diff --git a/en_US.ISO8859-1/books/handbook/disks/chapter.sgml b/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
index 0ee4475317..88feeefee0 100644
--- a/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
@@ -3594,16 +3594,18 @@ Filesystem 1K-blocks Used Avail Capacity Mounted on
the sensitive data.
Regardless of how an attacker may have come into possession of
- a hard drive or powered-down computer, GEOM Based Disk
- Encryption (gbde) can protect the data on the
- computer's file systems against even highly-motivated attackers
- with significant resources. Unlike cumbersome encryption methods
- that encrypt only individual files, gbde
- transparently encrypts entire file systems. No cleartext ever
- touches the hard drive's platter.
+ a hard drive or powered-down computer, both GEOM
+ Based Disk Encryption (gbde) and
+ geli cryptographic subsystems in &os; are able
+ to protect the data on the computer's file systems against even
+ highly-motivated attackers with significant resources. Unlike
+ cumbersome encryption methods that encrypt only individual files,
+ gbde and geli transparently
+ encrypt entire file systems. No cleartext ever touches the hard
+ drive's platter.
- Enabling gbde in the Kernel
+ Disk Encryption with gbde
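Review bot: the sentence "No cleartext ever touches the hard drive's platter" (hunk lines 22-23) is stated as an absolute, but it holds only for the providers that are actually encrypted; the boot file system, and swap unless it is covered as in the later geli swap example, still carry cleartext. Suggest scoping it, e.g. "No cleartext from the encrypted file systems ever touches the hard drive's platter." Also, now that the introduction names both gbde and geli while the first heading is "Disk Encryption with gbde", a one-line pointer to the geli section would help readers choose between the two.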
@@ -3628,22 +3630,19 @@ Password:
Add &man.gbde.4; Support to the Kernel Configuration File
- Using your favorite text editor, add the following
- line to your kernel configuration file:
+ Add the following line to the kernel configuration
+ file:options GEOM_BDE
- Configure, recompile, and install the FreeBSD kernel.
- This process is described in Rebuild the kernel as described in .Reboot into the new kernel.
-
-
-
+ Preparing the Encrypted Hard DriveThe following example assumes that you are adding a new hard
@@ -3810,9 +3809,9 @@ Filesystem Size Used Avail Capacity Mounted on
/dev/ad4s1c.bde 150G 4.1K 138G 0% /private
-
+
-
+ Mounting Existing Encrypted File SystemsAfter each boot, any encrypted file systems must be
@@ -3827,8 +3826,8 @@ Filesystem Size Used Avail Capacity Mounted on
&prompt.root; gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1cYou will be asked to provide the passphrase that you
- selected during initialization of the encrypted gbde
- partition.
+ selected during initialization of the encrypted
+ gbde partition.
@@ -3851,7 +3850,7 @@ Filesystem Size Used Avail Capacity Mounted on
-
+ Automatically Mounting Encrypted PartitionsIt is possible to create a script to automatically attach,
@@ -3859,10 +3858,24 @@ Filesystem Size Used Avail Capacity Mounted on
the script should not contain the &man.gbde.8; password. Instead,
it is recommended that such scripts be run manually while
providing the password via the console or &man.ssh.1;.
-
-
-
+ As of &os; 5.2-RELEASE, there is a new rcNG script
+ provided. Arguments for this script can be passed via
+ &man.rc.conf.5;, for example:
+
+ gbde_autoattach_all="YES"
+gbde_devices="ad4s1c"
+
+ This will require that the gbde
+ passphrase be entered at boot time. After typing the correct
+ passphrase, the gbde encrypted
+ partition will be mounted automatically. This can be very
+ useful when using gbde on
+ notebooks.
+
+
+
+ Cryptographic Protections Employed by gbde&man.gbde.8; encrypts the sector payload using 128-bit AES in
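Review bot: the new rc.conf example (gbde_autoattach_all / gbde_devices) should state the practical consequence that the boot sequence stops at the passphrase prompt until someone types it on the console, which is what keeps it consistent with the preceding advice that scripts must not embed the password, but also means it is unsuitable for unattended or headless machines; the "useful on notebooks" remark hints at this but does not say it. Naming the rcNG script the paragraph refers to ("there is a new rcNG script provided") would also let readers find it.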
@@ -3870,9 +3883,9 @@ Filesystem Size Used Avail Capacity Mounted on
AES key. For more information on gbde's
cryptographic design, including how the sector keys are derived
from the user-supplied passphrase, see &man.gbde.4;.
-
+
-
+ Compatibility Issues&man.sysinstall.8; is incompatible with
@@ -3887,8 +3900,230 @@ Filesystem Size Used Avail Capacity Mounted on
&man.geom.4; subsystem, you cannot use
gbde with
vinum volumes.
-
+
+
+
+
+
+
+
+ Daniel
+ Gerzo
+ Contributed by
+
+
+
+
+
+ Disk Encryption with geli
+
+ A new cryptographic GEOM class is available as of &os; 6.0 -
+ geli. It is currently being developed by
+ &a.pjd;. Geli is different to
+ gbde; it offers different features and uses
+ a different scheme for doing cryptographic work.
+
+ The most important features of &man.geli.8; are:
+
+
+
+ Utilizes the &man.crypto.9; framework — when
+ cryptographic hardware is available, geli
+ will use it automatically.
+
+
+ Supports multiple cryptographic algorithms (currently
+ AES, Blowfish, and 3DES).
+
+
+ Allows the root partition to be encrypted. The
+ passphrase used to access the encrypted root partition will
+ be requested during the system boot.
+
+
+ Allows the use of two independent keys (e.g. a
+ key and a company key).
+
+
+ geli is fast - performs simple
+ sector-to-sector encryption.
+
+
+ Allows backup and restore of Master Keys. When a user
+ has to destroy his keys, it will be possible to get access
+ to the data again by restoring keys from the backup.
+
+
+ Allows to attach a disk with a random, one-time key
+ — useful for swap partitions and temporary file
+ systems.
+
+
+
+ More geli features can be found in the
+ &man.geli.8; manual page.
+
+ The next steps will describe how to enable support for
+ geli in the &os; kernel and will explain how
+ to create a new geli encryption provider. At
+ the end it will be demonstrated how to create an encrypted swap
+ partition using features provided by geli.
+
+ In order to use geli, you must be running
+ &os; 6.0-RELEASE or later. Super-user privileges will be
+ required since modifications to the kernel are necessary.
+
+
+
+ Adding geli Support to the Kernel
+ Configuration File
+
+ Add the following lines to the kernel configuration
+ file:
+
+ options GEOM_ELI
+device crypto
+
+ Rebuild the kernel as described in .
+
+ Alternatively, the geli module can
+ be loaded at boot time. Add the following line to the
+ /boot/loader.conf:
+
+ geom_eli_load="YES"
+
+ &man.geli.8; should now be supported by the kernel.
+
+
+
+ Generating the Master Key
+
+ The following example will describe how to generate a
+ key file, which will be used as part of the Master Key for
+ the encrypted provider mounted under
+ /private. The key
+ file will provide some random data used to encrypt the
+ Master Key. The Master Key will be protected by a
+ passphrase as well. Provider's sector size will be 4kB big.
+ Furthermore, the discussion will describe how to attach the
+ geli provider, create a file system on
+ it, how to mount it, how to work with it, and finally how to
+ detach it.
+
+ It is recommended to use a bigger sector size (like 4kB) for
+ better performance.
+
+ The Master Key will be protected with a passphrase and
+ the data source for key file will be
+ /dev/random. The sector size of
+ /dev/da2.eli, which we call provider,
+ will be 4kB.
+
+ &prompt.root; dd if=/dev/random of=/root/da2.key bs=64 count=1
+&prompt.root; geli init -s 4096 -K /root/da2.key /dev/da2
+Enter new passphrase:
+Reenter new passphrase:
+
+ It is not mandatory that both a passphrase and a key
+ file are used; either method of securing the Master Key can
+ be used in isolation.
+
+ If key file is given as -, standard
+ input will be used. This example shows how more than one
+ key file can be used.
+
+ &prompt.root; cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2
+
+
+
+ Attaching the Provider with the generated Key
+
+ &prompt.root; geli attach -k /root/da2.key /dev/da2
+Enter passphrase:
+
+ The new plaintext device will be named
+ /dev/da2.eli.
+
+ &prompt.root; ls /dev/da2*
+/dev/da2 /dev/da2.eli
+
+
+
+ Creating the new File System
+
+ &prompt.root; dd if=/dev/random of=/dev/da2.eli bs=1m
+&prompt.root; newfs /dev/da2.eli
+&prompt.root; mount /dev/da2.eli /private
+
+ The encrypted file system should be visible to &man.df.1;
+ and be available for use now.
+
+ &prompt.root; df -H
+Filesystem Size Used Avail Capacity Mounted on
+/dev/ad0s1a 248M 89M 139M 38% /
+/devfs 1.0K 1.0K 0B 100% /dev
+/dev/ad0s1f 7.7G 2.3G 4.9G 32% /usr
+/dev/ad0s1d 989M 1.5M 909M 0% /tmp
+/dev/ad0s1e 3.9G 1.3G 2.3G 35% /var
+/dev/da2.eli 150G 4.1K 138G 0% /private
+
+
+
+
+ Unmounting and Detaching the Provider
+
+ Once the work on the encrypted partition is done, and
+ the /private partition
+ is no longer needed, it is prudent to consider unmounting
+ and detaching the geli encrypted
+ partition from the kernel.
+
+ &prompt.root; umount /private
+&prompt.root; geli detach da2.eli
+
+
+
+ More information about the use of &man.geli.8; can be
+ found in the manual page.
+
+
+ Encrypting a Swap Partition
+
+ The following example demonstrates how to create a
+ geli encrypted swap partition.
+
+ &prompt.root; dd if=/dev/random of=/dev/ad0s1b bs=1m
+&prompt.root; geli onetime -d -a 3des ad0s1b
+&prompt.root; swapon /dev/ad0s1b.eli
+
+
+
+ Using the geli rcNG Script
+
+ geli comes with a rcNG script which
+ can be used to simplify the usage of geli.
+ An example of configuring geli through
+ &man.rc.conf.5; follows:
+
+ geli_devices="da2"
+geli_da2_flags="-p -k /root/da2.key"
+
+ This will configure /dev/da2 as a
+ geli provider of which the Master Key file
+ is located in /root/da2.key, and
+ geli will not use a passphrase when
+ attaching the provider (note that this can only be used if -P
+ was given during the geli init phase). The
+ system will detach the geli provider from
+ the kernel before the system shuts down.
+
+ More information about configuring rcNG is provided in the
+ rcNG section of the
+ Handbook.
+
+
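Review bot: the rcNG example at the end ("geli_da2_flags=\"-p -k /root/da2.key\"") is inconsistent with the initialization shown earlier in this hunk, which runs "geli init -s 4096 -K /root/da2.key /dev/da2" and sets a passphrase; as the text itself notes, -p only works when -P was given at init time, so attaching with these flags would fail for the provider created above. Either initialize with -P in the rc.conf example's prerequisites or drop -p and say the passphrase will be prompted for at boot. The same paragraph should also mention that with a passphrase-less key file kept in /root on the unencrypted boot disk, the protection of the provider is reduced to whatever protects that file. Smaller points: the swap example uses "-a 3des" while the feature list leads with AES and the section stresses speed, so either explain the choice or use AES; "Geli is different to gbde" should read "different from"; "(e.g. a key and a company key)" appears to be missing the word describing the first key (presumably "user key"); "Provider's sector size will be 4kB big" reads better as "The provider's sector size will be 4 kB"; and "Rebuild the kernel as described in ." has an empty cross-reference that needs its target.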