Annotation of htdocs/docs/encrypted-iscsi.html, Revision 1.2
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="Website XSL Stylesheet V2.6.0">
<link rel="stylesheet" href="/global.css" type="text/css">
<title>Encrypted iSCSI Devices on NetBSD</title>
</head>
<body class="website"><div class="webpage">
<div id="content"><div class="fullWidth"><div class="rowOfBoxes">
<h1>Encrypted iSCSI Devices on NetBSD</h1>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="intro"></a>Introduction</h2></div></div></div>


<p>
This document shows how to set up and run an encrypted iSCSI device on
NetBSD. Encrypting the device preserves the privacy of data held on
remote storage, for instance on co-located hardware, or on machines
which could be stolen or to which others could gain access.
</p>

<p>
To encrypt the iSCSI device, we use the NetBSD iSCSI initiator,
available in NetBSD-current, and the standard cgd device. In all,
setting up an encrypted device in this manner should take less than 15
minutes, even for someone unfamiliar with iSCSI or cgd.
</p>

<p>
The approach is to layer a vnd on top of the "storage" file presented
by the iSCSI target, exactly as one would for any other file-backed
disk image. On top of that vnd, we layer a cgd device, which ensures
that all data written to the iSCSI device is encrypted.
</p>

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="devinit"></a>Device Initialisation</h3></div></div></div>


<p>
This first section shows how to initialise the device, a one-time
operation.
</p>

<p>
Firstly, the initiator is started, pointing at the machine which is
presenting the iSCSI storage (i.e. the machine on which the iSCSI
target is running). In this example, the target is running on the
same machine as the initiator (a laptop called, in a moment of
inspiration, inspiron1300). A 50 MB iSCSI target is being presented
as target1.
</p>
99:
100: <pre class="programlisting">
101: # obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &
102: [1] 11196
103: #
104: # df
105: Filesystem 1K-blocks Used Avail %Cap Mounted on
106: /dev/dk0 28101396 20862004 5834324 78% /
107: kernfs 1 1 0 100% /kern
108: procfs 4 4 0 100% /proc
109: ptyfs 1 1 0 100% /dev/pts
110: /dev/puffs 0 0 0 100% /mnt
111: #
112: </pre>
113:
114: <p>
115: Looking at the last line, we can see that the initiator is running
116: via the puffs device.
117: </p>
118:
119: <p>
120: We now add a vnd device on top of the storage which the target is
121: presenting:
122: </p>
123:
124: <pre class="programlisting">
125: # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
126: #
127: </pre>
128:
129: <p>
130: We now add a disklabel, which is offset 63 blocks into the iSCSI device.
131: This is so that the encrypted device which we shall put on top of the vnd
132: does not clash with the vnd's label. Chapter 14 of the NetBSD guide, on
133: setting up a cgd device, recommends that the cgd's type be "ccd".
134: </p>
135:
136:
<pre class="programlisting">
# disklabel -e vnd0

# /dev/rvnd0d:
type: vnd
disk: vnd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 32
tracks/cylinder: 64
sectors/cylinder: 2048
cylinders: 50
total sectors: 102400
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0

4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    102336        63        ccd   2048 16384 28360  # (Cyl.      0 -     49)
 d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
~
=== EdDk.a11098a [confmode] is /tmp/EdDk.a11098a ================(22,11) 95% ==
#
</pre>

<p>
We now set up the cgd device, pointing it at the vnd device. The -s
flag makes cgdconfig read the key from standard input, so this first
configuration uses a throwaway random key:
</p>

<pre class="programlisting">
# priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 &lt; /dev/urandom
#
</pre>

<p>
and then zero the cgd device's storage. Because the cgd is keyed
randomly, this fills the underlying iSCSI storage with data that cannot
be told apart from the ciphertext written later, so an observer cannot
see how much of the device is in use. The "Invalid argument" reported by
dd simply marks the point at which it reached the end of the device.
</p>

<pre class="programlisting">
# dd if=/dev/zero of=/dev/rcgd0d bs=32k
dd: /dev/rcgd0d: Invalid argument
1601+0 records in
1600+0 records out
52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
#
</pre>

<p>
We now unconfigure the cgd device.
</p>

<pre class="programlisting">
# cgdconfig -u cgd0
#
</pre>

<p>
and then generate the cgd's parameters file, using the disklabel
verification method, writing it to /etc/cgd/vnd0a, which is where
cgdconfig looks by default for a device called vnd0a. Sometimes this
does not complete properly (here the first attempt failed while
calibrating the PBKDF2 iteration count), and so the command has to be
repeated.
</p>

<pre class="programlisting">
# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
cgdconfig: could not calibrate pkcs5_pbkdf2
cgdconfig: Failed to generate defaults for keygen
# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
#
</pre>

<p>
Now we configure the cgd device with its passphrase. Since there is no
disklabel inside the cgd yet to verify against, the verification method
is overridden to "re-enter", which simply asks for the passphrase twice:
</p>

<pre class="programlisting">
# cgdconfig -V re-enter cgd0 /dev/vnd0a
/dev/vnd0a's passphrase:
re-enter device's passphrase:
#
</pre>

<p>
and then write a disklabel inside the cgd itself (the -I flag lets
disklabel edit a device which does not yet carry a label):
</p>

<pre class="programlisting">
# disklabel -I -e cgd0

# /dev/rcgd0d:
type: cgd
disk: cgd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 49
total sectors: 102336
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0

4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
 d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
~
~
=== EdDk.a11253a [confmode] is /tmp/EdDk.a11253a =================(22,53) 95% ==
#
</pre>

<p>
Having placed a disklabel inside the cgd, we can now make a filesystem on there:
</p>

<pre class="programlisting">
# newfs /dev/rcgd0a
/dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
super-block backups (for fsck_ffs -b #) at:
32, 25616, 51200, 76784,
#
</pre>

<p>
We can then mount the new file system in the cgd on the
<code class="filename">/iscsi</code> mount point:
</p>

<pre class="programlisting">
# df
Filesystem 1K-blocks Used Avail %Cap Mounted on
/dev/dk0 28101396 20910216 5786112 78% /
kernfs 1 1 0 100% /kern
procfs 4 4 0 100% /proc
ptyfs 1 1 0 100% /dev/pts
/dev/puffs 0 0 0 100% /mnt
# mount /dev/cgd0a /iscsi
# df
Filesystem 1K-blocks Used Avail %Cap Mounted on
/dev/dk0 28101396 20910216 5786112 78% /
kernfs 1 1 0 100% /kern
procfs 4 4 0 100% /proc
ptyfs 1 1 0 100% /dev/pts
/dev/puffs 0 0 0 100% /mnt
/dev/cgd0a 49519 1 47043 0% /iscsi
#
</pre>

<p>
The new file system, mounted on /iscsi, can now be used as normal.
</p>
</div>

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="unmounting"></a>Unmounting the Encrypted Device</h3></div></div></div>


<p>
The device can be freed up using the following commands:
</p>

<pre class="programlisting">
# umount /iscsi
# cgdconfig -u cgd0
# vnconfig -u vnd0
</pre>
</div>

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="usage"></a>Normal Usage</h3></div></div></div>


<p>
In normal usage, the device can be mounted as follows. Firstly, with
the initiator running, the device is connected to it by configuring the
vnd on the target's storage file and the cgd on top of the vnd;
cgdconfig finds the parameters file written earlier in /etc/cgd/vnd0a
and verifies the passphrase against the disklabel inside the cgd:
</p>

<pre class="programlisting">
# vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
# cgdconfig cgd0 /dev/vnd0a
/dev/vnd0a's passphrase:
#
</pre>

<p>
I'm using dk devices on this machine, so I now have to access the cgd
device using the dk that was assigned in the cgdconfig step. If I
wasn't using dk devices, then I'd use the cgd device.
</p>
340:
341: <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
342: <h3 class="title">Warning</h3>!!!SO PICK ONE OF THE FOLLOWING TWO COMMANDS!!!</div>
343:
344: <pre class="programlisting">
345: # mount /dev/cgd0a /iscsi OR
346: # mount /dev/dk3 /iscsi
347: # ls -al /iscsi
348: total 3
349: drwxr-xr-x 2 root wheel 512 Jan 1 1970 .
350: drwxr-xr-x 35 root wheel 1536 Jan 5 08:59 ..
351: # df
352: Filesystem 1K-blocks Used Avail %Cap Mounted on
353: /dev/dk0 28101396 20910100 5786228 78% /
354: kernfs 1 1 0 100% /kern
355: procfs 4 4 0 100% /proc
356: ptyfs 1 1 0 100% /dev/pts
357: /dev/puffs 0 0 0 100% /mnt
358: /dev/dk3 49519 1 47043 0% /iscsi
359: #
360: </pre>
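<p>
The layering used above (vnd on the target's storage file, cgd on the vnd's ccd partition, file system on the cgd) is easy to assemble in the wrong order or to leave half-configured when a step fails. The script below is an added example, not part of the original page, which brings the stack up and down as described in the Normal Usage and Unmounting sections and checks the vnd's label before configuring the cgd; the device names, storage path and mount point are taken from the page's example and are assumptions.
</p>

```sh
#!/bin/sh
# Added example (not from the original page): bring the vnd -> cgd -> mount
# stack up and down in the right order, refusing to configure the cgd if the
# vnd's label does not look like the one set up above. Device names, storage
# path and mount point are assumptions taken from the page's own example.
STORAGE=/mnt/inspiron1300.wherever.co.uk/target1/storage
VND=vnd0; CGD=cgd0; MNT=/iscsi
# check_label: read disklabel(8) output on stdin; succeed only if partition
# 'a' starts at sector 63 (clear of the vnd's own label), has fstype ccd,
# and does not run past the label's total sector count.
check_label() {
    awk '
    /^total sectors:/ { total = $3 }
    /^ *a:/           { size = $2; off = $3; fs = $4 }
    END {
        if (off != 63)          { print "partition a offset " off ", expected 63"; exit 1 }
        if (fs != "ccd")        { print "partition a fstype " fs ", expected ccd"; exit 1 }
        if (size + off > total) { print "partition a runs past end of device"; exit 1 }
    }'
}
# iscsi_cgd_up: configure bottom-up; on failure undo the layers already
# configured so nothing is left half-assembled.
iscsi_cgd_up() {
    vnconfig "$VND" "$STORAGE" || return 1
    if ! disklabel "$VND" | check_label; then
        vnconfig -u "$VND"; return 1
    fi
    # Uses the parameters file /etc/cgd/vnd0a generated above; prompts for the passphrase.
    if ! cgdconfig "$CGD" "/dev/${VND}a"; then
        vnconfig -u "$VND"; return 1
    fi
    # On a machine using dk wedges, mount the dk assigned at cgdconfig time instead.
    if ! mount "/dev/${CGD}a" "$MNT"; then
        cgdconfig -u "$CGD"; vnconfig -u "$VND"; return 1
    fi
}
# iscsi_cgd_down: tear down top-down, as in the unmounting section above.
iscsi_cgd_down() {
    umount "$MNT" && cgdconfig -u "$CGD" && vnconfig -u "$VND"
}
# Constructed sample mirroring the vnd0 label shown above, used for a self-test.
SAMPLE_LABEL='total sectors: 102400
 a:    102336        63        ccd   2048 16384 28360  # (Cyl.      0 -     49)
 d:    102400         0     unused      0     0        # (Cyl.      0 -     49)'
case "${1:-}" in
    up)   iscsi_cgd_up ;;
    down) iscsi_cgd_down ;;
    *)    printf '%s\n' "$SAMPLE_LABEL" | check_label && echo "sample label layout OK" ;;
esac
```

Run with no argument to check the embedded sample label; `up` and `down` need root on a NetBSD host with the initiator already running.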
</div>

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="conclusion"></a>Conclusion</h3></div></div></div>


<p>
An iSCSI disk can be in a location over which complete control
cannot be assured. In order to ensure privacy, the cgd device
can be used to encrypt the data on the iSCSI device.
</p>

<p>
This document has shown how to set up a cgd device on top of the
iSCSI device, and how to mount and unmount it on a regular basis.
</p>

<p>
Author: Alistair Crooks, Sat Jan 5 22:08:32 GMT 2008
</p>
</div>
</div>
</div></div></div>
<div class="navfoot"></div>
<div id="footer"><center>
<span class="footfeed"><a href="http://www.NetBSD.org/cgi-bin/feedback.cgi">
Contact</a> |
</span><span class="footcopy"><a href="../about/disclaimer.html">
Disclaimer</a> |

<span class="copyright">Copyright © 1994-2008 The NetBSD Foundation, Inc. </span>ALL RIGHTS RESERVED.<br>NetBSD<sup>®</sup> is a registered trademark of The NetBSD
Foundation, Inc.</span>
</center></div>
</div></body>
</html>