Update handbook to remove references to obsolete rc.conf variable: geli_swap_flags
PR: 197755
Differential Revision: https://reviews.freebsd.org/D2094
Submitted by: Christian Kujau (request)
Reviewed by: wblock
Approved by: bcr (mentor)
Sponsored by: ScaleEngine Inc.
parent 4fd8b0eb54
commit 70ced9a8a4
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=46363
1 changed files with 54 additions and 15 deletions
|
|
@ -2878,7 +2878,7 @@ geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"</programlisting>
|
|||
<para>This section demonstrates how to configure an encrypted
|
||||
swap partition using &man.gbde.8; or &man.geli.8; encryption.
|
||||
It assumes a <acronym>UFS</acronym> file system where
|
||||
<filename>/dev/ad0s1b</filename> is the swap partition.</para>
|
||||
<filename>/dev/ada0s1b</filename> is the swap partition.</para>
|
||||
|
||||
<sect2>
|
||||
<title>Configuring Encrypted Swap</title>
|
||||
|
|
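Review bot: The `ad0s1b` to `ada0s1b` rename in the section introduction is not covered by the commit message, which only mentions removing `geli_swap_flags`. Add a line to the log saying the examples were moved to the `ada0` device name, so the rename can be found later and is not mistaken for part of the `rc.conf` cleanup.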
@ -2888,34 +2888,73 @@ geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"</programlisting>
|
|||
the current swap partition with random garbage, execute the
|
||||
following command:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen>
|
||||
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ada0s1b</replaceable> bs=1m</userinput></screen>
|
||||
|
||||
<para>To encrypt the swap partition using &man.gbde.8;, add the
|
||||
<literal>.bde</literal> suffix to the swap line in
|
||||
<filename>/etc/fstab</filename>:</para>
|
||||
|
||||
<programlisting># Device Mountpoint FStype Options Dump Pass#
|
||||
/dev/ad0s1b.bde none swap sw 0 0</programlisting>
|
||||
/dev/ada0s1b.bde none swap sw 0 0</programlisting>
|
||||
|
||||
<para>To instead encrypt the swap partition using &man.geli.8;,
|
||||
use the
|
||||
<literal>.eli</literal> suffix:</para>
|
||||
|
||||
<programlisting># Device Mountpoint FStype Options Dump Pass#
|
||||
/dev/ad0s1b.eli none swap sw 0 0</programlisting>
|
||||
/dev/ada0s1b.eli none swap sw 0 0</programlisting>
|
||||
|
||||
<para>By default, &man.geli.8; uses the <acronym>AES</acronym>
|
||||
algorithm with a key length of 128 bit. These defaults can be
|
||||
altered by using <literal>geli_swap_flags</literal> in
|
||||
<filename>/etc/rc.conf</filename>. The following flags
|
||||
configure encryption using the Blowfish algorithm with a key
|
||||
length of 128 bits and a sectorsize of 4 kilobytes, and sets
|
||||
<quote>detach on last close</quote>:</para>
|
||||
algorithm with a key length of 256 bits. These defaults can
|
||||
be altered in the options field in
|
||||
<filename>/etc/fstab</filename>. The possible flags
|
||||
are:</para>
|
||||
|
||||
<programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>aalgo</term>
|
||||
<listitem>
|
||||
<para>Data integrity verification algorithm used to ensure
|
||||
that the encrypted data has not been tampered with. See
|
||||
&man.geli.8; for a list of supported algorithms.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>ealgo</term>
|
||||
<listitem>
|
||||
<para>Encryption algorithm used to protect the data. See
|
||||
&man.geli.8; for a list of supported algorithms.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>keylen</term>
|
||||
<listitem>
|
||||
<para>The length of the key used for the encryption
|
||||
algorithm. See &man.geli.8; for the key lengths that
|
||||
are supported by each encryption algorithm.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>sectorsize</term>
|
||||
<listitem>
|
||||
<para>The size of the blocks data is broken into before
|
||||
it is encrypted. Larger sector sizes increase
|
||||
performance at the cost of higher storage
|
||||
overhead. The recommended size is 4096 bytes.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This example configures an encryped swap partition using
|
||||
the Blowfish algorithm with a key length of 128 bits and a
|
||||
sectorsize of 4 kilobytes:</para>
|
||||
|
||||
<programlisting># Device Mountpoint FStype Options Dump Pass#
|
||||
/dev/ada0s1b.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0</programlisting>
|
||||
|
||||
<para>Refer to the description of <literal>onetime</literal> in
|
||||
&man.geli.8; for a list of possible options.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
|
|
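Review bot: The rewritten defaults paragraph changes the stated default AES key length from "128 bit" to "256 bits", a factual change the commit message does not mention. Confirm it against &man.geli.8; for the releases this handbook covers and note it in the log. The removed example also set "detach on last close" through `-d`, and the new text neither carries that over as an `/etc/fstab` option nor says it is no longer needed, so a reader migrating from `geli_swap_flags="-e blowfish -l 128 -s 4096 -d"` cannot tell what replaces `-d`; add a sentence covering it. In the paragraph introducing the Blowfish example, "encryped" should be "encrypted".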
@ -2929,13 +2968,13 @@ geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"</programlisting>
|
|||
|
||||
<screen>&prompt.user; <userinput>swapinfo</userinput>
|
||||
Device 1K-blocks Used Avail Capacity
|
||||
/dev/ad0s1b.bde 542720 0 542720 0%</screen>
|
||||
/dev/ada0s1b.bde 542720 0 542720 0%</screen>
|
||||
|
||||
<para>If &man.geli.8; is being used:</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>swapinfo</userinput>
|
||||
Device 1K-blocks Used Avail Capacity
|
||||
/dev/ad0s1b.eli 542720 0 542720 0%</screen>
|
||||
/dev/ada0s1b.eli 542720 0 542720 0%</screen>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
|
|
|
|||