2024-05-12 21:02:16 +03:00
|
|
|
.\" $NetBSD: cgdconfig.8,v 1.58 2024/05/12 18:02:16 christos Exp $
|
2002-10-04 22:37:19 +04:00
|
|
|
.\"
|
|
|
|
.\" Copyright (c) 2002, The NetBSD Foundation, Inc.
|
|
|
|
.\" All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
|
|
.\" by Roland C. Dowdeswell.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
.\"
|
2024-05-12 21:02:16 +03:00
|
|
|
.Dd May 12, 2024
|
2002-10-04 22:37:19 +04:00
|
|
|
.Dt CGDCONFIG 8
|
|
|
|
.Os
|
|
|
|
.Sh NAME
|
|
|
|
.Nm cgdconfig
|
|
|
|
.Nd configuration utility for the cryptographic disk driver
|
|
|
|
.Sh SYNOPSIS
|
2003-06-28 03:02:16 +04:00
|
|
|
.Nm
|
2018-05-09 21:11:56 +03:00
|
|
|
.Op Fl enpv
|
2004-08-13 19:24:03 +04:00
|
|
|
.Op Fl V Ar vmeth
|
2002-10-04 22:37:19 +04:00
|
|
|
.Ar cgd dev
|
|
|
|
.Op Ar paramsfile
|
2003-06-28 03:02:16 +04:00
|
|
|
.Nm
|
2002-10-04 22:37:19 +04:00
|
|
|
.Fl C
|
2018-05-09 21:11:56 +03:00
|
|
|
.Op Fl enpv
|
2002-10-04 22:37:19 +04:00
|
|
|
.Op Fl f Ar configfile
|
2003-06-28 03:02:16 +04:00
|
|
|
.Nm
|
2003-03-24 05:02:49 +03:00
|
|
|
.Fl G
|
2018-05-09 21:11:56 +03:00
|
|
|
.Op Fl enpv
|
2004-08-13 19:24:03 +04:00
|
|
|
.Op Fl i Ar ivmeth
|
2003-03-24 05:02:49 +03:00
|
|
|
.Op Fl k Ar kgmeth
|
|
|
|
.Op Fl o Ar outfile
|
|
|
|
.Ar paramsfile
|
2003-06-28 03:02:16 +04:00
|
|
|
.Nm
|
2002-10-04 22:37:19 +04:00
|
|
|
.Fl g
|
2022-08-12 13:49:35 +03:00
|
|
|
.Op Fl Sv
|
2021-04-18 22:56:09 +03:00
|
|
|
.Op Fl V Ar vmeth
|
2002-10-04 22:37:19 +04:00
|
|
|
.Op Fl i Ar ivmeth
|
|
|
|
.Op Fl k Ar kgmeth
|
|
|
|
.Op Fl o Ar outfile
|
2022-08-12 13:49:35 +03:00
|
|
|
.Op Fl P Ar paramsfile
|
2002-10-04 22:37:19 +04:00
|
|
|
.Ar alg
|
|
|
|
.Op Ar keylen
|
2003-06-28 03:02:16 +04:00
|
|
|
.Nm
|
2022-08-12 13:48:44 +03:00
|
|
|
.Fl T
|
|
|
|
.Op Fl f Ar configfile
|
|
|
|
.Nm
|
2022-08-12 13:48:27 +03:00
|
|
|
.Fl t
|
|
|
|
.Ar paramsfile
|
|
|
|
.Nm
|
2012-12-05 06:23:20 +04:00
|
|
|
.Fl l
|
2018-05-09 17:27:41 +03:00
|
|
|
.Op Fl v Ns Op Cm v
|
|
|
|
.Op Ar cgd
|
2012-12-05 06:23:20 +04:00
|
|
|
.Nm
|
2002-10-04 22:37:19 +04:00
|
|
|
.Fl s
|
|
|
|
.Op Fl nv
|
|
|
|
.Op Fl i Ar ivmeth
|
|
|
|
.Ar cgd
|
|
|
|
.Ar dev
|
|
|
|
.Ar alg
|
|
|
|
.Op Ar keylen
|
2003-06-28 03:02:16 +04:00
|
|
|
.Nm
|
2012-12-05 06:23:20 +04:00
|
|
|
.Fl U
|
|
|
|
.Op Fl nv
|
|
|
|
.Op Fl f Ar configfile
|
|
|
|
.Nm
|
2002-10-04 22:37:19 +04:00
|
|
|
.Fl u
|
|
|
|
.Op Fl nv
|
|
|
|
.Ar cgd
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
.Nm
|
|
|
|
is used to configure and unconfigure cryptographic disk devices (cgds)
|
|
|
|
and to maintain the configuration files that are associated with them.
|
2003-03-24 05:02:49 +03:00
|
|
|
For more information about cryptographic disk devices see
|
2002-10-04 22:37:19 +04:00
|
|
|
.Xr cgd 4 .
|
|
|
|
.Pp
|
|
|
|
The options are as follows:
|
|
|
|
.Bl -tag -width configfilexxxx
|
|
|
|
.It Fl C
|
|
|
|
Configure all the devices listed in the cgd configuration file.
|
2018-05-09 21:11:56 +03:00
|
|
|
.It Fl e
|
2018-09-01 14:46:52 +03:00
|
|
|
Echo the passphrase.
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl f Ar configfile
|
2003-03-24 05:02:49 +03:00
|
|
|
Specify the configuration file explicitly, rather than using the default
|
|
|
|
configuration file
|
2002-10-04 22:37:19 +04:00
|
|
|
.Pa /etc/cgd/cgd.conf .
|
2003-03-24 05:02:49 +03:00
|
|
|
.It Fl G
|
|
|
|
Generate a new paramsfile (to stdout) using the values from
|
|
|
|
.Ar paramsfile
|
|
|
|
which will generate the same key.
|
2018-05-09 17:27:41 +03:00
|
|
|
This may need to obtain multiple passphrases.
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl g
|
2002-10-05 03:47:03 +04:00
|
|
|
Generate a paramsfile (to stdout).
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl i Ar ivmeth
|
2008-09-12 20:51:54 +04:00
|
|
|
Specify the IV method (default: encblkno1).
|
2020-12-12 00:52:19 +03:00
|
|
|
.Pp
|
|
|
|
Setting the IV method is needed only for compatibility with disks
|
|
|
|
written with a very old version of
|
|
|
|
.Xr cgd 4
|
|
|
|
from before
|
|
|
|
.Nx 5.0 ,
|
|
|
|
released in 2010; see
|
|
|
|
.Xr cgd 4
|
|
|
|
for details.
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl k Ar kgmeth
|
2004-03-17 04:29:13 +03:00
|
|
|
Specify the key generation method (default: pkcs5_pbkdf2/sha1).
|
2012-12-05 06:23:20 +04:00
|
|
|
.It Fl l Op Ar cgd
|
|
|
|
List state of all devices or just the one
|
|
|
|
.Ar cgd
|
|
|
|
device.
|
|
|
|
The verbosity level affects the output.
|
2009-10-19 18:35:04 +04:00
|
|
|
.It Fl n
|
|
|
|
Do not actually configure or unconfigure a cryptographic disk
|
|
|
|
device, but instead report the steps that would be taken.
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl o Ar outfile
|
|
|
|
When generating a
|
|
|
|
.Ar paramsfile ,
|
|
|
|
store it in
|
|
|
|
.Ar outfile .
|
2018-05-09 17:27:41 +03:00
|
|
|
If
|
|
|
|
.Fl o
|
|
|
|
is not given, any paramsfile content is written to standard output.
|
2022-08-12 13:49:35 +03:00
|
|
|
.It Fl P Ar paramsfile
|
|
|
|
With the
|
|
|
|
.Fl S
|
|
|
|
option for the
|
|
|
|
.Fl g
|
2022-08-12 13:49:47 +03:00
|
|
|
or
|
|
|
|
.Fl G
|
|
|
|
actions, specify a parameters file with a shared key to reuse for
|
2022-08-12 13:49:35 +03:00
|
|
|
deriving this one as a subkey.
|
2008-05-11 01:38:40 +04:00
|
|
|
.It Fl p
|
|
|
|
Read all passphrases from stdin rather than
|
|
|
|
.Pa /dev/tty .
|
|
|
|
Passphrases are separated by newlines.
|
|
|
|
Users of this flag must be able to predict the order in which passphrases
|
|
|
|
are prompted.
|
|
|
|
If this flag is specified then verification errors will cause the device
|
|
|
|
in question to be unconfigured rather than prompting for the passphrase
|
|
|
|
again.
|
2022-08-12 13:49:35 +03:00
|
|
|
.It Fl S
|
|
|
|
When generating a parameters file with
|
2022-08-12 13:49:47 +03:00
|
|
|
.Fl g
|
|
|
|
or
|
|
|
|
.Fl G ,
|
2022-08-12 13:49:35 +03:00
|
|
|
arrange to use a subkey of a shared key.
|
|
|
|
If
|
|
|
|
.Fl P Ar paramsfile
|
|
|
|
is also specified, reuse the shared key of
|
|
|
|
.Ar paramsfile ;
|
|
|
|
otherwise a new one will be generated.
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl s
|
2018-05-09 17:27:41 +03:00
|
|
|
Read the key (nb: not the passphrase) from stdin.
|
2022-08-12 13:48:44 +03:00
|
|
|
.It Fl T
|
|
|
|
Generate all keys for all the devices listed in the
|
|
|
|
.Nm
|
|
|
|
configuration file and print them to standard output encoded in
|
|
|
|
base64.
|
2022-08-12 13:48:27 +03:00
|
|
|
.It Fl t
|
|
|
|
Generate the key and print it to standard output encoded in base64.
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl U
|
|
|
|
Unconfigure all the devices listed in the cgd configuration file.
|
|
|
|
.It Fl u
|
|
|
|
Unconfigure a cgd.
|
2002-10-13 01:10:31 +04:00
|
|
|
.It Fl V Ar vmeth
|
|
|
|
Specify the verification method (default: none).
|
2002-10-04 22:37:19 +04:00
|
|
|
.It Fl v
|
2002-10-05 19:45:52 +04:00
|
|
|
Be verbose.
|
|
|
|
May be specified multiple times.
|
2002-10-04 22:37:19 +04:00
|
|
|
.El
|
|
|
|
.Pp
|
2020-12-12 00:52:19 +03:00
|
|
|
For more information about the cryptographic algorithms supported,
|
|
|
|
please refer to
|
2002-10-04 22:37:19 +04:00
|
|
|
.Xr cgd 4 .
|
|
|
|
.Ss Key Generation Methods
|
2003-03-24 05:02:49 +03:00
|
|
|
To generate the key which it will use,
|
|
|
|
.Nm
|
|
|
|
evaluates all of the key generation methods in the parameters file
|
|
|
|
and uses the exclusive-or of the outputs of all the methods.
|
2002-10-04 22:37:19 +04:00
|
|
|
The methods and descriptions are as follows:
|
2004-03-17 04:29:13 +03:00
|
|
|
.Bl -tag -width indentxxxxxxxxxxx
|
2021-11-22 17:34:35 +03:00
|
|
|
.It argon2id
|
|
|
|
This method requires a passphrase which is entered at configuration
|
|
|
|
time.
|
|
|
|
Argon2 is a memory-hard password hashing scheme and winner of the
|
|
|
|
2013-2015 Password Hashing Competition.
|
|
|
|
It has numerous parameters allowing its hardness to scale with the
|
|
|
|
performance of the system.
|
|
|
|
Recommended for passphrase-based initialization.
|
2004-03-17 04:29:13 +03:00
|
|
|
.It pkcs5_pbkdf2/sha1
|
2002-10-04 22:37:19 +04:00
|
|
|
This method requires a passphrase which is entered at configuration
|
2002-10-05 19:45:52 +04:00
|
|
|
time.
|
|
|
|
It is a salted hmac-based scheme detailed in
|
|
|
|
.Dq PKCS#5 v2.0: Password-Based Cryptography Standard ,
|
|
|
|
RSA Laboratories, March 25, 1999, pages 8-10.
|
|
|
|
PKCS #5 was also republished as RFC 2898.
|
2004-03-17 04:29:13 +03:00
|
|
|
.It pkcs5_pbkdf2
|
|
|
|
This is an earlier, slightly incorrect and deprecated implementation
|
2004-03-17 04:40:34 +03:00
|
|
|
of the above algorithm.
|
2004-03-17 04:29:13 +03:00
|
|
|
It is retained for backwards compatibility with existing parameters
|
2004-03-17 04:40:34 +03:00
|
|
|
files, and will be removed.
|
|
|
|
Existing parameters files should be
|
2004-03-17 04:29:13 +03:00
|
|
|
converted to use the correct method using the
|
|
|
|
.Fl G
|
|
|
|
option, and a new passphrase.
|
2004-08-13 19:03:57 +04:00
|
|
|
.It storedkey
|
|
|
|
This method stores its key in the parameters file.
|
2002-10-04 22:37:19 +04:00
|
|
|
.It randomkey
|
|
|
|
The method simply reads
|
|
|
|
.Pa /dev/random
|
2002-10-05 19:45:52 +04:00
|
|
|
and uses the resulting bits as the key.
|
|
|
|
It does not require a passphrase to be entered.
|
2002-10-07 04:12:40 +04:00
|
|
|
This method is typically used to present disk devices that do not
|
2020-06-23 16:23:56 +03:00
|
|
|
need to survive a reboot.
|
2002-10-05 19:45:52 +04:00
|
|
|
It is also handy to facilitate overwriting the contents of
|
2002-10-05 04:34:35 +04:00
|
|
|
a disk volume with meaningless data prior to use.
|
2004-08-13 19:03:57 +04:00
|
|
|
.It urandomkey
|
|
|
|
The method simply reads
|
|
|
|
.Pa /dev/urandom
|
2012-12-05 12:56:54 +04:00
|
|
|
and uses the resulting bits as the key.
|
|
|
|
This is similar to the
|
2004-08-13 19:03:57 +04:00
|
|
|
.Pa randomkey
|
2020-06-23 17:08:01 +03:00
|
|
|
method, but it guarantees that
|
|
|
|
.Nm
|
|
|
|
will not stall waiting for 256 bits of entropy from a hardware RNG
|
|
|
|
or seed.
|
2008-05-11 07:15:21 +04:00
|
|
|
.It shell_cmd
|
|
|
|
This method executes a shell command via
|
|
|
|
.Xr popen 3
|
|
|
|
and reads the key from stdout.
|
2002-10-04 22:37:19 +04:00
|
|
|
.El
|
2002-10-13 01:10:31 +04:00
|
|
|
.Ss Verification Method
|
|
|
|
The verification method is how
|
|
|
|
.Nm
|
2003-03-24 05:02:49 +03:00
|
|
|
determines if the generated key is correct.
|
2002-10-13 01:10:31 +04:00
|
|
|
If the newly configured disk fails to verify, then
|
|
|
|
.Nm
|
2003-03-24 05:02:49 +03:00
|
|
|
will regenerate the key and re-configure the device.
|
2011-07-03 23:05:10 +04:00
|
|
|
It only makes sense to specify a verification method if at least one of the
|
2004-03-17 04:40:34 +03:00
|
|
|
key generation methods is error prone, e.g., uses a user-entered passphrase.
|
2002-10-13 01:10:31 +04:00
|
|
|
The following verification methods are supported:
|
|
|
|
.Pp
|
2003-03-24 05:02:49 +03:00
|
|
|
.Bl -tag -width indentxxx -compact
|
2002-10-13 01:10:31 +04:00
|
|
|
.It none
|
|
|
|
perform no verification.
|
|
|
|
.It disklabel
|
|
|
|
scan for a valid disklabel.
|
2014-12-14 15:31:39 +03:00
|
|
|
.It mbr
|
|
|
|
scan for a valid Master Boot Record.
|
|
|
|
.It gpt
|
2014-12-14 20:15:14 +03:00
|
|
|
scan for a valid GUID partition table.
|
2003-03-24 05:02:49 +03:00
|
|
|
.It ffs
|
|
|
|
scan for a valid FFS file system.
|
2024-05-12 21:02:16 +03:00
|
|
|
.It zfs
|
|
|
|
scan for a valid ZFS vdev label (if compiled with MKZFS).
|
2003-09-23 21:24:45 +04:00
|
|
|
.It re-enter
|
2003-09-24 01:25:20 +04:00
|
|
|
prompt for passphrase twice, and ensure entered passphrases are
|
|
|
|
identical.
|
2021-11-22 17:34:35 +03:00
|
|
|
This method only works with the argon2id, pkcs5_pbkdf2/sha1, and
|
|
|
|
pkcs5_pbkdf2 key generators.
|
2002-10-13 01:10:31 +04:00
|
|
|
.El
|
2002-10-04 22:37:19 +04:00
|
|
|
.Ss /etc/cgd/cgd.conf
|
|
|
|
The file
|
|
|
|
.Pa /etc/cgd/cgd.conf
|
|
|
|
is used to configure
|
|
|
|
.Nm
|
|
|
|
if either of
|
|
|
|
.Fl C
|
|
|
|
or
|
|
|
|
.Fl U
|
2002-10-05 19:45:52 +04:00
|
|
|
are specified.
|
|
|
|
Each line of the file is composed of either two or three
|
2002-10-04 22:37:19 +04:00
|
|
|
tokens: cgd, target, and optional paramsfile.
|
|
|
|
.Pp
|
|
|
|
A
|
|
|
|
.Sq \&#
|
2003-03-24 05:02:49 +03:00
|
|
|
character is interpreted as a comment and indicates that the
|
2002-10-05 19:45:52 +04:00
|
|
|
rest of the line should be ignored.
|
|
|
|
A
|
2002-10-04 22:37:19 +04:00
|
|
|
.Sq \e
|
|
|
|
at the end of a line indicates that the next line is a continuation of
|
|
|
|
the current line.
|
|
|
|
.Pp
|
2018-12-28 00:17:08 +03:00
|
|
|
If the second field is of the form
|
|
|
|
.Dq NAME=<value>
|
|
|
|
then all the
|
|
|
|
.Xr dk 4
|
|
|
|
wedge partitions are searched for one that has a wedge name equal to
|
|
|
|
.Ar <value>
|
|
|
|
and the device corresponding to it is selected.
|
|
|
|
.Pp
|
|
|
|
If the second field starts with the prefix
|
|
|
|
.Dq ROOT.
|
|
|
|
the prefix is replaced with
|
|
|
|
.Dq /dev/[root_device] ,
|
|
|
|
where
|
|
|
|
.Bq root_device
|
|
|
|
is the value of the
|
|
|
|
.Dq kern.root_device
|
|
|
|
sysctl.
|
|
|
|
.Pp
|
2002-10-04 22:37:19 +04:00
|
|
|
See
|
|
|
|
.Sx EXAMPLES
|
|
|
|
for an example of
|
|
|
|
.Pa /etc/cgd/cgd.conf .
|
|
|
|
.Ss Parameters File
|
|
|
|
The Parameters File contains the required information to generate the
|
2002-10-05 19:45:52 +04:00
|
|
|
key and configure a device.
|
2003-03-24 05:02:49 +03:00
|
|
|
These files are typically generated by the
|
2002-10-04 22:37:19 +04:00
|
|
|
.Fl g
|
2002-10-05 19:45:52 +04:00
|
|
|
flag and not edited by hand.
|
2002-10-07 04:12:40 +04:00
|
|
|
When a device is configured the default parameters file is constructed
|
|
|
|
by taking the basename of the target disk and prepending
|
2002-10-04 22:37:19 +04:00
|
|
|
.Pa /etc/cgd/
|
2002-10-05 19:45:52 +04:00
|
|
|
to it.
|
2002-10-07 04:12:40 +04:00
|
|
|
E.g., if the target is
|
2002-10-04 22:37:19 +04:00
|
|
|
.Pa /dev/sd0h ,
|
|
|
|
then the default parameters file will be
|
|
|
|
.Pa /etc/cgd/sd0h .
|
|
|
|
.Pp
|
2003-03-24 05:02:49 +03:00
|
|
|
It is possible to have more than one parameters file for a given
|
|
|
|
disk which use different key generation methods but will generate
|
|
|
|
the same key.
|
|
|
|
To create a parameters file that is equivalent to an existing parameters
|
|
|
|
file, use
|
|
|
|
.Nm
|
|
|
|
with the
|
|
|
|
.Fl G
|
|
|
|
flag.
|
|
|
|
See
|
|
|
|
.Sx EXAMPLES
|
|
|
|
for an example of this usage.
|
|
|
|
.Pp
|
|
|
|
The parameters file contains a list of statements each terminated
|
|
|
|
with a semi-colon.
|
|
|
|
Some statements can contain statement-blocks which are either a
|
|
|
|
single unadorned statement, or a brace-enclosed list of semicolon
|
|
|
|
terminated statements.
|
|
|
|
Three types of data are understood:
|
2002-10-04 22:37:19 +04:00
|
|
|
.Pp
|
2003-03-24 05:02:49 +03:00
|
|
|
.Bl -tag -compact -width integerxx
|
|
|
|
.It integer
|
|
|
|
a 32 bit signed integer.
|
|
|
|
.It string
|
|
|
|
a string.
|
|
|
|
.It base64
|
|
|
|
a length-encoded base64 string.
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
The following statements are defined:
|
|
|
|
.Bl -tag -width indentxx
|
|
|
|
.It algorithm Ar string
|
|
|
|
Defines the cryptographic algorithm.
|
|
|
|
.It iv-method Ar string
|
|
|
|
Defines the IV generation method.
|
2020-12-12 00:52:19 +03:00
|
|
|
This should always be
|
|
|
|
.Sq encblkno1
|
|
|
|
except when dealing with disks written with a very old version of
|
|
|
|
.Xr cgd 4
|
|
|
|
from before
|
|
|
|
.Nx 5.0 ,
|
|
|
|
released in 2010; see
|
|
|
|
.Xr cgd 4
|
|
|
|
for details.
|
2003-03-24 05:02:49 +03:00
|
|
|
.It keylength Ar integer
|
|
|
|
Defines the length of the key.
|
|
|
|
.It verify_method Ar string
|
|
|
|
Defines the verification method.
|
|
|
|
.It keygen Ar string Ar statement_block
|
|
|
|
Defines a key generation method.
|
|
|
|
The
|
|
|
|
.Ar statement_block
|
|
|
|
contains statements that are specific to the key generation method.
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
The keygen statement's statement block may contain the following statements:
|
|
|
|
.Bl -tag -width indentxx
|
|
|
|
.It key Ar string
|
2004-03-17 04:40:34 +03:00
|
|
|
The key.
|
|
|
|
Only used for the storedkey key generation method.
|
2008-05-11 07:15:21 +04:00
|
|
|
.It cmd Ar string
|
|
|
|
The command to execute.
|
|
|
|
Only used for the shell_cmd key generation method.
|
2003-03-24 05:02:49 +03:00
|
|
|
.It iterations Ar integer
|
2004-03-17 04:40:34 +03:00
|
|
|
The number of iterations.
|
2021-11-22 17:34:35 +03:00
|
|
|
Only used for argon2id, pkcs5_pbkdf2/sha1, and pkcs5_pbkdf2.
|
2003-03-24 05:02:49 +03:00
|
|
|
.It salt Ar base64
|
2004-03-17 04:40:34 +03:00
|
|
|
The salt.
|
2021-11-22 17:34:35 +03:00
|
|
|
Only used for argon2id, pkcs5_pbkdf2/sha1, and pkcs5_pbkdf2.
|
|
|
|
.It memory Ar integer
|
|
|
|
Memory consumption in kilobytes.
|
|
|
|
Only used for argon2id.
|
|
|
|
.It parallelism Ar integer
|
|
|
|
Number of threads to use to compute the password hash.
|
|
|
|
Should be equivalent to the number of CPUs/hardware threads.
|
|
|
|
Only used for argon2id.
|
|
|
|
.It version Ar integer
|
|
|
|
Version of Argon2 to use.
|
|
|
|
Should be the most recent version, currently
|
|
|
|
.Dv 19 .
|
|
|
|
Only used for argon2id.
|
cgdconfig(8): Add support for shared keys.
New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:
- Hashing the password is expensive, so it should only be done once.
Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.
. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.
And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.
- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.
The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.
The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.
Example:
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};
The key used for this disk will be derived by
HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),
where k is the outcome of PBKDF2-SHA1 with the given parameters.
Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.
If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
2022-08-12 13:49:17 +03:00
|
|
|
.It shared Ar name No algorithm Ar kdf No subkey Ar info
|
|
|
|
Makes the key generation take an extra step to derive a subkey from the
|
|
|
|
main key using the key derivation function
|
|
|
|
.Ar kdf
|
|
|
|
with input
|
|
|
|
.Ar info .
|
|
|
|
.Pp
|
|
|
|
This enables a single password entry, for example, to decrypt multiple
|
|
|
|
disks that use different keys, each derived as a subkey from the main
|
|
|
|
key generated from the password.
|
|
|
|
.Bl -tag -width 6n
|
|
|
|
.It Ar name
|
|
|
|
A string used to identify the same main key generation shared between
|
|
|
|
parameters files for different disks listed in a single
|
|
|
|
.Pa cgd.conf
|
|
|
|
configuration file.
|
|
|
|
.It Ar kdf
|
|
|
|
The name of a key derivation function used to derive a subkey from the
|
|
|
|
main key.
|
|
|
|
Supported values:
|
|
|
|
.Bl -tag -width 6n -offset indent
|
|
|
|
.It Li hkdf-hmac-sha256
|
|
|
|
The HKDF-Expand function of RFC 5869, instantiated with SHA-256.
|
|
|
|
.El
|
|
|
|
.It Ar info
|
|
|
|
A base64 length-encoded string to distinguish different subkeys derived
|
|
|
|
from a shared main key.
|
|
|
|
Need not be secret.
|
|
|
|
For example, it could be a nickname, or the disk's World-Wide Name, or
|
|
|
|
a UUID generated for the disk, or just a random string.
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
It is an error to reuse a shared key
|
|
|
|
.Ar name
|
|
|
|
with different keygen blocks, other than the
|
|
|
|
.Ar info
|
|
|
|
parameter,
|
|
|
|
between parameters files used by a single
|
|
|
|
.Pa cgd.conf
|
|
|
|
configuration file.
|
2002-10-04 22:37:19 +04:00
|
|
|
.El
|
|
|
|
.Sh FILES
|
|
|
|
.Bl -tag -width indentxxxxxxxxxxxxxxxxxx -compact
|
|
|
|
.It Pa /etc/cgd/
|
|
|
|
configuration directory, used to store paramsfiles.
|
|
|
|
.It Pa /etc/cgd/cgd.conf
|
|
|
|
cgd configuration file.
|
|
|
|
.El
|
|
|
|
.Sh EXAMPLES
|
2020-12-12 00:52:19 +03:00
|
|
|
To set up and configure a cgd that uses adiantum, which takes a 256-bit
|
|
|
|
key:
|
2002-10-04 22:37:19 +04:00
|
|
|
.Bd -literal
|
2021-12-04 18:03:58 +03:00
|
|
|
# cgdconfig -g -k argon2id -o /etc/cgd/wd0e adiantum 256
|
2002-10-04 22:37:19 +04:00
|
|
|
# cgdconfig cgd0 /dev/wd0e
|
|
|
|
/dev/wd0e's passphrase:
|
|
|
|
.Ed
|
|
|
|
.Pp
|
2003-03-24 05:02:49 +03:00
|
|
|
When using verification methods, the first time that we configure the
|
2004-03-17 04:40:34 +03:00
|
|
|
disk the verification method will fail.
|
|
|
|
We overcome this by supplying
|
2004-10-15 19:25:14 +04:00
|
|
|
.Fl V Ar re-enter
|
2004-03-17 04:40:34 +03:00
|
|
|
when we configure the first time to set up the disk.
|
|
|
|
Here is the
|
2003-03-24 05:02:49 +03:00
|
|
|
sequence of commands that is recommended:
|
|
|
|
.Bd -literal
|
2021-12-04 18:03:58 +03:00
|
|
|
# cgdconfig -g -k argon2id -o /etc/cgd/dk3 -V gpt adiantum
|
2021-05-01 00:07:34 +03:00
|
|
|
# cgdconfig -V re-enter cgd0 /dev/dk3
|
|
|
|
/dev/dk3's passphrase:
|
2012-12-05 06:23:20 +04:00
|
|
|
re-enter device's passphrase:
|
2021-05-01 00:07:34 +03:00
|
|
|
# gpt create cgd0
|
2012-12-05 06:23:20 +04:00
|
|
|
# cgdconfig -u cgd0
|
2021-05-01 00:07:34 +03:00
|
|
|
# cgdconfig cgd0 /dev/dk3
|
|
|
|
/dev/dk3's passphrase:
|
2012-12-05 06:23:20 +04:00
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
To scrub data from a disk before setting up a cgd:
|
|
|
|
.Bd -literal
|
2020-12-12 00:52:19 +03:00
|
|
|
# cgdconfig -s cgd0 /dev/sd0e adiantum 256 < /dev/urandom
|
2012-12-05 06:23:20 +04:00
|
|
|
# dd if=/dev/zero of=/dev/rcgd0d bs=32k progress=512
|
|
|
|
# cgdconfig -u cgd0
|
2003-03-24 05:02:49 +03:00
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
To create a new parameters file that will generate the same key as an old
|
|
|
|
parameters file:
|
|
|
|
.Bd -literal
|
2012-12-05 06:23:20 +04:00
|
|
|
# cgdconfig -G -o newparamsfile oldparamsfile
|
|
|
|
old file's passphrase:
|
|
|
|
new file's passphrase:
|
2003-03-24 05:02:49 +03:00
|
|
|
.Ed
|
|
|
|
.Pp
|
2022-08-12 13:49:35 +03:00
|
|
|
To create parameters files for three disks with subkeys derived from a
|
|
|
|
shared password-based key:
|
|
|
|
.Bd -literal
|
|
|
|
# cgdconfig -g -S -k argon2id -o /etc/cgd/wd0 -V gpt adiantum
|
|
|
|
# cgdconfig -g -S -P /etc/cgd/wd0 -o /etc/cgd/ld1 \e
|
|
|
|
-V disklabel aes-cbc 256
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
Listing these in the same
|
|
|
|
.Pa /etc/cgd/cgd.conf
|
|
|
|
will allow you to enter a password once to decrypt both disks with
|
|
|
|
.Cm cgdconfig -C .
|
|
|
|
.Pp
|
2020-12-12 00:52:19 +03:00
|
|
|
To configure a cgd that uses aes-cbc with a 192 bit key that it
|
2002-10-04 22:37:19 +04:00
|
|
|
reads from stdin:
|
|
|
|
.Bd -literal
|
2020-12-12 00:52:19 +03:00
|
|
|
# cgdconfig -s cgd0 /dev/sd0h aes-cbc 192
|
2002-10-04 22:37:19 +04:00
|
|
|
.Ed
|
|
|
|
.Pp
|
2003-03-24 05:02:49 +03:00
|
|
|
An example parameters file which uses PKCS#5 PBKDF2:
|
|
|
|
.Bd -literal
|
|
|
|
algorithm aes-cbc;
|
2008-09-12 20:51:54 +04:00
|
|
|
iv-method encblkno1;
|
2003-03-24 05:02:49 +03:00
|
|
|
keylength 128;
|
|
|
|
verify_method none;
|
2004-03-17 04:29:13 +03:00
|
|
|
keygen pkcs5_pbkdf2/sha1 {
|
2003-03-24 05:02:49 +03:00
|
|
|
iterations 39361;
|
2010-03-30 18:26:55 +04:00
|
|
|
salt AAAAgMoHiYonye6Kog \e
|
2003-03-24 05:02:49 +03:00
|
|
|
dYJAobCHE=;
|
|
|
|
};
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
An example parameters file which stores its key locally:
|
|
|
|
.Bd -literal
|
2020-12-12 00:52:19 +03:00
|
|
|
algorithm adiantum;
|
2008-09-12 20:51:54 +04:00
|
|
|
iv-method encblkno1;
|
2003-03-24 05:02:49 +03:00
|
|
|
keylength 256;
|
|
|
|
verify_method none;
|
2010-03-30 18:26:55 +04:00
|
|
|
keygen storedkey key AAABAK3QO6d7xzLfrXTdsgg4 \e
|
2003-03-24 05:02:49 +03:00
|
|
|
ly2TdxkFqOkYYcbyUKu/f60L;
|
|
|
|
.Ed
|
|
|
|
.Pp
|
cgdconfig(8): Add support for shared keys.
New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:
- Hashing the password is expensive, so it should only be done once.
Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.
. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.
And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.
- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.
The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.
The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.
Example:
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};
The key used for this disk will be derived by
HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),
where k is the outcome of PBKDF2-SHA1 with the given parameters.
Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.
If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
2022-08-12 13:49:17 +03:00
|
|
|
An example pair of configuration files which use shared keys so they
|
|
|
|
can be derived from a single passphrase entry, with the 64-bit
|
|
|
|
World-Wide Name of each disk (base64 length-encoded) as its subkey
|
|
|
|
info:
|
|
|
|
.Bl -tag -offset indent -width 6n
|
|
|
|
.It Pa /etc/cgd/wd0a
|
|
|
|
.Bd -literal
|
|
|
|
algorithm adiantum;
|
|
|
|
iv-method encblkno1;
|
|
|
|
keylength 256;
|
|
|
|
verify_method gpt;
|
|
|
|
keygen argon2id {
|
|
|
|
iterations 32;
|
|
|
|
memory 5214;
|
|
|
|
parallelism 2;
|
|
|
|
version 19;
|
|
|
|
salt AAAAgLZ5QgleU2m/Ib6wiPYxz98=;
|
|
|
|
shared "my laptop" algorithm hkdf-hmac-sha256 \e
|
|
|
|
subkey AAAAQEGELNr3bj3I;
|
|
|
|
};
|
|
|
|
.Ed
|
|
|
|
.It Pa /etc/cgd/wd1a
|
|
|
|
.Bd -literal
|
|
|
|
algorithm adiantum;
|
|
|
|
iv-method encblkno1;
|
|
|
|
keylength 256;
|
|
|
|
verify_method gpt;
|
|
|
|
keygen argon2id {
|
|
|
|
iterations 32;
|
|
|
|
memory 5214;
|
|
|
|
parallelism 2;
|
|
|
|
version 19;
|
|
|
|
salt AAAAgLZ5QgleU2m/Ib6wiPYxz98=;
|
|
|
|
shared "my laptop" algorithm hkdf-hmac-sha256 \e
|
|
|
|
subkey AAAAQHSC15pr1Pe4;
|
|
|
|
};
|
|
|
|
.Ed
|
|
|
|
.El
|
|
|
|
.Pp
|
2002-10-04 22:37:19 +04:00
|
|
|
An example
|
|
|
|
.Pa /etc/cgd/cgd.conf :
|
|
|
|
.Bd -literal
|
|
|
|
#
|
|
|
|
# /etc/cgd/cgd.conf
|
|
|
|
# Configuration file for cryptographic disk devices
|
|
|
|
#
|
|
|
|
|
|
|
|
# cgd target [paramsfile]
|
|
|
|
cgd0 /dev/wd0e
|
2018-12-28 00:17:08 +03:00
|
|
|
cgd1 NAME=mycgd /usr/local/etc/cgd/mycgd
|
2002-10-04 22:37:19 +04:00
|
|
|
.Ed
|
|
|
|
.Pp
|
2012-12-05 06:23:20 +04:00
|
|
|
Note the first entry will store the parameters file as
|
2002-10-04 22:37:19 +04:00
|
|
|
.Pa /etc/cgd/wd0e .
|
|
|
|
And use the entered passphrase to generate the key.
|
2012-12-05 06:23:20 +04:00
|
|
|
.Pp
|
|
|
|
Although not required, the partition type
|
|
|
|
.Ar cgd
|
2018-05-09 17:27:41 +03:00
|
|
|
should be used in the disklabel or GPT type field for the cgd partition.
|
2007-02-23 23:00:04 +03:00
|
|
|
.Sh DIAGNOSTICS
|
|
|
|
.Bl -diag
|
|
|
|
.It "cgdconfig: could not calibrate pkcs5_pbkdf2"
|
2016-09-11 04:09:34 +03:00
|
|
|
An error greater than 5% in calibration occurred.
|
2007-02-23 23:00:04 +03:00
|
|
|
This could be the result of dynamic processor frequency scaling technology.
|
|
|
|
Ensure that the processor clock frequency remains static throughout the
|
|
|
|
program's execution.
|
|
|
|
.El
|
2002-10-04 22:37:19 +04:00
|
|
|
.Sh SEE ALSO
|
2018-05-09 20:35:03 +03:00
|
|
|
.Xr cgd 4 ,
|
2018-12-28 00:17:08 +03:00
|
|
|
.Xr dk 4 ,
|
|
|
|
.Xr fstab 5 ,
|
2018-12-29 21:34:01 +03:00
|
|
|
.Xr disklabel 8 ,
|
2018-05-09 17:27:41 +03:00
|
|
|
.Xr gpt 8
|
2021-11-22 17:34:35 +03:00
|
|
|
.Rs
|
|
|
|
.%T "Argon2: the memory-hard function for password hashing and other applications"
|
|
|
|
.%A Alex Biryukov
|
|
|
|
.%A Daniel Dinu
|
|
|
|
.%A Dmitry Khovratovich
|
|
|
|
.%D 2017
|
|
|
|
.%I University of Luxembourg
|
|
|
|
.%U https://www.password-hashing.net/
|
|
|
|
.Re
|
cgdconfig(8): Add support for shared keys.
New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:
- Hashing the password is expensive, so it should only be done once.
Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.
. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.
And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.
- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.
The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.
The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.
Example:
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};
The key used for this disk will be derived by
HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),
where k is the outcome of PBKDF2-SHA1 with the given parameters.
Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.
If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
2022-08-12 13:49:17 +03:00
|
|
|
.Rs
|
|
|
|
.%A H. Krawczyk
|
|
|
|
.%A P. Eronen
|
|
|
|
.%T HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
|
|
|
|
.%I Internet Engineering Task Force
|
|
|
|
.%U https://www.rfc-editor.org/rfc/rfc5869.html
|
|
|
|
.%N RFC 5869
|
|
|
|
.%D May 2010
|
|
|
|
.Re
|
2002-10-04 22:37:19 +04:00
|
|
|
.Pp
|
2002-10-05 19:45:52 +04:00
|
|
|
.Dq PKCS #5 v2.0: Password-Based Cryptography Standard ,
|
|
|
|
RSA Laboratories, March 25, 1999.
|
2002-10-04 22:37:19 +04:00
|
|
|
.Sh HISTORY
|
2002-10-05 19:45:52 +04:00
|
|
|
The
|
2002-10-04 22:37:19 +04:00
|
|
|
.Nm
|
|
|
|
utility appeared in
|
2003-01-20 00:25:36 +03:00
|
|
|
.Nx 2.0 .
|
2021-11-22 17:34:35 +03:00
|
|
|
.Pp
|
cgdconfig(8): Add support for shared keys.
New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:
- Hashing the password is expensive, so it should only be done once.
Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.
. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.
And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.
- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.
The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.
The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.
Example:
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};
The key used for this disk will be derived by
HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),
where k is the outcome of PBKDF2-SHA1 with the given parameters.
Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.
If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
2022-08-12 13:49:17 +03:00
|
|
|
Support for
|
2021-11-22 17:34:35 +03:00
|
|
|
.Li argon2id
|
cgdconfig(8): Add support for shared keys.
New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:
- Hashing the password is expensive, so it should only be done once.
Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.
. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.
And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.
- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.
The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.
The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.
Example:
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};
The key used for this disk will be derived by
HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),
where k is the outcome of PBKDF2-SHA1 with the given parameters.
Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.
If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
2022-08-12 13:49:17 +03:00
|
|
|
and for shared keys appeared in
|
2021-11-22 17:34:35 +03:00
|
|
|
.Nx 10.0 .
|
2002-10-04 22:37:19 +04:00
|
|
|
.Sh BUGS
|
2018-05-09 23:23:35 +03:00
|
|
|
Pass phrases are limited to 1023 bytes.
|