1Encrypted iSCSI Devices on NetBSD 2================================= 3 4This document shows how to set up and run an encrypted iSCSI device on 5NetBSD. Encryption of devices can be used for maintaining privacy on 6devices located remotely, possibly on co-located hardware, for 7instance, or on machines which could be stolen, or to which others 8could gain access. 9 10To encrypt the iSCSI device, we use the NetBSD iSCSI initiator, 11available in NetBSD-current, and the standard cgd device. In all, 12setting up an encrypted device in this manner should take less than 15 13minutes, even for someone unfamiliar with iSCSI or cgd. 14 15The approach is to layer a vnd on top of the "storage" file presented 16by the iSCSI target. This is exactly the same as normal. On top of that 17vnd, we layer a cgd device, which ensures that all data is encrypted 18on the iSCSI device. 19 20 211. Device Initialisation 22======================== 23 24This first section shows how to initialise the device, a one-time 25operation. 26 27Firstly, the initiator is started, pointing at the machine which is 28presenting the iSCSI storage (i.e. the machine on which the iSCSI 29target is running). In this example, the target is running on the 30same machine as the initiator (a laptop called, in a moment of 31inspiration, inspiron1300). A 50 MB iSCSI target is being presented 32as target1. 33 34 # obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt & 35 [1] 11196 36 # 37 # df 38 Filesystem 1K-blocks Used Avail %Cap Mounted on 39 /dev/dk0 28101396 20862004 5834324 78% / 40 kernfs 1 1 0 100% /kern 41 procfs 4 4 0 100% /proc 42 ptyfs 1 1 0 100% /dev/pts 43 /dev/puffs 0 0 0 100% /mnt 44 # 45 46Looking at the last line, we can see that the initiator is running 47via the puffs device. 48 49We now add a vnd device on top of the storage which the target is 50presenting: 51 52 # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage 53 # 54 55We now add a disklabel, which is offset 63 blocks into the iSCSI device. 56This is so that the encrypted device which we shall put on top of the vnd 57does not clash with the vnd's label. Chapter 14 of the NetBSD guide, on 58setting up a cgd device, recommends that the cgd's type be "ccd". 59 60 # disklabel -e vnd0 61 62 # /dev/rvnd0d: 63 type: vnd 64 disk: vnd 65 label: fictitious 66 flags: 67 bytes/sector: 512 68 sectors/track: 32 69 tracks/cylinder: 64 70 sectors/cylinder: 2048 71 cylinders: 50 72 total sectors: 102400 73 rpm: 3600 74 interleave: 1 75 trackskew: 0 76 cylinderskew: 0 77 headswitch: 0 # microseconds 78 track-to-track seek: 0 # microseconds 79 drivedata: 0 80 81 4 partitions: 82 # size offset fstype [fsize bsize cpg/sgs] 83 a: 102336 63 ccd 2048 16384 28360 # (Cyl. 0 - 49) 84 d: 102400 0 unused 0 0 # (Cyl. 0 - 49) 85 ~ 86 === EdDk.a11098a [confmode] is /tmp/EdDk.a11098a ================(22,11) 95% == 87 # 88 89We now set up the cgd device, pointing it at the vnd device. 90 91 # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom 92 # 93 94and then zero the cgd device's storage. 95 96 # dd if=/dev/zero of=/dev/rcgd0d bs=32k 97 dd: /dev/rcgd0d: Invalid argument 98 1601+0 records in 99 1600+0 records out 100 52428800 bytes transferred in 16.633 secs (3152095 bytes/sec) 101 # 102 103We now unconfigure the cgd device. 104 105 # cgdconfig -u cgd0 106 # 107 108and then write using the disklabel verification method onto the cgd. Sometimes, 109this process does not always complete properly, and so it has to be repeated. 110 111 # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256 112 cgdconfig: could not calibrate pkcs5_pbkdf2 113 cgdconfig: Failed to generate defaults for keygen 114 # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256 115 # 116 117Now we have to add the password to the cgd device 118 119 # cgdconfig -V re-enter cgd0 /dev/vnd0a 120 /dev/vnd0a's passphrase: 121 re-enter device's passphrase: 122 # 123 124and disklabel inside the cgd itself: 125 126 # disklabel -I -e cgd0 127 128 # /dev/rcgd0d: 129 type: cgd 130 disk: cgd 131 label: fictitious 132 flags: 133 bytes/sector: 512 134 sectors/track: 2048 135 tracks/cylinder: 1 136 sectors/cylinder: 2048 137 cylinders: 49 138 total sectors: 102336 139 rpm: 3600 140 interleave: 1 141 trackskew: 0 142 cylinderskew: 0 143 headswitch: 0 # microseconds 144 track-to-track seek: 0 # microseconds 145 drivedata: 0 146 147 4 partitions: 148 # size offset fstype [fsize bsize cpg/sgs] 149 a: 102336 0 4.2BSD 2048 16384 28360 # (Cyl. 0 - 49*) 150 d: 102336 0 unused 0 0 # (Cyl. 0 - 49*) 151 ~ 152 ~ 153 === EdDk.a11253a [confmode] is /tmp/EdDk.a11253a =================(22,53) 95% == 154 # 155 156Having placed a disklabel inside the cgd, we can now make a filesystem on there: 157 158 # newfs /dev/rcgd0a 159 /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024 160 using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes. 161 super-block backups (for fsck_ffs -b #) at: 162 32, 25616, 51200, 76784, 163 # 164 165we can then mount the new file system in the cgd on the /iscsi mount 166point: 167 168 # df 169 Filesystem 1K-blocks Used Avail %Cap Mounted on 170 /dev/dk0 28101396 20910216 5786112 78% / 171 kernfs 1 1 0 100% /kern 172 procfs 4 4 0 100% /proc 173 ptyfs 1 1 0 100% /dev/pts 174 /dev/puffs 0 0 0 100% /mnt 175 # mount /dev/cgd0a /iscsi 176 # df 177 Filesystem 1K-blocks Used Avail %Cap Mounted on 178 /dev/dk0 28101396 20910216 5786112 78% / 179 kernfs 1 1 0 100% /kern 180 procfs 4 4 0 100% /proc 181 ptyfs 1 1 0 100% /dev/pts 182 /dev/puffs 0 0 0 100% /mnt 183 /dev/cgd0a 49519 1 47043 0% /iscsi 184 # 185 186The new file system, mounted on /iscsi, can now be used as normal. 187 188 1892. Unmounting the Encrypted Device 190================================== 191 192The device can be freed up using the following commands: 193 194 # umount /iscsi 195 # cgdconfig -u cgd0 196 # vnconfig -u vnd0 197 198 1993. Normal Usage 200=============== 201 202In normal usage, the device can be mounted. Firstly, the initiator 203must be configured to connect to the device: 204 205 # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage 206 # cgdconfig cgd0 /dev/vnd0a 207 /dev/vnd0a's passphrase: 208 # 209 210I'm using dk devices on this machine, so I now have to access the cgd 211device using the dk that was assigned in the cgdconfig step. If I 212wasn't using dk devices, then I'd use the cgd device. 213 214!!!SO PICK ONE OF THE FOLLOWING TWO COMMANDS!!! 215 216 # mount /dev/cgd0a /iscsi OR 217 # mount /dev/dk3 /iscsi 218 # ls -al /iscsi 219 total 3 220 drwxr-xr-x 2 root wheel 512 Jan 1 1970 . 221 drwxr-xr-x 35 root wheel 1536 Jan 5 08:59 .. 222 # df 223 Filesystem 1K-blocks Used Avail %Cap Mounted on 224 /dev/dk0 28101396 20910100 5786228 78% / 225 kernfs 1 1 0 100% /kern 226 procfs 4 4 0 100% /proc 227 ptyfs 1 1 0 100% /dev/pts 228 /dev/puffs 0 0 0 100% /mnt 229 /dev/dk3 49519 1 47043 0% /iscsi 230 # 231 232 2334. Conclusion 234============= 235 236An iSCSI disk can be in a location over which complete control 237cannot be assured. In order to ensure privacy, the cgd device 238can be used to encrypt the data on the iSCSI device. 239 240This document has shown how to set up a cgd device on top of the 241iSCSI device, and how to mount and unmount on a regular basis. 242 243 244Alistair Crooks 245Sat Jan 5 22:08:32 GMT 2008 246