o Add a section on swap encryption

o Remove the swap encryption stuff from the disk encryption section

Reviewed by:	Ken Tom, remko
Christian Brueffer 2006-03-12 18:56:04 +00:00
parent 54861aac29
commit 972e6ca0bd
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=27315


@ -4093,17 +4093,6 @@ Filesystem Size Used Avail Capacity Mounted on
<para>More information about the use of &man.geli.8; can be
found in the manual page.</para>
<sect3>
<title>Encrypting a Swap Partition</title>
<para>The following example demonstrates how to create a
<command>geli</command> encrypted swap partition.</para>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput>
&prompt.root; <userinput>geli onetime -d -a 3des ad0s1b</userinput>
&prompt.root; <userinput>swapon /dev/ad0s1b.eli</userinput></screen>
</sect3>
<sect3>
<title>Using the <filename>geli</filename> <filename>rc.d</filename> Script</title>
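Review bot: Removing the sect3 "Encrypting a Swap Partition" leaves the geli part of the disk encryption section with no mention of swap, so a reader who lands there cannot find the replacement text. Consider adding one sentence after the "More information about the use of &man.geli.8;" paragraph that links to the new section through its id, swap-encrypting. The removed example also showed the manual form (geli onetime -d -a 3des ad0s1b followed by swapon), while the new section documents only the fstab and rc.conf route; if the one-off invocation is still meant to be documented, carry a short version of it into the new section.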
@ -4130,6 +4119,137 @@ geli_da2_flags="-p -k /root/da2.key"</screen>
</sect3>
</sect2>
</sect1>
<sect1 id="swap-encrypting">
<sect1info>
<authorgroup>
<author>
<firstname>Christian</firstname>
<surname>Br&uuml;ffer</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
<title>Encrypting Swap Space</title>
<indexterm>
<primary>swap</primary>
<secondary>encrypting</secondary>
</indexterm>
<para>Swap encryption in &os; is easy to configure and has been
available since &os; 5.3-RELEASE. Depending on which version
of &os; is being used, different options are available
and configuration can vary slightly. From &os; 6.0-RELEASE onwards,
the &man.gbde.8; or &man.geli.8; encryption systems can be used
for swap encryption. With earlier versions, only &man.gbde.8; is
available. Both systems use the <filename>encswap</filename>
<link linkend="configtuning-rcd">rc.d</link> script.</para>
<para>The previous section, <link linkend="disks-encrypting">Encrypting
Disk Partitions</link>, includes a short discussion on the different
encryption systems.</para>
<sect2>
<title>Why should Swap be Encrypted?</title>
<para>Like the encryption of disk partitions, encryption of swap space
is done to protect sensitive information. Imagine an application
that e.g. deals with passwords. As long as these passwords stay in
physical memory, all is well. However, if the operating system starts
swapping out memory pages to free space for other applications, the
passwords may be written to the disk platters unencrypted and easy to
retrieve for an adversary. Encrypting swap space can be a solution for
this scenario.</para>
</sect2>
<sect2>
<title>Preparation</title>
<note>
<para>For the remainder of this section, <devicename>ad0s1b</devicename>
will be the swap partition.</para>
</note>
<para>Up to this point the swap has been unencrypted. It is possible that
there are already passwords or other sensitive data on the disk platters
in cleartext. To rectify this, the data on the swap partition should be
overwritten with random garbage:</para>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput></screen>
</sect2>
<sect2>
<title>Swap Encryption with &man.gbde.8;</title>
<para>If &os; 6.0-RELEASE or newer is being used, the
<literal>.bde</literal> suffix should be added to the device in the
respective <filename>/etc/fstab</filename> swap line:</para>
<screen>
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.bde none swap sw 0 0
</screen>
<para>For systems prior to &os; 6.0-RELEASE, the following line
in <filename>/etc/rc.conf</filename> is also needed:
<programlisting>gbde_swap_enable="YES"</programlisting>
</sect2>
<sect2>
<title>Swap Encryption with &man.geli.8;</title>
<para>Alternatively, the procedure for using &man.geli.8; for swap
encryption is similar to that of using &man.gbde.8;. The
<literal>.eli</literal> suffix should be added to the device in the
respective <filename>/etc/fstab</filename> swap line:</para>
<screen>
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.eli none swap sw 0 0
</screen>
<para>&man.geli.8; uses the <acronym>AES</acronym> algorithm with
a key length of 256 bit by default.</para>
<para>Optionally, these defaults can be altered using the
<literal>geli_swap_flags</literal> option in
<filename>/etc/rc.conf</filename>. The following line tells the
<filename>encswap</filename> rc.d script to create &man.geli.8; swap
partitions using the Blowfish algorithm with a key length of 128 bit,
a sectorsize of 4096 kilobyte and the <quote>detach on last close</quote>
option set:</para>
<programlisting>geli_swap_flags="-a blowfish -l 128 -s 4096 -d"</programlisting>
<para>Please refer to the description of the <command>onetime</command> command
in the &man.geli.8; manual page for a list of possible options.</para>
</sect2>
<sect2>
<title>Verifying that it Works</title>
<para>Once the system has been rebooted, proper operation of the
encrypted swap can be verified using the
<command>swapinfo</command> command.</para>
<para>If &man.gbde.8; is being used:</para>
<screen>&prompt.user; <userinput>swapinfo</userinput>
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.bde 542720 0 542720 0%
</screen>
<para>If &man.geli.8; is being used:</para>
<screen>&prompt.user; <userinput>swapinfo</userinput>
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 542720 0 542720 0%
</screen>
</sect2>
</sect1>
</chapter>
<!--
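Review bot: In the gbde sect2, the para that opens with "For systems prior to &os; 6.0-RELEASE, the following line" is never closed before the sect2 ends, so the markup as shown is not well-formed. Close the para after "is also needed:" and place the programlisting after it, the same way the geli sect2 handles geli_swap_flags. In the geli sect2, "a sectorsize of 4096 kilobyte" does not match the example line: the -s option of geli takes the sector size in bytes, so -s 4096 means 4096 bytes (4 kilobytes), and the sentence should say so.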