Subject: Re: New Documentation: Encrypted CDs/DVDs
To: None <netbsd-users@NetBSD.org, netbsd-advocacy@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: netbsd-advocacy
Date: 03/13/2005 10:40:20
On Sat, 12 Mar 2005, Steven M. Bellovin wrote:
> Second, it says to create the prototype file by dd'ing /dev/zero.
> That leaves zeros on the disk in unwritten sectors; these stick out
> like a sore thumb.  You could write /dev/urandom instead, though that
> can be slow.  What I recommend is a little odd.  Create the space with
> /dev/zero, as indicated.  When you're finished putting the content you
> really want on the file system, dd /dev/zero to the cgd partition,
> until it runs out of space.  Run sync, to make sure it's written
> out.  You can then delete that pad file and proceed with the unmount
> procedure.

(For "dd /dev/zero to the cgd partition" read "dd /dev/zero to a scratch
file in the filesystem that's in the cgd partition", I presume.)  With
that method, I'd be afraid that there were parts of the disk that
were reserved for file system meta-data but that were never written.

I recommend one of two methods:

A) First dd from /dev/urandom to to the backing file that will be used
by cgd, then vnconfig, cgdconfig, newfs, write the real data.  (This is
the same as Steve's first suggestion above.)

B) Create the backing file via dd from /dev/zero, then vnconfig and
cgdconfig, then dd from /dev/zero to the raw partition on the cgd device
(this will result in random-looking stuff being written to the backing
file, as cgd encrypts the zeros), then newfs and write the real data.

--apb (Alan Barrett)