Annotation of htdocs/docs/encrypted-iscsi.html, Revision 1.2

1.1       dsieger     1: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
                      2: <html>
                      3: <head>
                      4: <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
                      5: <meta name="generator" content="Website XSL Stylesheet V2.6.0">
                      6: <link rel="stylesheet" href="/global.css" type="text/css">
                      7:     <title>Encrypted iSCSI Devices on NetBSD</title>
                      8:   </head>
                      9: <body class="website"><div class="webpage">
                     52: <div id="content"><div class="fullWidth"><div class="rowOfBoxes">
                     53: <h1>Encrypted iSCSI Devices on NetBSD</h1>
                     54: <div class="sect1" lang="en">
                     55: <div class="titlepage"><div><div><h2 class="title" style="clear: both">
                     56: <a name="intro"></a>Introduction</h2></div></div></div>
                     57:
                     58:
                     59:     <p>
                     60:       This document shows how to set up and run an encrypted iSCSI device on
                     61:       NetBSD.  Encrypting the device keeps its contents confidential when the
                     62:       storage sits somewhere you do not fully control: on remote or co-located
                     63:       hardware, for instance, or on a machine that could be stolen, or to
                     64:       which others could gain access.
                     65:     </p>
                     66:
                     67:     <p>
                     68:       To encrypt the iSCSI device, we use the NetBSD iSCSI initiator,
                     69:       available in NetBSD-current, and the standard cgd device.  In all,
                     70:       setting up an encrypted device in this manner should take less than 15
                     71:       minutes, even for someone unfamiliar with iSCSI or cgd.
                     72:     </p>
                     73:
                     74:     <p>
                     75:       The approach is to layer a vnd on top of the "storage" file presented
                     76:       by the iSCSI target, exactly as one would for any ordinary file, and then
                     77:       to layer a cgd device on top of that vnd. Because cgd runs on the
                     78:       initiator, every block is encrypted before it leaves this machine, so the iSCSI target only ever stores ciphertext.
                     79:     </p>
                     80:
                     81:     <div class="sect2" lang="en">
                     82: <div class="titlepage"><div><div><h3 class="title">
                     83: <a name="devinit"></a>Device Initialisation</h3></div></div></div>
                     84:
                     85:
                     86:       <p>
                     87:        This first section shows how to initialise the device, a one-time
                     88:        operation.
                     89:       </p>
                     90:
                     91:       <p>
                     92:        Firstly, the initiator is started, pointing at the machine which is
                     93:        presenting the iSCSI storage (i.e.  the machine on which the iSCSI
                     94:        target is running).  In this example, the target is running on the
                     95:        same machine as the initiator (a laptop called, in a moment of
                     96:        inspiration, inspiron1300).  A 50 MB iSCSI target is being presented
                     97:        as target1.
                     98:       </p>
                     99:
                    100:       <pre class="programlisting">
                    101:        # obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &amp;
                    102:        [1] 11196
                    103:        #
                    104:        # df
                    105:        Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                    106:        /dev/dk0      28101396   20862004    5834324  78% /
                    107:        kernfs               1          1          0 100% /kern
                    108:        procfs               4          4          0 100% /proc
                    109:        ptyfs                1          1          0 100% /dev/pts
                    110:        /dev/puffs           0          0          0 100% /mnt
                    111:        #
                    112:       </pre>
                    113:
                    114:       <p>
                    115:        The last line shows that iscsifs, which is a puffs (userspace) file
                    116:        system, has mounted the target's storage under /mnt.
                    117:       </p>
                    118:
                    119:       <p>
                    120:        We now add a vnd device on top of the storage which the target is
                    121:        presenting:
                    122:       </p>
                    123:
                    124:       <pre class="programlisting">
                    125:        # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
                    126:        #
                    127:       </pre>
                    128:
                    129:       <p>
                    130:        We now add a disklabel whose "a" partition starts 63 sectors into the iSCSI device. The offset keeps the encrypted device which we shall put on top of the vnd clear of the vnd's own label in the first sectors of the disk, so neither overwrites the other.
                    131:        Chapter 14 of the NetBSD guide, on setting up a cgd device,
                    132:        recommends that the partition backing the cgd be given the fstype "ccd",
                    133:        as in the label below.
                    134:       </p>
                    135:
                    136:
                    137:       <pre class="programlisting">
                    138:        # disklabel -e vnd0
                    139:
                    140:        # /dev/rvnd0d:
                    141:        type: vnd
                    142:        disk: vnd
                    143:        label: fictitious
                    144:        flags:
                    145:        bytes/sector: 512
                    146:        sectors/track: 32
                    147:        tracks/cylinder: 64
                    148:        sectors/cylinder: 2048
                    149:        cylinders: 50
                    150:        total sectors: 102400
                    151:        rpm: 3600
                    152:        interleave: 1
                    153:        trackskew: 0
                    154:        cylinderskew: 0
                    155:        headswitch: 0           # microseconds
                    156:        track-to-track seek: 0  # microseconds
                    157:        drivedata: 0
                    158:
                    159:        4 partitions:
                    160:        #        size    offset     fstype [fsize bsize cpg/sgs]
                    161:        a:    102336        63     ccd      2048 16384 28360  # (Cyl.      0 -     49)
                    162:        d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
                    163:        ~
                    164:        === EdDk.a11098a [confmode] is /tmp/EdDk.a11098a ================(22,11) 95% ==
                    165:        #
                    166:       </pre>
                    167:
                    168:       <p>
                    169:        We now configure a temporary cgd over the vnd's "a" partition, with a random 128-bit key read from stdin (-s). The key is never stored: this configuration exists only so that the next step can fill the partition with ciphertext, wiping any old contents and making the whole partition look like random data, so that the real encrypted data written later cannot be told apart from unused space. (priv is a sudo-like wrapper local to the author's machine, not a NetBSD command; run cgdconfig as root.)
                    170:       </p>
                    171:
                    172:       <pre class="programlisting">
                    173:        # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 &lt; /dev/urandom
                    174:        #
                    175:       </pre>
                    176:
                    177:       <p>
                    178:        and then write zeros through the cgd, which land on the vnd as ciphertext. The "Invalid argument" from dd simply marks the end of the device being reached and can be ignored:
                    179:       </p>
                    180:
                    181:       <pre class="programlisting">
                    182:        # dd if=/dev/zero of=/dev/rcgd0d bs=32k
                    183:        dd: /dev/rcgd0d: Invalid argument
                    184:        1601+0 records in
                    185:        1600+0 records out
                    186:        52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
                    187:        #
                    188:       </pre>
                    189:
                    190:       <p>
                    191:        We now unconfigure the temporary cgd, discarding its random key.
                    192:       </p>
                    193:
                    194:       <pre class="programlisting">
                    195:        # cgdconfig -u cgd0
                    196:        #
                    197:       </pre>
                    198:
                    199:       <p>
                    200:        Next we generate the parameters file for the real device, /etc/cgd/vnd0a: a 256-bit AES-CBC key derived from a passphrase with PBKDF2, using the disklabel verification method, under which cgdconfig rejects a passphrase unless the decrypted device contains a valid disklabel. The file is named after the backing device so that cgdconfig finds it automatically later.
                    201:        Generating it calibrates the PBKDF2 iteration count for this machine by timing, and that calibration occasionally fails as shown below; simply run the command again.
                    202:       </p>
                    203:
                    204:       <pre class="programlisting">
                    205:        # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
                    206:        cgdconfig: could not calibrate pkcs5_pbkdf2
                    207:        cgdconfig: Failed to generate defaults for keygen
                    208:        # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
                    209:        #
                    210:       </pre>
                    211:
                    212:       <p>
                    213:        Now we configure the cgd with the passphrase for the first time. The cgd does not yet contain a disklabel, so the verification method in the parameters file cannot succeed; override it for this one run with -V re-enter, which only asks for the passphrase twice:
                    214:       </p>
                    215:
                    216:       <pre class="programlisting">
                    217:        # cgdconfig -V re-enter cgd0 /dev/vnd0a
                    218:        /dev/vnd0a's passphrase:
                    219:        re-enter device's passphrase:
                    220:        #
                    221:       </pre>
                    222:
                    223:       <p>
                    224:        and write a disklabel inside the cgd itself (-I lets disklabel start from the kernel's default label, since the cgd has none yet):
                    225:       </p>
                    226:
                    227:       <pre class="programlisting">
                    228:        # disklabel -I -e cgd0
                    229:
                    230:        # /dev/rcgd0d:
                    231:        type: cgd
                    232:        disk: cgd
                    233:        label: fictitious
                    234:        flags:
                    235:        bytes/sector: 512
                    236:        sectors/track: 2048
                    237:        tracks/cylinder: 1
                    238:        sectors/cylinder: 2048
                    239:        cylinders: 49
                    240:        total sectors: 102336
                    241:        rpm: 3600
                    242:        interleave: 1
                    243:        trackskew: 0
                    244:        cylinderskew: 0
                    245:        headswitch: 0           # microseconds
                    246:        track-to-track seek: 0  # microseconds
                    247:        drivedata: 0
                    248:
                    249:        4 partitions:
                    250:        #        size    offset     fstype [fsize bsize cpg/sgs]
                    251:        a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
                    252:        d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
                    253:        ~
                    254:        ~
                    255:        === EdDk.a11253a [confmode] is /tmp/EdDk.a11253a =================(22,53) 95% ==
                    256:        #
                    257:       </pre>
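What the disklabel verification method actually checks, as an added example in Python that is not part of NetBSD or of cgdconfig: a label is accepted when d_magic and d_magic2 both hold DISKMAGIC and the XOR checksum over the label up to its last used partition matches d_checksum. A freshly zeroed cgd therefore has no valid label (which is why -V re-enter was needed above), while the label just written has one, and a single flipped bit in it fails the check. The field offsets are the little-endian struct disklabel layout of NetBSD/i386; the scan range (the first two sectors, 4-byte aligned) is this example's own choice, and the device contents in demo() are constructed.

```python
import struct

DISKMAGIC = 0x82564557   # sys/disklabel.h; stored in d_magic and d_magic2
SECTOR = 512
LABELSECTOR = 1          # NetBSD/i386 keeps the label in the second sector
HDR_SIZE = 148           # struct disklabel up to d_partitions (little-endian i386 layout)
PART_SIZE = 16           # struct partition
MAXPARTITIONS = 16
FS_UNUSED, FS_BSDFFS = 0, 7   # p_fstype values for "unused" and "4.2BSD"
# byte offsets of the label fields this check touches
OFF_MAGIC, OFF_SECSIZE, OFF_SECPERUNIT = 0, 40, 60
OFF_MAGIC2, OFF_CKSUM, OFF_NPART = 132, 136, 138


def dkcksum(label: bytes, npartitions: int) -> int:
    """XOR of every 16-bit word from d_magic to the end of d_partitions[npartitions],
    with the d_checksum field itself counted as zero, as dkcksum(3) computes it."""
    buf = bytearray(label[:HDR_SIZE + PART_SIZE * npartitions])
    struct.pack_into("<H", buf, OFF_CKSUM, 0)
    total = 0
    for (word,) in struct.iter_unpack("<H", bytes(buf)):
        total ^= word
    return total


def is_valid_label(label: bytes) -> bool:
    """The acceptance rule: both magics present and the checksum matches."""
    if len(label) < HDR_SIZE:
        return False
    magic, = struct.unpack_from("<I", label, OFF_MAGIC)
    magic2, = struct.unpack_from("<I", label, OFF_MAGIC2)
    cksum, = struct.unpack_from("<H", label, OFF_CKSUM)
    npart, = struct.unpack_from("<H", label, OFF_NPART)
    if magic != DISKMAGIC or magic2 != DISKMAGIC or npart > MAXPARTITIONS:
        return False
    if len(label) < HDR_SIZE + PART_SIZE * npart:
        return False
    return dkcksum(label, npart) == cksum


def find_label(device_head: bytes):
    """Scan the start of a decrypted device at 4-byte alignment for a valid label and
    return its byte offset, or None. Under a wrong passphrase the decrypted bytes are
    noise, so nothing is found and the passphrase is rejected."""
    span = HDR_SIZE + PART_SIZE * MAXPARTITIONS
    for off in range(0, len(device_head) - HDR_SIZE + 1, 4):
        if is_valid_label(device_head[off:off + span]):
            return off
    return None


def make_label(total_sectors: int, partitions) -> bytes:
    """Build a minimal label like the one written with disklabel -I -e cgd0.
    partitions: list of (size, offset, fstype) tuples in a, b, c, d order."""
    buf = bytearray(HDR_SIZE + PART_SIZE * MAXPARTITIONS)
    struct.pack_into("<I", buf, OFF_MAGIC, DISKMAGIC)
    struct.pack_into("<I", buf, OFF_SECSIZE, SECTOR)
    struct.pack_into("<I", buf, OFF_SECPERUNIT, total_sectors)
    struct.pack_into("<I", buf, OFF_MAGIC2, DISKMAGIC)
    struct.pack_into("<H", buf, OFF_NPART, len(partitions))
    for i, (size, offset, fstype) in enumerate(partitions):
        # p_size, p_offset, p_fsize, p_fstype, p_frag, p_cpg
        struct.pack_into("<IIIBBH", buf, HDR_SIZE + PART_SIZE * i,
                         size, offset, 0, fstype, 0, 0)
    struct.pack_into("<H", buf, OFF_CKSUM, dkcksum(bytes(buf), len(partitions)))
    return bytes(buf)


def demo():
    """Three constructed device states: the freshly zeroed cgd (no label, so -V
    disklabel cannot pass), the same device after disklabel -I -e cgd0, and that
    label with one bit flipped."""
    fresh = bytes(SECTOR * 2)                       # what dd if=/dev/zero left behind
    label = make_label(102336, [(102336, 0, FS_BSDFFS), (0, 0, 0), (0, 0, 0),
                                (102336, 0, FS_UNUSED)])
    labelled = bytearray(fresh)
    labelled[SECTOR * LABELSECTOR:SECTOR * LABELSECTOR + len(label)] = label
    tampered = bytearray(labelled)
    tampered[SECTOR * LABELSECTOR + HDR_SIZE] ^= 0x01   # low bit of p_size of 'a'
    return find_label(fresh), find_label(bytes(labelled)), find_label(bytes(tampered))


if __name__ == "__main__":
    print(demo())   # (None, 512, None)
```

The checksum covers only the partitions actually declared by d_npartitions, so bytes in the unused trailing slots are not protected; that is the same rule the kernel applies, not a shortcut of this example.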
                    258:
                    259:       <p>
                    260:        Having placed a disklabel inside the cgd, we can now make a file system on it:
                    261:       </p>
                    262:
                    263:       <pre class="programlisting">
                    264:        # newfs /dev/rcgd0a
                    265:        /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
                    266:        using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
                    267:        super-block backups (for fsck_ffs -b #) at:
                    268:        32, 25616, 51200, 76784,
                    269:        #
                    270:       </pre>
                    271:
                    272:       <p>
                    273:        We can then mount the new file system in the cgd on the
                    274:        <code class="filename">/iscsi</code> mount point:
                    275:       </p>
                    276:
                    277:       <pre class="programlisting">
                    278:        # df
                    279:        Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                    280:        /dev/dk0      28101396   20910216    5786112  78% /
                    281:        kernfs               1          1          0 100% /kern
                    282:        procfs               4          4          0 100% /proc
                    283:        ptyfs                1          1          0 100% /dev/pts
                    284:        /dev/puffs           0          0          0 100% /mnt
                    285:        # mount /dev/cgd0a /iscsi
                    286:        # df
                    287:        Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                    288:        /dev/dk0      28101396   20910216    5786112  78% /
                    289:        kernfs               1          1          0 100% /kern
                    290:        procfs               4          4          0 100% /proc
                    291:        ptyfs                1          1          0 100% /dev/pts
                    292:        /dev/puffs           0          0          0 100% /mnt
                    293:        /dev/cgd0a       49519          1      47043   0% /iscsi
                    294:        #
                    295:       </pre>
                    296:
                    297:       <p>
                    298:        The new file system, mounted on /iscsi, can now be used as normal.
                    299:       </p>
                    300:     </div>
                    301:
                    302:     <div class="sect2" lang="en">
                    303: <div class="titlepage"><div><div><h3 class="title">
                    304: <a name="unmounting"></a>Unmounting the Encrypted Device</h3></div></div></div>
                    305:
                    306:
                    307:       <p>
                    308:        The device is freed up with the following commands, in this order (the reverse of the setup): unmount the file system, unconfigure the cgd, which removes the key from the kernel, and then detach the vnd:
                    309:       </p>
                    310:
                    311:       <pre class="programlisting">
                    312:        # umount /iscsi
                    313:        # cgdconfig -u cgd0
                    314:        # vnconfig -u vnd0
                    315:       </pre>
                    316:     </div>
                    317:
                    318:     <div class="sect2" lang="en">
                    319: <div class="titlepage"><div><div><h3 class="title">
                    320: <a name="usage"></a>Normal Usage</h3></div></div></div>
                    321:
                    322:
                    323:       <p>
                    324:        In normal usage, the device is mounted as follows. With iscsifs running as shown above, configure the vnd over the target's storage file and then the cgd; cgdconfig reads /etc/cgd/vnd0a, prompts for the passphrase and verifies it against the disklabel written during initialisation,
                    325:        so a wrong passphrase is rejected instead of producing a device full of garbage:
                    326:       </p>
                    327:
                    328:       <pre class="programlisting">
                    329:        # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
                    330:        # cgdconfig cgd0 /dev/vnd0a
                    331:        /dev/vnd0a's passphrase:
                    332:        #
                    333:       </pre>
                    334:
                    335:       <p>
                    336:        This machine uses dk (wedge) devices, so when the cgd is configured the kernel attaches a wedge to the partition inside it, and the file system has to be mounted through that dk device rather than through /dev/cgd0a.
                    337:        The wedge number is reported on the console at cgdconfig time and can be listed with <code>dkctl cgd0 listwedges</code>.
                    338:        On a machine without wedges, mount /dev/cgd0a directly.
                    339:       </p>
                    340:
                    341:       <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
                    342: <h3 class="title">Warning</h3>Use only one of the following two mount commands, whichever applies to your machine.</div>
                    343:
                    344:       <pre class="programlisting">
                    345:        # mount /dev/cgd0a /iscsi OR
                    346:        # mount /dev/dk3 /iscsi
                    347:        # ls -al /iscsi
                    348:        total 3
                    349:        drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
                    350:        drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
                    351:        # df
                    352:        Filesystem   1K-blocks       Used      Avail %Cap Mounted on
                    353:        /dev/dk0      28101396   20910100    5786228  78% /
                    354:        kernfs               1          1          0 100% /kern
                    355:        procfs               4          4          0 100% /proc
                    356:        ptyfs                1          1          0 100% /dev/pts
                    357:        /dev/puffs           0          0          0 100% /mnt
                    358:        /dev/dk3         49519          1      47043   0% /iscsi
                    359:        #
                    360:       </pre>
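The bring-up, wedge choice and teardown described above as one script, an added example in Python rather than anything NetBSD ships. It assumes iscsifs is already mounted on /mnt, that the one-time initialisation has left /etc/cgd/vnd0a in place, that the mount point is /iscsi, and that <code>dkctl cgd0 listwedges</code> prints one line per wedge beginning with the wedge name (dk3: ...); the sample output used in dry runs is constructed in that assumed format. Runner, up and down are this example's own names. If any step fails, the steps already completed are undone in reverse order, so a mistyped passphrase does not leave a stray vnd configured.

```python
import os
import re
import subprocess
import sys


class Runner:
    """Runs commands, or in dry-run mode just prints and records them. In dry-run
    mode `canned` maps a command name to the output it should return and
    `fail_on` names commands that should fail, so the unwind path can be tried."""

    def __init__(self, dry_run=False, canned=None, fail_on=()):
        self.dry_run = dry_run
        self.canned = dict(canned or {})
        self.fail_on = set(fail_on)
        self.log = []            # every argv handed to run(), in order

    def run(self, argv, capture=False):
        argv = list(argv)
        self.log.append(argv)
        if self.dry_run:
            print("+", " ".join(argv))
            if argv[0] in self.fail_on:
                raise subprocess.CalledProcessError(1, argv)
            return self.canned.get(argv[0], "")
        res = subprocess.run(argv, check=True, text=True, capture_output=capture)
        return res.stdout if capture else ""


def storage_path(host, target, iscsi_root="/mnt"):
    """Path of the target's backing file as iscsifs presents it (see the text)."""
    return f"{iscsi_root}/{host}/{target}/storage"


def wedge_for(listwedges_output):
    """Name of the first wedge in `dkctl cgdN listwedges` output, or None.
    Assumed line format: 'dk3: cgd0a, 102336 blocks at 0, type: ffs'."""
    for line in listwedges_output.splitlines():
        m = re.match(r"(dk\d+):", line.strip())
        if m:
            return m.group(1)
    return None


def up(host, target, runner, vnd="vnd0", cgd="cgd0", mountpoint="/iscsi"):
    """vnconfig, then cgdconfig, then mount through the wedge if the kernel made
    one. Returns (mounted device, teardown commands in the order to run them).
    On failure, whatever was already done is undone before the error propagates."""
    teardown = []
    try:
        runner.run(["vnconfig", vnd, storage_path(host, target)])
        teardown.insert(0, ["vnconfig", "-u", vnd])
        # reads /etc/cgd/vnd0a (named after the device) and prompts for the passphrase;
        # a wrong passphrase fails disklabel verification and raises here
        runner.run(["cgdconfig", cgd, f"/dev/{vnd}a"])
        teardown.insert(0, ["cgdconfig", "-u", cgd])
        try:
            wedges = runner.run(["dkctl", cgd, "listwedges"], capture=True)
        except subprocess.CalledProcessError:
            wedges = ""          # no wedge support on this kernel: use the partition
        wedge = wedge_for(wedges)
        device = f"/dev/{wedge}" if wedge else f"/dev/{cgd}a"
        runner.run(["mount", device, mountpoint])
        teardown.insert(0, ["umount", mountpoint])
    except subprocess.CalledProcessError:
        down(teardown, runner)
        raise
    return device, teardown


def down(teardown, runner):
    """umount, then cgdconfig -u (drops the key from the kernel), then vnconfig -u."""
    for argv in teardown:
        runner.run(argv)


if __name__ == "__main__":
    host, target = "inspiron1300.wherever.co.uk", "target1"
    dry = "-n" in sys.argv                 # -n: print the commands instead of running them
    if not dry and not os.path.exists(storage_path(host, target)):
        sys.exit("iscsifs does not seem to be mounted on /mnt")
    if not dry and not os.path.exists("/etc/cgd/vnd0a"):
        sys.exit("/etc/cgd/vnd0a is missing: do the one-time initialisation first")
    device, teardown = up(host, target, Runner(dry_run=dry))
    print("mounted", device, "on /iscsi; release with:",
          "; ".join(" ".join(a) for a in teardown))
```

Running it with -n on any machine prints the command sequence without touching the system; on the NetBSD initiator, run it as root and cgdconfig will prompt for the passphrase on the terminal as usual.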
                    361:     </div>
                    362:
                    363:     <div class="sect2" lang="en">
                    364: <div class="titlepage"><div><div><h3 class="title">
                    365: <a name="conclusion"></a>Conclusion</h3></div></div></div>
                    366:
                    367:
                    368:       <p>
                    369:        An iSCSI disk can be in a location over which complete control cannot be assured. To keep its contents confidential, the cgd device can be layered over the iSCSI device, so that only ciphertext is ever stored on the target or sent across the network.
                    370:        Note what this does not provide: cgd offers confidentiality but no integrity protection, so anyone who can write to the target's storage can still corrupt or alter the ciphertext undetected (the file system will simply see garbage where they wrote),
                    371:        and the passphrase, together with the /etc/cgd/vnd0a parameters file, must be protected on the initiator, since with both of them a copy of the storage file can be decrypted.
                    372:       </p>
                    373:
                    374:       <p>
                    375:        This document has shown how to set up a cgd device on top of the
                    376:        iSCSI device, and how to mount and unmount on a regular basis.
                    377:       </p>
1.2     ! dsieger   378:
        !           379:       <p>
        !           380:        Author: Alistair Crooks, Sat Jan  5 22:08:32 GMT 2008
        !           381:       </p>
1.1       dsieger   382:     </div>
                    383:   </div>
                    384: </div></div></div>
                    385: <div class="navfoot"></div>
                    386: <div id="footer"><center>
                    387: <span class="footfeed"><a href="http://www.NetBSD.org/cgi-bin/feedback.cgi">
                    388:          Contact</a> |
                    389:       </span><span class="footcopy"><a href="../about/disclaimer.html">
                    390:       Disclaimer</a> |
                    391:
                    392:       <span class="copyright">Copyright © 1994-2008 The NetBSD Foundation, Inc. </span>ALL RIGHTS RESERVED.<br>NetBSD<sup>®</sup> is a registered trademark of The NetBSD
                    393:        Foundation, Inc.</span>
                    394: </center></div>
                    395: </div></body>
                    396: </html>
