File: [cvs.NetBSD.org] / htdocs / docs / encrypted-iscsi.html

Revision 1.46, Mon Apr 19 07:19:25 2021 UTC (5 months, 3 weeks ago) by nia
Branch: MAIN
CVS Tags: HEAD
Changes since 1.45: +1 -1 lines

regen

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="Website XSL Stylesheet V2.6.0">
<link rel="home" href="../." title="Welcome to The NetBSD Project: Of course it runs NetBSD.">
<link rel="up" href="../docs/." title="NetBSD Documentation">
<link rel="previous" href="../docs/elf.html" title="NetBSD ELF FAQ">
<link rel="next" href="../docs/current/." title="Tracking NetBSD-current">
<link rel="first" href="../docs/Hardware/." title="Hardware Documentation">
<link rel="last" href="../docs/x/." title="NetBSD Documentation: The X Window System">
<link rel="stylesheet" href="../global.css" type="text/css">
<link rel="stylesheet" href="../donations/thermo/fundraiser.css" type="text/css">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
    <title>Encrypted iSCSI Devices on NetBSD</title>
  </head>
<body class="website"><div class="webpage">
<a name="docs-encrypted-iscsi"></a><div id="top"><a href="#mainContent" id="skiplink" tabindex="1">Skip to main content.</a></div>
<div id="content"><div id="mainContent" class="fullWidth"><div class="rowOfBoxes">
<h1>Encrypted iSCSI Devices on NetBSD</h1>
<div class="sect1">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="intro"></a>Introduction</h2></div></div></div>
    

    <p>
      This document shows how to set up and run an encrypted iSCSI device on
      NetBSD.  Encrypting the device maintains privacy for storage located
      remotely (on co-located hardware, for instance), or on machines which
      could be stolen or to which others could gain access.
    </p>

    <p>
      To encrypt the iSCSI device, we use the NetBSD iSCSI initiator,
      available in NetBSD-current, and the standard cgd device.  In all,
      setting up an encrypted device in this manner should take less than 15
      minutes, even for someone unfamiliar with iSCSI or cgd.
    </p>

    <p>
      The approach is to layer a vnd on top of the "storage" file presented
      by the iSCSI target, exactly as a vnd is normally used on a file.  On
      top of that vnd, we layer a cgd device, which ensures that all data
      written to the iSCSI device is encrypted.
    </p>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="devinit"></a>Device Initialisation</h3></div></div></div>
      

      <p>
	This first section shows how to initialise the device, a one-time
	operation.
      </p>

      <p>
	Firstly, the initiator is started, pointing at the machine which is
	presenting the iSCSI storage (i.e.  the machine on which the iSCSI
	target is running).  In this example, the target is running on the
	same machine as the initiator (a laptop called, in a moment of
	inspiration, inspiron1300).  A 50 MB iSCSI target is being presented
	as target1.
      </p>

      <pre class="programlisting">
	# obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &amp;
	[1] 11196
	#
	# df
	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
	/dev/dk0      28101396   20862004    5834324  78% /
	kernfs               1          1          0 100% /kern
	procfs               4          4          0 100% /proc
	ptyfs                1          1          0 100% /dev/pts
	/dev/puffs           0          0          0 100% /mnt
	#
      </pre>

      <p>
	Looking at the last line, we can see that the initiator is running
	via the puffs device.
      </p>

      <p>
	We now add a vnd device on top of the storage which the target is
	presenting:
      </p>

      <pre class="programlisting">
	# vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
	#
      </pre>

      <p>
	We now add a disklabel whose "a" partition is offset 63 blocks into
	the iSCSI device.  This is so that the encrypted device which we shall
	put on top of the vnd does not clash with the vnd's label.  Chapter 14
	of the NetBSD guide, on setting up a cgd device, recommends that the
	cgd's type be "ccd".
      </p>


      <pre class="programlisting">
	# disklabel -e vnd0

	# /dev/rvnd0d:
	type: vnd
	disk: vnd
	label: fictitious
	flags:
	bytes/sector: 512
	sectors/track: 32
	tracks/cylinder: 64
	sectors/cylinder: 2048
	cylinders: 50
	total sectors: 102400
	rpm: 3600
	interleave: 1
	trackskew: 0
	cylinderskew: 0
	headswitch: 0           # microseconds
	track-to-track seek: 0  # microseconds
	drivedata: 0

	4 partitions:
	#        size    offset     fstype [fsize bsize cpg/sgs]
	a:    102336        63     ccd      2048 16384 28360  # (Cyl.      0 -     49)
	d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
	~
	=== EdDk.a11098a [confmode] is /tmp/EdDk.a11098a ================(22,11) 95% ==
	#
      </pre>

      <p>
	We now set up the cgd device, pointing it at the vnd device.
      </p>

      <pre class="programlisting">
	# priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 &lt; /dev/urandom
	#
      </pre>

      <p>
	and then zero the cgd device's storage.
      </p>

      <pre class="programlisting">
	# dd if=/dev/zero of=/dev/rcgd0d bs=32k
	dd: /dev/rcgd0d: Invalid argument
	1601+0 records in
	1600+0 records out
	52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
	#
      </pre>
      
      <p>
	We now unconfigure the cgd device.
      </p>

      <pre class="programlisting">
	# cgdconfig -u cgd0
	#
      </pre>

      <p>
	and then generate a parameters file for the cgd which uses the
	disklabel verification method.  Sometimes this process does not
	complete properly (as the calibration error below shows), and so it
	has to be repeated.
      </p>

      <pre class="programlisting">
	# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
	cgdconfig: could not calibrate pkcs5_pbkdf2
	cgdconfig: Failed to generate defaults for keygen
	# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
	#
      </pre>
      
      <p>
	Now we have to set the passphrase for the cgd device, entering it
	twice for verification:
      </p>

      <pre class="programlisting">
	# cgdconfig -V re-enter cgd0 /dev/vnd0a
	/dev/vnd0a's passphrase:
	re-enter device's passphrase:
	#
      </pre>

      <p>
	and then write a disklabel inside the cgd itself:
      </p>

      <pre class="programlisting">
	# disklabel -I -e cgd0

	# /dev/rcgd0d:
	type: cgd
	disk: cgd
	label: fictitious
	flags:
	bytes/sector: 512
	sectors/track: 2048
	tracks/cylinder: 1
	sectors/cylinder: 2048
	cylinders: 49
	total sectors: 102336
	rpm: 3600
	interleave: 1
	trackskew: 0
	cylinderskew: 0
	headswitch: 0           # microseconds
	track-to-track seek: 0  # microseconds
	drivedata: 0

	4 partitions:
	#        size    offset     fstype [fsize bsize cpg/sgs]
	a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
	d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
	~
	~
	=== EdDk.a11253a [confmode] is /tmp/EdDk.a11253a =================(22,53) 95% ==
	#
      </pre>

      <p>
	Having placed a disklabel inside the cgd, we can now make a filesystem on there:
      </p>

      <pre class="programlisting">
	# newfs /dev/rcgd0a
	/dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
	using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
	super-block backups (for fsck_ffs -b #) at:
	32, 25616, 51200, 76784,
	#
      </pre>

      <p>
	We can then mount the new file system in the cgd on the
	<code class="filename">/iscsi</code> mount point:
      </p>

      <pre class="programlisting">
	# df
	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
	/dev/dk0      28101396   20910216    5786112  78% /
	kernfs               1          1          0 100% /kern
	procfs               4          4          0 100% /proc
	ptyfs                1          1          0 100% /dev/pts
	/dev/puffs           0          0          0 100% /mnt
	# mount /dev/cgd0a /iscsi
	# df
	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
	/dev/dk0      28101396   20910216    5786112  78% /
	kernfs               1          1          0 100% /kern
	procfs               4          4          0 100% /proc
	ptyfs                1          1          0 100% /dev/pts
	/dev/puffs           0          0          0 100% /mnt
	/dev/cgd0a       49519          1      47043   0% /iscsi
	#
      </pre>

      <p>
	The new file system, mounted on /iscsi, can now be used as normal.
      </p>
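      <p>
	The whole initialisation sequence above, as an added example script that
	is not part of the original document.  It runs the same commands in the
	same order, and with DRY_RUN=1 prints them instead of executing them.  It
	assumes (hypothetically, the page does not say so) that the initiator is
	already running, that the storage path, sector count and device names are
	supplied by the caller, that the "a" partition size is rounded down to a
	multiple of ALIGN sectors, and that the two disklabels are applied from
	proto files with disklabel -R rather than edited interactively as above.
      </p>

```sh
#!/bin/sh
# Added example, not from the original document: the one-time
# initialisation above as a script, in the same order as the manual steps.
# Every command goes through run(), so DRY_RUN=1 prints the sequence
# instead of executing it.
#
# Assumptions (hypothetical, not stated on the page): the initiator is
# already running; the storage path, sector count and device names are
# supplied by the caller; the 'a' partition size is rounded down to a
# multiple of ALIGN sectors; and the two disklabels are applied from proto
# files with "disklabel -R" rather than edited interactively.

STORAGE=${STORAGE:-/mnt/inspiron1300.wherever.co.uk/target1/storage}
TOTAL_SECTORS=${TOTAL_SECTORS:-102400}  # total sectors of the vnd (see its label above)
LABEL_OFFSET=63                         # keeps the cgd clear of the vnd's own label
ALIGN=64
VND=${VND:-vnd0}
CGD=${CGD:-cgd0}
PARAMS=${PARAMS:-/etc/cgd/${VND}a}
CIPHER=${CIPHER:-aes-cbc}
KEYLEN=${KEYLEN:-256}
MNT=${MNT:-/iscsi}

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Size in sectors of the vnd's 'a' partition, and hence of the cgd on it.
cgd_size() {
    echo $(( (($1 - LABEL_OFFSET) / ALIGN) * ALIGN ))
}

# Partition lines for the vnd label: 'a' starts LABEL_OFFSET sectors in,
# with fstype ccd as the guide recommends for a cgd's backing store.
vnd_partitions() {
    printf 'a: %d %d ccd\n' "$(cgd_size "$1")" "$LABEL_OFFSET"
    printf 'd: %d 0 unused\n' "$1"
}

# Partition lines for the label inside the cgd, whose 'a' starts at 0.
cgd_partitions() {
    printf 'a: %d 0 4.2BSD\n' "$(cgd_size "$1")"
    printf 'd: %d 0 unused\n' "$(cgd_size "$1")"
}

# Take the device's current label, replace its partition lines with the
# output of the given function, and write the result back.
apply_label() {  # apply_label DEVICE PARTITION_FUNC
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'disklabel -R %s (%s)\n' "$1" "$2"
        return 0
    fi
    proto=$(mktemp) || return 1
    { disklabel "$1" | sed '/^ *[a-p]:/d'; "$2" "$TOTAL_SECTORS"; } > "$proto" &&
        disklabel -R "$1" "$proto"
    status=$?
    rm -f "$proto"
    return "$status"
}

init_encrypted_iscsi() {
    run vnconfig "$VND" "$STORAGE" || return 1
    apply_label "$VND" vnd_partitions || return 1
    # Throwaway random key: zeroing through it fills the backing store with
    # ciphertext, so used and unused blocks look alike to an observer.
    run cgdconfig -s "$CGD" "/dev/${VND}a" "$CIPHER" 128 < /dev/urandom || return 1
    run dd if=/dev/zero "of=/dev/r${CGD}d" bs=32k   # "Invalid argument" at end of device is expected
    run cgdconfig -u "$CGD" || return 1
    # Parameters file with a passphrase-derived key; retried once, as above.
    run cgdconfig -g -V disklabel -o "$PARAMS" "$CIPHER" "$KEYLEN" ||
        run cgdconfig -g -V disklabel -o "$PARAMS" "$CIPHER" "$KEYLEN" || return 1
    run cgdconfig -V re-enter "$CGD" "/dev/${VND}a" || return 1
    apply_label "$CGD" cgd_partitions || return 1
    run newfs "/dev/r${CGD}a" || return 1
    run mount "/dev/${CGD}a" "$MNT"
}

case "${1:-}" in
    init) init_encrypted_iscsi ;;
esac
```

      <p>
	Run it as <code class="filename">DRY_RUN=1 sh init-iscsi.sh init</code>
	first to review the sequence; every step after vnconfig stops the
	script on failure, so a half-initialised device is never left mounted.
      </p>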
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="unmounting"></a>Unmounting the Encrypted Device</h3></div></div></div>
      

      <p>
	The device can be freed up using the following commands:
      </p>

      <pre class="programlisting">
	# umount /iscsi
	# cgdconfig -u cgd0
	# vnconfig -u vnd0
      </pre>
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="usage"></a>Normal Usage</h3></div></div></div>
      

      <p>
	In normal usage, the device is mounted as follows.  Firstly, with the
	initiator running and connected to the target, the vnd and cgd devices
	are configured on top of the storage it presents:
      </p>

      <pre class="programlisting">
	# vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
	# cgdconfig cgd0 /dev/vnd0a
	/dev/vnd0a's passphrase:
	#
      </pre>

      <p>
	I'm using dk devices on this machine, so I now have to access the cgd
	device using the dk that was assigned in the cgdconfig step.  If I
	wasn't using dk devices, then I'd use the cgd device.
      </p>

      <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>!!!SO PICK ONE OF THE FOLLOWING TWO COMMANDS!!!</div>

      <pre class="programlisting">
	# mount /dev/cgd0a /iscsi OR
	# mount /dev/dk3 /iscsi
	# ls -al /iscsi
	total 3
	drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
	drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
	# df
	Filesystem   1K-blocks       Used      Avail %Cap Mounted on
	/dev/dk0      28101396   20910100    5786228  78% /
	kernfs               1          1          0 100% /kern
	procfs               4          4          0 100% /proc
	ptyfs                1          1          0 100% /dev/pts
	/dev/puffs           0          0          0 100% /mnt
	/dev/dk3         49519          1      47043   0% /iscsi
	#
      </pre>
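      <p>
	The routine attach (this section) and detach (the Unmounting section
	above) sequences as one added example script, not part of the original
	document.  It brings the layers up from the bottom and tears them down
	from the top, and if a layer fails to come up it unconfigures the ones
	already attached.  It assumes (hypothetically) that the initiator is
	already running, and that MOUNT_DEV is the node to mount: /dev/cgd0a,
	or the dkN wedge reported by cgdconfig on a system using dk devices, as
	the warning above explains.
      </p>

```sh
#!/bin/sh
# Added example, not from the original document: attach and detach the
# vnd/cgd stack on the iSCSI storage file, in the order shown above.
# DRY_RUN=1 prints the commands instead of executing them; FAIL_CMD names
# a command that should be treated as failed, to exercise the rollback.
#
# Assumptions (hypothetical): the initiator is already running, and
# MOUNT_DEV is /dev/cgd0a or the dkN wedge assigned at the cgdconfig step.

STORAGE=${STORAGE:-/mnt/inspiron1300.wherever.co.uk/target1/storage}
VND=${VND:-vnd0}
CGD=${CGD:-cgd0}
MOUNT_DEV=${MOUNT_DEV:-/dev/${CGD}a}
MNT=${MNT:-/iscsi}

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
        [ "$1" != "${FAIL_CMD:-}" ]   # pretend FAIL_CMD failed (dry run only)
    else
        "$@"
    fi
}

# Bring the stack up bottom to top: vnd on the storage file, cgd on the
# vnd's 'a' partition (this prompts for the passphrase), then the
# filesystem.  Any failure unwinds whatever was already configured.
attach() {
    run vnconfig "$VND" "$STORAGE" || return 1
    if ! run cgdconfig "$CGD" "/dev/${VND}a"; then
        run vnconfig -u "$VND"
        return 1
    fi
    if ! run mount "$MOUNT_DEV" "$MNT"; then
        run cgdconfig -u "$CGD"
        run vnconfig -u "$VND"
        return 1
    fi
}

# Tear the stack down top to bottom, stopping at the first layer that
# will not go away (a busy mount, say): the cgd must never be
# unconfigured underneath a mounted filesystem.
detach() {
    run umount "$MNT" || return 1
    run cgdconfig -u "$CGD" || return 1
    run vnconfig -u "$VND"
}

case "${1:-}" in
    attach) attach ;;
    detach) detach ;;
esac
```

      <p>
	Usage: <code class="filename">sh iscsi-cgd.sh attach</code> and
	<code class="filename">sh iscsi-cgd.sh detach</code>; on a machine
	with dk devices, set <code class="filename">MOUNT_DEV=/dev/dk3</code>
	(or whichever wedge cgdconfig assigned) in the environment first.
      </p>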
    </div>

    <div class="sect2">
<div class="titlepage"><div><div><h3 class="title">
<a name="conclusion"></a>Conclusion</h3></div></div></div>
      

      <p>
	An iSCSI disk can be in a location over which complete control
	cannot be assured. In order to ensure privacy, the cgd device 
	can be used to encrypt the data on the iSCSI device.
      </p>

      <p>
	This document has shown how to set up a cgd device on top of the
	iSCSI device, and how to mount and unmount on a regular basis.
      </p>

      <p>
	Author: Alistair Crooks, Sat Jan  5 22:08:32 GMT 2008
      </p>
    </div>
  </div>
</div></div></div>
<div id="footer"><div id="footerContent"><center>
<span class="footfeed"><a href="//www.NetBSD.org/cgi-bin/feedback.cgi">
	  Contact</a> |
      </span><span class="footcopy"><a href="../about/disclaimer.html">
      Disclaimer</a> |

      <span class="copyright">Copyright 1994-2021 The NetBSD Foundation, Inc. </span>ALL RIGHTS RESERVED.<br>NetBSD<sup>&reg;</sup> is a registered trademark of The NetBSD
	Foundation, Inc.</span>
</center></div></div>
</div></body>
</html>