CGDCONFIG(8) | System Manager's Manual | CGDCONFIG(8) |
cgdconfig
—
cgdconfig |
[-enpv ] [-V
vmeth] cgd dev
[paramsfile] |
cgdconfig |
-C [-enpv ]
[-f configfile] |
cgdconfig |
-G [-enpv ]
[-i ivmeth]
[-k kgmeth]
[-o outfile]
paramsfile |
cgdconfig |
-g [-nv ]
[-i ivmeth]
[-k kgmeth]
[-o outfile]
alg [keylen] |
cgdconfig |
-l
[-v [v ]]
[cgd] |
cgdconfig |
-s [-nv ]
[-i ivmeth]
cgd dev
alg [keylen] |
cgdconfig |
-U [-nv ]
[-f configfile] |
cgdconfig |
-u [-nv ]
cgd |
cgdconfig
is used to configure and unconfigure
cryptographic disk devices (cgds) and to maintain the configuration files that
are associated with them. For more information about cryptographic disk
devices see cgd(4).
The options are as follows:
-C
-e
-f
configfile-G
-g
-i
ivmeth-k
kgmeth-l
[cgd]-n
-o
outfile-o
is not given,
any paramsfile content is written to standard output.-p
-s
-U
-u
-V
vmeth-v
For more information about the cryptographic algorithms and IV methods supported, please refer to cgd(4).
cgdconfig
evaluates all of the key generation methods in the parameters file and uses
the exclusive-or of the outputs of all the methods. The methods and
descriptions are as follows:
-G
option, and a new passphrase.cgdconfig
determines if
the generated key is correct. If the newly configured disk fails to verify,
then cgdconfig
will regenerate the key and
re-configure the device. It only makes sense to specify a verification method
if at least one of the key generation methods is error prone, e.g., uses a
user-entered passphrase. The following verification methods are supported:
cgdconfig
if either of -C
or
-U
are specified. Each line of the file is composed of
either two or three tokens: cgd, target, and optional paramsfile.
A ‘#’ character is interpreted as a comment and indicates that the rest of the line should be ignored. A ‘\’ at the end of a line indicates that the next line is a continuation of the current line.
If the second field is of the form “NAME=<value>” then all the dk(4) wedge partitions are searched for one that has a wedge name equal to <value> and the device corresponding to it is selected.
If the second field starts with the prefix “ROOT.” the prefix is replaced with “/dev/[root_device]”, where [root_device] is the value of the “kern.root_device” sysctl.
See EXAMPLES for an example of /etc/cgd/cgd.conf.
-g
flag and not edited by hand. When a device is
configured the default parameters file is constructed by taking the basename
of the target disk and prepending /etc/cgd/ to it.
E.g., if the target is /dev/sd0h, then the default
parameters file will be /etc/cgd/sd0h.
It is possible to have more than one parameters file for a given
disk which use different key generation methods but will generate the same
key. To create a parameters file that is equivalent to an existing
parameters file, use cgdconfig
with the
-G
flag. See
EXAMPLES for an example of this
usage.
The parameters file contains a list of statements each terminated with a semi-colon. Some statements can contain statement-blocks which are either a single unadorned statement, or a brace-enclosed list of semicolon terminated statements. Three types of data are understood:
The following statements are defined:
The keygen statement's statement block may contain the following statements:
# cgdconfig -g -o /etc/cgd/wd0e aes-cbc 192 # cgdconfig cgd0 /dev/wd0e /dev/wd0e's passphrase:
When using verification methods, the first time that we configure
the disk the verification method will fail. We overcome this by supplying
-V
re-enter when we configure
the first time to set up the disk. Here is the sequence of commands that is
recommended:
# cgdconfig -g -o /etc/cgd/wd0e -V disklabel aes-cbc # cgdconfig -V re-enter cgd0 /dev/wd0e /dev/wd0e's passphrase: re-enter device's passphrase: # disklabel -e -I cgd0 # cgdconfig -u cgd0 # cgdconfig cgd0 /dev/wd0e /dev/wd0e's passphrase:
To scrub data from a disk before setting up a cgd:
# cgdconfig -s cgd0 /dev/sd0e aes-cbc 256 < /dev/urandom # dd if=/dev/zero of=/dev/rcgd0d bs=32k progress=512 # cgdconfig -u cgd0
To create a new parameters file that will generate the same key as an old parameters file:
# cgdconfig -G -o newparamsfile oldparamsfile old file's passphrase: new file's passphrase:
To configure a cgd that uses Blowfish with a 200 bit key that it reads from stdin:
# cgdconfig -s cgd0 /dev/sd0h blowfish-cbc 200
An example parameters file which uses PKCS#5 PBKDF2:
algorithm aes-cbc; iv-method encblkno1; keylength 128; verify_method none; keygen pkcs5_pbkdf2/sha1 { iterations 39361; salt AAAAgMoHiYonye6Kog \ dYJAobCHE=; };
An example parameters file which stores its key locally:
algorithm aes-cbc; iv-method encblkno1; keylength 256; verify_method none; keygen storedkey key AAABAK3QO6d7xzLfrXTdsgg4 \ ly2TdxkFqOkYYcbyUKu/f60L;
An example /etc/cgd/cgd.conf:
# # /etc/cgd/cgd.conf # Configuration file for cryptographic disk devices # # cgd target [paramsfile] cgd0 /dev/wd0e cgd1 NAME=mycgd /usr/local/etc/cgd/mycgd
Note the first entry will store the parameters file as /etc/cgd/wd0e. And use the entered passphrase to generate the key.
Although not required, the partition type cgd should be used in the disklabel or GPT type field for the cgd partition.
“PKCS #5 v2.0: Password-Based Cryptography Standard”, RSA Laboratories, March 25, 1999.
cgdconfig
utility appeared in
NetBSD 2.0.
December 27, 2018 | NetBSD 9.4 |