Jan. 27th, 2019

Last Fall I'd mentioned that for external backup drives I would be shifting the relevant computer to NetBSD. What I have not yet mentioned is how needlessly irritating the disk encryption setup was. With LUKS or bioctl -c C or their ilk I would specify the underlying raw disk partition and a keyfile and whatever and be handed a mountable virtual disk bearing the plaintext.

NetBSD's cgdconfig is quite different. I must provide it a file that says which underlying device corresponds to which virtual device, then I am supposed to use a command to generate another file that tells the system how to provide me a decrypted volume from the raw. Both the file-generation command and the file format are incompletely documented and not set up for my just providing a binary key in a file for ad hoc choice of device du jour. Whatever use case was in mind, it wasn't mine: I feel as if I actually want whatever the offered interface is a veneer over.

In the end I did get things working, mostly by creating the generated file by hand and being guided by the error messages along the way, then testing empirically that it appeared to do what I expected: e.g., it is actually reading the key I provided because if I change it for a different one then I can no longer mount the volume.

I am grateful that disk encryption is offered at all; I was just unprepared for the hoops NetBSD seemed to put in the way of, "Somehow keyed against this random binary file, let me now use the given device as an encrypted volume." At least having figured it out once I have been able to reuse the recipe since.

Mark T. B. Carroll
