Introduction

This lab shows you how to create an encrypted disk. This is especially useful on laptop computers, to prevent data theft. 'CGD' (Cryptographic Disk driver) is the NetBSD utility that we will use to create an encrypted logical disk. We will be using the well-known cipher AES (Advanced Encryption Standard) in CBC (Cipher-Block Chaining) mode.

Steps

First, do a NetBSD install in VMWare (not Virtual PC; VMWare is 300% faster), and make sure to follow this partitioning scheme:

		    /			remaining space
		    /tmp		0 (mfs)
		    /usr		5g
		    /var		5g
		    /home		0 (none)
		    /spare		1g


The next step is to recompile the kernel with the 'cgd' device enabled.
First, fetch all of the source files (using mget *.tar.gz in ftp; REMEMBER TO USE 'bin' MODE ON FTP!), then extract them with this command:

Commands:

	sh -c 'for file in *.tar.gz; do tar -xzf "$file" -C /usr; done'

Then build and install the new kernel:

Commands:

	    cd /usr/src/sys/arch/i386/conf
	    cp GENERIC CGD
	    # edit CGD and enable the 'cgd' device
	    config CGD
	    cd ../compile/CGD
	    make depend
	    make
	    mv /netbsd /netbsd.old	# back up the old kernel, just in case
	    cp netbsd /netbsd		# install our new kernel, GENERIC + cgd
	    reboot

We are now ready to proceed with the lab.

Warning:

Do not forget the passphrase you use for the CGD device. There is absolutely no way to recover it, and all of your data will be lost.

Commands:

	    umount /dev/wd0g
	    cgdconfig -g -V none -o /etc/cgd/wd0g aes-cbc 256
	    cgdconfig -V re-enter cgd0 /dev/wd0g
	    newfs /dev/rcgd0a
    

Add the following line to /etc/cgd/cgd.conf:

cgd0 /dev/wd0g

This will use the /etc/cgd/wd0g file to configure /dev/cgd0.
Next, enable cgd in rc.conf.
Start CGD (hint: rc.d).
You will be prompted for the password.
Now, configure CGD so it won't start at bootup (you must actually set it to NO, not just remove it, because the default is YES).
Reconfigure the /spare partition in /etc/fstab so that it points to the right device (/dev/cgd0a), rename it to /crypt (create this empty directory as well), and set it so that it won't be mounted automatically and won't be scanned by fsck at bootup.
Reboot.
Start cgd (to start an rc.d script when it is set to NO in rc.conf, use 'onestart' instead of 'start').
Manually mount the /crypt partition.
Add a new user, and make their home directory on the /crypt partition.
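
Added example (not part of the original lab): a shell script that checks the end state the steps above describe, namely cgd explicitly set to NO in rc.conf, the cgd0 mapping in cgd.conf, and a /crypt fstab entry that is neither auto-mounted nor checked by fsck. The function names and the directory parameter are assumptions made for this example, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: file locations are passed in, so the checks can run on copies.

# rc.conf must set cgd=NO explicitly (a missing line means the default, YES).
# The last assignment in the file wins, as it would when rc.conf is sourced.
check_rcconf() {
    val=$(sed -n 's/^[[:space:]]*cgd=\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    val=$(printf '%s' "$val" | tr -d "\"'" | tr 'a-z' 'A-Z')
    [ "$val" = "NO" ]
}

# cgd.conf must map cgd0 onto /dev/wd0g.
check_cgdconf() {
    awk '$1 == "cgd0" && $2 == "/dev/wd0g" { ok = 1 } END { exit !ok }' "$1"
}

# fstab: /dev/cgd0a mounted on /crypt, with noauto and fsck pass number 0.
check_fstab() {
    awk '
        $1 ~ /^#/ { next }
        $1 == "/dev/cgd0a" {
            seen = 1
            noauto = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "noauto") noauto = 1
            if ($2 != "/crypt" || !noauto || ($6 + 0) != 0) bad = 1
        }
        END { exit !(seen && !bad) }
    ' "$1"
}

# Constructed sample files matching the lab's intended end state.
make_sample() {
    printf 'cgd=NO\n' > "$1/rc.conf"
    printf 'cgd0 /dev/wd0g\n' > "$1/cgd.conf"
    printf '/dev/wd0a / ffs rw 1 1\n/dev/cgd0a /crypt ffs rw,noauto 0 0\n' > "$1/fstab"
}

# Run all three checks against the files in directory $1.
audit() {
    check_rcconf "$1/rc.conf"   || { echo "rc.conf: cgd is not set to NO"; return 1; }
    check_cgdconf "$1/cgd.conf" || { echo "cgd.conf: cgd0 /dev/wd0g missing"; return 1; }
    check_fstab "$1/fstab"      || { echo "fstab: /crypt entry is wrong"; return 1; }
    echo "ok"
}
```

To check a real system, copy /etc/rc.conf, /etc/cgd/cgd.conf and /etc/fstab into one directory and call audit on it.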

Questions:

What happens if you mount a CGD partition with the wrong password?


Why should you not use the -V option 'none' in cgdconfig?


What does the number '256' signify in the first cgdconfig command?


What is the block size for AES-CBC encryption?


What is the block size for Blowfish-CBC encryption?


What are the maximum key lengths for AES and Blowfish?


Why don't we want to start CGD and mount the partition on bootup?


Last updated: 2008-02-05
Updated by: Allan Jude

Written by: Allan Jude (2008)