General Information
CGD info:
NetBSD Guide
I want my CGD
CryptoGraphic Disk Driver
This report describes how to setup an encrypted filesystem on NetBSD/i386. All partitions (except root) shall be encrypted on an existing installation.
Configuration
ONE
Take a record of the present disk setup:
#
#
#
#
#
# |
df -h | lpr
mount | lpr
cat /etc/fstab | lpr
disklabel wd0 | lpr
fdisk > fdisk-output
vi fdisk-output |
Edit and remove the control characters at the "bootmenu" entries. This was required to print out on my Brother HL-1430.
TWO
Recompile the kernel with cgd support:
#
# |
mkdir /usr/obj
vi /usr/src/sys/arch/i386/conf/GENERIC |
Uncomment "psuedo-device cgd 4"
#
#
#
#
# |
cd /usr/src/
./build.sh tools kernel=GENERIC
cd /usr/src/sys/arch/i386/compile/obj/GENERIC
make install
reboot |
THREE
I used a OpenBSD/sparc64 host (ultra5) to store my backups. Create a directory on that box with enough space for the data (and set correct permissions).
Dump the existing filesystems:
#
#
#
# |
cd /
dump -0f - /usr | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/usr.fs"
dump -0f - /var | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/var.fs"
dump -0f - /home | ssh -o 'EscapeChar none' swm@ultra5 "cat > /usr/dumps/home.fs" |
FOUR
Boot into single user mode and mount root read/write.
#
# |
shutdow now
mount /dev/wd0a / |
Delete the disklabel entries for swap usr, var and home.
Use "P" to print out the current disklabel.
Using the printouts from step ONE - I had to delete partitions wd0b, wd0e, wd0f and wd0g.
Type "b". Then type "unused", then "0", "0".
Type "e". Then type "unused", then "0", "0".
Type "f". Then type "unused", then "0", "0".
Type "g". Then type "unused", then "0", "0".
This will select each label entry, set it unused, and init the values to "0".
If you type "P" again you'll see the disklabels have been deleted.
Create a new disklabel for the CGD. I used "wd0e".
Type "e", then "ccd", then "a", then "$". This will create a label for wd0e which starts after the root label (wd0a) and uses the remaining space.
Type "P" again to make sure everything is correct. When happy "W" then "Q" to exit.
FIVE
Scrub the wd0e partition:
#
#
# |
cgdconfig -s cgd0 /dev/wd0e aes-cbc 128 < /dev/urandom
dd if=/dev/zero of=/dev/rcgd0d bs=32k
cgdconfig -u cgd0 |
SIX
Create the CGD:
#
#
#
#
# |
cd /etc/
mkdir cgd
chmod 700 cgd
cgdconfig -g -V disklabel -o /etc/cgd/wd0e aes-cbc 256
cgdconfig -V re-enter cgd0 /dev/wd0e |
[Enter a passphrase.]
SEVEN
Make new disklabels within the cgd device:
Press "a", then "unused", "0", "0".
Press "b", then "swap", "0", "250M".
Press "e", then "4.2BSD", "b", "500M".
Press "f", then "4.2BSD", "e", "2000M".
Press "g", then "4.2BSD", "f", "$".
Press "P" to check layout is correct. Then "W" and "Q" to commit.
EIGHT
Create new filesystems on the CGD:
#
#
# |
newfs /dev/rcgd0e
newfs /dev/rcgd0f
newfs /dev/rcgd0g |
NINE
Edit configuration files.
The new "/etc/fstab" should read:
/dev/wd0a / ffs rw 1 1
/dev/cgd0b none swap sw 0 0
/dev/cgd0b /tmp mfs rw,-s=250m
/dev/cgd0e /var ffs rw,softdep 1 2
/dev/cgd0f /home ffs rw,softdep 1 2
/dev/cgd0g /usr ffs rw,softdep 1 2
|
The "/etc/cgd/cgd.conf" file needs:
And "/etc/rc.conf" must be modified:
Of course, at this stage only "/bin" and "/sbin" are available - which means no "vi" or "ssh".
Ashamed of my "ed" line editor skillset - I wrote those files while ssh'd into the OpenBSD server via a laptop. I used "rcp" to ferry them back onto the NetBSD box. The broadband modem was casually switched off at this stage.
On the OpenBSD/sparc64 server:
# vi /etc/rc.conf
inetd=YES
|
# vi /etc/inetd.conf
shell stream tcp nowait root /usr/libexec/rshd rshd -L
|
# vi /etc/hosts.equiv
+ +
|
To bring up the network (on the NetBSD box) while in single-user:
#
# |
cd /etc/rc.d
./network start |
Upload the required files to the server for editing:
#
#
#
#
# |
cd /etc/
rcp fstab swm@ultra5:/usr/dumps/fstab
rcp rc.conf swm@ultra5:/usr/dumps/rc.conf
cd /etc/cgd
rcp cgd.conf swm@ultra5:/usr/dumps/cgd.conf |
Then edit using "vi" on the server.
Transfer the files back into place:
#
#
#
#
# |
cd /etc/
rcp swm@ultra5:/usr/dumps/fstab fstab
rcp swm@ultra5:/usr/dumps/rc.conf rc.conf
cd cgd
rcp swm@ultra5:/usr/dumps/cgd.conf cgd.conf |
TEN
Restore the data from the dumps.
#
#
#
#
#
#
#
#
#
#
#
#
# |
mount -a
cd /var
rcp swm@ultra5:/usr/dumps/var.fs var.fs
cat var.fs | restore -rf -
rm var.fs ; rm rest*
cd /home
rcp swm@ultra5:/usr/dumps/home.fs home.fs
cat home.fs | restore -rf -
rm home.fs ; rm rest*
cd /usr
rcp swm@ultra5:/usr/dumps/usr.fs usr.fs
cat usr.fs | restore -rf -
rm usr.fs ; rm rest* |
Check everything is where it should be. Then reset the NetBSD box:
CryptoGraphic Disk setup is now comlete and a passphrase is required at boot-time to access the disks.
REFERENCE
For your information:
# cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/cgd0b none swap sw 0 0
/dev/cgd0b /tmp mfs rw,-s=250m
/dev/cgd0e /var ffs rw,softdep 1 2
/dev/cgd0f /home ffs rw,softdep 1 2
/dev/cgd0g /usr ffs rw,softdep 1 2
kernfs /kern kernfs rw
/dev/cd0a /home/swm/cd cd9660 ro,noauto 0 0
procfs /emul/linux/proc procfs ro,linux
# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 242M 26M 204M 11% /
/dev/cgd0e 485M 16M 444M 3% /var
/dev/cgd0g 5.9G 2.5G 3.0G 45% /usr
mfs:316 242M 3.0K 230M 0% /tmp
/dev/cgd0f 1.9G 4.6M 1.8G 0% /home
kernfs 1.0K 1.0K 0B 100% /kern
procfs 4.0K 4.0K 0B 100% /usr/pkg/emul/linux/proc
# disklabel wd0
# /dev/rwd0d:
type: unknown
disk: Maxtor 5T020H2
label:
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 38792
total sectors: 39102336
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0
16 partitions:
# size offset fstype [fsize bsize cpg/sgs]
a: 512064 20480000 4.2BSD 1024 8192 42672 # (Cyl. 20317*- 20825*)
c: 18622336 20480000 unused 0 0 # (Cyl. 20317*- 38791)
d: 39102336 0 unused 0 0 # (Cyl. 0 - 38791)
e: 18110272 20992064 ccd # (Cyl. 20825*- 38791)
# disklabel cgd0
disklabel: Invalid signature in mbr record 0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 8842
total sectors: 18110272
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0
7 partitions:
# size offset fstype [fsize bsize cpg/sgs]
b: 512000 0 swap # (Cyl. 0 - 249)
d: 18110272 0 unused 0 0 # (Cyl. 0 - 8842*)
e: 1024000 512000 4.2BSD 1024 8192 46552 # (Cyl. 250 - 749)
f: 4096000 1536000 4.2BSD 2048 16384 27560 # (Cyl. 750 - 2749)
g: 12478272 5632000 4.2BSD 2048 16384 26216 # (Cyl. 2750 - 8842*)
|
This setup was done on a ~20GB disk shared with a Debian GNU/Linux distribution:
# fdisk
Disk: /dev/rwd0d
NetBSD disklabel disk geometry:
cylinders: 38792, heads: 16, sectors/track: 63 (1008 sectors/cylinder)
total sectors: 39102336
BIOS disk geometry:
cylinders: 1023, heads: 240, sectors/track: 63 (15120 sectors/cylinder)
total sectors: 39102336
Partition table:
0: NetBSD (sysid 169)
bootmenu:
start 20480000, size 18622336 (9093 MB, Cyls 1354/119/24-2586/32/1), Active
1: Linux native (sysid 131)
bootmenu:
start 63, size 979902 (478 MB, Cyls 0-64/195/1)
2: Linux swap or Prime or Solaris (sysid 130)
bootmenu:
start 979965, size 1959930 (957 MB, Cyls 64/195/1-194/105/1)
3: Extended partition (sysid 5)
start 2939895, size 17526915 (8558 MB, Cyls 194/105/1-1353/150/1)
Extended partition table:
E0: Linux native (sysid 131)
start 2939958, size 1959867 (957 MB, Cyls 194/105/1-324/15/1)
E1: Linux native (sysid 131)
start 4899888, size 1959867 (957 MB, Cyls 324/15/1-453/165/1)
E2: Linux native (sysid 131)
start 6859818, size 2923767 (1428 MB, Cyls 453/165/1-647/15/1)
E3: Linux native (sysid 131)
start 9783648, size 10683162 (5216 MB, Cyls 647/15/1-1353/150/1)
Bootselector disabled.
|
Author: Stuart Mackie
stuart dot mackie at bcs dot org
