xref: /freebsd/lib/geom/eli/geli.8 (revision 1dfcff294e44d4b45813288ef4095c36abb22f0e)
1.\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd April 18, 2022
28.Dt GELI 8
29.Os
30.Sh NAME
31.Nm geli
32.Nd "control utility for the cryptographic GEOM class"
33.Sh SYNOPSIS
34To compile GEOM_ELI into your kernel, add the following lines to your kernel
35configuration file:
36.Bd -ragged -offset indent
37.Cd "device crypto"
38.Cd "options GEOM_ELI"
39.Ed
40.Pp
41Alternatively, to load the GEOM_ELI module at boot time, add the following line
42to your
43.Xr loader.conf 5 :
44.Bd -literal -offset indent
45geom_eli_load="YES"
46.Ed
47.Pp
48.No Usage of the Nm
49utility:
50.Pp
51.Nm
52.Cm init
53.Op Fl bdgPRTv
54.Op Fl a Ar aalgo
55.Op Fl B Ar backupfile
56.Op Fl e Ar ealgo
57.Op Fl i Ar iterations
58.Op Fl J Ar newpassfile
59.Op Fl K Ar newkeyfile
60.Op Fl l Ar keylen
61.Op Fl s Ar sectorsize
62.Op Fl V Ar version
63.Ar prov ...
64.Nm
65.Cm label - an alias for
66.Cm init
67.Nm
68.Cm attach
69.Op Fl Cdprv
70.Op Fl n Ar keyno
71.Op Fl j Ar passfile
72.Op Fl k Ar keyfile
73.Ar prov ...
74.Nm
75.Cm detach
76.Op Fl fl
77.Ar prov ...
78.Nm
79.Cm stop - an alias for
80.Cm detach
81.Nm
82.Cm onetime
83.Op Fl dRT
84.Op Fl a Ar aalgo
85.Op Fl e Ar ealgo
86.Op Fl l Ar keylen
87.Op Fl s Ar sectorsize
88.Ar prov
89.Nm
90.Cm configure
91.Op Fl bBdDgGrRtT
92.Ar prov ...
93.Nm
94.Cm setkey
95.Op Fl pPv
96.Op Fl i Ar iterations
97.Op Fl j Ar passfile
98.Op Fl J Ar newpassfile
99.Op Fl k Ar keyfile
100.Op Fl K Ar newkeyfile
101.Op Fl n Ar keyno
102.Ar prov
103.Nm
104.Cm delkey
105.Op Fl afv
106.Op Fl n Ar keyno
107.Ar prov
108.Nm
109.Cm kill
110.Op Fl av
111.Op Ar prov ...
112.Nm
113.Cm backup
114.Op Fl v
115.Ar prov
116.Ar file
117.Nm
118.Cm restore
119.Op Fl fv
120.Ar file
121.Ar prov
122.Nm
123.Cm suspend
124.Op Fl v
125.Fl a | Ar prov ...
126.Nm
127.Cm resume
128.Op Fl pv
129.Op Fl j Ar passfile
130.Op Fl k Ar keyfile
131.Ar prov
132.Nm
133.Cm resize
134.Op Fl v
135.Fl s Ar oldsize
136.Ar prov
137.Nm
138.Cm version
139.Op Ar prov ...
140.Nm
141.Cm clear
142.Op Fl v
143.Ar prov ...
144.Nm
145.Cm dump
146.Op Fl v
147.Ar prov ...
148.Nm
149.Cm list
150.Nm
151.Cm status
152.Nm
153.Cm load
154.Nm
155.Cm unload
156.Sh DESCRIPTION
157The
158.Nm
159utility is used to configure encryption on GEOM providers.
160.Pp
161The following is a list of the most important features:
162.Pp
163.Bl -bullet -offset indent -compact
164.It
165Utilizes the
166.Xr crypto 9
167framework, so when there is crypto hardware available,
168.Nm
169will make use of it automatically.
170.It
171Supports many cryptographic algorithms (currently
172.Nm AES-XTS ,
173.Nm AES-CBC ,
174and
175.Nm Camellia-CBC ) .
176.It
177Can optionally perform data authentication (integrity verification) utilizing
178one of the following algorithms:
179.Nm HMAC/SHA1 ,
180.Nm HMAC/RIPEMD160 ,
181.Nm HMAC/SHA256 ,
182.Nm HMAC/SHA384
183or
184.Nm HMAC/SHA512 .
185.It
186Can create a User Key from up to two, piecewise components: a passphrase
187entered via prompt or read from one or more passfiles; a keyfile read from
188one or more files.
189.It
190Allows encryption of the root partition.
191The user is asked for the passphrase before the root filesystem is mounted.
192.It
193Strengthens the passphrase component of the User Key with:
194.Rs
195.%A B. Kaliski
196.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
197.%R RFC
198.%N 2898
199.Re
200.It
201Allows the use of two independent User Keys (e.g., a
202.Qq "user key"
203and a
204.Qq "company key" ) .
205.It
206It is fast -
207.Nm
208performs simple sector-to-sector encryption.
209.It
210Allows the encrypted Master Key to be backed up and restored,
211so that if a user has to quickly destroy key material,
212it is possible to get the data back by restoring keys from
213backup.
214.It
215Providers can be configured to automatically detach on last close,
216so users do not have to remember to detach providers after unmounting
217the filesystems.
218.It
219Allows attaching a provider with a random, one-time Master Key,
220which is useful for swap partitions and temporary filesystems.
221.It
222Allows verification of data integrity (data authentication).
223.It
224Allows suspending and resuming encrypted devices.
225.El
226.Pp
227The first argument to
228.Nm
229indicates an action to be performed:
230.Bl -tag -width ".Cm configure"
231.It Cm init
232Initialize providers which need to be encrypted.
233If multiple providers are listed as arguments, they will all be initialized
234with the same passphrase and/or User Key.
235A unique salt will be randomly generated for each provider to ensure the
236Master Key for each is unique.
237Here you can set up the cryptographic algorithm to use, Data Key length,
238etc.
239The last sector of the providers is used to store metadata.
240The
241.Cm init
242subcommand also automatically writes metadata backups to
243.Pa /var/backups/<prov>.eli
244file.
245The metadata can be recovered with the
246.Cm restore
247subcommand described below.
248.Pp
249Additional options include:
250.Bl -tag -width ".Fl J Ar newpassfile"
251.It Fl a Ar aalgo
252Enable data integrity verification (authentication) using the given algorithm.
253This will reduce the size of storage available and also reduce speed.
254For example, when using 4096 bytes sector and
255.Nm HMAC/SHA256
256algorithm, 89% of the original provider storage will be available for use.
257Currently supported algorithms are:
258.Nm HMAC/SHA1 ,
259.Nm HMAC/RIPEMD160 ,
260.Nm HMAC/SHA256 ,
261.Nm HMAC/SHA384
262and
263.Nm HMAC/SHA512 .
264If the option is not given, there will be no authentication, only encryption.
265The recommended algorithm is
266.Nm HMAC/SHA256 .
267.It Fl b
268Try to decrypt this partition during boot, before the root partition is mounted.
269This makes it possible to use an encrypted root partition.
270One will still need bootable unencrypted storage with a
271.Pa /boot/
272directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
273after boot.
274.It Fl B Ar backupfile
275File name to use for metadata backup instead of the default
276.Pa /var/backups/<prov>.eli .
277To inhibit backups, you can use
278.Pa none
279as the
280.Ar backupfile .
281If multiple providers were initialized in the one command, you can use
282.Pa PROV
283(all upper-case) in the file name, and it will be replaced with the provider
284name.
285If
286.Pa PROV
287is not found in the file name and multiple providers were initialized in the
288one command,
289.Pa -<prov>
290will be appended to the end of the file name specified.
291.It Fl d
292When entering the passphrase to boot from this encrypted root filesystem, echo
293.Ql *
294characters.
295This makes the length of the passphrase visible.
296.It Fl e Ar ealgo
297Encryption algorithm to use.
298Currently supported algorithms are:
299.Nm AES-XTS ,
300.Nm AES-CBC ,
301.Nm Camellia-CBC ,
302and
303.Nm NULL .
304The default and recommended algorithm is
305.Nm AES-XTS .
306.Nm NULL
307is unencrypted.
308.It Fl g
309Enable booting from this encrypted root filesystem.
310The boot loader prompts for the passphrase and loads
311.Xr loader 8
312from the encrypted partition.
313.It Fl i Ar iterations
314Number of iterations to use with PKCS#5v2 when processing User Key
315passphrase component.
316If this option is not specified,
317.Nm
318will find the number of iterations which is equal to 2 seconds of crypto work.
319If 0 is given, PKCS#5v2 will not be used.
320PKCS#5v2 processing is performed once, after all parts of the passphrase
321component have been read.
322.It Fl J Ar newpassfile
323Specifies a file which contains the passphrase component of the User Key
324(or part of it).
325If
326.Ar newpassfile
327is given as -, standard input will be used.
328Only the first line (excluding new-line character) is taken from the given file.
329This argument can be specified multiple times, which has the effect of
330reassembling a single passphrase split across multiple files.
331Cannot be combined with the
332.Fl P
333option.
334.It Fl K Ar newkeyfile
335Specifies a file which contains the keyfile component of the User Key
336(or part of it).
337If
338.Ar newkeyfile
339is given as -, standard input will be used.
340This argument can be specified multiple times, which has the effect of
341reassembling a single keyfile split across multiple keyfile parts.
342.It Fl l Ar keylen
343Data Key length to use with the given cryptographic algorithm.
344If the length is not specified, the selected algorithm uses its
345.Em default
346key length.
347.Bl -ohang -offset indent
348.It Nm AES-XTS
349.Em 128 ,
350256
351.It Nm AES-CBC , Nm Camellia-CBC
352.Em 128 ,
353192,
354256
355.El
356.It Fl P
357Do not use a passphrase as a component of the User Key.
358Cannot be combined with the
359.Fl J
360option.
361.It Fl s Ar sectorsize
362Change decrypted provider's sector size.
363Increasing the sector size allows increased performance,
364because encryption/decryption which requires an initialization vector
365is done per sector; fewer sectors means less computational work.
366.It Fl R
367Turn off automatic expansion.
368By default, if the underlying provider grows, the encrypted provider will
369grow automatically too.
370The metadata will be moved to the new location.
371If automatic expansion if turned off and the underlying provider changes
372size, attaching encrypted provider will no longer be possible as the metadata
373will no longer be located in the last sector.
374In this case
375.Nm GELI
376will only log the previous size of the underlying provider, so metadata can
377be found easier, if resize was done by mistake.
378.It Fl T
379Don't pass through
380.Dv BIO_DELETE
381calls (i.e., TRIM/UNMAP).
382This can prevent an attacker from knowing how much space you're actually
383using and which sectors contain live data, but will also prevent the
384backing store (SSD, etc) from reclaiming space you're not using, which
385may degrade its performance and lifespan.
386The underlying provider may or may not actually obliterate the deleted
387sectors when TRIM is enabled, so it should not be considered to add any
388security.
389.It Fl V Ar version
390Metadata version to use.
391This option is helpful when creating a provider that may be used by older
392.Nm FreeBSD/GELI
393versions.
394Consult the
395.Sx HISTORY
396section to find which metadata version is supported by which
397.Fx
398version.
399Note that using an older version of metadata may limit the number of
400features available.
401.El
402.It Cm attach
403Attach the given providers.
404The encrypted Master Keys are loaded from the metadata and decrypted
405using the given passphrase/keyfile and new GEOM providers are created
406using the specified provider names.
407A
408.Qq .eli
409suffix is added to the user specified provider names.
410Multiple providers can only be attached with a single
411.Cm attach
412command if they all have the same passphrase and keyfiles.
413.Pp
414Additional options include:
415.Bl -tag -width ".Fl j Ar passfile"
416.It Fl C
417Do a dry-run decryption.
418This is useful to verify passphrase and keyfile without decrypting the device.
419.It Fl d
420If specified, the decrypted providers are detached automatically on last close,
421so the user does not have to remember to detach
422providers after unmounting the filesystems.
423This only works when providers were opened for writing, and will not work if
424the filesystems on the providers were mounted read-only.
425Probably a better choice is the
426.Fl l
427option for the
428.Cm detach
429subcommand.
430.It Fl n Ar keyno
431Specifies the index number of the Master Key copy to use (could be 0 or 1).
432If the index number is not provided all keys will be tested.
433.It Fl j Ar passfile
434Specifies a file which contains the passphrase component of the User Key
435(or part of it).
436For more information see the description of the
437.Fl J
438option for the
439.Cm init
440subcommand.
441The same passfiles are used for all listed providers.
442.It Fl k Ar keyfile
443Specifies a file which contains the keyfile component of the User Key
444(or part of it).
445For more information see the description of the
446.Fl K
447option for the
448.Cm init
449subcommand.
450The same keyfiles are used for all listed providers.
451.It Fl p
452Do not use a passphrase as a component of the User Keys.
453Cannot be combined with the
454.Fl j
455option.
456.It Fl r
457Attach read-only providers.
458They are not opened for writing.
459.El
460.It Cm detach
461Detach the given providers, which means remove the devfs entry
462and clear the Master Key and Data Keys from memory.
463.Pp
464Additional options include:
465.Bl -tag -width ".Fl f"
466.It Fl f
467Force detach - detach even if the provider is open.
468.It Fl l
469Mark provider to detach on last close, after the last filesystem has been
470unmounted.
471If this option is specified, the provider will not be detached
472while it is open, but will be automatically detached when it is closed for the
473last time even if it was only opened for reading.
474.El
475.It Cm onetime
476Attach the given providers with a random, one-time (ephemeral) Master Key.
477The command can be used to encrypt swap partitions or temporary filesystems.
478.Pp
479Additional options include:
480.Bl -tag -width ".Fl a Ar sectorsize"
481.It Fl a Ar aalgo
482Enable data integrity verification (authentication).
483For more information, see the description of the
484.Cm init
485subcommand.
486.It Fl e Ar ealgo
487Encryption algorithm to use.
488For more information, see the description of the
489.Cm init
490subcommand.
491.It Fl d
492Detach on last close, after the last filesystem has been unmounted.
493Note: this option is not usable for temporary filesystems as the provider is
494detached after the filesystem has been created.
495It still can, and should, be used for swap partitions.
496For more information, see the description of the
497.Cm attach
498subcommand.
499.It Fl l Ar keylen
500Data Key length to use with the given cryptographic algorithm.
501For more information, see the description of the
502.Cm init
503subcommand.
504.It Fl s Ar sectorsize
505Change decrypted provider's sector size.
506For more information, see the description of the
507.Cm init
508subcommand.
509.It Fl R
510Turn off automatic expansion.
511For more information, see the description of the
512.Cm init
513subcommand.
514.It Fl T
515Disable TRIM/UNMAP passthru.
516For more information, see the description of the
517.Cm init
518subcommand.
519.El
520.It Cm configure
521Change configuration of the given providers.
522.Pp
523Additional options include:
524.Bl -tag -width ".Fl b"
525.It Fl b
526Set the BOOT flag on the given providers.
527For more information, see the description of the
528.Cm init
529subcommand.
530.It Fl B
531Remove the BOOT flag from the given providers.
532.It Fl d
533When entering the passphrase to boot from this encrypted root filesystem, echo
534.Ql *
535characters.
536This makes the length of the passphrase visible.
537.It Fl D
538Disable echoing of any characters when a passphrase is entered to boot from this
539encrypted root filesystem.
540This hides the passphrase length.
541.It Fl g
542Enable booting from this encrypted root filesystem.
543The boot loader prompts for the passphrase and loads
544.Xr loader 8
545from the encrypted partition.
546.It Fl G
547Deactivate booting from this encrypted root partition.
548.It Fl r
549Turn on automatic expansion.
550For more information, see the description of the
551.Cm init
552subcommand.
553.It Fl R
554Turn off automatic expansion.
555.It Fl t
556Enable TRIM/UNMAP passthru.
557For more information, see the description of the
558.Cm init
559subcommand.
560.It Fl T
561Disable TRIM/UNMAP passthru.
562.El
563.It Cm setkey
564Install a copy of the Master Key into the selected slot, encrypted with
565a new User Key.
566If the selected slot is populated, replace the existing copy.
567A provider has one Master Key, which can be stored in one or both slots,
568each encrypted with an independent User Key.
569With the
570.Cm init
571subcommand, only key number 0 is initialized.
572The User Key can be changed at any time: for an attached provider,
573for a detached provider, or on the backup file.
574When a provider is attached, the user does not have to provide
575an existing passphrase/keyfile.
576.Pp
577Additional options include:
578.Bl -tag -width ".Fl J Ar newpassfile"
579.It Fl i Ar iterations
580Number of iterations to use with PKCS#5v2.
581If 0 is given, PKCS#5v2 will not be used.
582To be able to use this option with the
583.Cm setkey
584subcommand, only one key has to be defined and this key must be changed.
585.It Fl j Ar passfile
586Specifies a file which contains the passphrase component of a current User Key
587(or part of it).
588.It Fl J Ar newpassfile
589Specifies a file which contains the passphrase component of the new User Key
590(or part of it).
591.It Fl k Ar keyfile
592Specifies a file which contains the keyfile component of a current User Key
593(or part of it).
594.It Fl K Ar newkeyfile
595Specifies a file which contains the keyfile component of the new User Key
596(or part of it).
597.It Fl n Ar keyno
598Specifies the index number of the Master Key copy to change (could be 0 or 1).
599If the provider is attached and no key number is given, the key
600used for attaching the provider will be changed.
601If the provider is detached (or we are operating on a backup file)
602and no key number is given, the first Master Key copy to be successfully
603decrypted with the provided User Key passphrase/keyfile will be changed.
604.It Fl p
605Do not use a passphrase as a component of the current User Key.
606Cannot be combined with the
607.Fl j
608option.
609.It Fl P
610Do not use a passphrase as a component of the new User Key.
611Cannot be combined with the
612.Fl J
613option.
614.El
615.It Cm delkey
616Destroy (overwrite with random data) the selected Master Key copy.
617If one is destroying keys for an attached provider, the provider
618will not be detached even if all copies of the Master Key are destroyed.
619It can even be rescued with the
620.Cm setkey
621subcommand because the Master Key is still in memory.
622.Pp
623Additional options include:
624.Bl -tag -width ".Fl a Ar keyno"
625.It Fl a
626Destroy all copies of the Master Key (does not need
627.Fl f
628option).
629.It Fl f
630Force key destruction.
631This option is needed to destroy the last copy of the Master Key.
632.It Fl n Ar keyno
633Specifies the index number of the Master Key copy.
634If the provider is attached and no key number is given, the key
635used for attaching the provider will be destroyed.
636If provider is detached (or we are operating on a backup file) the key number
637has to be given.
638.El
639.It Cm kill
640This command should be used only in emergency situations.
641It will destroy all copies of the Master Key on a given provider and will
642detach it forcibly (if it is attached).
643This is absolutely a one-way command - if you do not have a metadata
644backup, your data is gone for good.
645In case the provider was attached with the
646.Fl r
647flag, the keys will not be destroyed, only the provider will be detached.
648.Pp
649Additional options include:
650.Bl -tag -width ".Fl a"
651.It Fl a
652If specified, all currently attached providers will be killed.
653.El
654.It Cm backup
655Backup metadata from the given provider to the given file.
656.It Cm restore
657Restore metadata from the given file to the given provider.
658.Pp
659Additional options include:
660.Bl -tag -width ".Fl f"
661.It Fl f
662Metadata contains the size of the provider to ensure that the correct
663partition or slice is attached.
664If an attempt is made to restore metadata to a provider that has a different
665size,
666.Nm
667will refuse to restore the data unless the
668.Fl f
669switch is used.
670If the partition or slice has been grown, the
671.Cm resize
672subcommand should be used rather than attempting to relocate the metadata
673through
674.Cm backup
675and
676.Cm restore .
677.El
678.It Cm suspend
679Suspend device by waiting for all inflight requests to finish, clearing all
680sensitive information such as the Master Key and Data Keys from kernel memory,
681and blocking all further I/O requests until the
682.Cm resume
683subcommand is executed.
684This functionality is useful for laptops.
685Suspending a laptop should not leave an encrypted device attached.
686The
687.Cm suspend
688subcommand can be used rather than closing all files and directories from
689filesystems on the encrypted device, unmounting the filesystem, and
690detaching the device.
691Any access to the encrypted device will be blocked until the Master Key is
692reloaded through the
693.Cm resume
694subcommand.
695Thus there is no need to close nor unmount anything.
696The
697.Cm suspend
698subcommand does not work with devices created with the
699.Cm onetime
700subcommand.
701Please note that sensitive data might still be present in memory locations
702such as the filesystem cache after suspending an encrypted device.
703.Pp
704Additional options include:
705.Bl -tag -width ".Fl a"
706.It Fl a
707Suspend all
708.Nm
709devices.
710.El
711.It Cm resume
712Resume previously suspended device.
713The caller must ensure that executing this subcommand does not access the
714suspended device, leading to a deadlock.
715For example, suspending a device which contains the filesystem where the
716.Nm
717utility is stored is a bad idea.
718.Pp
719Additional options include:
720.Bl -tag -width ".Fl j Ar passfile"
721.It Fl j Ar passfile
722Specifies a file which contains the passphrase component of the User Key,
723or part of it.
724For more information see the description of the
725.Fl J
726option for the
727.Cm init
728subcommand.
729.It Fl k Ar keyfile
730Specifies a file which contains the keyfile component of the User Key,
731or part of it.
732For more information see the description of the
733.Fl K
734option for the
735.Cm init
736subcommand.
737.It Fl p
738Do not use a passphrase as a component of the User Key.
739Cannot be combined with the
740.Fl j
741option.
742.El
743.It Cm resize
744Inform
745.Nm
746that the provider has been resized.
747The old metadata block is relocated to the correct position at the end of the
748provider and the provider size is updated.
749.Pp
750Additional options include:
751.Bl -tag -width ".Fl s Ar oldsize"
752.It Fl s Ar oldsize
753The size of the provider before it was resized.
754.El
755.It Cm version
756If no arguments are given, the
757.Cm version
758subcommand will print the version of
759.Nm
760userland utility as well as the version of the
761.Nm ELI
762GEOM class.
763.Pp
764If GEOM providers are specified, the
765.Cm version
766subcommand will print metadata version used by each of them.
767.It Cm clear
768Clear metadata from the given providers.
769.Em WARNING :
770This will erase with zeros the encrypted Master Key copies stored in the
771metadata.
772.It Cm dump
773Dump metadata stored on the given providers.
774.It Cm list
775See
776.Xr geom 8 .
777.It Cm status
778See
779.Xr geom 8 .
780.It Cm load
781See
782.Xr geom 8 .
783.It Cm unload
784See
785.Xr geom 8 .
786.El
787.Pp
788Additional options include:
789.Bl -tag -width ".Fl v"
790.It Fl v
791Be more verbose.
792.El
793.Sh KEY SUMMARY
794.Ss Master Key
795Upon
796.Cm init ,
797the
798.Nm
799utility generates a random Master Key for the provider.
800The Master Key never changes during the lifetime of the provider.
801Each copy of the provider metadata, active or backed up to a file, can store
802up to two, independently-encrypted copies of the Master Key.
803.Ss User Key
804Each stored copy of the Master Key is encrypted with a User Key, which
805is generated by the
806.Nm
807utility from a passphrase and/or a keyfile.
808The
809.Nm
810utility first reads all parts of the keyfile in the order specified on the
811command line, then reads all parts of the stored passphrase in the order
812specified on the command line.
813If no passphrase parts are specified, the system prompts the user to enter
814the passphrase.
815The passphrase is optionally strengthened by PKCS#5v2.
816The User Key is a digest computed over the concatenated keyfile and passphrase.
817.Ss Data Key
818During operation, one or more Data Keys are deterministically derived by
819the kernel from the Master Key and cached in memory.
820The number of Data Keys used by a given provider, and the way they are
821derived, depend on the GELI version and whether the provider is configured to
822use data authentication.
823.Sh SYSCTL VARIABLES
824The following
825.Xr sysctl 8
826variables can be used to control the behavior of the
827.Nm ELI
828GEOM class.
829The default value is shown next to each variable.
830Some variables can also be set in
831.Pa /boot/loader.conf .
832.Bl -tag -width indent
833.It Va kern.geom.eli.version
834Version number of the
835.Nm ELI
836GEOM class.
837.It Va kern.geom.eli.debug : No 0
838Debug level of the
839.Nm ELI
840GEOM class.
841This can be set to a number between 0 and 3 inclusive.
842If set to 0, minimal debug information is printed.
843If set to 3, the
844maximum amount of debug information is printed.
845.It Va kern.geom.eli.tries : No 3
846Number of times a user is asked for the passphrase.
847This is only used for providers which are attached on boot,
848before the root filesystem is mounted.
849If set to 0, attaching providers on boot will be disabled.
850This variable should be set in
851.Pa /boot/loader.conf .
852.It Va kern.geom.eli.overwrites : No 5
853Specifies how many times the Master Key is overwritten
854with random values when it is destroyed.
855After this operation it is filled with zeros.
856.It Va kern.geom.eli.visible_passphrase : No 0
857If set to 1, the passphrase entered on boot will be visible.
858This alternative should be used with caution as the entered
859passphrase can be logged and exposed via
860.Xr dmesg 8 .
861This variable should be set in
862.Pa /boot/loader.conf .
863.It Va kern.geom.eli.threads : No 0
864Specifies how many kernel threads should be used for doing software
865cryptography.
866Its purpose is to increase performance on SMP systems.
867If set to 0, a CPU-pinned thread will be started for every active CPU.
868.It Va kern.geom.eli.batch : No 0
869When set to 1, can speed-up crypto operations by using batching.
870Batching reduces the number of interrupts by responding to a group of
871crypto requests with one interrupt.
872The crypto card and the driver has to support this feature.
873.It Va kern.geom.eli.key_cache_limit : No 8192
874Specifies how many Data Keys to cache.
875The default limit
876(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
877sectors and will take around 1MB of memory.
878.It Va kern.geom.eli.key_cache_hits
879Reports how many times we were looking up a Data Key and it was already in
880cache.
881This sysctl is not updated for providers that need fewer Data Keys than
882the limit specified in
883.Va kern.geom.eli.key_cache_limit .
884.It Va kern.geom.eli.key_cache_misses
885Reports how many times we were looking up a Data Key and it was not in cache.
886This sysctl is not updated for providers that need fewer Data Keys than the limit
887specified in
888.Va kern.geom.eli.key_cache_limit .
889.Va kern.geom.eli.unmapped_io
890Enable support for unmapped I/O buffers, currently implemented only on 64-bit
891platforms.
892This is an optimization which reduces the overhead of I/O processing.
893This variable is intended for debugging purposes and must be set in
894.Pa /boot/loader.conf .
895.El
896.Sh EXIT STATUS
897Exit status is 0 on success, and 1 if the command fails.
898.Sh EXAMPLES
899Initialize a provider which is going to be encrypted with a
900passphrase and random data from a file on the user's pen drive.
901Use 4kB sector size.
902Attach the provider, create a filesystem, and mount it.
903Do the work.
904Unmount the provider and detach it:
905.Bd -literal -offset indent
906# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
907# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
908Enter new passphrase:
909Reenter new passphrase:
910# geli attach -k /mnt/pendrive/da2.key /dev/da2
911Enter passphrase:
912# dd if=/dev/random of=/dev/da2.eli bs=1m
913# newfs /dev/da2.eli
914# mount /dev/da2.eli /mnt/secret
915\&...
916# umount /mnt/secret
917# geli detach da2.eli
918.Ed
919.Pp
920Create an encrypted provider, but use two User Keys:
921one for your employee and one for you as the company's security officer
922(so it is not a tragedy if the employee
923.Qq accidentally
924forgets his passphrase):
925.Bd -literal -offset indent
926# geli init /dev/da2
927Enter new passphrase:	(enter security officer's passphrase)
928Reenter new passphrase:
929# geli setkey -n 1 /dev/da2
930Enter passphrase:	(enter security officer's passphrase)
931Enter new passphrase:	(let your employee enter his passphrase ...)
932Reenter new passphrase:	(... twice)
933.Ed
934.Pp
935You are the security officer in your company.
936Create an encrypted provider for use by the user, but remember that users
937forget their passphrases, so backup the Master Key with your own random key:
938.Bd -literal -offset indent
939# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
940# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
941# geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname`
942(use key number 0, so the encrypted Master Key will be re-encrypted by this)
943# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
944(allow the user to enter his passphrase)
945Enter new passphrase:
946Reenter new passphrase:
947.Ed
948.Pp
949Encrypted swap partition setup:
950.Bd -literal -offset indent
951# dd if=/dev/random of=/dev/ada0s1b bs=1m
952# geli onetime -d ada0s1b
953# swapon /dev/ada0s1b.eli
954.Ed
955.Pp
956The example below shows how to configure two providers which will be attached
957on boot, before the root filesystem is mounted.
958One of them is using passphrase and three keyfile parts and the other is
959using only a keyfile in one part:
960.Bd -literal -offset indent
961# dd if=/dev/random of=/dev/da0 bs=1m
962# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
963# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
964# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
965# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
966Enter new passphrase:
967Reenter new passphrase:
968# dd if=/dev/random of=/dev/da1s3a bs=1m
969# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
970# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
971.Ed
972.Pp
973The providers are initialized, now we have to add these lines to
974.Pa /boot/loader.conf :
975.Bd -literal -offset indent
976geli_da0_keyfile0_load="YES"
977geli_da0_keyfile0_type="da0:geli_keyfile0"
978geli_da0_keyfile0_name="/boot/keys/da0.key0"
979geli_da0_keyfile1_load="YES"
980geli_da0_keyfile1_type="da0:geli_keyfile1"
981geli_da0_keyfile1_name="/boot/keys/da0.key1"
982geli_da0_keyfile2_load="YES"
983geli_da0_keyfile2_type="da0:geli_keyfile2"
984geli_da0_keyfile2_name="/boot/keys/da0.key2"
985
986geli_da1s3a_keyfile0_load="YES"
987geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
988geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
989.Ed
990.Pp
991If there is only one keyfile, the index might be omitted:
992.Bd -literal -offset indent
993geli_da1s3a_keyfile_load="YES"
994geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
995geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
996.Ed
997.Pp
998By convention, these loader variables are called
999.Sm off
1000.Va geli_ No < Ar device No > Va _load .
1001.Sm on
1002However, the actual name prefix before
1003.Va _load , _type ,
1004or
1005.Va _name
1006does not matter.
1007At boot time, the
1008.Nm
1009module searches through all
1010.Sm off
1011.No < Va prefix No > Va _type No -like
1012.Sm on
1013variables that have a value of
1014.Sm off
1015.Dq < Ar device No > :geli_keyfile .
1016.Sm on
1017The paths to keyfiles are then extracted from
1018.Sm off
1019.No < Ar prefix No > Va _name
1020.Sm on
1021variables.
1022In the example above,
1023.Ar prefix
1024is
1025.Dq Li geli_da1s3a_keyfile .
1026.Pp
1027Not only configure encryption, but also data integrity verification using
1028.Nm HMAC/SHA256 .
1029.Bd -literal -offset indent
1030# geli init -a hmac/sha256 -s 4096 /dev/da0
1031Enter new passphrase:
1032Reenter new passphrase:
1033# geli attach /dev/da0
1034Enter passphrase:
1035# dd if=/dev/random of=/dev/da0.eli bs=1m
1036# newfs /dev/da0.eli
1037# mount /dev/da0.eli /mnt/secret
1038.Ed
1039.Pp
1040.Cm geli
1041writes the metadata backup by default to the
1042.Pa /var/backups/<prov>.eli
1043file.
1044If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored.
1045Consider the following situation:
1046.Bd -literal -offset indent
1047# geli init /dev/da0
1048Enter new passphrase:
1049Reenter new passphrase:
1050
1051Metadata backup can be found in /var/backups/da0.eli and
1052can be restored with the following command:
1053
1054	# geli restore /var/backups/da0.eli /dev/da0
1055
1056# geli clear /dev/da0
1057# geli attach /dev/da0
1058geli: Cannot read metadata from /dev/da0: Invalid argument.
1059# geli restore /var/backups/da0.eli /dev/da0
1060# geli attach /dev/da0
1061Enter passphrase:
1062.Ed
1063.Pp
1064If an encrypted filesystem is extended, it is necessary to relocate and
1065update the metadata:
1066.Bd -literal -offset indent
1067# gpart create -s GPT ada0
1068# gpart add -s 1g -t freebsd-ufs -i 1 ada0
1069# geli init -K keyfile -P ada0p1
1070# gpart resize -s 2g -i 1 ada0
1071# geli resize -s 1g ada0p1
1072# geli attach -k keyfile -p ada0p1
1073.Ed
1074.Pp
1075Initialize provider with the passphrase split into two files.
1076The provider can be attached using those two files or by entering
1077.Dq foobar
1078as the passphrase at the
1079.Nm
1080prompt:
1081.Bd -literal -offset indent
1082# echo foo > da0.pass0
1083# echo bar > da0.pass1
1084# geli init -J da0.pass0 -J da0.pass1 da0
1085# geli attach -j da0.pass0 -j da0.pass1 da0
1086# geli detach da0
1087# geli attach da0
1088Enter passphrase: foobar
1089.Ed
1090.Pp
1091Suspend all
1092.Nm
1093devices on a laptop, suspend the laptop, then resume devices one by one after
1094resuming the laptop:
1095.Bd -literal -offset indent
1096# geli suspend -a
1097# zzz
1098<resume your laptop>
1099# geli resume -p -k keyfile gpt/secret
1100# geli resume gpt/private
1101Enter passphrase:
1102.Ed
1103.Pp
1104To create a
1105.Nm
1106encrypted filesystem with a file as storage device follow this example.
1107First a file named private0 is created in
1108.Pa /usr
1109and attached as a memory disk like
1110.Pa /dev/md0
1111for example.
1112.Bd -literal -offset indent
1113# dd if=/dev/zero of=/usr/private0 bs=1m count=256
1114# chmod 0600 /usr/private0
1115# mdconfig -t vnode -f /usr/private0
1116.Ed
1117.Pp
1118It is recommended to place the following line in
1119.Xr rc.conf 5
1120to have the memory disk automatically created during boot.
1121.Bd -literal -offset indent
1122mdconfig_md0="-t vnode -f /usr/private0"
1123.Ed
1124.Pp
1125After
1126.Pa /dev/md0
1127is created a random key has to be generated and stored in a secure location,
1128like
1129.Pa /root
1130for example.
1131This key should be protected by a passphrase, which
1132is requested when geli init is called.
1133.Bd -literal -offset indent
1134# dd if=/dev/random of=/root/private0.key bs=64 count=1
1135# geli init -K /root/private0.key -s 4096 /dev/md0
1136Enter new passphrase:
1137Reenter new passphrase:
1138# geli attach -k /root/private0.key /dev/md0
1139Enter passphrase:
1140# dd if=/dev/random of=/dev/md0.eli bs=1m
1141.Ed
1142.Pp
1143Once the initialization of the
1144.Pa /dev/md0.eli
1145device is ready create a UFS filesystem and mount it for example in
1146.Pa /private .
1147.Bd -literal -offset indent
1148# newfs /dev/md0.eli
1149# mount /dev/md0.eli /private
1150.Ed
1151.Pp
1152After a system reboot the
1153.Nm
1154device can be mounted again with the following commands.
1155The call of geli attach will ask for the passphrase.
1156It is recommended to do this procedure after the boot, because otherwise
1157the boot process would be waiting for the passphrase input.
1158.Bd -literal -offset indent
1159# geli attach -k /root/private0.key /dev/md0
1160Enter passphrase:
1161# mount /dev/md0.eli /private
1162.Ed
1163.Sh ENCRYPTION MODES
1164.Nm
1165supports two encryption modes:
1166.Nm XTS ,
1167which was standardized as
1168.Nm IEEE P1619
1169and
1170.Nm CBC
1171with unpredictable IV.
1172The
1173.Nm CBC
1174mode used by
1175.Nm
1176is very similar to the mode
1177.Nm ESSIV .
1178.Sh DATA AUTHENTICATION
1179.Nm
1180can verify data integrity when an authentication algorithm is specified.
1181When data corruption/modification is detected,
1182.Nm
1183will not return any data, but instead will return an error
1184.Pq Er EINVAL .
1185The offset and size of the corrupted data will be printed on the console.
1186It is important to know against which attacks
1187.Nm
1188provides protection for your data.
1189If data is modified in-place or copied from one place on the disk
1190to another even without modification,
1191.Nm
1192should be able to detect such a change.
1193If an attacker can remember the encrypted data, he can overwrite any future
1194changes with the data he owns without it being noticed.
1195In other words
1196.Nm
1197will not protect your data against replay attacks.
1198.Pp
1199It is recommended to write to the whole provider before first use,
1200in order to make sure that all sectors and their corresponding
1201checksums are properly initialized into a consistent state.
1202One can safely ignore data authentication errors that occur immediately
1203after the first time a provider is attached and before it is
1204initialized in this way.
1205.Sh SEE ALSO
1206.Xr crypto 4 ,
1207.Xr gbde 4 ,
1208.Xr geom 4 ,
1209.Xr loader.conf 5 ,
1210.Xr gbde 8 ,
1211.Xr geom 8 ,
1212.Xr crypto 9
1213.Sh HISTORY
1214The
1215.Nm
1216utility appeared in
1217.Fx 6.0 .
1218Support for the
1219.Nm Camellia
1220block cipher was implemented by Yoshisato Yanagisawa in
1221.Fx 7.0 .
1222.Pp
1223Highest
1224.Nm GELI
1225metadata version supported by the given
1226.Fx
1227version:
1228.Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
1229.It Sy FreeBSD Ta Sy GELI
1230.It Sy version Ta Sy version
1231.Pp
1232.It Li 6.0 Ta 0
1233.It Li 6.1 Ta 0
1234.It Li 6.2 Ta 3
1235.It Li 6.3 Ta 3
1236.It Li 6.4 Ta 3
1237.Pp
1238.It Li 7.0 Ta 3
1239.It Li 7.1 Ta 3
1240.It Li 7.2 Ta 3
1241.It Li 7.3 Ta 3
1242.It Li 7.4 Ta 3
1243.Pp
1244.It Li 8.0 Ta 3
1245.It Li 8.1 Ta 3
1246.It Li 8.2 Ta 5
1247.Pp
1248.It Li 9.0 Ta 6
1249.Pp
1250.It Li 10.0 Ta 7
1251.El
1252.Sh AUTHORS
1253.An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org
1254