Current-Users archive


Re: cgd questions



On Sun, Oct 01, 2023 at 09:31:03AM -0400, Greg Troxel wrote:
> Thomas Klausner <wiz%NetBSD.org@localhost> writes:
> 
> > When I pick up a cgd disk and want to use it on a NetBSD system to
> > which it was not connected before, what do I need?
> >
> > - the passphrase
> > - the /etc/cgd/foo file?
> >
> > If you need the /etc/cgd/foo file too, how do people handle those for
> > cgds used as backup disks?
> 
> Yes, you need the /etc/cgd/foo file because the passphrase is salted,
> and you might need an iv depending on iv method.  IMHO this is a design
> bug in cgd.  At least as a normal path, one should be able to access
> with just the passphrase.
> 
> My setup is
> 
>   (this is for a 512-sector disk)
>   GPT partition on disk
>   index 2: 16384 sectors starting at 64, ffs
>   index 1: rest of disk, cgd
> 
>   in index 2, newfs and then rsync all my cgd init files.
>   in index 1, cgdconfig
> 
> Thus, any backup disk has the params for all of them.

That is a great idea. I should have thought of that before creating
partitions on my backup disks :|

> > The other question is that the cgd man page says that some ciphers are
> > obsolete. How can I switch from an obsolete cipher to a new one - is
> > the only method to make a new cgd with the new cipher and copy the
> > data manually?
> 
> I believe that's the only way.  I can't even figure out how to change
> the passphrase without doing that.

If I understand the cgdconfig man page correctly, this is how you do that:

     To create a new parameters file that will generate the same key as an old
     parameters file:

             # cgdconfig -G -o newparamsfile oldparamsfile
             old file's passphrase:
             new file's passphrase:

 Thomas
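
Why the parameters file has to travel with the disk, as an added example that is not part of the original thread and not cgdconfig's own code: the passphrase only yields the disk key together with the salt and iteration count stored in that file. The params layout and the base64 salt encoding (4-byte bit count, then the salt bytes) are assumptions based on cgdconfig(8), the derivation is plain PBKDF2-HMAC-SHA1 and is not claimed to be bit-identical to cgdconfig's, and every value is constructed.

```python
import base64, hashlib, re, struct

def make_params(salt: bytes, iterations: int, keylength: int = 256) -> str:
    """Build a constructed params file in the assumed cgdconfig layout."""
    # Assumed encoding: base64 of a big-endian 32-bit bit count followed by the salt.
    blob = base64.b64encode(struct.pack(">I", len(salt) * 8) + salt).decode()
    return (
        "algorithm aes-cbc;\n"
        "iv-method encblkno1;\n"
        f"keylength {keylength};\n"
        "verify_method none;\n"
        "keygen pkcs5_pbkdf2/sha1 {\n"
        f"        iterations {iterations};\n"
        f"        salt {blob};\n"
        "};\n"
    )

def parse_params(text: str):
    """Return (keylength_bits, iterations, salt_bytes) from a params file."""
    keylength = int(re.search(r"^keylength\s+(\d+);", text, re.M).group(1))
    iterations = int(re.search(r"iterations\s+(\d+);", text).group(1))
    raw = base64.b64decode(re.search(r"salt\s+([A-Za-z0-9+/=]+);", text).group(1))
    (nbits,) = struct.unpack(">I", raw[:4])
    salt = raw[4:]
    if len(salt) * 8 != nbits:
        raise ValueError("salt length prefix does not match salt data")
    return keylength, iterations, salt

def derive_key(passphrase: str, params_text: str) -> bytes:
    """Derive the disk key from the passphrase plus the file's salt and iterations."""
    keylength, iterations, salt = parse_params(params_text)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt,
                               iterations, keylength // 8)

PASSPHRASE = "correct horse battery staple"           # constructed
ORIGINAL = make_params(bytes(range(16)), 20000)        # file kept in /etc/cgd on the first host
COPIED = ORIGINAL                                      # same file, carried along with the disk
REGENERATED = make_params(bytes(range(16, 32)), 20000) # fresh file made on the new host

if __name__ == "__main__":
    key = derive_key(PASSPHRASE, ORIGINAL)
    print("copied params file  :", derive_key(PASSPHRASE, COPIED) == key)
    print("regenerated file    :", derive_key(PASSPHRASE, REGENERATED) == key)
```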

