CGD Setup

General Information

CGD info:

This report describes how to set up an encrypted filesystem on NetBSD/i386. All partitions (except root) of an existing installation are to be encrypted.

  • NetBSD Guide
  • I want my CGD
  • CryptoGraphic Disk Driver

Configuration

ONE

Take a record of the present disk setup:

df -h | lpr
mount | lpr
cat /etc/fstab | lpr
disklabel wd0 | lpr
fdisk > fdisk-output
vi fdisk-output

Edit and remove the control characters at the “bootmenu” entries. This was required to print out on my Brother HL-1430.

cat fdisk-output | lpr

TWO

Recompile the kernel with cgd support:

mkdir /usr/obj
vi /usr/src/sys/arch/i386/conf/GENERIC

Uncomment “pseudo-device cgd 4”

cd /usr/src/
./build.sh tools kernel=GENERIC
cd /usr/src/sys/arch/i386/compile/obj/GENERIC
make install
reboot

THREE

I used an OpenBSD/sparc64 host (ultra5) to store my backups. Create a directory on that box with enough space for the data (and set correct permissions).

Dump the existing filesystems:

cd /
dump -0f - /usr | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/usr.fs"
dump -0f - /var | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/var.fs"
dump -0f - /home | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/home.fs"

FOUR

Boot into single user mode and mount root read/write.

shutdown now
mount /dev/wd0a /

Delete the disklabel entries for swap, usr, var and home.

disklabel -i -I wd0

Use “P” to print out the current disklabel.
Using the printouts from step ONE – I had to delete partitions wd0b, wd0e, wd0f and wd0g.
Type “b”. Then type “unused”, then “0”, “0”.
Type “e”. Then type “unused”, then “0”, “0”.
Type “f”. Then type “unused”, then “0”, “0”.
Type “g”. Then type “unused”, then “0”, “0”.
This will select each label entry, set it unused, and init the values to “0”.
If you type “P” again you’ll see the disklabels have been deleted.
Create a new disklabel for the CGD. I used “wd0e”.
Type “e”, then “ccd”, then “a”, then “$”. This will create a label for wd0e which starts after the root label (wd0a) and uses the remaining space.
Type “P” again to make sure everything is correct. When happy “W” then “Q” to exit.

FIVE

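Scrub the wd0e partition. A temporary cgd is configured with a random key read from /dev/urandom, and writing zeros through it fills the underlying partition with random-looking ciphertext: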

cgdconfig -s cgd0 /dev/wd0e aes-cbc 128 < /dev/urandom
dd if=/dev/zero of=/dev/rcgd0d bs=32k
cgdconfig -u cgd0

SIX

Create the CGD:

cd /etc/
mkdir cgd
chmod 700 cgd
cgdconfig -g -V disklabel -o /etc/cgd/wd0e aes-cbc 256
cgdconfig -V re-enter cgd0 /dev/wd0e

[Enter a passphrase.]

SEVEN

Make new disklabels within the cgd device:

disklabel -i -I cgd0

Press "a", then "unused", "0", "0".
Press "b", then "swap", "0", "250M".
Press "e", then "4.2BSD", "b", "500M".
Press "f", then "4.2BSD", "e", "2000M".
Press "g", then "4.2BSD", "f", "$".
Press "P" to check layout is correct. Then "W" and "Q" to commit.
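
A sanity check for the layout entered above, as an added example that is not part of the original write-up: it parses `disklabel` output and reports partitions that overlap or run past the end of the device. The function name `check_label` is hypothetical; the sample input is the `disklabel cgd0` partition table from the REFERENCE section.

```shell
#!/bin/sh
# Added example; check_label is a hypothetical helper name.
# Reads `disklabel` output on stdin and reports partitions that overlap or
# extend past the device. "unused" entries (such as d) are skipped.
check_label() {
    awk '
        /^total sectors:/ { total = $3 + 0 }
        /^ *[a-p]:/ && $4 != "unused" {
            n++; name[n] = substr($1, 1, 1); size[n] = $2 + 0; off[n] = $3 + 0
        }
        END {
            # insertion sort by starting offset
            for (i = 2; i <= n; i++)
                for (j = i; j > 1 && off[j-1] > off[j]; j--) {
                    t = off[j];  off[j]  = off[j-1];  off[j-1]  = t
                    t = size[j]; size[j] = size[j-1]; size[j-1] = t
                    t = name[j]; name[j] = name[j-1]; name[j-1] = t
                }
            for (i = 1; i <= n; i++) {
                last = off[i] + size[i]
                if (i > 1 && off[i] < prev) { print name[i] " overlaps " name[i-1]; bad = 1 }
                if (last > total) { print name[i] " extends past the device"; bad = 1 }
                if (last > prev) prev = last
            }
            exit bad + 0
        }'
}

# Partition table copied from the `disklabel cgd0` output in the REFERENCE section
check_label <<'EOF' && echo "layout ok"
total sectors: 18110272
b:    512000         0       swap
d:  18110272         0     unused      0     0
e:   1024000    512000     4.2BSD   1024  8192 46552
f:   4096000   1536000     4.2BSD   2048 16384 27560
g:  12478272   5632000     4.2BSD   2048 16384 26216
EOF
```

On the live system the same function can be fed with `disklabel cgd0 | check_label` before running newfs.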

EIGHT

Create new filesystems on the CGD:

newfs /dev/rcgd0e
newfs /dev/rcgd0f
newfs /dev/rcgd0g

NINE

Edit configuration files.

The new "/etc/fstab" should read:

/dev/wd0a / ffs rw 1 1
/dev/cgd0b none swap sw 0 0
/dev/cgd0b /tmp mfs rw,-s=250m
/dev/cgd0e /var ffs rw,softdep 1 2
/dev/cgd0f /home ffs rw,softdep 1 2
/dev/cgd0g /usr ffs rw,softdep 1 2

The "/etc/cgd/cgd.conf" file needs:

cgd0   /dev/wd0e

And "/etc/rc.conf" must be modified:

cgd=YES

Of course, at this stage only "/bin" and "/sbin" are available - which means no "vi" or "ssh".

Ashamed of my "ed" line editor skillset - I wrote those files while ssh'd into the OpenBSD server via a laptop. I used "rcp" to ferry them back onto the NetBSD box. The broadband modem was casually switched off at this stage.

On the OpenBSD/sparc64 server:

# vi /etc/rc.conf
inetd=YES

# vi /etc/inetd.conf
shell          stream  tcp     nowait  root    /usr/libexec/rshd       rshd -L

# vi /etc/hosts.equiv
+ +

reboot

To bring up the network (on the NetBSD box) while in single-user:

cd /etc/rc.d
./network start

Upload the required files to the server for editing:

cd /etc/
rcp fstab swm@ultra5:/usr/dumps/fstab
rcp rc.conf swm@ultra5:/usr/dumps/rc.conf
cd /etc/cgd
rcp cgd.conf swm@ultra5:/usr/dumps/cgd.conf

Then edit using "vi" on the server.

Transfer the files back into place:

cd /etc/
rcp swm@ultra5:/usr/dumps/fstab fstab
rcp swm@ultra5:/usr/dumps/rc.conf rc.conf
cd cgd
rcp swm@ultra5:/usr/dumps/cgd.conf cgd.conf
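
With the three files back in place, a consistency check before the restore and reboot, as an added example that is not part of the original write-up: every cgd unit named in fstab must have a cgd.conf line, its parameters file must exist, /etc/cgd must still be mode 700, and rc.conf must enable cgd. The function name `check_cgd_config` and the directory argument standing in for /etc are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# Added example; check_cgd_config is a hypothetical helper, not a NetBSD tool.
# $1 is the directory standing in for /etc, so copies can be checked first.
check_cgd_config() {
    etc=$1 rc=0
    # rc.conf must enable cgd or the devices are never configured at boot
    grep -Eq '^cgd="?YES' "$etc/rc.conf" || { echo "rc.conf: cgd=YES missing"; rc=1; }
    # the directory holding the parameters files should stay root-only (chmod 700)
    [ "$(ls -ld "$etc/cgd" | cut -c5-10)" = "------" ] ||
        { echo "$etc/cgd is accessible to group/other"; rc=1; }
    # every cgdN unit that fstab references needs a cgd.conf line
    for unit in $(sed -n 's|^/dev/\(cgd[0-9][0-9]*\)[a-p][[:space:]].*|\1|p' "$etc/fstab" | sort -u)
    do
        line=$(awk -v u="$unit" '$1 == u { print $2, $3; exit }' "$etc/cgd/cgd.conf")
        dev=${line%% *} params=${line#* }
        if [ -z "$dev" ]; then
            echo "cgd.conf: no entry for $unit"; rc=1; continue
        fi
        # without a third field cgdconfig uses /etc/cgd/<last component of dev>
        [ -n "$params" ] || params="$etc/cgd/${dev##*/}"
        [ -f "$params" ] || { echo "missing parameters file $params"; rc=1; }
    done
    return $rc
}

# Constructed sample tree mirroring the files shown in step NINE
demo=$(mktemp -d)
mkdir -m 700 "$demo/cgd"
printf '%s\n' '/dev/wd0a / ffs rw 1 1' '/dev/cgd0b none swap sw 0 0' \
    '/dev/cgd0e /var ffs rw,softdep 1 2' > "$demo/fstab"
echo 'cgd0   /dev/wd0e' > "$demo/cgd/cgd.conf"
echo 'cgd=YES' > "$demo/rc.conf"
: > "$demo/cgd/wd0e"    # stands in for the file written by cgdconfig -g -o
check_cgd_config "$demo" && echo "configuration consistent"
```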

TEN

Restore the data from the dumps:

mount -a
cd /var
rcp swm@ultra5:/usr/dumps/var.fs var.fs
cat var.fs | restore -rf -
rm var.fs ; rm rest*
cd /home
rcp swm@ultra5:/usr/dumps/home.fs home.fs
cat home.fs | restore -rf -
rm home.fs ; rm rest*
cd /usr
rcp swm@ultra5:/usr/dumps/usr.fs usr.fs
cat usr.fs | restore -rf -
rm usr.fs ; rm rest*

Check everything is where it should be. Then reset the NetBSD box:

reboot

CryptoGraphic Disk setup is now complete and a passphrase is required at boot-time to access the disks.
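
The rcp transfers in steps NINE and TEN relied on rshd and a "+ +" hosts.equiv entry on the backup server. The following added example, not part of the original write-up, is a check to run on that server once the restore is finished; it reports whether those settings are still active. The function name `audit_rsh` is hypothetical and the sample files are constructed from the lines shown in step NINE.

```shell
#!/bin/sh
# Added example; audit_rsh is a hypothetical helper name.
# $1 = path to inetd.conf, $2 = path to hosts.equiv.
# Prints one line per finding and returns 1 if anything is still open.
audit_rsh() {
    rc=0
    # an uncommented shell, login or exec line means rshd, rlogind or rexecd
    # is still started by inetd; "#shell ..." lines do not match
    svc=$(awk '$1 == "shell" || $1 == "login" || $1 == "exec" { print $1 }' "$1")
    for s in $svc; do
        echo "inetd.conf: $s service enabled"; rc=1
    done
    # a leading "+" is a wildcard: "+ +" trusts every user on every host
    if [ -f "$2" ] && grep -Eq '^[[:space:]]*\+' "$2"; then
        echo "hosts.equiv: wildcard trust entry"; rc=1
    fi
    return $rc
}

# Constructed copies of the two files as step NINE left them
tmp=$(mktemp -d)
printf 'shell\tstream\ttcp\tnowait\troot\t/usr/libexec/rshd\trshd -L\n' > "$tmp/inetd.conf"
echo '+ +' > "$tmp/hosts.equiv"
audit_rsh "$tmp/inetd.conf" "$tmp/hosts.equiv" || echo "rsh access still open"
```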

REFERENCE

For your information:

# cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/cgd0b none swap sw 0 0
/dev/cgd0b /tmp mfs rw,-s=250m
/dev/cgd0e /var ffs rw,softdep 1 2
/dev/cgd0f /home ffs rw,softdep 1 2
/dev/cgd0g /usr ffs rw,softdep 1 2
kernfs /kern kernfs rw
/dev/cd0a /home/swm/cd cd9660 ro,noauto 0 0
procfs /emul/linux/proc procfs ro,linux


# df -h
Filesystem    Size     Used     Avail Capacity  Mounted on
/dev/wd0a     242M      26M      204M    11%    /
/dev/cgd0e    485M      16M      444M     3%    /var
/dev/cgd0g    5.9G     2.5G      3.0G    45%    /usr
mfs:316       242M     3.0K      230M     0%    /tmp
/dev/cgd0f    1.9G     4.6M      1.8G     0%    /home
kernfs        1.0K     1.0K        0B   100%    /kern
procfs        4.0K     4.0K        0B   100%    /usr/pkg/emul/linux/proc


# disklabel wd0
# /dev/rwd0d:
type: unknown
disk: Maxtor 5T020H2
label:
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 38792
total sectors: 39102336
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
a:    512064  20480000     4.2BSD   1024  8192 42672  # (Cyl.  20317*-  20825*)
c:  18622336  20480000     unused      0     0        # (Cyl.  20317*-  38791)
d:  39102336         0     unused      0     0        # (Cyl.      0 -  38791)
e:  18110272  20992064        ccd                     # (Cyl.  20825*-  38791)


# disklabel cgd0
disklabel: Invalid signature in mbr record 0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 8842
total sectors: 18110272
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

7 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
b:    512000         0       swap                     # (Cyl.      0 -    249)
d:  18110272         0     unused      0     0        # (Cyl.      0 -   8842*)
e:   1024000    512000     4.2BSD   1024  8192 46552  # (Cyl.    250 -    749)
f:   4096000   1536000     4.2BSD   2048 16384 27560  # (Cyl.    750 -   2749)
g:  12478272   5632000     4.2BSD   2048 16384 26216  # (Cyl.   2750 -   8842*)

This setup was done on a ~20GB disk shared with a Debian GNU/Linux distribution:

# fdisk
Disk: /dev/rwd0d
NetBSD disklabel disk geometry:
cylinders: 38792, heads: 16, sectors/track: 63 (1008 sectors/cylinder)
total sectors: 39102336

BIOS disk geometry:
cylinders: 1023, heads: 240, sectors/track: 63 (15120 sectors/cylinder)
total sectors: 39102336

Partition table:
0: NetBSD (sysid 169)
    bootmenu:
    start 20480000, size 18622336 (9093 MB, Cyls 1354/119/24-2586/32/1), Active
1: Linux native (sysid 131)
    bootmenu:
    start 63, size 979902 (478 MB, Cyls 0-64/195/1)
2: Linux swap or Prime or Solaris (sysid 130)
    bootmenu:
    start 979965, size 1959930 (957 MB, Cyls 64/195/1-194/105/1)
3: Extended partition (sysid 5)
    start 2939895, size 17526915 (8558 MB, Cyls 194/105/1-1353/150/1)
Extended partition table:
E0: Linux native (sysid 131)
    start 2939958, size 1959867 (957 MB, Cyls 194/105/1-324/15/1)
E1: Linux native (sysid 131)
    start 4899888, size 1959867 (957 MB, Cyls 324/15/1-453/165/1)
E2: Linux native (sysid 131)
    start 6859818, size 2923767 (1428 MB, Cyls 453/165/1-647/15/1)
E3: Linux native (sysid 131)
    start 9783648, size 10683162 (5216 MB, Cyls 647/15/1-1353/150/1)
Bootselector disabled.
