White space fix only. Translators can ignore.

Sponsored by:	iXsystems
This commit is contained in:
Dru Lavigne 2014-04-29 16:58:41 +00:00
parent 0311e9ceba
commit d399c98a36
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44697

@ -2413,19 +2413,20 @@ Quotas for user test:
analyze the data.</para>
<para>Regardless of how an attacker may have come into possession
of a hard drive or powered-down computer, the <acronym>GEOM</acronym>-based
cryptographic subsystems built into &os; are
able to protect the data on the computer's file systems against
even highly-motivated attackers with significant resources.
Unlike encryption methods that encrypt individual files, the built-in
<command>gbde</command> and <command>geli</command> utilities can be used to
transparently encrypt entire file systems. No cleartext ever
touches the hard drive's platter.</para>
of a hard drive or powered-down computer, the
<acronym>GEOM</acronym>-based cryptographic subsystems built
into &os; are able to protect the data on the computer's file
systems against even highly-motivated attackers with significant
resources. Unlike encryption methods that encrypt individual
files, the built-in <command>gbde</command> and
<command>geli</command> utilities can be used to transparently
encrypt entire file systems. No cleartext ever touches the hard
drive's platter.</para>
<para>This chapter demonstrates how to create an encrypted file
system on &os;. It first demonstrates the process using
<command>gbde</command> and then demonstrates the same example
using <command>geli</command>.</para>
<para>This chapter demonstrates how to create an encrypted file
system on &os;. It first demonstrates the process using
<command>gbde</command> and then demonstrates the same example
using <command>geli</command>.</para>
<sect2>
<title>Disk Encryption with
@ -2622,10 +2623,10 @@ gbde_devices="<replaceable>ad4s1c</replaceable>"
gbde_lockdir="/etc/gbde"</programlisting>
<para>This requires that the passphrase be entered at the
console at boot time. After typing the correct passphrase, the
encrypted partition will be mounted automatically. Additional
<application>gbde</application> boot options are available and
listed in &man.rc.conf.5;.</para>
console at boot time. After typing the correct passphrase,
the encrypted partition will be mounted automatically.
Additional <application>gbde</application> boot options are
available and listed in &man.rc.conf.5;.</para>
<!--
What about bsdinstall?
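Review bot: the trailing `<!-- What about bsdinstall?` comment is an unresolved TODO left in the source, so it is not the kind of thing a whitespace-only reflow should carry forward silently; suggest either tracking it in a follow-up (the gbde boot-time section could say whether the installer offers this) or removing the comment so it does not linger indefinitely in the chapter source.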
@ -2658,21 +2659,23 @@ What about bsdinstall?
</authorgroup>
</info>
<para>An alternative cryptographic <acronym>GEOM</acronym> class is available
using <command>geli</command>. This control utility adds
some features and uses
a different scheme for doing cryptographic work. It provides
the following features:</para>
<para>An alternative cryptographic <acronym>GEOM</acronym> class
is available using <command>geli</command>. This control
utility adds some features and uses a different scheme for
doing cryptographic work. It provides the following
features:</para>
<itemizedlist>
<listitem>
<para>Utilizes the &man.crypto.9; framework and automatically uses
cryptographic hardware when it is available.</para>
<para>Utilizes the &man.crypto.9; framework and
automatically uses cryptographic hardware when it is
available.</para>
</listitem>
<listitem>
<para>Supports multiple cryptographic algorithms such as
<acronym>AES</acronym>, Blowfish, and <acronym>3DES</acronym>.</para>
<acronym>AES</acronym>, Blowfish, and
<acronym>3DES</acronym>.</para>
</listitem>
<listitem>
@ -2686,14 +2689,14 @@ What about bsdinstall?
</listitem>
<listitem>
<para>It is fast as it performs simple
sector-to-sector encryption.</para>
<para>It is fast as it performs simple sector-to-sector
encryption.</para>
</listitem>
<listitem>
<para>Allows backup and restore of master keys. If a user
destroys their keys, it is still possible to get access
to the data by restoring keys from the backup.</para>
destroys their keys, it is still possible to get access to
the data by restoring keys from the backup.</para>
</listitem>
<listitem>
@ -2706,17 +2709,15 @@ What about bsdinstall?
<para>More features and usage examples can be found in
&man.geli.8;.</para>
<para>The following example describes how to generate a
key file which will be used as part of the master key for
the encrypted provider mounted under
<filename>/private</filename>. The key
file will provide some random data used to encrypt the
master key. The master key will also be protected by a
passphrase. The provider's sector size will be 4kB.
The example describes how to attach to the
<command>geli</command> provider, create a file system on
it, mount it, work with it, and finally, how to detach
it.</para>
<para>The following example describes how to generate a key file
which will be used as part of the master key for the encrypted
provider mounted under <filename>/private</filename>. The key
file will provide some random data used to encrypt the master
key. The master key will also be protected by a passphrase.
The provider's sector size will be 4kB. The example describes
how to attach to the <command>geli</command> provider, create
a file system on it, mount it, work with it, and finally, how
to detach it.</para>
<procedure>
<title>Encrypting a Partition with
@ -2748,12 +2749,11 @@ device crypto</programlisting>
<title>Generate the Master Key</title>
<para>The following commands generate a master key
(<filename>/root/da2.key</filename>) that is protected with a passphrase.
The data source for the key file is
(<filename>/root/da2.key</filename>) that is protected
with a passphrase. The data source for the key file is
<filename>/dev/random</filename> and the sector size of
the provider (<filename>/dev/da2.eli</filename>) is
4kB as a bigger sector size provides
better performance:</para>
the provider (<filename>/dev/da2.eli</filename>) is 4kB as
a bigger sector size provides better performance:</para>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/root/da2.key bs=64 count=1</userinput>
&prompt.root; <userinput>geli init -s 4096 -K /root/da2.key /dev/da2</userinput>
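Review bot: the step title "Generate the Master Key" and the sentence "generate a master key (/root/da2.key)" conflict with the paragraph introducing this procedure, which describes /root/da2.key as a key file supplying random data used to encrypt the master key. Looking at the commands, `dd if=/dev/random of=/root/da2.key bs=64 count=1` writes that key file and `geli init -s 4096 -K /root/da2.key /dev/da2` generates the actual master key, protecting it with the key file and the passphrase; suggest "Generate the Key File" and "generate a key file (/root/da2.key) and a master key protected by it and a passphrase". That is a content change, so it belongs in a follow-up rather than this whitespace-only commit.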
@ -2765,8 +2765,8 @@ Reenter new passphrase:</screen>
used in isolation.</para>
<para>If the key file is given as <quote>-</quote>, standard
input will be used. For example, this command generates three
key files:</para>
input will be used. For example, this command generates
three key files:</para>
<screen>&prompt.root; <userinput>cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2</userinput></screen>
</step>
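Review bot: "this command generates three key files" misdescribes the example; `cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2` reads three existing key files and passes their concatenation to `geli init` on standard input, so the combined contents act as the key file component. Suggest "this command uses three key files as the key" in a follow-up, since this commit is whitespace only.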
@ -2812,41 +2812,37 @@ Filesystem Size Used Avail Capacity Mounted on
</step>
</procedure>
<para>Once the work on the encrypted partition is done, and
the <filename>/private</filename>
partition is no longer needed, it is prudent to put the
device into cold storage by
unmounting and detaching the <command>geli</command>
encrypted partition from the kernel:</para>
<para>Once the work on the encrypted partition is done, and the
<filename>/private</filename> partition is no longer needed,
it is prudent to put the device into cold storage by
unmounting and detaching the <command>geli</command> encrypted
partition from the kernel:</para>
<screen>&prompt.root; <userinput>umount /private</userinput>
<screen>&prompt.root; <userinput>umount /private</userinput>
&prompt.root; <userinput>geli detach da2.eli</userinput></screen>
<para>An
<filename>rc.d</filename> script is provided to
simplify the mounting of <command>geli</command>-encrypted
devices at boot time. For this example, add these lines to
<filename>/etc/rc.conf</filename>:</para>
<para>An <filename>rc.d</filename> script is provided to
simplify the mounting of <command>geli</command>-encrypted
devices at boot time. For this example, add these lines to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>geli_devices="<replaceable>da2</replaceable>"
<programlisting>geli_devices="<replaceable>da2</replaceable>"
geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"</programlisting>
<para>This configures <filename>/dev/da2</filename> as a
<command>geli</command> provider with a master key
of <filename>/root/da2.key</filename>.
The system will automatically detach
the provider from the kernel before
the system shuts down. During the startup process, the script will prompt for the
passphrase before attaching the
provider. Other kernel messages might be shown before and
after the password prompt. If the boot process seems to
stall, look carefully for the password prompt among the
other messages. Once the correct passphrase is entered, the provider is
attached. The file system is then mounted,
typically by an entry in
<filename>/etc/fstab</filename>. Refer to <xref
linkend="mount-unmount"/> for instructions on how to
configure a file system to mount at boot time.</para>
<para>This configures <filename>/dev/da2</filename> as a
<command>geli</command> provider with a master key of
<filename>/root/da2.key</filename>. The system will
automatically detach the provider from the kernel before the
system shuts down. During the startup process, the script
will prompt for the passphrase before attaching the provider.
Other kernel messages might be shown before and after the
password prompt. If the boot process seems to stall, look
carefully for the password prompt among the other messages.
Once the correct passphrase is entered, the provider is
attached. The file system is then mounted, typically by an
entry in <filename>/etc/fstab</filename>. Refer to <xref
linkend="mount-unmount"/> for instructions on how to
configure a file system to mount at boot time.</para>
</sect2>
</sect1>
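Review bot: in `geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"`, the `-p` option passed through to `geli attach` means "do not use a passphrase as a key component", which contradicts the paragraph below it stating that the script will prompt for the passphrase before attaching the provider, and the earlier `geli init` step that set a passphrase. A provider initialized with a passphrase cannot be attached correctly without it, so as written the boot-time attach would fail to derive the key. Suggest `geli_da2_flags="-k /root/da2.key"` after checking geli(8); this is a content fix for a separate commit rather than this whitespace-only one.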