10683162 (5216 MB, Cyls 647/15/1-1353/150/1)
Bootselector disabled.