xref: /freebsd/lib/geom/eli/geli.8 (revision 190cef3d52236565eb22e18b33e9e865ec634aa3)
1.\" Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd July 24, 2018
28.Dt GELI 8
29.Os
30.Sh NAME
31.Nm geli
32.Nd "control utility for the cryptographic GEOM class"
33.Sh SYNOPSIS
34To compile GEOM_ELI into your kernel, add the following lines to your kernel
35configuration file:
36.Bd -ragged -offset indent
37.Cd "device crypto"
38.Cd "options GEOM_ELI"
39.Ed
40.Pp
41Alternatively, to load the GEOM_ELI module at boot time, add the following line
42to your
43.Xr loader.conf 5 :
44.Bd -literal -offset indent
45geom_eli_load="YES"
46.Ed
47.Pp
48Usage of the
49.Nm
50utility:
51.Pp
52.Nm
53.Cm init
54.Op Fl bdgPTv
55.Op Fl a Ar aalgo
56.Op Fl B Ar backupfile
57.Op Fl e Ar ealgo
58.Op Fl i Ar iterations
59.Op Fl J Ar newpassfile
60.Op Fl K Ar newkeyfile
61.Op Fl l Ar keylen
62.Op Fl s Ar sectorsize
63.Op Fl V Ar version
64.Ar prov ...
65.Nm
66.Cm label - an alias for
67.Cm init
68.Nm
69.Cm attach
70.Op Fl Cdprv
71.Op Fl n Ar keyno
72.Op Fl j Ar passfile
73.Op Fl k Ar keyfile
74.Ar prov ...
75.Nm
76.Cm detach
77.Op Fl fl
78.Ar prov ...
79.Nm
80.Cm stop - an alias for
81.Cm detach
82.Nm
83.Cm onetime
84.Op Fl dT
85.Op Fl a Ar aalgo
86.Op Fl e Ar ealgo
87.Op Fl l Ar keylen
88.Op Fl s Ar sectorsize
89.Ar prov
90.Nm
91.Cm configure
92.Op Fl bBdDgGtT
93.Ar prov ...
94.Nm
95.Cm setkey
96.Op Fl pPv
97.Op Fl i Ar iterations
98.Op Fl j Ar passfile
99.Op Fl J Ar newpassfile
100.Op Fl k Ar keyfile
101.Op Fl K Ar newkeyfile
102.Op Fl n Ar keyno
103.Ar prov
104.Nm
105.Cm delkey
106.Op Fl afv
107.Op Fl n Ar keyno
108.Ar prov
109.Nm
110.Cm kill
111.Op Fl av
112.Op Ar prov ...
113.Nm
114.Cm backup
115.Op Fl v
116.Ar prov
117.Ar file
118.Nm
119.Cm restore
120.Op Fl fv
121.Ar file
122.Ar prov
123.Nm
124.Cm suspend
125.Op Fl v
126.Fl a | Ar prov ...
127.Nm
128.Cm resume
129.Op Fl pv
130.Op Fl j Ar passfile
131.Op Fl k Ar keyfile
132.Ar prov
133.Nm
134.Cm resize
135.Op Fl v
136.Fl s Ar oldsize
137.Ar prov
138.Nm
139.Cm version
140.Op Ar prov ...
141.Nm
142.Cm clear
143.Op Fl v
144.Ar prov ...
145.Nm
146.Cm dump
147.Op Fl v
148.Ar prov ...
149.Nm
150.Cm list
151.Nm
152.Cm status
153.Nm
154.Cm load
155.Nm
156.Cm unload
157.Sh DESCRIPTION
158The
159.Nm
160utility is used to configure encryption on GEOM providers.
161.Pp
162The following is a list of the most important features:
163.Pp
164.Bl -bullet -offset indent -compact
165.It
166Utilizes the
167.Xr crypto 9
168framework, so when there is crypto hardware available,
169.Nm
170will make use of it automatically.
171.It
172Supports many cryptographic algorithms (currently
173.Nm AES-XTS ,
174.Nm AES-CBC ,
175.Nm Blowfish-CBC ,
176.Nm Camellia-CBC
177and
178.Nm 3DES-CBC ) .
179.It
180Can optionally perform data authentication (integrity verification) utilizing
181one of the following algorithms:
182.Nm HMAC/MD5 ,
183.Nm HMAC/SHA1 ,
184.Nm HMAC/RIPEMD160 ,
185.Nm HMAC/SHA256 ,
186.Nm HMAC/SHA384
187or
188.Nm HMAC/SHA512 .
189.It
190Can create a User Key from up to two, piecewise components: a passphrase
191entered via prompt or read from one or more passfiles; a keyfile read from
192one or more files.
193.It
194Allows encryption of the root partition.
195The user is asked for the passphrase before the root filesystem is mounted.
196.It
197Strengthens the passphrase component of the User Key with:
198.Rs
199.%A B. Kaliski
200.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
201.%R RFC
202.%N 2898
203.Re
204.It
205Allows the use of two independent User Keys (e.g., a
206.Qq "user key"
207and a
208.Qq "company key" ) .
209.It
210It is fast -
211.Nm
212performs simple sector-to-sector encryption.
213.It
214Allows the encrypted Master Key to be backed up and restored,
215so that if a user has to quickly destroy key material,
216it is possible to get the data back by restoring keys from
217backup.
218.It
219Providers can be configured to automatically detach on last close,
220so users do not have to remember to detach providers after unmounting
221the filesystems.
222.It
223Allows attaching a provider with a random, one-time Master Key,
224which is useful for swap partitions and temporary filesystems.
225.It
226Allows verification of data integrity (data authentication).
227.It
228Allows suspending and resuming encrypted devices.
229.El
230.Pp
231The first argument to
232.Nm
233indicates an action to be performed:
234.Bl -tag -width ".Cm configure"
235.It Cm init
236Initialize providers which need to be encrypted.
237If multiple providers are listed as arguments, they will all be initialized
238with the same passphrase and/or User Key.
239A unique salt will be randomly generated for each provider to ensure the
240Master Key for each is unique.
241Here you can set up the cryptographic algorithm to use, Data Key length,
242etc.
243The last sector of the providers is used to store metadata.
244The
245.Cm init
246subcommand also automatically writes metadata backups to
247.Pa /var/backups/<prov>.eli
248file.
249The metadata can be recovered with the
250.Cm restore
251subcommand described below.
252.Pp
253Additional options include:
254.Bl -tag -width ".Fl J Ar newpassfile"
255.It Fl a Ar aalgo
256Enable data integrity verification (authentication) using the given algorithm.
257This will reduce the size of storage available and also reduce speed.
258For example, when using 4096 bytes sector and
259.Nm HMAC/SHA256
260algorithm, 89% of the original provider storage will be available for use.
261Currently supported algorithms are:
262.Nm HMAC/MD5 ,
263.Nm HMAC/SHA1 ,
264.Nm HMAC/RIPEMD160 ,
265.Nm HMAC/SHA256 ,
266.Nm HMAC/SHA384
267and
268.Nm HMAC/SHA512 .
269If the option is not given, there will be no authentication, only encryption.
270The recommended algorithm is
271.Nm HMAC/SHA256 .
272.It Fl b
273Try to decrypt this partition during boot, before the root partition is mounted.
274This makes it possible to use an encrypted root partition.
275One will still need bootable unencrypted storage with a
276.Pa /boot/
277directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
278after boot.
279.It Fl B Ar backupfile
280File name to use for metadata backup instead of the default
281.Pa /var/backups/<prov>.eli .
282To inhibit backups, you can use
283.Pa none
284as the
285.Ar backupfile .
286If multiple providers were initialized in the one command, you can use
287.Pa PROV
288(all upper-case) in the file name, and it will be replaced with the provider
289name.
290If
291.Pa PROV
292is not found in the file name and multiple providers were initialized in the
293one command,
294.Pa -<prov>
295will be appended to the end of the file name specified.
296.It Fl d
297When entering the passphrase to boot from this encrypted root filesystem, echo
298.Ql *
299characters.
300This makes the length of the passphrase visible.
301.It Fl e Ar ealgo
302Encryption algorithm to use.
303Currently supported algorithms are:
304.Nm AES-XTS ,
305.Nm AES-CBC ,
306.Nm Blowfish-CBC ,
307.Nm Camellia-CBC ,
308.Nm 3DES-CBC ,
309and
310.Nm NULL .
311The default and recommended algorithm is
312.Nm AES-XTS .
313.Nm NULL
314is unencrypted.
315.It Fl g
316Enable booting from this encrypted root filesystem.
317The boot loader prompts for the passphrase and loads
318.Xr loader 8
319from the encrypted partition.
320.It Fl i Ar iterations
321Number of iterations to use with PKCS#5v2 when processing User Key
322passphrase component.
323If this option is not specified,
324.Nm
325will find the number of iterations which is equal to 2 seconds of crypto work.
326If 0 is given, PKCS#5v2 will not be used.
327PKCS#5v2 processing is performed once, after all parts of the passphrase
328component have been read.
329.It Fl J Ar newpassfile
330Specifies a file which contains the passphrase component of the User Key
331(or part of it).
332If
333.Ar newpassfile
334is given as -, standard input will be used.
335Only the first line (excluding new-line character) is taken from the given file.
336This argument can be specified multiple times, which has the effect of
337reassembling a single passphrase split across multiple files.
338Cannot be combined with the
339.Fl P
340option.
341.It Fl K Ar newkeyfile
342Specifies a file which contains the keyfile component of the User Key
343(or part of it).
344If
345.Ar newkeyfile
346is given as -, standard input will be used.
347This argument can be specified multiple times, which has the effect of
348reassembling a single keyfile split across multiple keyfile parts.
349.It Fl l Ar keylen
350Data Key length to use with the given cryptographic algorithm.
351If the length is not specified, the selected algorithm uses its
352.Em default
353key length.
354.Bl -ohang -offset indent
355.It Nm AES-XTS
356.Em 128 ,
357256
358.It Nm AES-CBC , Nm Camellia-CBC
359.Em 128 ,
360192,
361256
362.It Nm Blowfish-CBC
363.Em 128
364+ n * 32, for n=[0..10]
365.It Nm 3DES-CBC
366.Em 192
367.El
368.It Fl P
369Do not use a passphrase as a component of the User Key.
370Cannot be combined with the
371.Fl J
372option.
373.It Fl s Ar sectorsize
374Change decrypted provider's sector size.
375Increasing the sector size allows increased performance,
376because encryption/decryption which requires an initialization vector
377is done per sector; fewer sectors means less computational work.
378.It Fl T
379Don't pass through
380.Dv BIO_DELETE
381calls (i.e., TRIM/UNMAP).
382This can prevent an attacker from knowing how much space you're actually
383using and which sectors contain live data, but will also prevent the
384backing store (SSD, etc) from reclaiming space you're not using, which
385may degrade its performance and lifespan.
386The underlying provider may or may not actually obliterate the deleted
387sectors when TRIM is enabled, so it should not be considered to add any
388security.
389.It Fl V Ar version
390Metadata version to use.
391This option is helpful when creating a provider that may be used by older
392.Nm FreeBSD/GELI
393versions.
394Consult the
395.Sx HISTORY
396section to find which metadata version is supported by which
397.Fx
398version.
399Note that using an older version of metadata may limit the number of
400features available.
401.El
402.It Cm attach
403Attach the given providers.
404The encrypted Master Keys are loaded from the metadata and decrypted
405using the given passphrase/keyfile and new GEOM providers are created
406using the specified provider names.
407A
408.Qq .eli
409suffix is added to the user specified provider names.
410Multiple providers can only be attached with a single
411.Cm attach
412command if they all have the same passphrase and keyfiles.
413.Pp
414Additional options include:
415.Bl -tag -width ".Fl j Ar passfile"
416.It Fl C
417Do a dry-run decryption.
418This is useful to verify passphrase and keyfile without decrypting the device.
419.It Fl d
420If specified, the decrypted providers are detached automatically on last close,
421so the user does not have to remember to detach
422providers after unmounting the filesystems.
423This only works when providers were opened for writing, and will not work if
424the filesystems on the providers were mounted read-only.
425Probably a better choice is the
426.Fl l
427option for the
428.Cm detach
429subcommand.
430.It Fl n Ar keyno
431Specifies the index number of the Master Key copy to use (could be 0 or 1).
432If the index number is not provided all keys will be tested.
433.It Fl j Ar passfile
434Specifies a file which contains the passphrase component of the User Key
435(or part of it).
436For more information see the description of the
437.Fl J
438option for the
439.Cm init
440subcommand.
441The same passfiles are used for all listed providers.
442.It Fl k Ar keyfile
443Specifies a file which contains the keyfile component of the User Key
444(or part of it).
445For more information see the description of the
446.Fl K
447option for the
448.Cm init
449subcommand.
450The same keyfiles are used for all listed providers.
451.It Fl p
452Do not use a passphrase as a component of the User Keys.
453Cannot be combined with the
454.Fl j
455option.
456.It Fl r
457Attach read-only providers.
458They are not opened for writing.
459.El
460.It Cm detach
461Detach the given providers, which means remove the devfs entry
462and clear the Master Key and Data Keys from memory.
463.Pp
464Additional options include:
465.Bl -tag -width ".Fl f"
466.It Fl f
467Force detach - detach even if the provider is open.
468.It Fl l
469Mark provider to detach on last close, after the last filesystem has been
470unmounted.
471If this option is specified, the provider will not be detached
472while it is open, but will be automatically detached when it is closed for the
473last time even if it was only opened for reading.
474.El
475.It Cm onetime
476Attach the given providers with a random, one-time (ephemeral) Master Key.
477The command can be used to encrypt swap partitions or temporary filesystems.
478.Pp
479Additional options include:
480.Bl -tag -width ".Fl a Ar sectorsize"
481.It Fl a Ar aalgo
482Enable data integrity verification (authentication).
483For more information, see the description of the
484.Cm init
485subcommand.
486.It Fl e Ar ealgo
487Encryption algorithm to use.
488For more information, see the description of the
489.Cm init
490subcommand.
491.It Fl d
492Detach on last close, after the last filesystem has been unmounted.
493Note: this option is not usable for temporary filesystems as the provider is
494detached after the filesystem has been created.
495It still can, and should, be used for swap partitions.
496For more information, see the description of the
497.Cm attach
498subcommand.
499.It Fl l Ar keylen
500Data Key length to use with the given cryptographic algorithm.
501For more information, see the description of the
502.Cm init
503subcommand.
504.It Fl s Ar sectorsize
505Change decrypted provider's sector size.
506For more information, see the description of the
507.Cm init
508subcommand.
509.It Fl T
510Disable TRIM/UNMAP passthru.
511For more information, see the description of the
512.Cm init
513subcommand.
514.El
515.It Cm configure
516Change configuration of the given providers.
517.Pp
518Additional options include:
519.Bl -tag -width ".Fl b"
520.It Fl b
521Set the BOOT flag on the given providers.
522For more information, see the description of the
523.Cm init
524subcommand.
525.It Fl B
526Remove the BOOT flag from the given providers.
527.It Fl d
528When entering the passphrase to boot from this encrypted root filesystem, echo
529.Ql *
530characters.
531This makes the length of the passphrase visible.
532.It Fl D
533Disable echoing of any characters when a passphrase is entered to boot from this
534encrypted root filesystem.
535This hides the passphrase length.
536.It Fl g
537Enable booting from this encrypted root filesystem.
538The boot loader prompts for the passphrase and loads
539.Xr loader 8
540from the encrypted partition.
541.It Fl G
542Deactivate booting from this encrypted root partition.
543.It Fl t
544Enable TRIM/UNMAP passthru.
545For more information, see the description of the
546.Cm init
547subcommand.
548.It Fl T
549Disable TRIM/UNMAP passthru.
550.El
551.It Cm setkey
552Install a copy of the Master Key into the selected slot, encrypted with
553a new User Key.
554If the selected slot is populated, replace the existing copy.
555A provider has one Master Key, which can be stored in one or both slots,
556each encrypted with an independent User Key.
557With the
558.Cm init
559subcommand, only key number 0 is initialized.
560The User Key can be changed at any time: for an attached provider,
561for a detached provider, or on the backup file.
562When a provider is attached, the user does not have to provide
563an existing passphrase/keyfile.
564.Pp
565Additional options include:
566.Bl -tag -width ".Fl J Ar newpassfile"
567.It Fl i Ar iterations
568Number of iterations to use with PKCS#5v2.
569If 0 is given, PKCS#5v2 will not be used.
570To be able to use this option with the
571.Cm setkey
572subcommand, only one key has to be defined and this key must be changed.
573.It Fl j Ar passfile
574Specifies a file which contains the passphrase component of a current User Key
575(or part of it).
576.It Fl J Ar newpassfile
577Specifies a file which contains the passphrase component of the new User Key
578(or part of it).
579.It Fl k Ar keyfile
580Specifies a file which contains the keyfile component of a current User Key
581(or part of it).
582.It Fl K Ar newkeyfile
583Specifies a file which contains the keyfile component of the new User Key
584(or part of it).
585.It Fl n Ar keyno
586Specifies the index number of the Master Key copy to change (could be 0 or 1).
587If the provider is attached and no key number is given, the key
588used for attaching the provider will be changed.
589If the provider is detached (or we are operating on a backup file)
590and no key number is given, the first Master Key copy to be successfully
591decrypted with the provided User Key passphrase/keyfile will be changed.
592.It Fl p
593Do not use a passphrase as a component of the current User Key.
594Cannot be combined with the
595.Fl j
596option.
597.It Fl P
598Do not use a passphrase as a component of the new User Key.
599Cannot be combined with the
600.Fl J
601option.
602.El
603.It Cm delkey
604Destroy (overwrite with random data) the selected Master Key copy.
605If one is destroying keys for an attached provider, the provider
606will not be detached even if all copies of the Master Key are destroyed.
607It can even be rescued with the
608.Cm setkey
609subcommand because the Master Key is still in memory.
610.Pp
611Additional options include:
612.Bl -tag -width ".Fl a Ar keyno"
613.It Fl a
614Destroy all copies of the Master Key (does not need
615.Fl f
616option).
617.It Fl f
618Force key destruction.
619This option is needed to destroy the last copy of the Master Key.
620.It Fl n Ar keyno
621Specifies the index number of the Master Key copy.
622If the provider is attached and no key number is given, the key
623used for attaching the provider will be destroyed.
624If provider is detached (or we are operating on a backup file) the key number
625has to be given.
626.El
627.It Cm kill
628This command should be used only in emergency situations.
629It will destroy all copies of the Master Key on a given provider and will
630detach it forcibly (if it is attached).
631This is absolutely a one-way command - if you do not have a metadata
632backup, your data is gone for good.
633In case the provider was attached with the
634.Fl r
635flag, the keys will not be destroyed, only the provider will be detached.
636.Pp
637Additional options include:
638.Bl -tag -width ".Fl a"
639.It Fl a
640If specified, all currently attached providers will be killed.
641.El
642.It Cm backup
643Backup metadata from the given provider to the given file.
644.It Cm restore
645Restore metadata from the given file to the given provider.
646.Pp
647Additional options include:
648.Bl -tag -width ".Fl f"
649.It Fl f
650Metadata contains the size of the provider to ensure that the correct
651partition or slice is attached.
652If an attempt is made to restore metadata to a provider that has a different
653size,
654.Nm
655will refuse to restore the data unless the
656.Fl f
657switch is used.
658If the partition or slice has been grown, the
659.Cm resize
660subcommand should be used rather than attempting to relocate the metadata
661through
662.Cm backup
663and
664.Cm restore .
665.El
666.It Cm suspend
667Suspend device by waiting for all inflight requests to finish, clearing all
668sensitive information such as the Master Key and Data Keys from kernel memory,
669and blocking all further I/O requests until the
670.Cm resume
671subcommand is executed.
672This functionality is useful for laptops.
673Suspending a laptop should not leave an encrypted device attached.
674The
675.Cm suspend
676subcommand can be used rather than closing all files and directories from
677filesystems on the encrypted device, unmounting the filesystem, and
678detaching the device.
679Any access to the encrypted device will be blocked until the Master Key is
680reloaded through the
681.Cm resume
682subcommand.
683Thus there is no need to close nor unmount anything.
684The
685.Cm suspend
686subcommand does not work with devices created with the
687.Cm onetime
688subcommand.
689Please note that sensitive data might still be present in memory locations
690such as the filesystem cache after suspending an encrypted device.
691.Pp
692Additional options include:
693.Bl -tag -width ".Fl a"
694.It Fl a
695Suspend all
696.Nm
697devices.
698.El
699.It Cm resume
700Resume previously suspended device.
701The caller must ensure that executing this subcommand does not access the
702suspended device, leading to a deadlock.
703For example, suspending a device which contains the filesystem where the
704.Nm
705utility is stored is a bad idea.
706.Pp
707Additional options include:
708.Bl -tag -width ".Fl j Ar passfile"
709.It Fl j Ar passfile
710Specifies a file which contains the passphrase component of the User Key,
711or part of it.
712For more information see the description of the
713.Fl J
714option for the
715.Cm init
716subcommand.
717.It Fl k Ar keyfile
718Specifies a file which contains the keyfile component of the User Key,
719or part of it.
720For more information see the description of the
721.Fl K
722option for the
723.Cm init
724subcommand.
725.It Fl p
726Do not use a passphrase as a component of the User Key.
727Cannot be combined with the
728.Fl j
729option.
730.El
731.It Cm resize
732Inform
733.Nm
734that the provider has been resized.
735The old metadata block is relocated to the correct position at the end of the
736provider and the provider size is updated.
737.Pp
738Additional options include:
739.Bl -tag -width ".Fl s Ar oldsize"
740.It Fl s Ar oldsize
741The size of the provider before it was resized.
742.El
743.It Cm version
744If no arguments are given, the
745.Cm version
746subcommand will print the version of
747.Nm
748userland utility as well as the version of the
749.Nm ELI
750GEOM class.
751.Pp
752If GEOM providers are specified, the
753.Cm version
754subcommand will print metadata version used by each of them.
755.It Cm clear
756Clear metadata from the given providers.
757.Em WARNING :
758This will erase with zeros the encrypted Master Key copies stored in the
759metadata.
760.It Cm dump
761Dump metadata stored on the given providers.
762.It Cm list
763See
764.Xr geom 8 .
765.It Cm status
766See
767.Xr geom 8 .
768.It Cm load
769See
770.Xr geom 8 .
771.It Cm unload
772See
773.Xr geom 8 .
774.El
775.Pp
776Additional options include:
777.Bl -tag -width ".Fl v"
778.It Fl v
779Be more verbose.
780.El
781.Sh KEY SUMMARY
782.Ss Master Key
783Upon
784.Cm init ,
785the
786.Nm
787utility generates a random Master Key for the provider.
788The Master Key never changes during the lifetime of the provider.
789Each copy of the provider metadata, active or backed up to a file, can store
790up to two, independently-encrypted copies of the Master Key.
791.Ss User Key
792Each stored copy of the Master Key is encrypted with a User Key, which
793is generated by the
794.Nm
795utility from a passphrase and/or a keyfile.
796The
797.Nm
798utility first reads all parts of the keyfile in the order specified on the
799command line, then reads all parts of the stored passphrase in the order
800specified on the command line.
801If no passphrase parts are specified, the system prompts the user to enter
802the passphrase.
803The passphrase is optionally strengthened by PKCS#5v2.
804The User Key is a digest computed over the concatenated keyfile and passphrase.
805.Ss Data Key
806During operation, one or more Data Keys are deterministically derived by
807the kernel from the Master Key and cached in memory.
808The number of Data Keys used by a given provider, and the way they are
809derived, depend on the GELI version and whether the provider is configured to
810use data authentication.
811.Sh SYSCTL VARIABLES
812The following
813.Xr sysctl 8
814variables can be used to control the behavior of the
815.Nm ELI
816GEOM class.
817The default value is shown next to each variable.
818Some variables can also be set in
819.Pa /boot/loader.conf .
820.Bl -tag -width indent
821.It Va kern.geom.eli.version
822Version number of the
823.Nm ELI
824GEOM class.
825.It Va kern.geom.eli.debug : No 0
826Debug level of the
827.Nm ELI
828GEOM class.
829This can be set to a number between 0 and 3 inclusive.
830If set to 0, minimal debug information is printed.
831If set to 3, the
832maximum amount of debug information is printed.
833.It Va kern.geom.eli.tries : No 3
834Number of times a user is asked for the passphrase.
835This is only used for providers which are attached on boot,
836before the root filesystem is mounted.
837If set to 0, attaching providers on boot will be disabled.
838This variable should be set in
839.Pa /boot/loader.conf .
840.It Va kern.geom.eli.overwrites : No 5
841Specifies how many times the Master Key is overwritten
842with random values when it is destroyed.
843After this operation it is filled with zeros.
844.It Va kern.geom.eli.visible_passphrase : No 0
845If set to 1, the passphrase entered on boot will be visible.
846This alternative should be used with caution as the entered
847passphrase can be logged and exposed via
848.Xr dmesg 8 .
849This variable should be set in
850.Pa /boot/loader.conf .
851.It Va kern.geom.eli.threads : No 0
852Specifies how many kernel threads should be used for doing software
853cryptography.
854Its purpose is to increase performance on SMP systems.
855If set to 0, a CPU-pinned thread will be started for every active CPU.
856.It Va kern.geom.eli.batch : No 0
857When set to 1, can speed-up crypto operations by using batching.
858Batching reduces the number of interrupts by responding to a group of
859crypto requests with one interrupt.
860The crypto card and the driver has to support this feature.
861.It Va kern.geom.eli.key_cache_limit : No 8192
862Specifies how many Data Keys to cache.
863The default limit
864(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
865sectors and will take around 1MB of memory.
866.It Va kern.geom.eli.key_cache_hits
867Reports how many times we were looking up a Data Key and it was already in
868cache.
869This sysctl is not updated for providers that need fewer Data Keys than
870the limit specified in
871.Va kern.geom.eli.key_cache_limit .
872.It Va kern.geom.eli.key_cache_misses
873Reports how many times we were looking up a Data Key and it was not in cache.
874This sysctl is not updated for providers that need fewer Data Keys than the limit
875specified in
876.Va kern.geom.eli.key_cache_limit .
877.El
878.Sh EXIT STATUS
879Exit status is 0 on success, and 1 if the command fails.
880.Sh EXAMPLES
881Initialize a provider which is going to be encrypted with a
882passphrase and random data from a file on the user's pen drive.
883Use 4kB sector size.
884Attach the provider, create a filesystem, and mount it.
885Do the work.
886Unmount the provider and detach it:
887.Bd -literal -offset indent
888# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
889# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
890Enter new passphrase:
891Reenter new passphrase:
892# geli attach -k /mnt/pendrive/da2.key /dev/da2
893Enter passphrase:
894# dd if=/dev/random of=/dev/da2.eli bs=1m
895# newfs /dev/da2.eli
896# mount /dev/da2.eli /mnt/secret
897\&...
898# umount /mnt/secret
899# geli detach da2.eli
900.Ed
901.Pp
902Create an encrypted provider, but use two User Keys:
903one for your employee and one for you as the company's security officer
904(so it is not a tragedy if the employee
905.Qq accidentally
906forgets his passphrase):
907.Bd -literal -offset indent
908# geli init /dev/da2
909Enter new passphrase:	(enter security officer's passphrase)
910Reenter new passphrase:
911# geli setkey -n 1 /dev/da2
912Enter passphrase:	(enter security officer's passphrase)
913Enter new passphrase:	(let your employee enter his passphrase ...)
914Reenter new passphrase:	(... twice)
915.Ed
916.Pp
917You are the security officer in your company.
918Create an encrypted provider for use by the user, but remember that users
919forget their passphrases, so backup the Master Key with your own random key:
920.Bd -literal -offset indent
921# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
922# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
923# geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname`
924(use key number 0, so the encrypted Master Key will be re-encrypted by this)
925# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
926(allow the user to enter his passphrase)
927Enter new passphrase:
928Reenter new passphrase:
929.Ed
930.Pp
931Encrypted swap partition setup:
932.Bd -literal -offset indent
933# dd if=/dev/random of=/dev/ada0s1b bs=1m
934# geli onetime -d -e 3des ada0s1b
935# swapon /dev/ada0s1b.eli
936.Ed
937.Pp
938The example below shows how to configure two providers which will be attached
939on boot, before the root filesystem is mounted.
940One of them is using passphrase and three keyfile parts and the other is
941using only a keyfile in one part:
942.Bd -literal -offset indent
943# dd if=/dev/random of=/dev/da0 bs=1m
944# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
945# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
946# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
947# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
948Enter new passphrase:
949Reenter new passphrase:
950# dd if=/dev/random of=/dev/da1s3a bs=1m
951# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
952# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
953.Ed
954.Pp
955The providers are initialized, now we have to add these lines to
956.Pa /boot/loader.conf :
957.Bd -literal -offset indent
958geli_da0_keyfile0_load="YES"
959geli_da0_keyfile0_type="da0:geli_keyfile0"
960geli_da0_keyfile0_name="/boot/keys/da0.key0"
961geli_da0_keyfile1_load="YES"
962geli_da0_keyfile1_type="da0:geli_keyfile1"
963geli_da0_keyfile1_name="/boot/keys/da0.key1"
964geli_da0_keyfile2_load="YES"
965geli_da0_keyfile2_type="da0:geli_keyfile2"
966geli_da0_keyfile2_name="/boot/keys/da0.key2"
967
968geli_da1s3a_keyfile0_load="YES"
969geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
970geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
971.Ed
972.Pp
973If there is only one keyfile, the index might be omitted:
974.Bd -literal -offset indent
975geli_da1s3a_keyfile_load="YES"
976geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
977geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
978.Ed
979.Pp
980Not only configure encryption, but also data integrity verification using
981.Nm HMAC/SHA256 .
982.Bd -literal -offset indent
983# geli init -a hmac/sha256 -s 4096 /dev/da0
984Enter new passphrase:
985Reenter new passphrase:
986# geli attach /dev/da0
987Enter passphrase:
988# dd if=/dev/random of=/dev/da0.eli bs=1m
989# newfs /dev/da0.eli
990# mount /dev/da0.eli /mnt/secret
991.Ed
992.Pp
993.Cm geli
994writes the metadata backup by default to the
995.Pa /var/backups/<prov>.eli
996file.
997If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored.
998Consider the following situation:
999.Bd -literal -offset indent
1000# geli init /dev/da0
1001Enter new passphrase:
1002Reenter new passphrase:
1003
1004Metadata backup can be found in /var/backups/da0.eli and
1005can be restored with the following command:
1006
1007	# geli restore /var/backups/da0.eli /dev/da0
1008
1009# geli clear /dev/da0
1010# geli attach /dev/da0
1011geli: Cannot read metadata from /dev/da0: Invalid argument.
1012# geli restore /var/backups/da0.eli /dev/da0
1013# geli attach /dev/da0
1014Enter passphrase:
1015.Ed
1016.Pp
1017If an encrypted filesystem is extended, it is necessary to relocate and
1018update the metadata:
1019.Bd -literal -offset indent
1020# gpart create -s GPT ada0
1021# gpart add -s 1g -t freebsd-ufs -i 1 ada0
1022# geli init -K keyfile -P ada0p1
1023# gpart resize -s 2g -i 1 ada0
1024# geli resize -s 1g ada0p1
1025# geli attach -k keyfile -p ada0p1
1026.Ed
1027.Pp
1028Initialize provider with the passphrase split into two files.
1029The provider can be attached using those two files or by entering
1030.Dq foobar
1031as the passphrase at the
1032.Nm
1033prompt:
1034.Bd -literal -offset indent
1035# echo foo > da0.pass0
1036# echo bar > da0.pass1
1037# geli init -J da0.pass0 -J da0.pass1 da0
1038# geli attach -j da0.pass0 -j da0.pass1 da0
1039# geli detach da0
1040# geli attach da0
1041Enter passphrase: foobar
1042.Ed
1043.Pp
1044Suspend all
1045.Nm
1046devices on a laptop, suspend the laptop, then resume devices one by one after
1047resuming the laptop:
1048.Bd -literal -offset indent
1049# geli suspend -a
1050# zzz
1051<resume your laptop>
1052# geli resume -p -k keyfile gpt/secret
1053# geli resume gpt/private
1054Enter passphrase:
1055.Ed
1056.Sh ENCRYPTION MODES
1057.Nm
1058supports two encryption modes:
1059.Nm XTS ,
1060which was standardized as
1061.Nm IEEE P1619
1062and
1063.Nm CBC
1064with unpredictable IV.
1065The
1066.Nm CBC
1067mode used by
1068.Nm
1069is very similar to the mode
1070.Nm ESSIV .
1071.Sh DATA AUTHENTICATION
1072.Nm
1073can verify data integrity when an authentication algorithm is specified.
1074When data corruption/modification is detected,
1075.Nm
1076will not return any data, but instead will return an error
1077.Pq Er EINVAL .
1078The offset and size of the corrupted data will be printed on the console.
1079It is important to know against which attacks
1080.Nm
1081provides protection for your data.
1082If data is modified in-place or copied from one place on the disk
1083to another even without modification,
1084.Nm
1085should be able to detect such a change.
1086If an attacker can remember the encrypted data, he can overwrite any future
1087changes with the data he owns without it being noticed.
1088In other words
1089.Nm
1090will not protect your data against replay attacks.
1091.Pp
1092It is recommended to write to the whole provider before first use,
1093in order to make sure that all sectors and their corresponding
1094checksums are properly initialized into a consistent state.
1095One can safely ignore data authentication errors that occur immediately
1096after the first time a provider is attached and before it is
1097initialized in this way.
1098.Sh SEE ALSO
1099.Xr crypto 4 ,
1100.Xr gbde 4 ,
1101.Xr geom 4 ,
1102.Xr loader.conf 5 ,
1103.Xr gbde 8 ,
1104.Xr geom 8 ,
1105.Xr crypto 9
1106.Sh HISTORY
1107The
1108.Nm
1109utility appeared in
1110.Fx 6.0 .
1111Support for the
1112.Nm Camellia
1113block cipher is implemented by Yoshisato Yanagisawa in
1114.Fx 7.0 .
1115.Pp
1116Highest
1117.Nm GELI
1118metadata version supported by the given FreeBSD version:
1119.Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
1120.It Sy FreeBSD Ta Sy GELI
1121.It Sy version Ta Sy version
1122.Pp
1123.It Li 6.0 Ta 0
1124.It Li 6.1 Ta 0
1125.It Li 6.2 Ta 3
1126.It Li 6.3 Ta 3
1127.It Li 6.4 Ta 3
1128.Pp
1129.It Li 7.0 Ta 3
1130.It Li 7.1 Ta 3
1131.It Li 7.2 Ta 3
1132.It Li 7.3 Ta 3
1133.It Li 7.4 Ta 3
1134.Pp
1135.It Li 8.0 Ta 3
1136.It Li 8.1 Ta 3
1137.It Li 8.2 Ta 5
1138.Pp
1139.It Li 9.0 Ta 6
1140.Pp
1141.It Li 10.0 Ta 7
1142.El
1143.Sh AUTHORS
1144.An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org
1145