os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

More work on the new GBDE section:

Browse source 
* Remove a comment encouraging someone to convert an xref to a ulink.
* Simplify run-on sentence in introduction.
* Use more descriptive DocBook tags.
* Refer to our two versions of UFS as UFS1 and UFS2 rather than UFS
  and UFS2. (1)
* Move an ephemeral URL from the main text to a footnote.
* Note that newfs -O2 is the default for FreeBSD 5.1 and later (1).
* Wordsmith (1, partially)

PR:		docs/51598
(1) Submitted by:	bmah
This commit is contained in:
Murray Stokely 2003-05-04 09:58:52 +00:00
parent d0033cfa5d
commit 90ff2cb926
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=16776
1 changed files with 27 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
en_US.ISO8859-1/books/handbook/disks/chapter.sgml
View file

@ -2778,18 +2778,15 @@ Filesystem 1K-blocks Used Avail Capacity Mounted on
<primary>disks</primary> <primary>disks</primary>
<secondary>encrypting</secondary></indexterm> <secondary>encrypting</secondary></indexterm>
<!-- I wonder if there is an SGML tag that would make Mandatory <para>FreeBSD offers excellent online protections against
Access Control the hyperlink? --> unautharized data access. File permissions and Mandatory
<para>FreeBSD offers excellent protections against users of a server Access Control (MAC) (see <xref linkend="mac">) help prevent
gaining unauthorized access to data. File permissions and Mandatory
Access Control (MAC) (see <xref linkend="mac">) prevent
unauthorized third-parties from accessing data while the operating unauthorized third-parties from accessing data while the operating
system is active and the computer is powered up. However, system is active and the computer is powered up. However,
permissions enforced by the operating system cannot prevent an the permissions enforced by the operating system are moot if an
attacker who obtained physical access to a lost, stolen, or seized attacker has physical access to a computer and can simply move
computer from simply removing the computer's hard drive, mounting the computer's hard drive to another system to copy and analyze
the drive on another server, and copying all of the data stored on the sensitive data.</para>
the drive for further analysis.</para>
<para>Regardless of how an attacker may have come into possession of <para>Regardless of how an attacker may have come into possession of
a hard drive or powered-down computer, <application>GEOM Based Disk a hard drive or powered-down computer, <application>GEOM Based Disk
@ -2824,7 +2821,7 @@ Password:</screen>
</step> </step>
<step> <step>
<title>Add &man.gbde.4; support to the configuration file</title> <title>Add &man.gbde.4; support to the kernel configuration file</title>
<para>Using your favorite text editor, add the following <para>Using your favorite text editor, add the following
line to your kernel configuration file:</para> line to your kernel configuration file:</para>
@ -2856,14 +2853,13 @@ Password:</screen>
<step> <step>
<title>Add the new hard drive</title> <title>Add the new hard drive</title>
<para> <para>Install the new drive to the system as explained in <xref
Install the new drive to the system as explained in <xref
linkend="disks-adding">. For the purposes of this example, linkend="disks-adding">. For the purposes of this example,
a new hard drive partition has been added as a new hard drive partition has been added as
<filename>/dev/ad4s1c</filename>. A drive, <devicename>/dev/ad4s1c</devicename>. The
<filename>/dev/ad0s1</filename>, which holds the normal <devicename>/dev/ad0s1<replaceable>*</replaceable></devicename>
FreeBSD partitions, previously already existed on the example devices represent existing standard FreeBSD partitions on
system.</para> the example system.</para>
<screen>&prompt.root; <userinput>ls /dev/ad*</userinput> <screen>&prompt.root; <userinput>ls /dev/ad*</userinput>
/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1 /dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1
@ -2896,7 +2892,7 @@ Password:</screen>
<screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c</userinput></screen> <screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c</userinput></screen>
<para>&man.gbde.8; will open your editor, permitting you to set <para>&man.gbde.8; will open your editor, permitting you to set
various configuration options in a template. For use with UFS various configuration options in a template. For use with UFS1
or UFS2, set the sector_size to 2048.</para> or UFS2, set the sector_size to 2048.</para>
<programlisting>$<!-- This is not the space you are looking <programlisting>$<!-- This is not the space you are looking
@ -2915,16 +2911,16 @@ sector_size = 2048
should be used to secure the data. The passphrase must be the should be used to secure the data. The passphrase must be the
same both times. <application>gbde's</application> ability to same both times. <application>gbde's</application> ability to
protect your data depends entirely on the quality of the protect your data depends entirely on the quality of the
passphrase that you choose.</para> passphrase that you choose.
<footnote>
<para>For tips on how to select a secure passphrase that is easy <para>For tips on how to select a secure passphrase that is easy
to remember, see the <ulink to remember, see the <ulink
url="http://world.std.com/~reinhold/diceware.html">Diceware url="http://world.std.com/~reinhold/diceware.html">Diceware
Passphrase</ulink> website.</para> Passphrase</ulink> website.</para></footnote></para>
<para>The <command>gbde init</command> command creates a lock <para>The <command>gbde init</command> command creates a lock
file for your <application>gbde</application> partition that in file for your <application>gbde</application> partition that in
this example has been stored as this example is stored as
<filename>/etc/gbde/ad4s1c</filename>.</para> <filename>/etc/gbde/ad4s1c</filename>.</para>
<caution> <caution>
@ -2964,9 +2960,12 @@ sector_size = 2048
you can create a file system on the device. To create a file you can create a file system on the device. To create a file
system on the encrypted device, use &man.newfs.8;. Since it is system on the encrypted device, use &man.newfs.8;. Since it is
much faster to initialize a new UFS2 file system than it is to much faster to initialize a new UFS2 file system than it is to
initialize the old UFS file system, using &man.newfs.8; with initialize the old UFS1 file system, using &man.newfs.8; with
the <option>-O2</option> option is recommended.</para> the <option>-O2</option> option is recommended.</para>
<note><para>The <option>-O2</option> option is the default
with &os;&nbsp;5.1-RELEASE and later.</para></note>
<screen>&prompt.root; <userinput>newfs -U -O2 /dev/ad4s1c.bde</userinput></screen> <screen>&prompt.root; <userinput>newfs -U -O2 /dev/ad4s1c.bde</userinput></screen>
<note> <note>
@ -3030,11 +3029,10 @@ Filesystem Size Used Avail Capacity Mounted on
<step> <step>
<title>Check the file system for errors</title> <title>Check the file system for errors</title>
<para>Since the encrypted file system cannot yet automatically <para>Since encrypted file systems cannot yet be listed in
be mounted from <filename>/etc/fstab</filename> and therefore <filename>/etc/fstab</filename> for automatic mounting, the
should not be listed in <filename>/etc/fstab</filename>, the file systems must be checked for errors by running &man.fsck.8;
file system must be checked for errors by running &man.fsck.8; manually before mounting.</para>
manually before the file system is mounted.</para>
<screen>&prompt.root; <userinput>fsck -p -t ffs /dev/ad4s1c.bde</userinput></screen> <screen>&prompt.root; <userinput>fsck -p -t ffs /dev/ad4s1c.bde</userinput></screen>
</step> </step>