NetBSD/share/man/man4/cgd.4

195 lines
5.1 KiB
Groff
Raw Normal View History

2010-04-15 13:56:56 +04:00
.\" $NetBSD: cgd.4,v 1.16 2010/04/15 09:56:56 wiz Exp $
.\"
.\" Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Roland C. Dowdeswell.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
2010-04-15 12:28:41 +04:00
.Dd April 15, 2010
.Dt CGD 4
.Os
.Sh NAME
.Nm cgd
.Nd cryptographic disk driver
.Sh SYNOPSIS
.Cd "pseudo-device cgd" Op Ar count
.Sh DESCRIPTION
The
.Nm
driver provides the capability of encrypting blocks on their way
to and from a disk or partition.
.Pp
In order to compile support for the
.Nm
into your kernel, you must add the driver to your kernel configuration
file.
To do this, add a line similar to:
.Bd -unfilled -offset indent
pseudo-device cgd 4 # cryptographic disk driver
.Ed
.Pp
The count argument defines how many
2010-04-15 13:56:56 +04:00
.Nm
2010-04-15 12:28:41 +04:00
devices may be configured at a time.
.Ss Encryption Algorithms
Currently the following cryptographic algorithms are supported:
.Bl -tag -width indentxxxxxxx
2010-04-15 12:28:41 +04:00
.It Ic aes-cbc
.Tn AES
in
.Tn CBC
mode.
.Tn AES
uses a 128 bit blocksize and can accept keys of length 128, 192, or 256.
The default key length is 128.
2010-04-15 12:28:41 +04:00
.It Ic 3des-cbc
Triple
.Tn DES
in
.Tn CBC
mode.
Triple
.Tn DES
uses a 64 bit blocksize and is performed in
.Tn EDE3
mode with a 168 bit key.
The key passed to the kernel is 192 bits but the parity bits are ignored.
.It Ic blowfish-cbc
Blowfish in
.Tn CBC
mode.
Blowfish uses a 64 bit blocksize and can accept keys between 40 and
448 bits in multiples of 8.
It is strongly encouraged that keys be at least 128 bits long.
There are no performance advantages of using shorter keys.
The default key length is 128 bits.
.El
.Ss IV Methods
2010-04-15 12:28:41 +04:00
Currently, the following
.Tn IV
Methods are supported:
.Bl -tag -width encblkno1
2010-04-15 12:28:41 +04:00
.It Ic encblkno1
This method encrypts the block number of the physical disk block once with
2010-04-15 12:28:41 +04:00
the cipher and key provided and uses the result as the
.Tn IV
for
.Tn CBC
mode.
This method should ensure that each block has a different
.Tn IV
and that the
.Tn IV
is reasonably unpredictable.
This is the default method used by
.Xr cgdconfig 8
2010-04-15 12:28:41 +04:00
when configuring a new
2010-04-15 13:56:56 +04:00
.Nm .
2010-04-15 12:28:41 +04:00
.It Ic encblkno8
This is the original
.Tn IV
method used by
.Nm
2008-09-13 13:13:14 +04:00
and provided for backward compatibility.
It repeatedly encrypts the block number of the physical disk block
2010-04-15 12:28:41 +04:00
eight times and uses the result as the
.Tn IV
for
.Tn CBC
mode.
This method should ensure that each block has a different
.Tn IV
and that the
.Tn IV
is reasonably unpredictable.
The eightfold encryption was not intended and causes a notable
performance loss with little (if any) increase in security over a
single encryption.
.El
.Ss IOCTLS
A
.Nm
responds to all of the standard disk
.Xr ioctl 2
calls defined in
.Xr sd 4 ,
and also defines the following:
2010-04-15 12:28:41 +04:00
.Bl -tag -width CGDIOCSET -offset indent
.It Dv CGDIOCSET
Configure the
.Nm .
This
.Xr ioctl 2
sets up the encryption parameters and points the
.Nm
at the underlying disk.
2010-04-15 12:28:41 +04:00
.It Dv CGDIOCCLR
Unconfigure the
.Nm .
.El
.Pp
These
.Xr ioctl 2 Ns 's
and their associated data structures are defined in
2010-04-15 12:28:41 +04:00
.In dev/cgdvar.h
header.
.Sh WARNINGS
It goes without saying that if you forget the passphrase that you used
to configure a
.Nm ,
then you have irrevocably lost all of the data on the disk.
Please ensure that you are using an appropriate backup strategy.
.Sh FILES
.Bl -tag -width indentxxxxxxxxxxx
.It /dev/{,r}cgd*
.Nm
device special files.
.El
.Sh SEE ALSO
.Xr config 1 ,
.Xr ioctl 2 ,
.Xr sd 4 ,
2010-04-14 17:06:45 +04:00
.Xr cgdconfig 8 ,
.Xr MAKEDEV 8
2010-04-14 15:52:39 +04:00
.Rs
.%A Roland C. Dowdeswell
.%A John Ioannidis
.%T The CryptoGraphic Disk Driver
.%I USENIX Association
.%B Proceedings of the FREENIX Track: 2003 USENIX Annual Technical Conference
.%P 179-186
.%D June 9-14, 2003
2010-04-14 17:06:45 +04:00
.%U http://www.usenix.org/event/usenix03/tech/freenix03/full_papers/dowdeswell/dowdeswell.pdf
2010-04-14 15:52:39 +04:00
.Re
.Sh HISTORY
The
.Nm
driver was written by Roland C. Dowdeswell for
.Nx .
The
.Nm
driver originally appeared in
2003-01-20 00:25:36 +03:00
.Nx 2.0 .