forked from NetBSD/src
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcgdconfig.8
656 lines (655 loc) · 17.3 KB
/
cgdconfig.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
.\" $NetBSD: cgdconfig.8,v 1.57 2022/08/12 10:49:47 riastradh Exp $
.\"
.\" Copyright (c) 2002, The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Roland C. Dowdeswell.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 4, 2021
.Dt CGDCONFIG 8
.Os
.Sh NAME
.Nm cgdconfig
.Nd configuration utility for the cryptographic disk driver
.Sh SYNOPSIS
.Nm
.Op Fl enpv
.Op Fl V Ar vmeth
.Ar cgd dev
.Op Ar paramsfile
.Nm
.Fl C
.Op Fl enpv
.Op Fl f Ar configfile
.Nm
.Fl G
.Op Fl enpv
.Op Fl i Ar ivmeth
.Op Fl k Ar kgmeth
.Op Fl o Ar outfile
.Ar paramsfile
.Nm
.Fl g
.Op Fl Sv
.Op Fl V Ar vmeth
.Op Fl i Ar ivmeth
.Op Fl k Ar kgmeth
.Op Fl o Ar outfile
.Op Fl P Ar paramsfile
.Ar alg
.Op Ar keylen
.Nm
.Fl T
.Op Fl f Ar configfile
.Nm
.Fl t
.Ar paramsfile
.Nm
.Fl l
.Op Fl v Ns Op Cm v
.Op Ar cgd
.Nm
.Fl s
.Op Fl nv
.Op Fl i Ar ivmeth
.Ar cgd
.Ar dev
.Ar alg
.Op Ar keylen
.Nm
.Fl U
.Op Fl nv
.Op Fl f Ar configfile
.Nm
.Fl u
.Op Fl nv
.Ar cgd
.Sh DESCRIPTION
.Nm
is used to configure and unconfigure cryptographic disk devices (cgds)
and to maintain the configuration files that are associated with them.
For more information about cryptographic disk devices see
.Xr cgd 4 .
.Pp
The options are as follows:
.Bl -tag -width configfilexxxx
.It Fl C
Configure all the devices listed in the cgd configuration file.
.It Fl e
Echo the passphrase.
.It Fl f Ar configfile
Specify the configuration file explicitly, rather than using the default
configuration file
.Pa /etc/cgd/cgd.conf .
.It Fl G
Generate a new paramsfile (to stdout) using the values from
.Ar paramsfile
which will generate the same key.
This may need to obtain multiple passphrases.
.It Fl g
Generate a paramsfile (to stdout).
.It Fl i Ar ivmeth
Specify the IV method (default: encblkno1).
.Pp
Setting the IV method is needed only for compatibility with disks
written with a very old version of
.Xr cgd 4
from before
.Nx 5.0 ,
released in 2010; see
.Xr cgd 4
for details.
.It Fl k Ar kgmeth
Specify the key generation method (default: pkcs5_pbkdf2/sha1).
.It Fl l Op Ar cgd
List state of all devices or just the one
.Ar cgd
device.
The verbosity level affects the output.
.It Fl n
Do not actually configure or unconfigure a cryptographic disk
device, but instead report the steps that would be taken.
.It Fl o Ar outfile
When generating a
.Ar paramsfile ,
store it in
.Ar outfile .
If
.Fl o
is not given, any paramsfile content is written to standard output.
.It Fl P Ar paramsfile
With the
.Fl S
option for the
.Fl g
or
.Fl G
actions, specify a parameters file with a shared key to reuse for
deriving this one as a subkey.
.It Fl p
Read all passphrases from stdin rather than
.Pa /dev/tty .
Passphrases are separated by newlines.
Users of this flag must be able to predict the order in which passphrases
are prompted.
If this flag is specified then verification errors will cause the device
in question to be unconfigured rather than prompting for the passphrase
again.
.It Fl S
When generating a parameters file with
.Fl g
or
.Fl G ,
arrange to use a subkey of a shared key.
If
.Fl P Ar paramsfile
is also specified, reuse the shared key of
.Ar paramsfile ;
otherwise a new one will be generated.
.It Fl s
Read the key (nb: not the passphrase) from stdin.
.It Fl T
Generate all keys for all the devices listed in the
.Nm
configuration file and print them to standard output encoded in
base64.
.It Fl t
Generate the key and print it to standard output encoded in base64.
.It Fl U
Unconfigure all the devices listed in the cgd configuration file.
.It Fl u
Unconfigure a cgd.
.It Fl V Ar vmeth
Specify the verification method (default: none).
.It Fl v
Be verbose.
May be specified multiple times.
.El
.Pp
For more information about the cryptographic algorithms supported,
please refer to
.Xr cgd 4 .
.Ss Key Generation Methods
To generate the key which it will use,
.Nm
evaluates all of the key generation methods in the parameters file
and uses the exclusive-or of the outputs of all the methods.
The methods and descriptions are as follows:
.Bl -tag -width indentxxxxxxxxxxx
.It argon2id
This method requires a passphrase which is entered at configuration
time.
Argon2 is a memory-hard password hashing scheme and winner of the
2013-2015 Password Hashing Competition.
It has numerous parameters allowing its hardness to scale with the
performance of the system.
Recommended for passphrase-based initialization.
.It pkcs5_pbkdf2/sha1
This method requires a passphrase which is entered at configuration
time.
It is a salted hmac-based scheme detailed in
.Dq PKCS#5 v2.0: Password-Based Cryptography Standard ,
RSA Laboratories, March 25, 1999, pages 8-10.
PKCS #5 was also republished as RFC 2898.
.It pkcs5_pbkdf2
This is an earlier, slightly incorrect and deprecated implementation
of the above algorithm.
It is retained for backwards compatibility with existing parameters
files, and will be removed.
Existing parameters files should be
converted to use the correct method using the
.Fl G
option, and a new passphrase.
.It storedkey
This method stores its key in the parameters file.
.It randomkey
The method simply reads
.Pa /dev/random
and uses the resulting bits as the key.
It does not require a passphrase to be entered.
This method is typically used to present disk devices that do not
need to survive a reboot.
It is also handy to facilitate overwriting the contents of
a disk volume with meaningless data prior to use.
.It urandomkey
The method simply reads
.Pa /dev/urandom
and uses the resulting bits as the key.
This is similar to the
.Pa randomkey
method, but it guarantees that
.Nm
will not stall waiting for 256 bits of entropy from a hardware RNG
or seed.
.It shell_cmd
This method executes a shell command via
.Xr popen 3
and reads the key from stdout.
.El
.Ss Verification Method
The verification method is how
.Nm
determines if the generated key is correct.
If the newly configured disk fails to verify, then
.Nm
will regenerate the key and re-configure the device.
It only makes sense to specify a verification method if at least one of the
key generation methods is error prone, e.g., uses a user-entered passphrase.
The following verification methods are supported:
.Pp
.Bl -tag -width indentxxx -compact
.It none
perform no verification.
.It disklabel
scan for a valid disklabel.
.It mbr
scan for a valid Master Boot Record.
.It gpt
scan for a valid GUID partition table.
.It ffs
scan for a valid FFS file system.
.It re-enter
prompt for passphrase twice, and ensure entered passphrases are
identical.
This method only works with the argon2id, pkcs5_pbkdf2/sha1, and
pkcs5_pbkdf2 key generators.
.El
.Ss /etc/cgd/cgd.conf
The file
.Pa /etc/cgd/cgd.conf
is used to configure
.Nm
if either of
.Fl C
or
.Fl U
are specified.
Each line of the file is composed of either two or three
tokens: cgd, target, and optional paramsfile.
.Pp
A
.Sq \&#
character is interpreted as a comment and indicates that the
rest of the line should be ignored.
A
.Sq \e
at the end of a line indicates that the next line is a continuation of
the current line.
.Pp
If the second field is of the form
.Dq NAME=<value>
then all the
.Xr dk 4
wedge partitions are searched for one that has a wedge name equal to
.Ar <value>
and the device corresponding to it is selected.
.Pp
If the second field starts with the prefix
.Dq ROOT.
the prefix is replaced with
.Dq /dev/[root_device] ,
where
.Bq root_device
is the value of the
.Dq kern.root_device
sysctl.
.Pp
See
.Sx EXAMPLES
for an example of
.Pa /etc/cgd/cgd.conf .
.Ss Parameters File
The Parameters File contains the required information to generate the
key and configure a device.
These files are typically generated by the
.Fl g
flag and not edited by hand.
When a device is configured the default parameters file is constructed
by taking the basename of the target disk and prepending
.Pa /etc/cgd/
to it.
E.g., if the target is
.Pa /dev/sd0h ,
then the default parameters file will be
.Pa /etc/cgd/sd0h .
.Pp
It is possible to have more than one parameters file for a given
disk which use different key generation methods but will generate
the same key.
To create a parameters file that is equivalent to an existing parameters
file, use
.Nm
with the
.Fl G
flag.
See
.Sx EXAMPLES
for an example of this usage.
.Pp
The parameters file contains a list of statements each terminated
with a semi-colon.
Some statements can contain statement-blocks which are either a
single unadorned statement, or a brace-enclosed list of semicolon
terminated statements.
Three types of data are understood:
.Pp
.Bl -tag -compact -width integerxx
.It integer
a 32 bit signed integer.
.It string
a string.
.It base64
a length-encoded base64 string.
.El
.Pp
The following statements are defined:
.Bl -tag -width indentxx
.It algorithm Ar string
Defines the cryptographic algorithm.
.It iv-method Ar string
Defines the IV generation method.
This should always be
.Sq encblkno1
except when dealing with disks written with a very old version of
.Xr cgd 4
from before
.Nx 5.0 ,
released in 2010; see
.Xr cgd 4
for details.
.It keylength Ar integer
Defines the length of the key.
.It verify_method Ar string
Defines the verification method.
.It keygen Ar string Ar statement_block
Defines a key generation method.
The
.Ar statement_block
contains statements that are specific to the key generation method.
.El
.Pp
The keygen statement's statement block may contain the following statements:
.Bl -tag -width indentxx
.It key Ar string
The key.
Only used for the storedkey key generation method.
.It cmd Ar string
The command to execute.
Only used for the shell_cmd key generation method.
.It iterations Ar integer
The number of iterations.
Only used for argon2id, pkcs5_pbkdf2/sha1, and pkcs5_pbkdf2.
.It salt Ar base64
The salt.
Only used for argon2id, pkcs5_pbkdf2/sha1, and pkcs5_pbkdf2.
.It memory Ar integer
Memory consumption in kilobytes.
Only used for argon2id.
.It parallelism Ar integer
Number of threads to use to compute the password hash.
Should be equivalent to the number of CPUs/hardware threads.
Only used for argon2id.
.It version Ar integer
Version of Argon2 to use.
Should be the most recent version, currently
.Dv 19 .
Only used for argon2id.
.It shared Ar name No algorithm Ar kdf No subkey Ar info
Makes the key generation take an extra step to derive a subkey from the
main key using the key derivation function
.Ar kdf
with input
.Ar info .
.Pp
This enables a single password entry, for example, to decrypt multiple
disks that use different keys, each derived as a subkey from the main
key generated from the password.
.Bl -tag -width 6n
.It Ar name
A string used to identify the same main key generation shared between
parameters files for different disks listed in a single
.Pa cgd.conf
configuration file.
.It Ar kdf
The name of a key derivation function used to derive a subkey from the
main key.
Supported values:
.Bl -tag -width 6n -offset indent
.It Li hkdf-hmac-sha256
The HKDF-Expand function of RFC 5869, instantiated with SHA-256.
.El
.It Ar info
A base64 length-encoded string to distinguish different subkeys derived
from a shared main key.
Need not be secret.
For example, it could be a nickname, or the disk's World-Wide Name, or
a UUID generated for the disk, or just a random string.
.El
.Pp
It is an error to reuse a shared key
.Ar name
with different keygen blocks, other than the
.Ar info
parameter,
between parameters files used by a single
.Pa cgd.conf
configuration file.
.El
.Sh FILES
.Bl -tag -width indentxxxxxxxxxxxxxxxxxx -compact
.It Pa /etc/cgd/
configuration directory, used to store paramsfiles.
.It Pa /etc/cgd/cgd.conf
cgd configuration file.
.El
.Sh EXAMPLES
To set up and configure a cgd that uses adiantum, which takes a 256-bit
key:
.Bd -literal
# cgdconfig -g -k argon2id -o /etc/cgd/wd0e adiantum 256
# cgdconfig cgd0 /dev/wd0e
/dev/wd0e's passphrase:
.Ed
.Pp
When using verification methods, the first time that we configure the
disk the verification method will fail.
We overcome this by supplying
.Fl V Ar re-enter
when we configure the first time to set up the disk.
Here is the
sequence of commands that is recommended:
.Bd -literal
# cgdconfig -g -k argon2id -o /etc/cgd/dk3 -V gpt adiantum
# cgdconfig -V re-enter cgd0 /dev/dk3
/dev/dk3's passphrase:
re-enter device's passphrase:
# gpt create cgd0
# cgdconfig -u cgd0
# cgdconfig cgd0 /dev/dk3
/dev/dk3's passphrase:
.Ed
.Pp
To scrub data from a disk before setting up a cgd:
.Bd -literal
# cgdconfig -s cgd0 /dev/sd0e adiantum 256 < /dev/urandom
# dd if=/dev/zero of=/dev/rcgd0d bs=32k progress=512
# cgdconfig -u cgd0
.Ed
.Pp
To create a new parameters file that will generate the same key as an old
parameters file:
.Bd -literal
# cgdconfig -G -o newparamsfile oldparamsfile
old file's passphrase:
new file's passphrase:
.Ed
.Pp
To create parameters files for three disks with subkeys derived from a
shared password-based key:
.Bd -literal
# cgdconfig -g -S -k argon2id -o /etc/cgd/wd0 -V gpt adiantum
# cgdconfig -g -S -P /etc/cgd/wd0 -o /etc/cgd/ld1 \e
-V disklabel aes-cbc 256
.Ed
.Pp
Listing these in the same
.Pa /etc/cgd/cgd.conf
will allow you to enter a password once to decrypt both disks with
.Cm cgdconfig -C .
.Pp
To configure a cgd that uses aes-cbc with a 192 bit key that it
reads from stdin:
.Bd -literal
# cgdconfig -s cgd0 /dev/sd0h aes-cbc 192
.Ed
.Pp
An example parameters file which uses PKCS#5 PBKDF2:
.Bd -literal
algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6Kog \e
dYJAobCHE=;
};
.Ed
.Pp
An example parameters file which stores its key locally:
.Bd -literal
algorithm adiantum;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen storedkey key AAABAK3QO6d7xzLfrXTdsgg4 \e
ly2TdxkFqOkYYcbyUKu/f60L;
.Ed
.Pp
An example pair of configuration files which use shared keys so they
can be derived from a single passphrase entry, with the 64-bit
World-Wide Name of each disk (base64 length-encoded) as its subkey
info:
.Bl -tag -offset indent -width 6n
.It Pa /etc/cgd/wd0a
.Bd -literal
algorithm adiantum;
iv-method encblkno1;
keylength 256;
verify_method gpt;
keygen argon2id {
iterations 32;
memory 5214;
parallelism 2;
version 19;
salt AAAAgLZ5QgleU2m/Ib6wiPYxz98=;
shared "my laptop" algorithm hkdf-hmac-sha256 \e
subkey AAAAQEGELNr3bj3I;
};
.Ed
.It Pa /etc/cgd/wd1a
.Bd -literal
algorithm adiantum;
iv-method encblkno1;
keylength 256;
verify_method gpt;
keygen argon2id {
iterations 32;
memory 5214;
parallelism 2;
version 19;
salt AAAAgLZ5QgleU2m/Ib6wiPYxz98=;
shared "my laptop" algorithm hkdf-hmac-sha256 \e
subkey AAAAQHSC15pr1Pe4;
};
.Ed
.El
.Pp
An example
.Pa /etc/cgd/cgd.conf :
.Bd -literal
#
# /etc/cgd/cgd.conf
# Configuration file for cryptographic disk devices
#
# cgd target [paramsfile]
cgd0 /dev/wd0e
cgd1 NAME=mycgd /usr/local/etc/cgd/mycgd
.Ed
.Pp
Note the first entry will store the parameters file as
.Pa /etc/cgd/wd0e .
And use the entered passphrase to generate the key.
.Pp
Although not required, the partition type
.Ar cgd
should be used in the disklabel or GPT type field for the cgd partition.
.Sh DIAGNOSTICS
.Bl -diag
.It "cgdconfig: could not calibrate pkcs5_pbkdf2"
An error greater than 5% in calibration occurred.
This could be the result of dynamic processor frequency scaling technology.
Ensure that the processor clock frequency remains static throughout the
program's execution.
.El
.Sh SEE ALSO
.Xr cgd 4 ,
.Xr dk 4 ,
.Xr fstab 5 ,
.Xr disklabel 8 ,
.Xr gpt 8
.Rs
.%T "Argon2: the memory-hard function for password hashing and other applications"
.%A Alex Biryukov
.%A Daniel Dinu
.%A Dmitry Khovratovich
.%D 2017
.%I University of Luxembourg
.%U https://www.password-hashing.net/
.Re
.Rs
.%A H. Krawczyk
.%A P. Eronen
.%T HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
.%I Internet Engineering Task Force
.%U https://www.rfc-editor.org/rfc/rfc5869.html
.%N RFC 5869
.%D May 2010
.Re
.Pp
.Dq PKCS #5 v2.0: Password-Based Cryptography Standard ,
RSA Laboratories, March 25, 1999.
.Sh HISTORY
The
.Nm
utility appeared in
.Nx 2.0 .
.Pp
Support for
.Li argon2id
and for shared keys appeared in
.Nx 10.0 .
.Sh BUGS
Pass phrases are limited to 1023 bytes.