The options are as follows:
/etc/cgd/cgd.conf.
/dev/tty.
Passphrases are separated by newlines. Users of this flag must be able to predict the order in which passphrases are prompted. If this flag is specified, verification errors will cause the device in question to be unconfigured rather than prompting for the passphrase again.
For more information about the cryptographic algorithms and IV methods supported, please refer to cgd(4).
/dev/random and uses the resulting bits as the key. It does not require a passphrase to be entered. Because the key is never stored anywhere, the data on such a device cannot be recovered once it has been unconfigured. This method is typically used to present disk devices that do not need to survive a reboot, such as the swap partition. It is also handy to facilitate overwriting the contents of a disk volume with meaningless data prior to use.
/dev/urandom and uses the resulting bits as the key. This is similar to the randomkey method, but it guarantees that cgdconfig will not stall waiting for hard-random bits (useful when configuring a cgd for swap at boot time). Note, however, that some or all of the bits used to generate the key may be obtained from a pseudo-random number generator, which may not be as secure as the entropy-based hard-random number generator.
/etc/cgd/cgd.conf is used to configure cgdconfig if either -C or -U is specified.
Each line of the file is composed of either two or three tokens: cgd, target, and optional paramsfile.
A `#' character is interpreted as a comment and indicates that the rest of the line should be ignored.
A `\' at the end of a line indicates that the next line is a continuation of the current line.
See EXAMPLES for an example of /etc/cgd/cgd.conf.
If paramsfile is omitted, the default is formed by taking the last path component of target and prepending /etc/cgd/ to it. E.g., if the target is /dev/sd0h, then the default parameters file will be /etc/cgd/sd0h.
It is possible to have more than one parameters file for a given disk which use different key generation methods but will generate the same key. To create a parameters file that is equivalent to an existing parameters file, use cgdconfig with the -G flag. See EXAMPLES for an example of this usage.
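As an added illustration of the cgd.conf format described above (example code written for this page, not code from cgdconfig or the NetBSD sources), the following Python reads a constructed cgd.conf, applying the comment, backslash-continuation and two-or-three-token rules and supplying the default parameters file when the third token is absent. The sample file and its cgd2 entry are made up for the example; the duplicate-name check is this parser's own addition, not a rule the manual states.

```python
import os

# Constructed sample cgd.conf (not taken from any real system). It exercises
# every rule stated above: comment lines, a trailing comment, a blank line,
# a backslash continuation, and both the two- and three-token forms.
SAMPLE_CGD_CONF = """\
#
# /etc/cgd/cgd.conf
# Configuration file for cryptographic disk devices
#

# cgd target [paramsfile]
cgd0 /dev/wd0e
cgd1 /dev/sd0h /usr/local/etc/cgd/sd0h    # explicit paramsfile
cgd2 /dev/raid0a \\
        /etc/cgd/raid0a-swap
"""

PARAMS_DIR = "/etc/cgd/"


def default_paramsfile(target):
    """Default paramsfile: PARAMS_DIR prepended to the last path component of target."""
    return PARAMS_DIR + os.path.basename(target)


def parse_cgd_conf(text):
    """Return [(cgd, target, paramsfile, explicit)] for each logical line.

    '#' comments to end of line, a trailing backslash joins the next line, and
    every logical line must then have exactly two or three tokens.  Rejecting a
    cgd name that appears twice is a check added here, not one the manual states.
    """
    entries, seen, pending = [], set(), ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0]
        if code.rstrip().endswith("\\"):
            pending += code.rstrip()[:-1] + " "
            continue
        tokens = (pending + code).split()
        pending = ""
        if not tokens:
            continue
        if len(tokens) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 tokens, got {tokens}")
        cgd, target = tokens[0], tokens[1]
        if cgd in seen:
            raise ValueError(f"line {lineno}: {cgd} configured twice")
        seen.add(cgd)
        explicit = len(tokens) == 3
        paramsfile = tokens[2] if explicit else default_paramsfile(target)
        entries.append((cgd, target, paramsfile, explicit))
    if pending.strip():
        raise ValueError("file ends inside a backslash continuation")
    return entries


if __name__ == "__main__":
    for cgd, target, paramsfile, explicit in parse_cgd_conf(SAMPLE_CGD_CONF):
        kind = "explicit" if explicit else "default"
        print(f"{cgd:5} {target:14} {paramsfile} ({kind})")
```

Run stand-alone it lists the three devices with the parameters file each would use; a malformed line (one or four tokens, or a file ending in the middle of a continuation) raises rather than being silently skipped.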
The parameters file contains a list of statements, each terminated with a semicolon. Some statements can contain statement blocks, which are either a single unadorned statement or a brace-enclosed list of semicolon-terminated statements. Three types of data are understood: integers (such as the key length and the iteration count), strings (such as algorithm and method names), and base64-encoded data (such as the salt and a stored key).
The following statements are defined:
algorithm: the cipher, e.g. aes-cbc or blowfish-cbc (see cgd(4)).
iv-method: the IV generation method, e.g. encblkno1 (see cgd(4)).
keylength: the length of the key in bits.
verify_method: how the key is checked after configuration, e.g. none, disklabel, or re-enter.
keygen: the key generation method, e.g. pkcs5_pbkdf2/sha1, storedkey, or randomkey, followed by a statement block.
The keygen statement's statement block may contain the following statements:
iterations: the iteration count for pkcs5_pbkdf2/sha1.
salt: the base64-encoded salt for pkcs5_pbkdf2/sha1.
key: the base64-encoded key for storedkey.
/etc/cgd/ default directory for parameters files.
/etc/cgd/cgd.conf default configuration file read when -C or -U is specified.
# cgdconfig -g -o /etc/cgd/wd0e aes-cbc 192
# cgdconfig cgd0 /dev/wd0e
/dev/wd0e's passphrase:
When using verification methods, the first time that we configure the disk the verification method will fail, since a freshly created cgd contains nothing for the method to recognise (for disklabel, no valid label has been written yet). We overcome this by supplying -V re-enter when we configure the disk the first time to set it up. Here is the sequence of commands that is recommended:
# cgdconfig -g -o /etc/cgd/wd0e -V disklabel aes-cbc
# cgdconfig -V re-enter cgd0 /dev/wd0e
/dev/wd0e's passphrase:
re-enter device's passphrase:
# disklabel -e -I cgd0
# cgdconfig -u cgd0
# cgdconfig cgd0 /dev/wd0e
/dev/wd0e's passphrase:
To create a new parameters file that will generate the same key as an old
parameters file:
# cgdconfig -G -o newparamsfile oldparamsfile
old file's passphrase:
new file's passphrase:
To configure a cgd that uses Blowfish with a 200 bit key that it
reads from stdin:
# cgdconfig -s cgd0 /dev/sd0h blowfish-cbc 200
An example parameters file which uses PKCS#5 PBKDF2:
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6Kog \
dYJAobCHE=;
};
An example parameters file which stores its key locally:
algorithm aes-cbc;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen storedkey key AAABAK3QO6d7xzLfrXTdsgg4 \
ly2TdxkFqOkYYcbyUKu/f60L;
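The parameters-file grammar described above (semicolon-terminated statements, brace-enclosed blocks, the single unadorned statement form, backslash continuation) and the two sample files, read by an added Python example. This is illustrative code written for this page, not cgdconfig's own parser or anything from the NetBSD sources. It makes three assumptions, each marked in the code: a base64 value continued across lines is the concatenation of its fragments; a base64 "bits" value is a 4-byte big-endian bit count followed by the bits (both sample values above decode consistently with this, and the code checks it: a 128-bit salt and a 256-bit key); and pkcs5_pbkdf2/sha1 is standard PBKDF2-HMAC-SHA1 over the passphrase bytes, salt and iteration count. The passphrases in the test are arbitrary strings.

```python
import base64
import hashlib
import re

# The two parameters files from the EXAMPLES above, embedded verbatim as input.
PBKDF2_PARAMS = """\
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6Kog \\
dYJAobCHE=;
};
"""
STOREDKEY_PARAMS = """\
algorithm aes-cbc;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen storedkey key AAABAK3QO6d7xzLfrXTdsgg4 \\
ly2TdxkFqOkYYcbyUKu/f60L;
"""


def tokenize(text):
    """Words plus the punctuation ';', '{', '}'.  A backslash immediately before
    a newline continues the statement, so it is folded into whitespace first."""
    return re.findall(r"[;{}]|[^\s;{}]+", text.replace("\\\n", " "))


def _simple(tokens, pos):
    """One 'name value... ;' statement.  Several value words are concatenated
    (assumption: a base64 value continued across lines is one value)."""
    name, words, pos = tokens[pos], [], pos + 1
    while pos < len(tokens) and tokens[pos] not in ";{}":
        words.append(tokens[pos])
        pos += 1
    if not words or tokens[pos:pos + 1] != [";"]:
        raise ValueError(f"{name}: expected 'value ;'")
    value = int(words[0]) if len(words) == 1 and words[0].isdigit() else "".join(words)
    return name, value, pos + 1


def _statements(tokens, pos, closing):
    """Parse statements until `closing` ('}' inside a block, None at top level)."""
    stmts = {}
    while pos < len(tokens):
        if tokens[pos] == closing:
            return stmts, pos + 1
        if tokens[pos] == "keygen":
            method, pos = tokens[pos + 1], pos + 2
            if tokens[pos:pos + 1] == ["{"]:            # brace-enclosed block
                block, pos = _statements(tokens, pos + 1, "}")
                if tokens[pos:pos + 1] != [";"]:
                    raise ValueError("expected ';' after '}'")
                pos += 1
            else:                                       # single unadorned statement
                name, value, pos = _simple(tokens, pos)
                block = {name: value}
            stmts["keygen"] = {"method": method, **block}
        else:
            name, value, pos = _simple(tokens, pos)
            stmts[name] = value
    if closing is not None:
        raise ValueError(f"missing {closing!r}")
    return stmts, pos


def parse_params(text):
    """Parse a parameters file into a dict; keygen becomes a nested dict."""
    return _statements(tokenize(text), 0, None)[0]


def bits_decode(b64):
    """Decode a base64 'bits' value: a 4-byte big-endian bit count followed by
    the bits themselves (assumption; both sample values decode consistently)."""
    raw = base64.b64decode(b64, validate=True)
    nbits, data = int.from_bytes(raw[:4], "big"), raw[4:]
    if len(data) != (nbits + 7) // 8:
        raise ValueError(f"bit count {nbits} disagrees with {len(data)} data bytes")
    return nbits, data


def derive_key(params, passphrase):
    """storedkey returns the stored bits; pkcs5_pbkdf2/sha1 runs standard
    PBKDF2-HMAC-SHA1 (assumed to match cgdconfig).  Key size is checked against
    keylength so a tampered or mismatched file is rejected, not truncated."""
    kg, keylength = params["keygen"], params["keylength"]
    if kg["method"] == "storedkey":
        nbits, key = bits_decode(kg["key"])
    elif kg["method"] == "pkcs5_pbkdf2/sha1":
        _, salt = bits_decode(kg["salt"])
        key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt,
                                  kg["iterations"], keylength // 8)
        nbits = keylength
    else:
        raise ValueError(f"unsupported keygen method {kg['method']!r}")
    if nbits != keylength:
        raise ValueError(f"key is {nbits} bits but keylength is {keylength}")
    return key
```

The length prefix is worth checking explicitly: it is what ties the salt and key material to the keylength statement, so a storedkey file whose key does not match keylength is refused rather than silently truncated or padded.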
An example /etc/cgd/cgd.conf:
#
# /etc/cgd/cgd.conf
# Configuration file for cryptographic disk devices
#

# cgd target [paramsfile]
cgd0 /dev/wd0e
cgd1 /dev/sd0h /usr/local/etc/cgd/sd0h
Note that the first example above stores the parameters file as /etc/cgd/wd0e and uses the entered passphrase to generate the key.
``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories, March 25, 1999.