Editorial review of Encrypted Swap chapter.
Sponsored by: iXsystems
This commit is contained in:
parent
16f30dcb88
commit
194060c1b3
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44503
1 changed files with 23 additions and 35 deletions
@ -3192,7 +3192,7 @@ geli_da2_flags="-p -k /root/da2.key"</programlisting>
<sect1 xml:id="swap-encrypting">
<info>
<title>Encrypting Swap Space</title>
<title>Encrypting Swap</title>
<authorgroup>
<author>
@ -3213,23 +3213,21 @@ geli_da2_flags="-p -k /root/da2.key"</programlisting>
<para>Like the encryption of disk partitions, encryption of swap
space is used to protect sensitive information. Consider an
application that deals with passwords. As long as these
passwords stay in physical memory, these passwords will not be
written to disk and be cleared after a reboot. If &os; starts
swapping out memory pages to free space for other applications,
the passwords may be written to the disk platters unencrypted.
passwords stay in physical memory, they are not
written to disk and will be cleared after a reboot. However, if &os; starts
swapping out memory pages to free space,
the passwords may be written to the disk unencrypted.
Encrypting swap space can be a solution for this
scenario.</para>
<para>The &man.gbde.8; or &man.geli.8; encryption systems may be
used for swap encryption. Both systems use the
<filename>encswap</filename>
<link linkend="configtuning-rcd">rc.d</link> script.</para>
<note>
<para>For the remainder of this section,
<filename>ad0s1b</filename> will be the swap
<para>This section demonstrates how to configure an encrypted
swap partition using &man.gbde.8; or &man.geli.8; encryption.
It assumes a <acronym>UFS</acronym> file system where
<filename>/dev/ad0s1b</filename> is the swap
partition.</para>
</note>
<sect2>
<title>Configuring Encrypted Swap</title>
<para>Swap partitions are not encrypted by default and should
be cleared of any sensitive data before continuing. To
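Review bot: the replacement note's "It assumes a <acronym>UFS</acronym> file system where <filename>/dev/ad0s1b</filename> is the swap partition" conflates the file system with the disk layout; a swap partition carries no file system, so the assumption the reader actually needs is the device name and partitioning scheme. Consider wording such as "It assumes a traditional slice layout where /dev/ad0s1b is the swap partition", which also preserves the intent of the removed "For the remainder of this section, <filename>ad0s1b</filename> will be the swap" sentence.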
@ -3238,42 +3236,32 @@ geli_da2_flags="-p -k /root/da2.key"</programlisting>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen>
<sect2>
<title>Swap Encryption with &man.gbde.8;</title>
<para>The <literal>.bde</literal> suffix should be added to the
device in the respective <filename>/etc/fstab</filename> swap
line:</para>
<para>To encrypt the swap partition using &man.gbde.8;, add the
<literal>.bde</literal> suffix to the swap line in
<filename>/etc/fstab</filename>:</para>
<programlisting># Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.bde none swap sw 0 0</programlisting>
</sect2>
<sect2>
<title>Swap Encryption with &man.geli.8;</title>
<para>The procedure for instead using &man.geli.8; for swap
encryption is similar to that of using &man.gbde.8;. The
<literal>.eli</literal> suffix should be added to the device
in the respective <filename>/etc/fstab</filename> swap
line:</para>
<para>To instead encrypt the swap partition using &man.geli.8;,
use the
<literal>.eli</literal> suffix:</para>
<programlisting># Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.eli none swap sw 0 0</programlisting>
<para>&man.geli.8; uses the <acronym>AES</acronym> algorithm
with a key length of 128 bit by default. These defaults can
<para>By default, &man.geli.8; uses the <acronym>AES</acronym> algorithm
with a key length of 128 bit. These defaults can
be altered by using <literal>geli_swap_flags</literal> in
<filename>/etc/rc.conf</filename>. The following line tells
the <filename>encswap</filename> rc.d script to create
&man.geli.8; swap partitions using the Blowfish algorithm with
<filename>/etc/rc.conf</filename>. The following flags configure
encryption using the Blowfish algorithm with
a key length of 128 bits and a sectorsize of 4 kilobytes, and
sets <quote>detach on last close</quote>:</para>
<programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting>
<para>Refer to the description of
<command>onetime</command> in &man.geli.8; for a list of
<literal>onetime</literal> in &man.geli.8; for a list of
possible options.</para>
</sect2>
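Review bot: subject-verb disagreement in the rewritten geli paragraph: "The following flags configure encryption using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes, and sets <quote>detach on last close</quote>" should read "and set", since the subject is "flags". Separately, now that the preceding sentence opens with "By default, &man.geli.8; uses the <acronym>AES</acronym> algorithm", the example that switches to Blowfish reads as a recommendation to move away from that default; a short clause stating that the algorithm is changed only to illustrate <literal>geli_swap_flags</literal>, or an example that keeps AES and varies only the key length, sector size and <literal>-d</literal>, would avoid that reading.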