Configuring CGD with two-factor authentication on NetBSD
This was tested on NetBSD 3.99.16; however, the instructions should apply to any version with cgd support.
Note: In my example we will be using a vnode disk; the vnd-specific steps may be omitted if they do not apply.
First, you will need the cgd pseudo-device compiled into the kernel:
pseudo-device cgd 4 # cryptographic disk devices
Now, let us begin by generating a 50 MB file that will become our crypto disk.
# dd if=/dev/zero of=encrypted.img bs=1m count=50
50+0 records in
50+0 records out
52428800 bytes transferred in 0.623 secs (84155377 bytes/sec)
Now that we have our 50 MB file, map it to a vnode disk; vnd0 is used throughout our example.
# vnconfig vnd0 encrypted.img
Now we need to disklabel vnd0; the disklabel is the verification method we will employ for our crypto disk.
# disklabel -e -I vnd0
# /dev/rvnd0d:
type: vnd
disk: vnd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 32
tracks/cylinder: 64
sectors/cylinder: 2048
cylinders: 50
total sectors: 102400
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    102400         0     4.2BSD   1024  8192 12800  # (Cyl. 0 - 49)
 d:    102400         0     unused      0     0        # (Cyl. 0 - 49)
Note the sectors/track value: use it as the offset for partition a, and subtract the same value from partition a's size, as shown below. Don't forget to write these changes.
# /dev/rvnd0d:
type: vnd
disk: vnd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 32
tracks/cylinder: 64
sectors/cylinder: 2048
cylinders: 50
total sectors: 102400
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    102368        32     4.2BSD   1024  8192 12800  # (Cyl. 0 - 49)
 d:    102400         0     unused      0     0        # (Cyl. 0 - 49)
With the vnode disk's disklabel now written, we will proceed to configure our crypto disk. The important part here, and the purpose of this walkthrough, is of course to create a crypto disk that uses two-factor authentication.
Note: We run cgdconfig with two separate -k arguments: one is for the storedkey, the other is for the passphrase.
Note 2: The params file will hold the storedkey. It should be kept on a device that you maintain control of (e.g. a USB thumb drive).
# cgdconfig -g -o /path/to/params -k storedkey -k pkcs5_pbkdf2/sha1 -V disklabel aes-cbc
This command requires a fair amount of entropy (see rndctl(8)). You can help it along by generating entropy (e.g. via disk I/O).
You may also see the following error; on the occasions I have seen it occur, rerunning the above command (perhaps more than once) has resulted in successful execution.
cgdconfig: could not calibrate pkcs5_pbkdf2
cgdconfig: Failed to generate defaults for keygen
Now we proceed to choose a passphrase for the crypto disk.
# cgdconfig -V re-enter cgd0 /dev/vnd0a /path/to/params
/dev/vnd0a's passphrase: passphrase
re-enter device's passphrase: passphrase
Now that you've chosen a passphrase, newfs the crypto disk so you can actually use it.
# newfs /dev/cgd0a
/dev/cgd0a: 50.0MB (102368 sectors) block size 8192, fragment size 1024
using 4 cylinder groups of 12.50MB, 1600 blks, 3136 inodes.
super-block backups (for fsck_ffs -b #) at:
32, 25632, 51232, 76832,
Unconfigure the crypto disk; we're about to test whether we were successful.
# cgdconfig -u cgd0
Try to configure the crypto disk.
# cgdconfig cgd0 /dev/vnd0a /path/to/params
/dev/vnd0a's passphrase: passphrase
If you were successful, it will just return to the prompt; now you're free to mount the encrypted partition wherever you choose.
# mount /dev/cgd0a /mnt
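The procedure above, wrapped into a few shell helpers as an added example (this is not code from the original post): one computes the adjusted partition a from the disklabel output using the page's sectors/track rule, one checks that the params file really carries both key sources, and one runs the unconfigure/reconfigure/mount round trip with exit codes checked instead of eyeballed. It assumes the disklabel output format shown above and that cgdconfig -g writes each key source as a "keygen <method> {" block; the device names vnd0 and cgd0 follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the cgd procedure.
# Assumed: disklabel output in the format shown on the page, and that the
# params file written by "cgdconfig -g" names each key source in a
# "keygen <method> {" block. Device names (vnd0, cgd0) follow the post.

# Constructed sample: the vnode disk's initial label, as printed on the page.
SAMPLE_LABEL='type: vnd
bytes/sector: 512
sectors/track: 32
total sectors: 102400
4 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    102400         0     4.2BSD   1024  8192 12800  # (Cyl. 0 - 49)
 d:    102400         0     unused      0     0        # (Cyl. 0 - 49)'

# Read a disklabel on stdin; print "size offset" for partition a after the
# page's rule: offset = sectors/track, size = a's size - sectors/track, so the
# first track, which holds the vnode disk's own label, stays outside cgd0.
adjusted_partition_a() {
    awk '/^sectors\/track:/ { spt = $2 }
         /^ *a:/            { asize = $2 }
         END {
             if (spt == "" || asize == "") { print "incomplete label" > "/dev/stderr"; exit 1 }
             printf "%d %d\n", asize - spt, spt
         }'
}

# Both key sources must be present or the disk is single-factor: a params
# file with only pkcs5_pbkdf2 is protected by the passphrase alone.
params_has_two_factors() {
    grep -q '^keygen storedkey' "$1" && grep -q '^keygen pkcs5_pbkdf2' "$1"
}

# The post's closing test (unconfigure, reconfigure, mount) with exit codes
# checked. Needs root on NetBSD, vnd0 attached, params generated, passphrase set.
roundtrip_check() {
    params=$1
    params_has_two_factors "$params" || { echo "params file lacks a key source" >&2; return 1; }
    cgdconfig -u cgd0 2>/dev/null                      # may not be configured yet
    cgdconfig cgd0 /dev/vnd0a "$params" || return 1    # prompts for the passphrase
    mount -o ro /dev/cgd0a /mnt && umount /mnt || return 1
    cgdconfig -u cgd0
}

if [ "${1:-}" = "--check" ]; then
    roundtrip_check "$2"
else
    printf '%s\n' "$SAMPLE_LABEL" | adjusted_partition_a    # prints: 102368 32
fi
```

Run it with no arguments to see the partition arithmetic on the sample label, or as root with --check /path/to/params to exercise the round trip on the real device.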
Posted: January 17th, 2007 under NetBSD, Papers, Security.