On Sun, Oct 01, 2023 at 09:31:03AM -0400, Greg Troxel wrote:
> Thomas Klausner <w...@netbsd.org> writes:
>
> > When I pick up a cgd disk and want to use it on a NetBSD system to
> > which it was not connected before, what do I need?
> >
> > - the passphrase
> > - the /etc/cgd/foo file?
> >
> > If you need the /etc/cgd/foo file too, how do people handle those for
> > cgds used as backup disks?
>
> Yes, you need the /etc/cgd/foo file because the passphrase is salted,
> and you might need an iv depending on iv method. IMHO this is a design
> bug in cgd. At least as a normal path, one should be able to access
> with just the passphrase.
>
> My setup is
>
> (this is for a 512-sector disk)
> GPT partition on disk
> index 2: 16384 sectors starting at 64, ffs
> index 1: rest of disk, cgd
>
> in index 2, newfs and then rsync all my cgd init files.
> in index 1, cgconfig
>
> Thus, any backup disk has the params for all of them.

That is a great idea. I should have thought of that before creating
partitions on my backup disks :|

> > The other question is that the cgd man page says that some ciphers are
> > obsolete. How can I switch from an obsolete cipher to a new one - is
> > the only method to make a new cgd with the new cipher and copy the
> > data manually?
>
> I believe that's the only way. I can't even figure out how to change
> the passphrase without doing that.

IIUC the cgdconfig man page correctly, this is how you do that:

    To create a new parameters file that will generate the same key as an old
    parameters file:

        # cgdconfig -G -o newparamsfile oldparamsfile
        old file's passphrase:
        new file's passphrase:

 Thomas
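
Why a salted passphrase is useless without the params file, and how a params file with a new passphrase can still yield the same key, as an added Python sketch that is not from this thread or from the cgd source. The dict layout, the use of PBKDF2-HMAC-SHA1 with these counts, and the XOR-mask approach to re-keying are assumptions made for illustration; all sample values are constructed.

```python
import hashlib
import secrets

KEY_BYTES = 32  # assumed 256-bit volume key


def derive(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 over the passphrase, using salt and count from the params."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, iterations, KEY_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def volume_key(params: dict, passphrase: str) -> bytes:
    """Key = PBKDF2 output, XORed with a stored mask when the params carry one."""
    key = derive(passphrase, params["salt"], params["iterations"])
    return xor(key, params["mask"]) if "mask" in params else key


def rekey(old: dict, old_pass: str, new_pass: str) -> dict:
    """Build new params that yield the same volume key under a new passphrase."""
    target = volume_key(old, old_pass)
    new = {"salt": secrets.token_bytes(16), "iterations": old["iterations"]}
    # The mask cancels the new PBKDF2 output and leaves the original key.
    new["mask"] = xor(derive(new_pass, new["salt"], new["iterations"]), target)
    return new


# Constructed sample values, not taken from any real params file.
OLD_PARAMS = {"salt": bytes.fromhex("00112233445566778899aabbccddeeff"),
              "iterations": 20000}
# A host that has the passphrase but not the params file has no way to know the salt.
OTHER_HOST = {"salt": bytes(16), "iterations": 20000}

if __name__ == "__main__":
    k = volume_key(OLD_PARAMS, "correct horse")
    print("passphrase alone reproduces key:",
          volume_key(OTHER_HOST, "correct horse") == k)
    new_params = rekey(OLD_PARAMS, "correct horse", "new phrase")
    print("new params + new passphrase, same key:",
          volume_key(new_params, "new phrase") == k)
    print("old passphrase on new params:",
          volume_key(new_params, "correct horse") == k)
```

Under this scheme the old params file still unlocks the disk with the old passphrase, so re-keying only helps if every copy of the old file, including those stored on backup disks, is replaced.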