EXOTIC SILICON
“Encrypt, decrypt or re-encrypt as desired!”
Manipulating disk images used with the vnd driver
How about a simple command line utility to:
  • Convert vnd images between unencrypted and encrypted.
  • Display the encryption key in hex notation.
  • Change the encryption passphrase.
  • Change the number of rounds used for key derivation.
  • Add, remove, or change the required salt file.
  • Add or remove the use of key derivation altogether.
Sounds good?
Quicker and easier than doing it manually?
Download vnformat and enjoy!
Download station
Download the vnformat source tar archive, which includes a manual page and checksums signed with our signify key.
Installation instructions
Installing vnformat is quick and easy.
Unpack the tar archive:
# tar -xvf vnformat_v2.1.tar
# cd vnformat_v2.1
Verify the signed checksums:
# signify -Cp /etc/signify/exoticsilicon.pub -x checksums.sig
Compile the source code:
# cc -lutil -O3 -o vnformat vnformat.c
# strip vnformat
Install the vnformat binary and manual page:
# mv vnformat /usr/local/sbin/
# mv vnformat.8 /usr/local/man/man8/
That's it! Installation is complete!
Using vnformat
For a comprehensive description of all of the command line options, please refer to the manual page.
At a minimum, basic usage of vnformat requires specifying the input and output files using -i and -o:
# vnformat -i input.img -o output.img
This will produce output similar to the following, assuming that input.img is a readable file of size 1 GB:
Input: 'input.img' (unencrypted)
Output: 'output.img' (unencrypted)
Input: 1073741824 bytes, 2097152 512-byte blocks
Operation completed successfully
Since no other options were specified, the data was simply copied unchanged (although if the size of the input file had not been a multiple of 512 bytes, then the output would have been truncated).
To perform useful transformations, further options need to be supplied to vnformat.
By using the -K option, the output can be encrypted using a simple passphrase as the key:
# vnformat -i input.img -o encrypted.img -K foobar
Input: 'input.img' (unencrypted)
Output: 'encrypted.img' (encrypted with simple key), key: 'foobar'
Input: 1073741824 bytes, 2097152 512-byte blocks
Output key:
66 6f 6f 62 61 72
Operation completed successfully
The resulting file, encrypted.img, can now be configured as a vnode disk using vnconfig:
# vnconfig -k encrypted.img
You will be prompted to enter the encryption key interactively, and upon entering it, the vnd device is configured for use.
Working with encrypted vnd devices, especially doing automated bulk conversion, just got easier!
Manual page summary
VNFORMAT(8)
NAME
vnformat - encrypt and decrypt vnode disk images
SYNOPSIS
vnformat [-i file] [-f keyfile] [-k key] [-r rounds] [-s saltfile] [-o file] [-F keyfile] [-K key] [-R rounds] [-S saltfile] [-T saltfile]
DESCRIPTION
vnformat reads and writes vnode disk images, as created and used by vnd(4).
The type of encryption (if any) and the encryption parameters (key, salt, and number of rounds) can be specified separately for input and output. This allows existing disk image files to be converted between encrypted and unencrypted, as well as between different encryption configurations.
The vnformat utility can also be used to view the actual binary encryption key that is used for encryption or decryption.
The options are as follows:
-i file
Specifies the input file. This should have a file size that is a multiple of 512 bytes. This option is required.
-f keyfile
Specifies a file to read the input key from. This option is mutually exclusive with -k. See the next entry for information about how specifying a key interacts with other options. See the CAVEATS section for important information about reading keys from files.
-k key
Specifies the encryption key for the input. If rounds or saltfile are also specified for the input file, then the supplied key will not be used directly as an input to the encryption algorithm but will instead be passed through a key derivation function first.
-r rounds
Specifies the number of rounds to use during key derivation for the input. The valid range is from 1000 to INT_MAX. If a saltfile is supplied via -s without an explicit rounds parameter, then rounds will default to 1000.
-s saltfile
Specifies the salt file for the input. This should contain 128 bytes of random data, and will be used as an input to the key derivation function mentioned above.
-o file
Specifies the output file. If file does not already exist, it will be created with 0600 permissions. If file already exists and is writable, it will be truncated before writing. This option is required.
-F keyfile
Specifies a file to read the output key from. This option is mutually exclusive with -K. See the entry for -k for information about how specifying a key interacts with other options. See the CAVEATS section for important information about reading keys from files.
-K key
Specifies the encryption key for the output. If rounds or saltfile are also specified for the output file, then the supplied key will be used via a key derivation function as described above for the input key.
-R rounds
Specifies the number of rounds to use during key derivation for the output. The valid range is from 1000 to INT_MAX. If a saltfile is supplied via either -S or -T without an explicit rounds parameter, then rounds will default to 1000.
-S saltfile
Specifies the salt file for the output. This should contain 128 bytes of random data, and will be used as an input to the key derivation function.
-T saltfile
This option will write 128 bytes of random data to saltfile and use that as the salt for the key derivation function for the output. This is equivalent to creating such a salt file manually and then specifying it with -S.
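The constraints above (an input that is a whole number of 512-byte blocks, rounds of at least 1000, a salt file of exactly 128 bytes, and a manually created salt file being equivalent to -T) are easy to check before a conversion run. The following helper script is an added example written for this page; it is not part of vnformat or its source archive. It assumes a POSIX sh with dd, od, wc, tr and sed, and a kernel random device at /dev/urandom (OpenBSD and Linux both provide one). The key_hex function reproduces the hex notation vnformat prints for a simple key, which makes visible that a simple key is just the raw passphrase bytes, with no derivation.

```shell
#!/bin/sh
# Added helper script (not part of vnformat): pre-flight checks and salt
# file creation for a vnformat run. Assumes POSIX sh, dd, od, wc, tr, sed.
set -u

# Show the bytes of a "simple key" in the hex notation vnformat prints.
# With no rounds or salt file, these bytes ARE the key: 'foobar' is 6 bytes.
key_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr '\n' ' ' | tr -s ' ' \
        | sed 's/^ *//; s/ *$//'
}

# Number of trailing bytes of a file that do not fill a 512-byte block.
# vnformat requires the input size to be a multiple of 512; anything
# beyond the last whole block would be lost in the output.
truncated_bytes() {
    size=$(wc -c < "$1" | tr -d ' ')
    echo $(( size % 512 ))
}

# Create a 128-byte salt file from the kernel random device with 0600
# permissions. This is the manual equivalent of what -T does before the
# salt is used for key derivation; the result can be passed to -S or -s.
make_saltfile() {
    (umask 077 && dd if=/dev/urandom of="$1" bs=128 count=1 2>/dev/null) \
        || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 128 ]
}

# Validate key-derivation parameters against the manual page's limits:
# rounds must be an integer >= 1000, and the salt file must hold exactly
# 128 bytes. Returns 0 when both conditions hold.
kdf_params_ok() {
    rounds=$1
    saltfile=$2
    case $rounds in ''|*[!0-9]*) return 1 ;; esac
    [ "$rounds" -ge 1000 ] || return 1
    [ -f "$saltfile" ] && [ "$(wc -c < "$saltfile" | tr -d ' ')" -eq 128 ]
}
```

A bulk conversion loop can call truncated_bytes on each image and kdf_params_ok on the rounds and salt file it intends to pass with -R and -S, skipping any image that would be silently shortened or any salt file that is not the expected 128 bytes. Keep the salt file alongside the key: both are needed to reconstruct the derived key later.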
This is just a web-based summary of the manual page.
The full version is included in the source archive.