Subject: encrypted swap with cgd(4)
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: tech-security
Date: 04/17/2003 01:11:02
hi,
since the topic of swap encryption pops up from time to time, this
information could be useful for some people who are interested in
encrypting their swap space but are not sure how to set it up.
currently there is one limitation: cgd devices are created with a
disklabel containing only one slice marked as 4.2BSD, which is not
suitable for swapping into. this is the reason why using a cgd drive
as a swap device is not straightforward. Roland Dowdeswell is looking
into this and it should be resolved in the near future.
a real world example:
our swap device wd0b will be configured as cgd1, using a 256 bit aes-cbc
key. step by step instructions follow:
1) generate a paramsfile for the cgd device. the default file would be
/etc/cgd/wd0b but i will use /etc/cgd/swap for better illustration:

    # cgdconfig -g -V none -k randomkey aes-cbc > /etc/cgd/swap
2) configure the cgd device over wd0b (make sure wd0b is not used as a
swap device at this moment):

    # cgdconfig cgd1 /dev/wd0b /etc/cgd/swap
3) edit the disklabel for cgd1; we need to create a valid swap slice and
then save the disklabel to a file:

    # disklabel -e -I cgd1
    # /dev/rcgd1d:
    type: cgd
    disk: cgd
    label: default label
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 128
    total sectors: 263655
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    4 partitions:
    #        size    offset     fstype  [fsize bsize cpg/sgs]
     d:    263655         0     4.2BSD      0     0     0   # (Cyl. 0 - 128*)
create a swap slice and change the label (that's not really necessary, just for
our information):

    # /dev/rcgd1d:
    type: cgd
    disk: cgd
    label: swap
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 128
    total sectors: 263655
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    4 partitions:
    #        size    offset     fstype  [fsize bsize cpg/sgs]
     a:    263655         0       swap                        # (Cyl. 0 - 128*)
and save it to a file:

    # disklabel cgd1 > /etc/cgd/swap.disklabel
4) set up the cgd device to be configured automatically at boot. add the
following line into your /etc/cgd/cgd.conf:

    cgd1 /dev/wd0b /etc/cgd/swap
5) now we need to restore our disklabel to the newly created cgd device at
boot time. create /etc/rc.conf.d/cgd with this simple function:
    swap_device="cgd1"
    swap_disklabel="/etc/cgd/swap.disklabel"
    # run after the cgd rc.d script has configured the devices from cgd.conf
    start_postcmd="cgd_swap"

    # restore the disklabel saved in step 3 onto the freshly configured
    # cgd device, which otherwise comes up with the default 4.2BSD label
    cgd_swap()
    {
        if [ -f "$swap_disklabel" ]; then
            disklabel -R -r "$swap_device" "$swap_disklabel"
        fi
    }
6) add the cgd device into /etc/fstab as a swap device:

    /dev/cgd1a none swap sw 0 0
that's all. now you can activate your swap partition with
'swapctl -a /dev/cgd1a' or just reboot.
what you see above is the setup from my laptop:

    Device      1K-blocks     Used    Avail Capacity  Priority
    /dev/cgd1a     131827     8828   122999     7%    0
HTH,
regards,
--
-- Lubomir Sedlacik <salo@Xtrmntr.org> --
-- <salo@silcnet.org> --
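The six steps above, collected into a small POSIX sh script. This is an added example, not code from the original post or from NetBSD; the paths /etc/cgd/swap and /etc/cgd/swap.disklabel follow the post, the device names are whatever you pass in, and the SAMPLE_* strings are constructed, abbreviated excerpts of the disklabel and swapctl output shown in the post. Beyond the post, it turns the "make sure wd0b is not used as a swap device" remark into an explicit check, rewrites the default label with a filter instead of an interactive `disklabel -e`, and verifies the generated label actually carries a swap partition before it is written to the device. Step 5 (the /etc/rc.conf.d/cgd hook) is still written by hand as shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): helpers that automate the
# cgd swap procedure.  Paths follow the post; sample data is constructed.
# setup_cgd_swap only makes sense as root on a NetBSD host.

# Constructed sample of 'swapctl -l' output (header line plus one device).
SAMPLE_SWAPCTL='Device      1K-blocks     Used    Avail Capacity  Priority
/dev/wd0b      131827     8828   122999     7%    0'

# Constructed, shortened copy of the default label a new cgd device gets.
SAMPLE_LABEL='# /dev/rcgd1d:
type: cgd
label: default label
total sectors: 263655
4 partitions:
#        size    offset     fstype  [fsize bsize cpg/sgs]
 d:    263655         0     4.2BSD      0     0     0   # (Cyl. 0 - 128*)'

# swap_active DEVICE   (reads 'swapctl -l' output on stdin)
# Exit 0 if DEVICE is currently an active swap device.  This is the check
# behind the post's "make sure wd0b is not used as a swap device" warning.
swap_active() {
    awk -v dev="$1" '
        NR > 1 && $1 == dev { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# make_swap_label   (filter: default cgd label on stdin, swap label on stdout)
# Turns the single 4.2BSD partition "d" into a swap partition "a" with the
# same size and offset and renames the label, as done by hand in step 3.
make_swap_label() {
    awk '
        /^label:/                    { print "label: swap"; next }
        $1 == "d:" && $4 == "4.2BSD" { printf "\ta: %s %s swap\n", $2, $3; next }
        { print }'
}

# disklabel_has_swap PART   (reads a disklabel proto file on stdin)
# Exit 0 if partition PART is declared with fstype swap, so a caller can
# verify the label before writing it or before running swapctl -a.
disklabel_has_swap() {
    awk -v p="$1" '
        BEGIN { target = p ":" }
        /^[0-9]+ partitions:/ { inparts = 1; next }
        inparts && $1 == target && $4 == "swap" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# setup_cgd_swap RAWDEV CGDDEV   e.g. setup_cgd_swap /dev/wd0b cgd1
# Runs steps 1-4 and 6 of the post on a real host.
setup_cgd_swap() {
    raw=$1
    cgd=$2
    params=/etc/cgd/swap
    labelfile=/etc/cgd/swap.disklabel

    if swapctl -l | swap_active "$raw"; then
        echo "$raw is an active swap device; run 'swapctl -d $raw' first" >&2
        return 1
    fi
    cgdconfig -g -V none -k randomkey aes-cbc > "$params"   # step 1
    cgdconfig "$cgd" "$raw" "$params"                       # step 2
    disklabel "$cgd" | make_swap_label > "$labelfile"       # step 3
    if ! disklabel_has_swap a < "$labelfile"; then
        echo "generated label has no swap partition a, not writing it" >&2
        return 1
    fi
    disklabel -R -r "$cgd" "$labelfile"
    echo "$cgd $raw $params" >> /etc/cgd/cgd.conf           # step 4
    echo "/dev/${cgd}a none swap sw 0 0" >> /etc/fstab      # step 6
    swapctl -a "/dev/${cgd}a"
}

# Stand-alone use on a NetBSD host:  sh cgd_swap.sh run /dev/wd0b cgd1
if [ "${1:-}" = run ]; then
    setup_cgd_swap "$2" "$3"
fi
```

The filters are kept separate from the function that touches the system so they can be exercised against saved output without root or a cgd device; the same disklabel_has_swap check can be dropped into the rc.conf.d hook from step 5 to refuse to restore a label file that has been damaged or replaced.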