CGD(4) | Device Drivers Manual | CGD(4) |
cgd
—
cryptographic disk driver
pseudo-device cgd
The cgd
driver, configured with the
cgdconfig(8) tool,
implements a logical disk device by encrypting or decrypting disk sectors on
their way to and from a physical backing disk or partition.
As long as you keep the key secret, cgd
keeps the content of the disk secret from a
passive
adversary, such as a thief who steals your disk or a border patrol agent who
detains you and takes a snapshot of your laptop's disk while you are
crossing a border.
cgd
does not detect
tampering by an
active
adversary who can modify the content of the backing store, such as a
man-in-the-middle between you and an iSCSI target, or after the border
patrol returns your laptop to you.
The following ciphers are supported:
adiantum
(key size: 256 bits)
Adiantum provides the best security by encrypting entire disk sectors at a time (512 bytes), and generally provides the best performance on machines without CPU support for accelerating AES.
aes-cbc
(key sizes: 128, 192, or 256 bits)
aes-xts
(key sizes: 256 or 512 bits)
The following obsolete ciphers are supported for compatibility with old disks.
WARNING: These obsolete ciphers are implemented without timing side channel protection, so, for example, JavaScript code in a web browser that can measure the timing of disk activity may be able to recover the secret key. These are also based on 64-bit block ciphers and are therefore unsafe for disks much larger than a gigabyte. You should not use these except where compatibility with old disks is necessary.
3des-cbc
(key size: 192 bits)
Note: Internally, the ‘parity bits’ of the 192-bit key are ignored, so there are only 168 bits of key material, and owing to generic attacks on 64-bit block ciphers and to meet-in-the-middle attacks on compositions of ciphers as in EDE3 the security is much lower than one might expect even for a 168-bit key.
blowfish-cbc
(key sizes: 40, 48, 56, 64, ..., 432, 440, or 448 bits)
A very early version of cgd
had a bug in
the CBC-based ciphers aes-cbc
,
3des-cbc
, and blowfish-cbc
:
the CBC initialization vector was chosen to be the
eight-fold
encryption under the block cipher of the little-endian encoding of the disk
sector number, which has no impact on security but reduces performance. For
compatibility with such disks, the ‘IV method’ must be set to
encblkno8
. Otherwise the ‘IV method’
should always be encblkno1
. The parameter is
meaningless for adiantum
and
aes-xts
.
A cgd
responds to all of the standard disk
ioctl(2) calls defined in
sd(4), and also defines the
following:
CGDIOCSET
cgd
. This
ioctl(2) sets up the
encryption parameters and points the cgd
at the
underlying disk.CGDIOCCLR
cgd
.CGDIOCGET
cgd
.These ioctl(2)'s and
their associated data structures are defined in
<dev/cgdvar.h>
header.
It goes without saying that if you forget the passphrase that you
used to configure a cgd
, then you have irrevocably
lost all of the data on the disk. Please ensure that you are using an
appropriate backup strategy.
cgd
device special files.config(1), ioctl(2), sd(4), cgdconfig(8), MAKEDEV(8)
Roland C. Dowdeswell and John Ioannidis, The CryptoGraphic Disk Driver, Proceedings of the FREENIX Track: 2003 USENIX Annual Technical Conference, USENIX Association, https://www.usenix.org/event/usenix03/tech/freenix03/full_papers/dowdeswell/dowdeswell.pdf, 179-186, June 9-14, 2003.
Paul Crowley and Eric Biggers, Adiantum: length-preserving encryption for entry-level processors, International Association of Cryptologic Research, Transactions on Symmetric Cryptology, 4, 2018, https://doi.org/10.13154/tosc.v2018.i4.39-61, 39-61.
FIPS PUB 46-3: Data Encryption Standard (DES), National Institute of Standards and Technology, https://csrc.nist.gov/publications/detail/fips/46/3/archive/1999-10-25, United States Department of Commerce, October 25, 1999, withdrawn May 19, 2005.
FIPS PUB 197: Advanced Encryption Standard (AES), National Institute of Standards and Technology, https://csrc.nist.gov/publications/detail/fips/197/final, United States Department of Commerce, November 2001.
Morris Dworkin, Recommendation for Block Cipher Modes of Operation: Methods and Techniques, National Institute of Standards and Technology, https://csrc.nist.gov/publications/detail/sp/800-38a/final, United States Department of Commerce, December 2001, NIST Special Publication 800-38A.
Morris Dworkin, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices, National Institute of Standards and Technology, https://csrc.nist.gov/publications/detail/sp/800-38e/final, United States Department of Commerce, January 2010, NIST Special Publication 800-38E.
Bruce Schneier, The Blowfish Encryption Algorithm, https://www.schneier.com/academic/blowfish, superseded by Twofish, superseded by Threefish.
Karthikeyan Bhargavan and Gaëtan Leurent, Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN, https://sweet32.info.
The cgd
driver was written by Roland C.
Dowdeswell for NetBSD. The
cgd
driver originally appeared in
NetBSD 2.0. The aes-xts
cipher was added in NetBSD 8.0. The
adiantum
cipher was added in NetBSD
10.0.
September 27, 2024 | NetBSD 10.99 |