Lines Matching +full:master +full:- +full:kernel
1 .\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
32 To compile GEOM_ELI into your kernel, add the following lines to your kernel
34 .Bd -ragged -offset indent
42 .Bd -literal -offset indent
63 .Cm label - an alias for
77 .Cm stop - an alias for
161 .Bl -bullet -offset indent -compact
170 .Nm AES-XTS ,
171 .Nm AES-CBC ,
173 .Nm Camellia-CBC ) .
194 .%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
204 It is fast -
206 performs simple sector-to-sector encryption.
208 Allows the encrypted Master Key to be backed up and restored,
217 Allows attaching a provider with a random, one-time Master Key,
228 .Bl -tag -width ".Cm configure"
234 Master Key for each is unique.
248 .Bl -tag -width ".Fl J Ar newpassfile"
270 directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
281 (all upper-case) in the file name, and it will be replaced with the provider
287 .Pa -<prov>
297 .Nm AES-XTS ,
298 .Nm AES-CBC ,
299 .Nm Camellia-CBC ,
303 .Nm AES-XTS .
325 is given as -, standard input will be used.
326 Only the first line (excluding new-line character) is taken from the given file.
337 is given as -, standard input will be used.
345 .Bl -ohang -offset indent
346 .It Nm AES-XTS
349 .It Nm AES-CBC , Nm Camellia-CBC
402 The encrypted Master Keys are loaded from the metadata and decrypted
413 .Bl -tag -width ".Fl j Ar passfile"
415 Do a dry-run decryption.
422 the filesystems on the providers were mounted read-only.
429 Specifies the index number of the Master Key copy to use (could be 0 or 1).
455 Attach read-only providers.
460 and clear the Master Key and Data Keys from memory.
463 .Bl -tag -width ".Fl f"
465 Force detach - detach even if the provider is open.
474 Attach the given providers with a random, one-time (ephemeral) Master Key.
478 .Bl -tag -width ".Fl a Ar sectorsize"
522 .Bl -tag -width ".Fl b"
562 Install a copy of the Master Key into the selected slot, encrypted with
565 A provider has one Master Key, which can be stored in one or both slots,
576 .Bl -tag -width ".Fl J Ar newpassfile"
596 Specifies the index number of the Master Key copy to change (could be 0 or 1).
600 and no key number is given, the first Master Key copy to be successfully
614 Destroy (overwrite with random data) the selected Master Key copy.
616 will not be detached even if all copies of the Master Key are destroyed.
619 subcommand because the Master Key is still in memory.
622 .Bl -tag -width ".Fl a Ar keyno"
624 Destroy all copies of the Master Key (does not need
629 This option is needed to destroy the last copy of the Master Key.
631 Specifies the index number of the Master Key copy.
639 It will destroy all copies of the Master Key on a given provider and will
641 This is absolutely a one-way command - if you do not have a metadata
648 .Bl -tag -width ".Fl a"
658 .Bl -tag -width ".Fl f"
678 sensitive information such as the Master Key and Data Keys from kernel memory,
689 Any access to the encrypted device will be blocked until the Master Key is
703 .Bl -tag -width ".Fl a"
718 .Bl -tag -width ".Fl j Ar passfile"
749 .Bl -tag -width ".Fl s Ar oldsize"
768 This will erase with zeros the encrypted Master Key copies stored in the
787 .Bl -tag -width ".Fl v"
792 .Ss Master Key
797 utility generates a random Master Key for the provider.
798 The Master Key never changes during the lifetime of the provider.
800 up to two, independently-encrypted copies of the Master Key.
802 Each stored copy of the Master Key is encrypted with a User Key, which
817 the kernel from the Master Key and cached in memory.
830 .Bl -tag -width indent
851 Specifies how many times the Master Key is overwritten
871 Specifies how many kernel threads should be used for doing software
874 If set to 0, a CPU-pinned thread will be started for every active CPU.
879 When set to 1, can speed-up crypto operations by using batching.
900 Enable support for unmapped I/O buffers, currently implemented only on 64-bit
911 so as to avoid creating too much thread-switching overhead.
943 .Bd -literal -offset indent
945 # geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
948 # geli attach -k /mnt/pendrive/da2.key /dev/da2
963 .Bd -literal -offset indent
967 # geli setkey -n 1 /dev/da2
975 forget their passphrases, so back up the Master Key with your own random key:
976 .Bd -literal -offset indent
978 # geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
980 (use key number 0, so the encrypted Master Key will be re-encrypted by this)
981 # geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
988 .Bd -literal -offset indent
990 # geli onetime -d ada0s1b
998 .Bd -literal -offset indent
1003 # geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
1008 # geli init -b -P -K /boot/keys/da1s3a.key da1s3a
1013 .Bd -literal -offset indent
1030 .Bd -literal -offset indent
1049 .No < Va prefix No > Va _type No -like
1067 .Bd -literal -offset indent
1068 # geli init -a hmac/sha256 -s 4096 /dev/da0
1084 .Bd -literal -offset indent
1104 .Bd -literal -offset indent
1105 # gpart create -s GPT ada0
1106 # gpart add -s 1g -t freebsd-ufs -i 1 ada0
1107 # geli init -K keyfile -P ada0p1
1108 # gpart resize -s 2g -i 1 ada0
1109 # geli resize -s 1g ada0p1
1110 # geli attach -k keyfile -p ada0p1
1119 .Bd -literal -offset indent
1122 # geli init -J da0.pass0 -J da0.pass1 da0
1123 # geli attach -j da0.pass0 -j da0.pass1 da0
1133 .Bd -literal -offset indent
1134 # geli suspend -a
1137 # geli resume -p -k keyfile gpt/secret
1150 .Bd -literal -offset indent
1153 # mdconfig -t vnode -f /usr/private0
1159 .Bd -literal -offset indent
1160 mdconfig_md0="-t vnode -f /usr/private0"
1171 .Bd -literal -offset indent
1173 # geli init -K /root/private0.key -s 4096 /dev/md0
1176 # geli attach -k /root/private0.key /dev/md0
1185 .Bd -literal -offset indent
1196 .Bd -literal -offset indent
1197 # geli attach -k /root/private0.key /dev/md0
1227 If data is modified in-place or copied from one place on the disk
1264 .Bl -column -offset indent ".Sy FreeBSD" ".Sy version"