1Encrypted iSCSI Devices on NetBSD
2=================================
3
4This document shows how to set up and run an encrypted iSCSI device on
5NetBSD.  Encryption of devices can be used for maintaining privacy on
6devices located remotely, possibly on co-located hardware, for
7instance, or on machines which could be stolen, or to which others
8could gain access.
9
10To encrypt the iSCSI device, we use the NetBSD iSCSI initiator,
11available in NetBSD-current, and the standard cgd device.  In all,
12setting up an encrypted device in this manner should take less than 15
13minutes, even for someone unfamiliar with iSCSI or cgd.
14
15The approach is to layer a vnd on top of the "storage" file presented
16by the iSCSI target. This is exactly the same as normal. On top of that
17vnd, we layer a cgd device, which ensures that all data is encrypted
18on the iSCSI device.
19
20
211. Device Initialisation
22========================
23
24This first section shows how to initialise the device, a one-time
25operation.
26
27Firstly, the initiator is started, pointing at the machine which is
28presenting the iSCSI storage (i.e.  the machine on which the iSCSI
29target is running).  In this example, the target is running on the
30same machine as the initiator (a laptop called, in a moment of
31inspiration, inspiron1300).  A 50 MB iSCSI target is being presented
32as target1.
33
34	# obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &
35	[1] 11196
36	#
37	# df
38	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
39	/dev/dk0      28101396   20862004    5834324  78% /
40	kernfs               1          1          0 100% /kern
41	procfs               4          4          0 100% /proc
42	ptyfs                1          1          0 100% /dev/pts
43	/dev/puffs           0          0          0 100% /mnt
44	#
45
46Looking at the last line, we can see that the initiator is running
47via the puffs device.
48
49We now add a vnd device on top of the storage which the target is
50presenting:
51
52	# vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
53	#
54
55We now add a disklabel, which is offset 63 blocks into the iSCSI device.
56This is so that the encrypted device which we shall put on top of the vnd
57does not clash with the vnd's label. Chapter 14 of the NetBSD guide, on
58setting up a cgd device, recommends that the cgd's type be "ccd".
59
60	# disklabel -e vnd0
61
62	# /dev/rvnd0d:
63	type: vnd
64	disk: vnd
65	label: fictitious
66	flags:
67	bytes/sector: 512
68	sectors/track: 32
69	tracks/cylinder: 64
70	sectors/cylinder: 2048
71	cylinders: 50
72	total sectors: 102400
73	rpm: 3600
74	interleave: 1
75	trackskew: 0
76	cylinderskew: 0
77	headswitch: 0           # microseconds
78	track-to-track seek: 0  # microseconds
79	drivedata: 0
80
81	4 partitions:
82	#        size    offset     fstype [fsize bsize cpg/sgs]
83	 a:    102336        63     ccd      2048 16384 28360  # (Cyl.      0 -     49)
84	 d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
85	~
86	=== EdDk.a11098a [confmode] is /tmp/EdDk.a11098a ================(22,11) 95% ==
87	#
88
89We now set up the cgd device, pointing it at the vnd device.
90
91	# priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom
92	#
93
94and then zero the cgd device's storage.
95
96	# dd if=/dev/zero of=/dev/rcgd0d bs=32k
97	dd: /dev/rcgd0d: Invalid argument
98	1601+0 records in
99	1600+0 records out
100	52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
101	#
102
103We now unconfigure the cgd device.
104
105	# cgdconfig -u cgd0
106	#
107
108and then write using the disklabel verification method onto the cgd. Sometimes,
109this process does not always complete properly, and so it has to be repeated.
110
111	# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
112	cgdconfig: could not calibrate pkcs5_pbkdf2
113	cgdconfig: Failed to generate defaults for keygen
114	# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
115	#
116
117Now we have to add the password to the cgd device
118
119	# cgdconfig -V re-enter cgd0 /dev/vnd0a
120	/dev/vnd0a's passphrase:
121	re-enter device's passphrase:
122	#
123
124and disklabel inside the cgd itself:
125
126	# disklabel -I -e cgd0
127
128	# /dev/rcgd0d:
129	type: cgd
130	disk: cgd
131	label: fictitious
132	flags:
133	bytes/sector: 512
134	sectors/track: 2048
135	tracks/cylinder: 1
136	sectors/cylinder: 2048
137	cylinders: 49
138	total sectors: 102336
139	rpm: 3600
140	interleave: 1
141	trackskew: 0
142	cylinderskew: 0
143	headswitch: 0           # microseconds
144	track-to-track seek: 0  # microseconds
145	drivedata: 0
146
147	4 partitions:
148	#        size    offset     fstype [fsize bsize cpg/sgs]
149	 a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
150	 d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
151	~
152	~
153	=== EdDk.a11253a [confmode] is /tmp/EdDk.a11253a =================(22,53) 95% ==
154	#
155
156Having placed a disklabel inside the cgd, we can now make a filesystem on there:
157
158	# newfs /dev/rcgd0a
159	/dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
160		using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
161	super-block backups (for fsck_ffs -b #) at:
162	32, 25616, 51200, 76784,
163	#
164
165we can then mount the new file system in the cgd on the /iscsi mount
166point:
167
168	# df
169	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
170	/dev/dk0      28101396   20910216    5786112  78% /
171	kernfs               1          1          0 100% /kern
172	procfs               4          4          0 100% /proc
173	ptyfs                1          1          0 100% /dev/pts
174	/dev/puffs           0          0          0 100% /mnt
175	# mount /dev/cgd0a /iscsi
176	# df
177	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
178	/dev/dk0      28101396   20910216    5786112  78% /
179	kernfs               1          1          0 100% /kern
180	procfs               4          4          0 100% /proc
181	ptyfs                1          1          0 100% /dev/pts
182	/dev/puffs           0          0          0 100% /mnt
183	/dev/cgd0a       49519          1      47043   0% /iscsi
184	#
185
186The new file system, mounted on /iscsi, can now be used as normal.
187
188
1892. Unmounting the Encrypted Device
190==================================
191
192The device can be freed up using the following commands:
193
194	# umount /iscsi
195	# cgdconfig -u cgd0
196	# vnconfig -u vnd0
197
198
1993. Normal Usage
200===============
201
202In normal usage, the device can be mounted. Firstly, the initiator
203must be configured to connect to the device:
204
205	# vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
206	# cgdconfig cgd0 /dev/vnd0a
207	/dev/vnd0a's passphrase:
208	#
209
210I'm using dk devices on this machine, so I now have to access the cgd
211device using the dk that was assigned in the cgdconfig step.  If I
212wasn't using dk devices, then I'd use the cgd device.
213
214!!!SO PICK ONE OF THE FOLLOWING TWO COMMANDS!!!
215
216	# mount /dev/cgd0a /iscsi OR
217	# mount /dev/dk3 /iscsi
218	# ls -al /iscsi
219	total 3
220	drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
221	drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
222	# df
223	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
224	/dev/dk0      28101396   20910100    5786228  78% /
225	kernfs               1          1          0 100% /kern
226	procfs               4          4          0 100% /proc
227	ptyfs                1          1          0 100% /dev/pts
228	/dev/puffs           0          0          0 100% /mnt
229	/dev/dk3         49519          1      47043   0% /iscsi
230	#
231
232
2334. Conclusion
234=============
235
236An iSCSI disk can be in a location over which complete control
237cannot be assured. In order to ensure privacy, the cgd device 
238can be used to encrypt the data on the iSCSI device.
239
240This document has shown how to set up a cgd device on top of the
241iSCSI device, and how to mount and unmount on a regular basis.
242
243
244Alistair Crooks
245Sat Jan  5 22:08:32 GMT 2008
246