Lines Matching +full:suspend +full:- +full:to +full:- +full:disk

1 .\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 To compile GEOM_ELI into your kernel, add the following lines to your kernel
34 .Bd -ragged -offset indent
39 Alternatively, to load the GEOM_ELI module at boot time, add the following line
40 to your
42 .Bd -literal -offset indent
63 .Cm label - an alias for
77 .Cm stop - an alias for
121 .Cm suspend
157 utility is used to configure encryption on GEOM providers.
161 .Bl -bullet -offset indent -compact
170 .Nm AES-XTS ,
171 .Nm AES-CBC ,
173 .Nm Camellia-CBC ) .
184 Can create a User Key from up to two, piecewise components: a passphrase
194 .%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
204 It is fast -
206 performs simple sector-to-sector encryption.
208 Allows the encrypted Master Key to be backed up and restored,
209 so that if a user has to quickly destroy key material,
210 it is possible to get the data back by restoring keys from
213 Providers can be configured to automatically detach on last close,
214 so users do not have to remember to detach providers after unmounting
217 Allows attaching a provider with a random, one-time Master Key,
225 The first argument to
227 indicates an action to be performed:
228 .Bl -tag -width ".Cm configure"
230 Initialize providers which need to be encrypted.
233 A unique salt will be randomly generated for each provider to ensure the
235 Here you can set up the cryptographic algorithm to use, Data Key length,
237 The last sector of the providers is used to store metadata.
240 subcommand also automatically writes metadata backups to
248 .Bl -tag -width ".Fl J Ar newpassfile"
266 Try to decrypt this partition during boot, before the root partition is mounted.
267 This makes it possible to use an encrypted root partition.
270 directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
273 File name to use for metadata backup instead of the default
275 To inhibit backups, you can use
281 (all upper-case) in the file name, and it will be replaced with the provider
287 .Pa -<prov>
288 will be appended to the end of the file name specified.
290 When entering the passphrase to boot from this encrypted root filesystem, echo
295 Encryption algorithm to use.
297 .Nm AES-XTS ,
298 .Nm AES-CBC ,
299 .Nm Camellia-CBC ,
303 .Nm AES-XTS .
312 Number of iterations to use with PKCS#5v2 when processing User Key
316 will find the number of iterations which is equal to 2 seconds of crypto work.
325 is given as -, standard input will be used.
326 Only the first line (excluding new-line character) is taken from the given file.
337 is given as -, standard input will be used.
341 Data Key length to use with the given cryptographic algorithm.
345 .Bl -ohang -offset indent
346 .It Nm AES-XTS
349 .It Nm AES-CBC , Nm Camellia-CBC
368 The metadata will be moved to the new location.
385 sectors when TRIM is enabled, so it should not be considered to add any
388 Metadata version to use.
394 section to find which metadata version is supported by which
407 suffix is added to the user specified provider names.
413 .Bl -tag -width ".Fl j Ar passfile"
415 Do a dry-run decryption.
416 This is useful to verify passphrase and keyfile without decrypting the device.
419 so the user does not have to remember to detach
422 the filesystems on the providers were mounted read-only.
429 Specifies the index number of the Master Key copy to use (could be 0 or 1).
455 Attach read-only providers.
463 .Bl -tag -width ".Fl f"
465 Force detach - detach even if the provider is open.
467 Mark provider to detach on last close, after the last filesystem has been
474 Attach the given providers with a random, one-time (ephemeral) Master Key.
475 The command can be used to encrypt swap partitions or temporary filesystems.
478 .Bl -tag -width ".Fl a Ar sectorsize"
485 Encryption algorithm to use.
498 Data Key length to use with the given cryptographic algorithm.
522 .Bl -tag -width ".Fl b"
531 When entering the passphrase to boot from this encrypted root filesystem, echo
536 Disable echoing of any characters when a passphrase is entered to boot from this
572 When a provider is attached, the user does not have to provide
576 .Bl -tag -width ".Fl J Ar newpassfile"
578 Number of iterations to use with PKCS#5v2.
580 To be able to use this option with the
582 subcommand, only one key has to be defined and this key must be changed.
596 Specifies the index number of the Master Key copy to change (could be 0 or 1).
600 and no key number is given, the first Master Key copy to be successfully
622 .Bl -tag -width ".Fl a Ar keyno"
629 This option is needed to destroy the last copy of the Master Key.
635 has to be given.
641 This is absolutely a one-way command - if you do not have a metadata
648 .Bl -tag -width ".Fl a"
653 Backup metadata from the given provider to the given file.
655 Restore metadata from the given file to the given provider.
658 .Bl -tag -width ".Fl f"
660 Metadata contains the size of the provider to ensure that the correct
662 If an attempt is made to restore metadata to a provider that has a different
665 will refuse to restore the data unless the
670 subcommand should be used rather than attempting to relocate the metadata
676 .It Cm suspend
677 Suspend device by waiting for all inflight requests to finish, clearing all
685 .Cm suspend
689 Any access to the encrypted device will be blocked until the Master Key is
693 Thus there is no need to close nor unmount anything.
695 .Cm suspend
703 .Bl -tag -width ".Fl a"
705 Suspend all
712 suspended device, leading to a deadlock.
718 .Bl -tag -width ".Fl j Ar passfile"
745 The old metadata block is relocated to the correct position at the end of the
749 .Bl -tag -width ".Fl s Ar oldsize"
787 .Bl -tag -width ".Fl v"
799 Each copy of the provider metadata, active or backed up to a file, can store
800 up to two, independently-encrypted copies of the Master Key.
811 If no passphrase parts are specified, the system prompts the user to enter
819 derived, depend on the GELI version and whether the provider is configured to
824 variables can be used to control the behavior of the
827 The default value is shown next to each variable.
830 .Bl -tag -width indent
839 This can be set to a number between 0 and 3 inclusive.
840 If set to 0, minimal debug information is printed.
841 If set to 3, the
847 If set to 0, attaching providers on boot will be disabled.
861 as opposed to
864 If set to 1, the passphrase entered on boot will be visible.
873 Its purpose is to increase performance on SMP systems.
874 If set to 0, a CPU-pinned thread will be started for every active CPU.
875 Note that this variable must be set prior to attaching
877 to a disk.
879 When set to 1, can speed-up crypto operations by using batching.
880 Batching reduces the number of interrupts by responding to a group of
882 The crypto card and the driver have to support this feature.
884 Specifies how many Data Keys to cache.
900 Enable support for unmapped I/O buffers, currently implemented only on 64-bit
910 However, it may need to be lowered on systems with many disks,
911 so as to avoid creating too much thread-switching overhead.
912 On systems with more disks than CPUs, it's best to set this variable
913 to 1.
918 to allocate memory for operations larger than
922 So it's best to avoid writing more than
937 Initialize a provider which is going to be encrypted with a
943 .Bd -literal -offset indent
945 # geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
948 # geli attach -k /mnt/pendrive/da2.key /dev/da2
963 .Bd -literal -offset indent
967 # geli setkey -n 1 /dev/da2
976 .Bd -literal -offset indent
978 # geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
980 (use key number 0, so the encrypted Master Key will be re-encrypted by this)
981 # geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
982 (allow the user to enter his passphrase)
988 .Bd -literal -offset indent
990 # geli onetime -d ada0s1b
994 The example below shows how to configure two providers which will be attached
998 .Bd -literal -offset indent
1003 # geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
1008 # geli init -b -P -K /boot/keys/da1s3a.key da1s3a
1011 The providers are initialized, now we have to add these lines to
1013 .Bd -literal -offset indent
1030 .Bd -literal -offset indent
1049 .No < Va prefix No > Va _type No -like
1055 The paths to keyfiles are then extracted from
1067 .Bd -literal -offset indent
1068 # geli init -a hmac/sha256 -s 4096 /dev/da0
1079 writes the metadata backup by default to the
1084 .Bd -literal -offset indent
1102 If an encrypted filesystem is extended, it is necessary to relocate and
1104 .Bd -literal -offset indent
1105 # gpart create -s GPT ada0
1106 # gpart add -s 1g -t freebsd-ufs -i 1 ada0
1107 # geli init -K keyfile -P ada0p1
1108 # gpart resize -s 2g -i 1 ada0
1109 # geli resize -s 1g ada0p1
1110 # geli attach -k keyfile -p ada0p1
1119 .Bd -literal -offset indent
1122 # geli init -J da0.pass0 -J da0.pass1 da0
1123 # geli attach -j da0.pass0 -j da0.pass1 da0
1129 Suspend all
1131 devices on a laptop, suspend the laptop, then resume devices one by one after
1133 .Bd -literal -offset indent
1134 # geli suspend -a
1137 # geli resume -p -k keyfile gpt/secret
1142 To create a
1147 and attached as a memory disk like
1150 .Bd -literal -offset indent
1153 # mdconfig -t vnode -f /usr/private0
1156 It is recommended to place the following line in
1158 to have the memory disk automatically created during boot.
1159 .Bd -literal -offset indent
1160 mdconfig_md0="-t vnode -f /usr/private0"
1165 is created a random key has to be generated and stored in a secure location,
1171 .Bd -literal -offset indent
1173 # geli init -K /root/private0.key -s 4096 /dev/md0
1176 # geli attach -k /root/private0.key /dev/md0
1185 .Bd -literal -offset indent
1194 It is recommended to do this procedure after the boot, because otherwise
1196 .Bd -literal -offset indent
1197 # geli attach -k /root/private0.key /dev/md0
1214 is very similar to the mode
1224 It is important to know against which attacks
1227 If data is modified in-place or copied from one place on the disk
1228 to another even without modification,
1230 should be able to detect such a change.
1237 It is recommended to write to the whole provider before first use,
1238 in order to make sure that all sectors and their corresponding
1264 .Bl -column -offset indent ".Sy FreeBSD" ".Sy version"