Editorial review of gbde section.

Sponsored by:	iXsystems
Dru Lavigne 2014-04-28 20:30:14 +00:00
parent 1d909124a3
commit df8d34133f
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44686


@ -2524,7 +2524,7 @@ Quotas for user test:
<command>geli</command> cryptographic subsystems in &os; are
able to protect the data on the computer's file systems against
even highly-motivated attackers with significant resources.
Unlike cumbersome encryption methods that encrypt only
Unlike encryption methods that encrypt
individual files, <command>gbde</command> and
<command>geli</command> transparently encrypt entire file
systems. No cleartext ever touches the hard drive's
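Review bot: the rewrite drops "only" from "encrypt only individual files", and that word was carrying the contrast with the whole-file-system encryption named in the next clause; "Unlike encryption methods that encrypt only individual files" keeps the contrast while still removing the "cumbersome" that the edit rightly cuts.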
@ -2534,25 +2534,26 @@ Quotas for user test:
<title>Disk Encryption with
<application>gbde</application></title>
<para><application>gbde</application> encrypts the sector
payload using 128-bit AES in CBC mode. Each sector on the
disk is encrypted with a different AES key. For more
<para>The objective of the &man.gbde.4; facility is to provide a
formidable challenge for an attacker to gain access to the
contents of a <emphasis>cold</emphasis> storage device.
However, if the computer is compromised while up and running
and the storage device is actively attached, or the attacker
has access to a valid passphrase, it offers no protection to
the contents of the storage device. Thus, it is important to
provide physical security while the system is running and to
protect the passphrase used by the encryption
mechanism.</para>
<para>This facility provides several barriers to protect the data
stored in each disk sector. It encrypts the contents of a
disk sector using 128-bit <acronym>AES</acronym> in
<acronym>CBC</acronym> mode. Each sector on the
disk is encrypted with a different <acronym>AES</acronym> key. For more
information on the cryptographic design, including how the
sector keys are derived from the user-supplied passphrase,
refer to &man.gbde.4;.</para>
<note>
<para>&man.sysinstall.8; is incompatible with
<application>gbde</application>-encrypted devices. All
<filename>*.bde</filename>
devices must be detached from the kernel before starting
&man.sysinstall.8; or it will crash during its initial
probing for devices. To detach the encrypted device used in
the example, use the following command:</para>
<screen>&prompt.root; <userinput>gbde detach /dev/ad4s1c</userinput></screen>
</note>
<para>&os; provides a kernel module for
<application>gbde</application> which can be loaded with this
command:</para>
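Review bot: the new "several barriers" paragraph describes 128-bit AES in CBC mode with per-sector keys but says nothing about integrity, and gbde is confidentiality-only: a modified sector on a cold device is not detected, it simply decrypts to garbage. Since this paragraph is now where the handbook characterises what gbde protects, one sentence saying it protects the confidentiality of data at rest and not its integrity would stop readers taking "barriers" to mean tamper resistance. Separately, the sysinstall note removed from this position comes back at the end of the section written as `<application>sysinstall</application>` instead of `&man.sysinstall.8;`; pick one form.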
@ -2565,15 +2566,13 @@ Quotas for user test:
<para><literal>options GEOM_BDE</literal></para>
<para>The following example demonstrates adding a new hard
drive to a system that will hold a single encrypted partition.
This partition will be mounted as
<filename>/private</filename>.
<application>gbde</application> can also be used to encrypt
<filename>/home</filename> and <filename>/var/mail</filename>,
but this requires more complex instructions which exceed the
scope of this introduction.</para>
drive to a system that will hold a single encrypted partition
that will be mounted as
<filename>/private</filename>.</para>
<procedure>
<title>Encrypting a Partition with <application>gbde</application></title>
<step>
<title>Add the New Hard Drive</title>
@ -2612,15 +2611,12 @@ Quotas for user test:
<para>A <application>gbde</application> partition must be
initialized before it can be used. This initialization
needs to be performed only once:</para>
<screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput></screen>
<para>&man.gbde.8; will open the default editor, in order to
needs to be performed only once. This command will open the default editor, in order to
set various configuration options in a template. For use
with UFS1 or UFS2, set the sector_size to 2048:</para>
with the <acronym>UFS</acronym> file system, set the
sector_size to 2048:</para>
<programlisting># &dollar;FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $
<screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput># &dollar;FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $
#
# Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space.
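Review bot: in the rewritten `<screen>` the template text begins on the same line as the command, directly after `</userinput>`, so the rendered output reads `gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock# $FreeBSD: src/sbin/gbde/template.txt,...` on one line; a line break is needed after `</userinput>`. The template is also the contents of the editor buffer rather than terminal output, so the original `<programlisting>` was the better element for it, with the command kept in its own `<screen>` ahead of the sentence that says it opens the editor.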
@ -2628,38 +2624,32 @@ Quotas for user test:
# minimum and always safe. For UFS, use the fragment size
#
sector_size = 2048
[...]</programlisting>
[...]</screen>
<para>&man.gbde.8; will ask the user twice to type the
<para>Once the edit is saved, the user will be asked twice to type the
passphrase used to secure the data. The passphrase must
be the same both times. The ability of
<application>gbde</application> to protect data depends
entirely on the quality of the passphrase. For tips on
how to select a secure passphrase that is easy to
remember, see the <link
xlink:href="http://world.std.com/~reinhold/diceware.html">Diceware
Passphrase</link> website.</para>
remember, see <link
xlink:href="http://world.std.com/~reinhold/diceware.html">http://world.std.com/~reinhold/diceware.htm</link>.</para>
<para><command>gbde init</command>creates a lock file for
<para>This initialization creates a lock file for
the <application>gbde</application> partition. In this
example, it is stored as
<filename>/etc/gbde/ad4s1c.lock</filename>.
<application>gbde</application> lock files must end in
Lock files must end in
<quote>.lock</quote> in order to be correctly detected by
the <filename>/etc/rc.d/gbde</filename> start up
script.</para>
<caution>
<para><application>gbde</application> lock files
<para>Lock files
<emphasis>must</emphasis> be backed up together with
the contents of any encrypted partitions. While
deleting a lock file alone cannot prevent a determined
attacker from decrypting a
<application>gbde</application> partition, without the
the contents of any encrypted partitions. Without the
lock file, the legitimate owner will be unable to
access the data on the encrypted partition without a
significant amount of work that is totally unsupported
by &man.gbde.8;.</para>
access the data on the encrypted partition.</para>
</caution>
</step>
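Review bot: the new link text `http://world.std.com/~reinhold/diceware.htm` is missing the trailing `l` that the `xlink:href` carries, so the visible URL does not match the target; either make the text identical to the href or keep the descriptive "Diceware Passphrase" link text that was removed. The closing tag changed to `</screen>` here must agree with whatever element is finally chosen for the template block opened in the init step.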
@ -2686,40 +2676,32 @@ sector_size = 2048
Device</title>
<para>Once the encrypted device has been attached to the
kernel, a file system can be created on the device using
&man.newfs.8;. This example creates a UFS2 file
system with soft updates enabled.</para>
kernel, a file system can be created on the device.
This example creates a <acronym>UFS</acronym> file
system with soft updates enabled. Be sure to specify the
partition which has a
<filename><replaceable>*</replaceable>.bde</filename>
extension:</para>
<screen>&prompt.root; <userinput>newfs -U /dev/ad4s1c.bde</userinput></screen>
<note>
<para>&man.newfs.8; must be performed on an attached
<application>gbde</application> partition which is
identified by a
<filename><replaceable>*</replaceable>.bde</filename>
extension to the device name.</para>
</note>
</step>
<step>
<title>Mount the Encrypted Partition</title>
<para>Create a mount point for the encrypted file
<para>Create a mount point and mount the encrypted file
system:</para>
<screen>&prompt.root; <userinput>mkdir /private</userinput></screen>
<para>Mount the encrypted file system:</para>
<screen>&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
<screen>&prompt.root; <userinput>mkdir /private</userinput>
&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
</step>
<step>
<title>Verify That the Encrypted File System is
Available</title>
<para>The encrypted file system should now be visible to
&man.df.1; and be available for use.</para>
<para>The encrypted file system should now be visible
and available for use:</para>
<screen>&prompt.user; <userinput>df -H</userinput>
Filesystem Size Used Avail Capacity Mounted on
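Review bot: `newfs -U /dev/ad4s1c.bde` leaves the fragment size at the newfs default, while the template comment in the init step says the gbde sector_size should equal the UFS fragment size and the prose tells the reader to set it to 2048; unless the default fragment size is 2048 on the release this page documents, the two steps disagree. Pass it explicitly, for example `newfs -U -f 2048 /dev/ad4s1c.bde`, or state which fragment size the default gives so the reader can check it against sector_size.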
@ -2732,70 +2714,37 @@ Filesystem Size Used Avail Capacity Mounted on
</step>
</procedure>
<sect3>
<title>Mounting Existing Encrypted File Systems</title>
<para>After each boot, any encrypted file systems must be
re-attached to the kernel, checked for errors, and mounted,
before the file systems can be used. The required commands
must be executed as
<systemitem class="username">root</systemitem>.</para>
<procedure>
<step>
<title>Attach the <command>gbde</command> Partition to the
Kernel</title>
<screen>&prompt.root; <userinput>gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock</userinput></screen>
<para>This command will prompt for the passphrase that was
selected during initialization of the encrypted
<application>gbde</application> partition.</para>
</step>
<step>
<title>Check the File System for Errors</title>
<para>Since encrypted file systems cannot yet be listed in
<filename>/etc/fstab</filename> for automatic mounting,
the file systems must be checked for errors by running
&man.fsck.8; manually before mounting:</para>
<screen>&prompt.root; <userinput>fsck -p -t ffs /dev/ad4s1c.bde</userinput></screen>
</step>
<step>
<title>Mount the Encrypted File System</title>
<screen>&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
<para>The encrypted file system is now available for
use.</para>
</step>
</procedure>
<para>It is possible to create a script to automatically
attach, check, and mount an encrypted partition, but for
security reasons the script should not contain the
&man.gbde.8; password. Instead, it is recommended that
such scripts be run manually while providing the password
via the console or &man.ssh.1;.</para>
<para>As an alternative, an <filename>rc.d</filename> script
is provided. Arguments for this script can be passed via
&man.rc.conf.5;:</para>
manually re-attached to the kernel, checked for errors, and mounted,
before the file systems can be used. To configure these
steps, add the following lines to <filename>/etc/rc.conf</filename>:</para>
<programlisting>gbde_autoattach_all="YES"
gbde_devices="ad4s1c"
gbde_devices="<replaceable>ad4s1c</replaceable>"
gbde_lockdir="/etc/gbde"</programlisting>
<para>This requires that the
<application>gbde</application> passphrase be entered at
passphrase be entered at the console
boot time. After typing the correct passphrase, the
<application>gbde</application> encrypted partition will be
mounted automatically. This can be useful when using
<application>gbde</application> on laptops.</para>
</sect3>
encrypted partition will be
mounted automatically. Additional
<application>gbde</application> boot options are available
and listed in &man.rc.conf.5;.</para>
<!--
What about bsdinstall?
-->
<note>
<para><application>sysinstall</application> is incompatible with
<application>gbde</application>-encrypted devices. All
<filename>*.bde</filename>
devices must be detached from the kernel before starting
<application>sysinstall</application> or it will crash during its initial
probing for devices. To detach the encrypted device used in
the example, use the following command:</para>
<screen>&prompt.root; <userinput>gbde detach /dev/<replaceable>ad4s1c</replaceable></userinput></screen>
</note>
</sect2>
<sect2 xml:id="disks-encrypting-geli">
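Review bot: the new paragraph says the file systems must be "manually" re-attached, checked and mounted, and then immediately describes rc.conf settings that do it at boot; drop "manually" or reword. More importantly, the rc.conf lines only attach `ad4s1c`; nothing shown mounts `/dev/ad4s1c.bde` on `/private`, yet the text promises the partition "will be mounted automatically". Either add the matching `/etc/fstab` entry to the example (something like `/dev/ad4s1c.bde /private ufs rw 2 2`, with the fsck pass chosen only if rc.d/gbde attaches the device before fsck runs) or keep the removed attach, fsck and mount steps as the manual alternative the old text offered. On the re-added sysinstall note and the `What about bsdinstall?` comment: sysinstall was replaced by bsdinstall in 9.0, so either scope the note to releases that still ship sysinstall or drop it, rather than shipping the open question as an XML comment.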