Add details on how to use GELI.

Submitted by:	Daniel Gerzo <danger at rulez dot sk>
Reviewed by:	ceri, remko, pjd

en_US.ISO8859-1/books/handbook/disks/chapter.sgml

@@ -3594,16 +3594,18 @@ Filesystem 1K-blocks Used Avail Capacity  Mounted on
       the sensitive data.</para>
 
     <para>Regardless of how an attacker may have come into possession of
-      a hard drive or powered-down computer, <application>GEOM Based Disk
-      Encryption (gbde)</application> can protect the data on the
-      computer's file systems against even highly-motivated attackers
-      with significant resources. Unlike cumbersome encryption methods
-      that encrypt only individual files, <application>gbde</application>
-      transparently encrypts entire file systems. No cleartext ever
-      touches the hard drive's platter.</para>
+      a hard drive or powered-down computer, both <application>GEOM
+      Based Disk Encryption (gbde)</application> and
+      <command>geli</command> cryptographic subsystems in &os; are able
+      to protect the data on the computer's file systems against even
+      highly-motivated attackers with significant resources. Unlike
+      cumbersome encryption methods that encrypt only individual files,
+      <command>gbde</command> and <command>geli</command> transparently
+      encrypt entire file systems. No cleartext ever touches the hard
+      drive's platter.</para>
 
     <sect2>
-      <title>Enabling gbde in the Kernel</title>
+      <title>Disk Encryption with <application>gbde</application></title>
 
       <procedure>
 	<step>
@@ -3628,22 +3630,19 @@ Password:</screen>
 	<step>
 	  <title>Add &man.gbde.4; Support to the Kernel Configuration File</title>
 
-	  <para>Using your favorite text editor, add the following
-	    line to your kernel configuration file:</para>
+	  <para>Add the following line to the kernel configuration
+	    file:</para>
 
 	  <para><literal>options GEOM_BDE</literal></para>
 
-	  <para>Configure, recompile, and install the FreeBSD kernel.
-	    This process is described in <xref
+	  <para>Rebuild the kernel as described in <xref
 	    linkend="kernelconfig">.</para>
 
 	  <para>Reboot into the new kernel.</para>
 	</step>
       </procedure>
-    </sect2>
 
-
-    <sect2>
+    <sect3>
       <title>Preparing the Encrypted Hard Drive</title>
 
       <para>The following example assumes that you are adding a new hard
@@ -3810,9 +3809,9 @@ Filesystem        Size   Used  Avail Capacity  Mounted on
 /dev/ad4s1c.bde   150G   4.1K   138G     0%    /private</screen>
 	</step>
       </procedure>
-    </sect2>
+    </sect3>
 
-    <sect2>
+    <sect3>
       <title>Mounting Existing Encrypted File Systems</title>
 
       <para>After each boot, any encrypted file systems must be
@@ -3827,8 +3826,8 @@ Filesystem        Size   Used  Avail Capacity  Mounted on
 	  <screen>&prompt.root; <userinput>gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c</userinput></screen>
 
 	  <para>You will be asked to provide the passphrase that you
-	    selected during initialization of the encrypted gbde
-	    partition.</para>
+	    selected during initialization of the encrypted
+	    <application>gbde</application> partition.</para>
 	</step>
 
 	<step>
@@ -3851,7 +3850,7 @@ Filesystem        Size   Used  Avail Capacity  Mounted on
 	</step>
       </procedure>
 
-      <sect3>
+      <sect4>
 	<title>Automatically Mounting Encrypted Partitions</title>
 
 	<para>It is possible to create a script to automatically attach,
@@ -3859,10 +3858,24 @@ Filesystem        Size   Used  Avail Capacity  Mounted on
 	  the script should not contain the &man.gbde.8; password. Instead,
 	  it is recommended that such scripts be run manually while
 	  providing the password via the console or &man.ssh.1;.</para>
-      </sect3>
-    </sect2>
 
-      <sect2>
+	<para>As of &os; 5.2-RELEASE, there is a new rcNG script
+	  provided.  Arguments for this script can be passed via
+	  &man.rc.conf.5;, for example:</para>
+
+	<screen>gbde_autoattach_all="YES"
+gbde_devices="ad4s1c"</screen>
+
+	<para>This will require that the <application>gbde</application>
+	  passphrase be entered at boot time.  After typing the correct
+	  passphrase, the <application>gbde</application> encrypted
+	  partition will be mounted automatically.  This can be very
+	  useful when using <application>gbde</application> on
+	  notebooks.</para>
+      </sect4>
+    </sect3>
+
+      <sect3>
 	<title>Cryptographic Protections Employed by gbde</title>
 
 	<para>&man.gbde.8; encrypts the sector payload using 128-bit AES in
@@ -3870,9 +3883,9 @@ Filesystem        Size   Used  Avail Capacity  Mounted on
 	  AES key. For more information on <application>gbde</application>'s
 	  cryptographic design, including how the sector keys are derived
 	  from the user-supplied passphrase, see &man.gbde.4;.</para>
-      </sect2>
+      </sect3>
 
-      <sect2>
+      <sect3>
 	<title>Compatibility Issues</title>
 
 	<para>&man.sysinstall.8; is incompatible with
@@ -3887,8 +3900,230 @@ Filesystem        Size   Used  Avail Capacity  Mounted on
 	&man.geom.4; subsystem, you cannot use
 	<application>gbde</application> with
 	<application>vinum</application> volumes.</para>
-      </sect2>
+      </sect3>
 
+    </sect2>
+
+    <sect2>
+      <sect2info>
+	<authorgroup>
+	  <author>
+	    <firstname>Daniel</firstname>
+	    <surname>Gerzo</surname>
+	    <contrib>Contributed by </contrib>
+	  </author>
+	</authorgroup>
+	<!-- Date of writing: 28 November 2005 -->
+      </sect2info>
+
+      <title>Disk Encryption with <command>geli</command></title>
+
+      <para>A new cryptographic GEOM class is available as of &os; 6.0 -
+	<command>geli</command>.  It is currently being developed by
+	&a.pjd;.  <command>Geli</command> is different to
+	<command>gbde</command>; it offers different features and uses
+	a different scheme for doing cryptographic work.</para>
+
+      <para>The most important features of &man.geli.8; are:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para>Utilizes the &man.crypto.9; framework &mdash; when
+	    cryptographic hardware is available, <command>geli</command>
+	    will use it automatically.</para>
+	</listitem>
+	<listitem>
+	  <para>Supports multiple cryptographic algorithms (currently
+	     AES, Blowfish, and 3DES).</para>
+	</listitem>
+	<listitem>
+	  <para>Allows the root partition to be encrypted.  The
+	    passphrase used to access the encrypted root partition will
+	    be requested during the system boot.</para>
+	</listitem>
+	<listitem>
+	  <para>Allows the use of two independent keys (e.g. a
+	    <quote>key</quote> and a <quote>company key</quote>).</para>
+	</listitem>
+	<listitem>
+	  <para><command>geli</command> is fast - performs simple
+	    sector-to-sector encryption.</para>
+	</listitem>
+	<listitem>
+	  <para>Allows backup and restore of Master Keys.  When a user
+	    has to destroy his keys, it will be possible to get access
+	    to the data again by restoring keys from the backup.</para>
+	</listitem>
+	<listitem>
+	  <para>Allows to attach a disk with a random, one-time key
+	    &mdash; useful for swap partitions and temporary file
+	    systems.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para>More <command>geli</command> features can be found in the
+	&man.geli.8; manual page.</para>
+
+      <para>The next steps will describe how to enable support for
+	<command>geli</command> in the &os; kernel and will explain how
+	to create a new <command>geli</command> encryption provider.  At
+	the end it will be demonstrated how to create an encrypted swap
+	partition using features provided by <command>geli</command>.</para>
+
+      <para>In order to use <command>geli</command>, you must be running
+	&os; 6.0-RELEASE or later.  Super-user privileges will be
+	required since modifications to the kernel are necessary.</para>
+
+      <procedure>
+	<step>
+	  <title>Adding <command>geli</command> Support to the Kernel
+	    Configuration File</title>
+
+	  <para>Add the following lines to the kernel configuration
+	    file:</para>
+
+	  <screen>options GEOM_ELI
+device crypto</screen>
+
+	  <para>Rebuild the kernel as described in <xref
+	    linkend="kernelconfig">.</para>
+
+	  <para>Alternatively, the <command>geli</command> module can
+	    be loaded at boot time.  Add the following line to the
+	    <filename>/boot/loader.conf</filename>:</para>
+
+	  <para><literal>geom_eli_load="YES"</literal></para>
+
+	  <para>&man.geli.8; should now be supported by the kernel.</para>
+	</step>
+
+	<step>
+	  <title>Generating the Master Key</title>
+
+	  <para>The following example will describe how to generate a
+	    key file, which will be used as part of the Master Key for
+	    the encrypted provider mounted under
+	    <filename role="directory">/private</filename>.  The key
+	    file will provide some random data used to encrypt the
+	    Master Key.  The Master Key will be protected by a
+	    passphrase as well.  Provider's sector size will be 4kB big.
+	    Furthermore, the discussion will describe how to attach the
+	    <command>geli</command> provider, create a file system on
+	    it, how to mount it, how to work with it, and finally how to
+	    detach it.</para>
+
+	  <para>It is recommended to use a bigger sector size (like 4kB) for
+	    better performance.</para>
+
+	  <para>The Master Key will be protected with a passphrase and
+	    the data source for key file will be
+	    <filename>/dev/random</filename>.  The sector size of
+	    <filename>/dev/da2.eli</filename>, which we call provider,
+	    will be 4kB.</para> 
+
+	  <screen>&prompt.root; <userinput>dd if=/dev/random of=/root/da2.key bs=64 count=1</userinput>
+&prompt.root; <userinput>geli init -s 4096 -K /root/da2.key /dev/da2</userinput>
+Enter new passphrase:
+Reenter new passphrase:</screen>
+
+	  <para>It is not mandatory that both a passphrase and a key
+	    file are used; either method of securing the Master Key can
+	    be used in isolation.</para>
+
+	  <para>If key file is given as <quote>-</quote>, standard
+	    input will be used.  This example shows how more than one
+	    key file can be used.</para>
+
+	  <screen>&prompt.root; <userinput>cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2</userinput></screen>
+	</step>
+
+	<step>
+	  <title>Attaching the Provider with the generated Key</title>
+
+	  <screen>&prompt.root; <userinput>geli attach -k /root/da2.key /dev/da2</userinput>
+Enter passphrase:</screen>
+
+	  <para>The new plaintext device will be named
+	    <filename>/dev/<replaceable>da2</replaceable>.eli</filename>.</para>
+
+	  <screen>&prompt.root; <userinput>ls /dev/da2*</userinput>
+/dev/da2  /dev/da2.eli</screen>
+	</step>
+
+	<step>
+	  <title>Creating the new File System</title>
+
+	  <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/da2.eli bs=1m</userinput>
+&prompt.root; <userinput>newfs /dev/da2.eli</userinput>
+&prompt.root; <userinput>mount /dev/da2.eli /private</userinput></screen>
+
+	<para>The encrypted file system should be visible to &man.df.1;
+	  and be available for use now.</para>
+
+	  <screen>&prompt.root; <userinput>df -H</userinput>
+Filesystem     Size   Used  Avail Capacity  Mounted on
+/dev/ad0s1a    248M    89M   139M    38%    /
+/devfs         1.0K   1.0K     0B   100%    /dev
+/dev/ad0s1f    7.7G   2.3G   4.9G    32%    /usr
+/dev/ad0s1d    989M   1.5M   909M     0%    /tmp
+/dev/ad0s1e    3.9G   1.3G   2.3G    35%    /var
+/dev/da2.eli   150G   4.1K   138G     0%    /private</screen>
+
+	</step>
+
+	<step>
+	  <title>Unmounting and Detaching the Provider</title>
+
+	  <para>Once the work on the encrypted partition is done, and
+	    the <filename role="directory">/private</filename> partition
+	    is no longer needed, it is prudent to consider unmounting
+	    and detaching the <command>geli</command> encrypted
+	    partition from the kernel.</para>
+
+	  <screen>&prompt.root; <userinput>umount /private</userinput>
+&prompt.root; <userinput>geli detach da2.eli</userinput></screen>
+	</step>
+      </procedure>
+
+      <para>More information about the use of &man.geli.8; can be
+        found in the manual page.</para>
+
+      <sect3>
+	<title>Encrypting a Swap Partition</title>
+
+	<para>The following example demonstrates how to create a
+	  <command>geli</command> encrypted swap partition.</para>
+
+	<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput>
+&prompt.root; <userinput>geli onetime -d -a 3des ad0s1b</userinput>
+&prompt.root; <userinput>swapon /dev/ad0s1b.eli</userinput></screen>
+      </sect3>
+
+      <sect3>
+	<title>Using the <filename>geli</filename> rcNG Script</title>
+
+	<para><command>geli</command> comes with a rcNG script which
+	  can be used to simplify the usage of <command>geli</command>.
+	  An example of configuring <command>geli</command> through
+	  &man.rc.conf.5; follows:</para>
+
+	<screen>geli_devices="da2"
+geli_da2_flags="-p -k /root/da2.key"</screen>
+
+	<para>This will configure <filename>/dev/da2</filename> as a
+	  <command>geli</command> provider of which the Master Key file
+	  is located in <filename>/root/da2.key</filename>, and
+	  <command>geli</command> will not use a passphrase when
+	  attaching the provider (note that this can only be used if -P
+	  was given during the <command>geli</command> init phase).  The
+	  system will detach the <command>geli</command> provider from
+	  the kernel before the system shuts down.</para>
+
+	<para>More information about configuring rcNG is provided in the
+	  <link linkend="configtuning-rcNG">rcNG</link> section of the
+	  Handbook.</para>
+      </sect3>
+    </sect2>	
   </sect1>
 </chapter>