1.\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net> 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.Dd April 18, 2022 26.Dt GELI 8 27.Os 28.Sh NAME 29.Nm geli 30.Nd "control utility for the cryptographic GEOM class" 31.Sh SYNOPSIS 32To compile GEOM_ELI into your kernel, add the following lines to your kernel 33configuration file: 34.Bd -ragged -offset indent 35.Cd "device crypto" 36.Cd "options GEOM_ELI" 37.Ed 38.Pp 39Alternatively, to load the GEOM_ELI module at boot time, add the following line 40to your 41.Xr loader.conf 5 : 42.Bd -literal -offset indent 43geom_eli_load="YES" 44.Ed 45.Pp 46.No Usage of the Nm 47utility: 48.Pp 49.Nm 50.Cm init 51.Op Fl bdgPRTv 52.Op Fl a Ar aalgo 53.Op Fl B Ar backupfile 54.Op Fl e Ar ealgo 55.Op Fl i Ar iterations 56.Op Fl J Ar newpassfile 57.Op Fl K Ar newkeyfile 58.Op Fl l Ar keylen 59.Op Fl s Ar sectorsize 60.Op Fl V Ar version 61.Ar prov ... 62.Nm 63.Cm label - an alias for 64.Cm init 65.Nm 66.Cm attach 67.Op Fl Cdprv 68.Op Fl n Ar keyno 69.Op Fl j Ar passfile 70.Op Fl k Ar keyfile 71.Ar prov ... 72.Nm 73.Cm detach 74.Op Fl fl 75.Ar prov ... 76.Nm 77.Cm stop - an alias for 78.Cm detach 79.Nm 80.Cm onetime 81.Op Fl dRT 82.Op Fl a Ar aalgo 83.Op Fl e Ar ealgo 84.Op Fl l Ar keylen 85.Op Fl s Ar sectorsize 86.Ar prov 87.Nm 88.Cm configure 89.Op Fl bBdDgGrRtT 90.Ar prov ... 91.Nm 92.Cm setkey 93.Op Fl pPv 94.Op Fl i Ar iterations 95.Op Fl j Ar passfile 96.Op Fl J Ar newpassfile 97.Op Fl k Ar keyfile 98.Op Fl K Ar newkeyfile 99.Op Fl n Ar keyno 100.Ar prov 101.Nm 102.Cm delkey 103.Op Fl afv 104.Op Fl n Ar keyno 105.Ar prov 106.Nm 107.Cm kill 108.Op Fl av 109.Op Ar prov ... 110.Nm 111.Cm backup 112.Op Fl v 113.Ar prov 114.Ar file 115.Nm 116.Cm restore 117.Op Fl fv 118.Ar file 119.Ar prov 120.Nm 121.Cm suspend 122.Op Fl v 123.Fl a | Ar prov ... 124.Nm 125.Cm resume 126.Op Fl pv 127.Op Fl j Ar passfile 128.Op Fl k Ar keyfile 129.Ar prov 130.Nm 131.Cm resize 132.Op Fl v 133.Fl s Ar oldsize 134.Ar prov 135.Nm 136.Cm version 137.Op Ar prov ... 138.Nm 139.Cm clear 140.Op Fl v 141.Ar prov ... 142.Nm 143.Cm dump 144.Op Fl v 145.Ar prov ... 146.Nm 147.Cm list 148.Nm 149.Cm status 150.Nm 151.Cm load 152.Nm 153.Cm unload 154.Sh DESCRIPTION 155The 156.Nm 157utility is used to configure encryption on GEOM providers. 158.Pp 159The following is a list of the most important features: 160.Pp 161.Bl -bullet -offset indent -compact 162.It 163Utilizes the 164.Xr crypto 9 165framework, so when there is crypto hardware available, 166.Nm 167will make use of it automatically. 168.It 169Supports many cryptographic algorithms (currently 170.Nm AES-XTS , 171.Nm AES-CBC , 172and 173.Nm Camellia-CBC ) . 174.It 175Can optionally perform data authentication (integrity verification) utilizing 176one of the following algorithms: 177.Nm HMAC/SHA1 , 178.Nm HMAC/RIPEMD160 , 179.Nm HMAC/SHA256 , 180.Nm HMAC/SHA384 181or 182.Nm HMAC/SHA512 . 183.It 184Can create a User Key from up to two, piecewise components: a passphrase 185entered via prompt or read from one or more passfiles; a keyfile read from 186one or more files. 187.It 188Allows encryption of the root partition. 189The user is asked for the passphrase before the root filesystem is mounted. 190.It 191Strengthens the passphrase component of the User Key with: 192.Rs 193.%A B. Kaliski 194.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0." 195.%R RFC 196.%N 2898 197.Re 198.It 199Allows the use of two independent User Keys (e.g., a 200.Qq "user key" 201and a 202.Qq "company key" ) . 203.It 204It is fast - 205.Nm 206performs simple sector-to-sector encryption. 207.It 208Allows the encrypted Master Key to be backed up and restored, 209so that if a user has to quickly destroy key material, 210it is possible to get the data back by restoring keys from 211backup. 212.It 213Providers can be configured to automatically detach on last close, 214so users do not have to remember to detach providers after unmounting 215the filesystems. 216.It 217Allows attaching a provider with a random, one-time Master Key, 218which is useful for swap partitions and temporary filesystems. 219.It 220Allows verification of data integrity (data authentication). 221.It 222Allows suspending and resuming encrypted devices. 223.El 224.Pp 225The first argument to 226.Nm 227indicates an action to be performed: 228.Bl -tag -width ".Cm configure" 229.It Cm init 230Initialize providers which need to be encrypted. 231If multiple providers are listed as arguments, they will all be initialized 232with the same passphrase and/or User Key. 233A unique salt will be randomly generated for each provider to ensure the 234Master Key for each is unique. 235Here you can set up the cryptographic algorithm to use, Data Key length, 236etc. 237The last sector of the providers is used to store metadata. 238The 239.Cm init 240subcommand also automatically writes metadata backups to 241.Pa /var/backups/<prov>.eli 242file. 243The metadata can be recovered with the 244.Cm restore 245subcommand described below. 246.Pp 247Additional options include: 248.Bl -tag -width ".Fl J Ar newpassfile" 249.It Fl a Ar aalgo 250Enable data integrity verification (authentication) using the given algorithm. 251This will reduce the size of storage available and also reduce speed. 252For example, when using 4096 bytes sector and 253.Nm HMAC/SHA256 254algorithm, 89% of the original provider storage will be available for use. 255Currently supported algorithms are: 256.Nm HMAC/SHA1 , 257.Nm HMAC/RIPEMD160 , 258.Nm HMAC/SHA256 , 259.Nm HMAC/SHA384 260and 261.Nm HMAC/SHA512 . 262If the option is not given, there will be no authentication, only encryption. 263The recommended algorithm is 264.Nm HMAC/SHA256 . 265.It Fl b 266Try to decrypt this partition during boot, before the root partition is mounted. 267This makes it possible to use an encrypted root partition. 268One will still need bootable unencrypted storage with a 269.Pa /boot/ 270directory, which can be a CD-ROM disc or USB pen-drive, that can be removed 271after boot. 272.It Fl B Ar backupfile 273File name to use for metadata backup instead of the default 274.Pa /var/backups/<prov>.eli . 275To inhibit backups, you can use 276.Pa none 277as the 278.Ar backupfile . 279If multiple providers were initialized in the one command, you can use 280.Pa PROV 281(all upper-case) in the file name, and it will be replaced with the provider 282name. 283If 284.Pa PROV 285is not found in the file name and multiple providers were initialized in the 286one command, 287.Pa -<prov> 288will be appended to the end of the file name specified. 289.It Fl d 290When entering the passphrase to boot from this encrypted root filesystem, echo 291.Ql * 292characters. 293This makes the length of the passphrase visible. 294.It Fl e Ar ealgo 295Encryption algorithm to use. 296Currently supported algorithms are: 297.Nm AES-XTS , 298.Nm AES-CBC , 299.Nm Camellia-CBC , 300and 301.Nm NULL . 302The default and recommended algorithm is 303.Nm AES-XTS . 304.Nm NULL 305is unencrypted. 306.It Fl g 307Enable booting from this encrypted root filesystem. 308The boot loader prompts for the passphrase and loads 309.Xr loader 8 310from the encrypted partition. 311.It Fl i Ar iterations 312Number of iterations to use with PKCS#5v2 when processing User Key 313passphrase component. 314If this option is not specified, 315.Nm 316will find the number of iterations which is equal to 2 seconds of crypto work. 317If 0 is given, PKCS#5v2 will not be used. 318PKCS#5v2 processing is performed once, after all parts of the passphrase 319component have been read. 320.It Fl J Ar newpassfile 321Specifies a file which contains the passphrase component of the User Key 322(or part of it). 323If 324.Ar newpassfile 325is given as -, standard input will be used. 326Only the first line (excluding new-line character) is taken from the given file. 327This argument can be specified multiple times, which has the effect of 328reassembling a single passphrase split across multiple files. 329Cannot be combined with the 330.Fl P 331option. 332.It Fl K Ar newkeyfile 333Specifies a file which contains the keyfile component of the User Key 334(or part of it). 335If 336.Ar newkeyfile 337is given as -, standard input will be used. 338This argument can be specified multiple times, which has the effect of 339reassembling a single keyfile split across multiple keyfile parts. 340.It Fl l Ar keylen 341Data Key length to use with the given cryptographic algorithm. 342If the length is not specified, the selected algorithm uses its 343.Em default 344key length. 345.Bl -ohang -offset indent 346.It Nm AES-XTS 347.Em 128 , 348256 349.It Nm AES-CBC , Nm Camellia-CBC 350.Em 128 , 351192, 352256 353.El 354.It Fl P 355Do not use a passphrase as a component of the User Key. 356Cannot be combined with the 357.Fl J 358option. 359.It Fl s Ar sectorsize 360Change decrypted provider's sector size. 361Increasing the sector size allows increased performance, 362because encryption/decryption which requires an initialization vector 363is done per sector; fewer sectors means less computational work. 364.It Fl R 365Turn off automatic expansion. 366By default, if the underlying provider grows, the encrypted provider will 367grow automatically too. 368The metadata will be moved to the new location. 369If automatic expansion if turned off and the underlying provider changes 370size, attaching encrypted provider will no longer be possible as the metadata 371will no longer be located in the last sector. 372In this case 373.Nm GELI 374will only log the previous size of the underlying provider, so metadata can 375be found easier, if resize was done by mistake. 376.It Fl T 377Don't pass through 378.Dv BIO_DELETE 379calls (i.e., TRIM/UNMAP). 380This can prevent an attacker from knowing how much space you're actually 381using and which sectors contain live data, but will also prevent the 382backing store (SSD, etc) from reclaiming space you're not using, which 383may degrade its performance and lifespan. 384The underlying provider may or may not actually obliterate the deleted 385sectors when TRIM is enabled, so it should not be considered to add any 386security. 387.It Fl V Ar version 388Metadata version to use. 389This option is helpful when creating a provider that may be used by older 390.Nm FreeBSD/GELI 391versions. 392Consult the 393.Sx HISTORY 394section to find which metadata version is supported by which 395.Fx 396version. 397Note that using an older version of metadata may limit the number of 398features available. 399.El 400.It Cm attach 401Attach the given providers. 402The encrypted Master Keys are loaded from the metadata and decrypted 403using the given passphrase/keyfile and new GEOM providers are created 404using the specified provider names. 405A 406.Qq .eli 407suffix is added to the user specified provider names. 408Multiple providers can only be attached with a single 409.Cm attach 410command if they all have the same passphrase and keyfiles. 411.Pp 412Additional options include: 413.Bl -tag -width ".Fl j Ar passfile" 414.It Fl C 415Do a dry-run decryption. 416This is useful to verify passphrase and keyfile without decrypting the device. 417.It Fl d 418If specified, the decrypted providers are detached automatically on last close, 419so the user does not have to remember to detach 420providers after unmounting the filesystems. 421This only works when providers were opened for writing, and will not work if 422the filesystems on the providers were mounted read-only. 423Probably a better choice is the 424.Fl l 425option for the 426.Cm detach 427subcommand. 428.It Fl n Ar keyno 429Specifies the index number of the Master Key copy to use (could be 0 or 1). 430If the index number is not provided all keys will be tested. 431.It Fl j Ar passfile 432Specifies a file which contains the passphrase component of the User Key 433(or part of it). 434For more information see the description of the 435.Fl J 436option for the 437.Cm init 438subcommand. 439The same passfiles are used for all listed providers. 440.It Fl k Ar keyfile 441Specifies a file which contains the keyfile component of the User Key 442(or part of it). 443For more information see the description of the 444.Fl K 445option for the 446.Cm init 447subcommand. 448The same keyfiles are used for all listed providers. 449.It Fl p 450Do not use a passphrase as a component of the User Keys. 451Cannot be combined with the 452.Fl j 453option. 454.It Fl r 455Attach read-only providers. 456They are not opened for writing. 457.El 458.It Cm detach 459Detach the given providers, which means remove the devfs entry 460and clear the Master Key and Data Keys from memory. 461.Pp 462Additional options include: 463.Bl -tag -width ".Fl f" 464.It Fl f 465Force detach - detach even if the provider is open. 466.It Fl l 467Mark provider to detach on last close, after the last filesystem has been 468unmounted. 469If this option is specified, the provider will not be detached 470while it is open, but will be automatically detached when it is closed for the 471last time even if it was only opened for reading. 472.El 473.It Cm onetime 474Attach the given providers with a random, one-time (ephemeral) Master Key. 475The command can be used to encrypt swap partitions or temporary filesystems. 476.Pp 477Additional options include: 478.Bl -tag -width ".Fl a Ar sectorsize" 479.It Fl a Ar aalgo 480Enable data integrity verification (authentication). 481For more information, see the description of the 482.Cm init 483subcommand. 484.It Fl e Ar ealgo 485Encryption algorithm to use. 486For more information, see the description of the 487.Cm init 488subcommand. 489.It Fl d 490Detach on last close, after the last filesystem has been unmounted. 491Note: this option is not usable for temporary filesystems as the provider is 492detached after the filesystem has been created. 493It still can, and should, be used for swap partitions. 494For more information, see the description of the 495.Cm attach 496subcommand. 497.It Fl l Ar keylen 498Data Key length to use with the given cryptographic algorithm. 499For more information, see the description of the 500.Cm init 501subcommand. 502.It Fl s Ar sectorsize 503Change decrypted provider's sector size. 504For more information, see the description of the 505.Cm init 506subcommand. 507.It Fl R 508Turn off automatic expansion. 509For more information, see the description of the 510.Cm init 511subcommand. 512.It Fl T 513Disable TRIM/UNMAP passthru. 514For more information, see the description of the 515.Cm init 516subcommand. 517.El 518.It Cm configure 519Change configuration of the given providers. 520.Pp 521Additional options include: 522.Bl -tag -width ".Fl b" 523.It Fl b 524Set the BOOT flag on the given providers. 525For more information, see the description of the 526.Cm init 527subcommand. 528.It Fl B 529Remove the BOOT flag from the given providers. 530.It Fl d 531When entering the passphrase to boot from this encrypted root filesystem, echo 532.Ql * 533characters. 534This makes the length of the passphrase visible. 535.It Fl D 536Disable echoing of any characters when a passphrase is entered to boot from this 537encrypted root filesystem. 538This hides the passphrase length. 539.It Fl g 540Enable booting from this encrypted root filesystem. 541The boot loader prompts for the passphrase and loads 542.Xr loader 8 543from the encrypted partition. 544.It Fl G 545Deactivate booting from this encrypted root partition. 546.It Fl r 547Turn on automatic expansion. 548For more information, see the description of the 549.Cm init 550subcommand. 551.It Fl R 552Turn off automatic expansion. 553.It Fl t 554Enable TRIM/UNMAP passthru. 555For more information, see the description of the 556.Cm init 557subcommand. 558.It Fl T 559Disable TRIM/UNMAP passthru. 560.El 561.It Cm setkey 562Install a copy of the Master Key into the selected slot, encrypted with 563a new User Key. 564If the selected slot is populated, replace the existing copy. 565A provider has one Master Key, which can be stored in one or both slots, 566each encrypted with an independent User Key. 567With the 568.Cm init 569subcommand, only key number 0 is initialized. 570The User Key can be changed at any time: for an attached provider, 571for a detached provider, or on the backup file. 572When a provider is attached, the user does not have to provide 573an existing passphrase/keyfile. 574.Pp 575Additional options include: 576.Bl -tag -width ".Fl J Ar newpassfile" 577.It Fl i Ar iterations 578Number of iterations to use with PKCS#5v2. 579If 0 is given, PKCS#5v2 will not be used. 580To be able to use this option with the 581.Cm setkey 582subcommand, only one key has to be defined and this key must be changed. 583.It Fl j Ar passfile 584Specifies a file which contains the passphrase component of a current User Key 585(or part of it). 586.It Fl J Ar newpassfile 587Specifies a file which contains the passphrase component of the new User Key 588(or part of it). 589.It Fl k Ar keyfile 590Specifies a file which contains the keyfile component of a current User Key 591(or part of it). 592.It Fl K Ar newkeyfile 593Specifies a file which contains the keyfile component of the new User Key 594(or part of it). 595.It Fl n Ar keyno 596Specifies the index number of the Master Key copy to change (could be 0 or 1). 597If the provider is attached and no key number is given, the key 598used for attaching the provider will be changed. 599If the provider is detached (or we are operating on a backup file) 600and no key number is given, the first Master Key copy to be successfully 601decrypted with the provided User Key passphrase/keyfile will be changed. 602.It Fl p 603Do not use a passphrase as a component of the current User Key. 604Cannot be combined with the 605.Fl j 606option. 607.It Fl P 608Do not use a passphrase as a component of the new User Key. 609Cannot be combined with the 610.Fl J 611option. 612.El 613.It Cm delkey 614Destroy (overwrite with random data) the selected Master Key copy. 615If one is destroying keys for an attached provider, the provider 616will not be detached even if all copies of the Master Key are destroyed. 617It can even be rescued with the 618.Cm setkey 619subcommand because the Master Key is still in memory. 620.Pp 621Additional options include: 622.Bl -tag -width ".Fl a Ar keyno" 623.It Fl a 624Destroy all copies of the Master Key (does not need 625.Fl f 626option). 627.It Fl f 628Force key destruction. 629This option is needed to destroy the last copy of the Master Key. 630.It Fl n Ar keyno 631Specifies the index number of the Master Key copy. 632If the provider is attached and no key number is given, the key 633used for attaching the provider will be destroyed. 634If provider is detached (or we are operating on a backup file) the key number 635has to be given. 636.El 637.It Cm kill 638This command should be used only in emergency situations. 639It will destroy all copies of the Master Key on a given provider and will 640detach it forcibly (if it is attached). 641This is absolutely a one-way command - if you do not have a metadata 642backup, your data is gone for good. 643In case the provider was attached with the 644.Fl r 645flag, the keys will not be destroyed, only the provider will be detached. 646.Pp 647Additional options include: 648.Bl -tag -width ".Fl a" 649.It Fl a 650If specified, all currently attached providers will be killed. 651.El 652.It Cm backup 653Backup metadata from the given provider to the given file. 654.It Cm restore 655Restore metadata from the given file to the given provider. 656.Pp 657Additional options include: 658.Bl -tag -width ".Fl f" 659.It Fl f 660Metadata contains the size of the provider to ensure that the correct 661partition or slice is attached. 662If an attempt is made to restore metadata to a provider that has a different 663size, 664.Nm 665will refuse to restore the data unless the 666.Fl f 667switch is used. 668If the partition or slice has been grown, the 669.Cm resize 670subcommand should be used rather than attempting to relocate the metadata 671through 672.Cm backup 673and 674.Cm restore . 675.El 676.It Cm suspend 677Suspend device by waiting for all inflight requests to finish, clearing all 678sensitive information such as the Master Key and Data Keys from kernel memory, 679and blocking all further I/O requests until the 680.Cm resume 681subcommand is executed. 682This functionality is useful for laptops. 683Suspending a laptop should not leave an encrypted device attached. 684The 685.Cm suspend 686subcommand can be used rather than closing all files and directories from 687filesystems on the encrypted device, unmounting the filesystem, and 688detaching the device. 689Any access to the encrypted device will be blocked until the Master Key is 690reloaded through the 691.Cm resume 692subcommand. 693Thus there is no need to close nor unmount anything. 694The 695.Cm suspend 696subcommand does not work with devices created with the 697.Cm onetime 698subcommand. 699Please note that sensitive data might still be present in memory locations 700such as the filesystem cache after suspending an encrypted device. 701.Pp 702Additional options include: 703.Bl -tag -width ".Fl a" 704.It Fl a 705Suspend all 706.Nm 707devices. 708.El 709.It Cm resume 710Resume previously suspended device. 711The caller must ensure that executing this subcommand does not access the 712suspended device, leading to a deadlock. 713For example, suspending a device which contains the filesystem where the 714.Nm 715utility is stored is a bad idea. 716.Pp 717Additional options include: 718.Bl -tag -width ".Fl j Ar passfile" 719.It Fl j Ar passfile 720Specifies a file which contains the passphrase component of the User Key, 721or part of it. 722For more information see the description of the 723.Fl J 724option for the 725.Cm init 726subcommand. 727.It Fl k Ar keyfile 728Specifies a file which contains the keyfile component of the User Key, 729or part of it. 730For more information see the description of the 731.Fl K 732option for the 733.Cm init 734subcommand. 735.It Fl p 736Do not use a passphrase as a component of the User Key. 737Cannot be combined with the 738.Fl j 739option. 740.El 741.It Cm resize 742Inform 743.Nm 744that the provider has been resized. 745The old metadata block is relocated to the correct position at the end of the 746provider and the provider size is updated. 747.Pp 748Additional options include: 749.Bl -tag -width ".Fl s Ar oldsize" 750.It Fl s Ar oldsize 751The size of the provider before it was resized. 752.El 753.It Cm version 754If no arguments are given, the 755.Cm version 756subcommand will print the version of 757.Nm 758userland utility as well as the version of the 759.Nm ELI 760GEOM class. 761.Pp 762If GEOM providers are specified, the 763.Cm version 764subcommand will print metadata version used by each of them. 765.It Cm clear 766Clear metadata from the given providers. 767.Em WARNING : 768This will erase with zeros the encrypted Master Key copies stored in the 769metadata. 770.It Cm dump 771Dump metadata stored on the given providers. 772.It Cm list 773See 774.Xr geom 8 . 775.It Cm status 776See 777.Xr geom 8 . 778.It Cm load 779See 780.Xr geom 8 . 781.It Cm unload 782See 783.Xr geom 8 . 784.El 785.Pp 786Additional options include: 787.Bl -tag -width ".Fl v" 788.It Fl v 789Be more verbose. 790.El 791.Sh KEY SUMMARY 792.Ss Master Key 793Upon 794.Cm init , 795the 796.Nm 797utility generates a random Master Key for the provider. 798The Master Key never changes during the lifetime of the provider. 799Each copy of the provider metadata, active or backed up to a file, can store 800up to two, independently-encrypted copies of the Master Key. 801.Ss User Key 802Each stored copy of the Master Key is encrypted with a User Key, which 803is generated by the 804.Nm 805utility from a passphrase and/or a keyfile. 806The 807.Nm 808utility first reads all parts of the keyfile in the order specified on the 809command line, then reads all parts of the stored passphrase in the order 810specified on the command line. 811If no passphrase parts are specified, the system prompts the user to enter 812the passphrase. 813The passphrase is optionally strengthened by PKCS#5v2. 814The User Key is a digest computed over the concatenated keyfile and passphrase. 815.Ss Data Key 816During operation, one or more Data Keys are deterministically derived by 817the kernel from the Master Key and cached in memory. 818The number of Data Keys used by a given provider, and the way they are 819derived, depend on the GELI version and whether the provider is configured to 820use data authentication. 821.Sh SYSCTL VARIABLES 822The following 823.Xr sysctl 8 824variables can be used to control the behavior of the 825.Nm ELI 826GEOM class. 827The default value is shown next to each variable. 828Some variables can also be set in 829.Pa /boot/loader.conf . 830.Bl -tag -width indent 831.It Va kern.geom.eli.version 832Version number of the 833.Nm ELI 834GEOM class. 835.It Va kern.geom.eli.debug : No 0 836Debug level of the 837.Nm ELI 838GEOM class. 839This can be set to a number between 0 and 3 inclusive. 840If set to 0, minimal debug information is printed. 841If set to 3, the 842maximum amount of debug information is printed. 843.It Va kern.geom.eli.tries : No 3 844Number of times a user is asked for the passphrase. 845This is only used for providers which are attached on boot, 846before the root filesystem is mounted. 847If set to 0, attaching providers on boot will be disabled. 848This variable should be set in 849.Pa /boot/loader.conf . 850.It Va kern.geom.eli.overwrites : No 5 851Specifies how many times the Master Key is overwritten 852with random values when it is destroyed. 853After this operation it is filled with zeros. 854.It Va kern.geom.eli.visible_passphrase : No 0 855If set to 1, the passphrase entered on boot will be visible. 856This alternative should be used with caution as the entered 857passphrase can be logged and exposed via 858.Xr dmesg 8 . 859This variable should be set in 860.Pa /boot/loader.conf . 861.It Va kern.geom.eli.threads : No 0 862Specifies how many kernel threads should be used for doing software 863cryptography. 864Its purpose is to increase performance on SMP systems. 865If set to 0, a CPU-pinned thread will be started for every active CPU. 866.It Va kern.geom.eli.batch : No 0 867When set to 1, can speed-up crypto operations by using batching. 868Batching reduces the number of interrupts by responding to a group of 869crypto requests with one interrupt. 870The crypto card and the driver has to support this feature. 871.It Va kern.geom.eli.key_cache_limit : No 8192 872Specifies how many Data Keys to cache. 873The default limit 874(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte 875sectors and will take around 1MB of memory. 876.It Va kern.geom.eli.key_cache_hits 877Reports how many times we were looking up a Data Key and it was already in 878cache. 879This sysctl is not updated for providers that need fewer Data Keys than 880the limit specified in 881.Va kern.geom.eli.key_cache_limit . 882.It Va kern.geom.eli.key_cache_misses 883Reports how many times we were looking up a Data Key and it was not in cache. 884This sysctl is not updated for providers that need fewer Data Keys than the limit 885specified in 886.Va kern.geom.eli.key_cache_limit . 887.Va kern.geom.eli.unmapped_io 888Enable support for unmapped I/O buffers, currently implemented only on 64-bit 889platforms. 890This is an optimization which reduces the overhead of I/O processing. 891This variable is intended for debugging purposes and must be set in 892.Pa /boot/loader.conf . 893.El 894.Sh EXIT STATUS 895Exit status is 0 on success, and 1 if the command fails. 896.Sh EXAMPLES 897Initialize a provider which is going to be encrypted with a 898passphrase and random data from a file on the user's pen drive. 899Use 4kB sector size. 900Attach the provider, create a filesystem, and mount it. 901Do the work. 902Unmount the provider and detach it: 903.Bd -literal -offset indent 904# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1 905# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2 906Enter new passphrase: 907Reenter new passphrase: 908# geli attach -k /mnt/pendrive/da2.key /dev/da2 909Enter passphrase: 910# dd if=/dev/random of=/dev/da2.eli bs=1m 911# newfs /dev/da2.eli 912# mount /dev/da2.eli /mnt/secret 913\&... 914# umount /mnt/secret 915# geli detach da2.eli 916.Ed 917.Pp 918Create an encrypted provider, but use two User Keys: 919one for your employee and one for you as the company's security officer 920(so it is not a tragedy if the employee 921.Qq accidentally 922forgets his passphrase): 923.Bd -literal -offset indent 924# geli init /dev/da2 925Enter new passphrase: (enter security officer's passphrase) 926Reenter new passphrase: 927# geli setkey -n 1 /dev/da2 928Enter passphrase: (enter security officer's passphrase) 929Enter new passphrase: (let your employee enter his passphrase ...) 930Reenter new passphrase: (... twice) 931.Ed 932.Pp 933You are the security officer in your company. 934Create an encrypted provider for use by the user, but remember that users 935forget their passphrases, so backup the Master Key with your own random key: 936.Bd -literal -offset indent 937# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1 938# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e 939# geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname` 940(use key number 0, so the encrypted Master Key will be re-encrypted by this) 941# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e 942(allow the user to enter his passphrase) 943Enter new passphrase: 944Reenter new passphrase: 945.Ed 946.Pp 947Encrypted swap partition setup: 948.Bd -literal -offset indent 949# dd if=/dev/random of=/dev/ada0s1b bs=1m 950# geli onetime -d ada0s1b 951# swapon /dev/ada0s1b.eli 952.Ed 953.Pp 954The example below shows how to configure two providers which will be attached 955on boot, before the root filesystem is mounted. 956One of them is using passphrase and three keyfile parts and the other is 957using only a keyfile in one part: 958.Bd -literal -offset indent 959# dd if=/dev/random of=/dev/da0 bs=1m 960# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1 961# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1 962# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1 963# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0 964Enter new passphrase: 965Reenter new passphrase: 966# dd if=/dev/random of=/dev/da1s3a bs=1m 967# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1 968# geli init -b -P -K /boot/keys/da1s3a.key da1s3a 969.Ed 970.Pp 971The providers are initialized, now we have to add these lines to 972.Pa /boot/loader.conf : 973.Bd -literal -offset indent 974geli_da0_keyfile0_load="YES" 975geli_da0_keyfile0_type="da0:geli_keyfile0" 976geli_da0_keyfile0_name="/boot/keys/da0.key0" 977geli_da0_keyfile1_load="YES" 978geli_da0_keyfile1_type="da0:geli_keyfile1" 979geli_da0_keyfile1_name="/boot/keys/da0.key1" 980geli_da0_keyfile2_load="YES" 981geli_da0_keyfile2_type="da0:geli_keyfile2" 982geli_da0_keyfile2_name="/boot/keys/da0.key2" 983 984geli_da1s3a_keyfile0_load="YES" 985geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0" 986geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key" 987.Ed 988.Pp 989If there is only one keyfile, the index might be omitted: 990.Bd -literal -offset indent 991geli_da1s3a_keyfile_load="YES" 992geli_da1s3a_keyfile_type="da1s3a:geli_keyfile" 993geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key" 994.Ed 995.Pp 996By convention, these loader variables are called 997.Sm off 998.Va geli_ No < Ar device No > Va _load . 999.Sm on 1000However, the actual name prefix before 1001.Va _load , _type , 1002or 1003.Va _name 1004does not matter. 1005At boot time, the 1006.Nm 1007module searches through all 1008.Sm off 1009.No < Va prefix No > Va _type No -like 1010.Sm on 1011variables that have a value of 1012.Sm off 1013.Dq < Ar device No > :geli_keyfile . 1014.Sm on 1015The paths to keyfiles are then extracted from 1016.Sm off 1017.No < Ar prefix No > Va _name 1018.Sm on 1019variables. 1020In the example above, 1021.Ar prefix 1022is 1023.Dq Li geli_da1s3a_keyfile . 1024.Pp 1025Not only configure encryption, but also data integrity verification using 1026.Nm HMAC/SHA256 . 1027.Bd -literal -offset indent 1028# geli init -a hmac/sha256 -s 4096 /dev/da0 1029Enter new passphrase: 1030Reenter new passphrase: 1031# geli attach /dev/da0 1032Enter passphrase: 1033# dd if=/dev/random of=/dev/da0.eli bs=1m 1034# newfs /dev/da0.eli 1035# mount /dev/da0.eli /mnt/secret 1036.Ed 1037.Pp 1038.Cm geli 1039writes the metadata backup by default to the 1040.Pa /var/backups/<prov>.eli 1041file. 1042If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored. 1043Consider the following situation: 1044.Bd -literal -offset indent 1045# geli init /dev/da0 1046Enter new passphrase: 1047Reenter new passphrase: 1048 1049Metadata backup can be found in /var/backups/da0.eli and 1050can be restored with the following command: 1051 1052 # geli restore /var/backups/da0.eli /dev/da0 1053 1054# geli clear /dev/da0 1055# geli attach /dev/da0 1056geli: Cannot read metadata from /dev/da0: Invalid argument. 1057# geli restore /var/backups/da0.eli /dev/da0 1058# geli attach /dev/da0 1059Enter passphrase: 1060.Ed 1061.Pp 1062If an encrypted filesystem is extended, it is necessary to relocate and 1063update the metadata: 1064.Bd -literal -offset indent 1065# gpart create -s GPT ada0 1066# gpart add -s 1g -t freebsd-ufs -i 1 ada0 1067# geli init -K keyfile -P ada0p1 1068# gpart resize -s 2g -i 1 ada0 1069# geli resize -s 1g ada0p1 1070# geli attach -k keyfile -p ada0p1 1071.Ed 1072.Pp 1073Initialize provider with the passphrase split into two files. 1074The provider can be attached using those two files or by entering 1075.Dq foobar 1076as the passphrase at the 1077.Nm 1078prompt: 1079.Bd -literal -offset indent 1080# echo foo > da0.pass0 1081# echo bar > da0.pass1 1082# geli init -J da0.pass0 -J da0.pass1 da0 1083# geli attach -j da0.pass0 -j da0.pass1 da0 1084# geli detach da0 1085# geli attach da0 1086Enter passphrase: foobar 1087.Ed 1088.Pp 1089Suspend all 1090.Nm 1091devices on a laptop, suspend the laptop, then resume devices one by one after 1092resuming the laptop: 1093.Bd -literal -offset indent 1094# geli suspend -a 1095# zzz 1096<resume your laptop> 1097# geli resume -p -k keyfile gpt/secret 1098# geli resume gpt/private 1099Enter passphrase: 1100.Ed 1101.Pp 1102To create a 1103.Nm 1104encrypted filesystem with a file as storage device follow this example. 1105First a file named private0 is created in 1106.Pa /usr 1107and attached as a memory disk like 1108.Pa /dev/md0 1109for example. 1110.Bd -literal -offset indent 1111# dd if=/dev/zero of=/usr/private0 bs=1m count=256 1112# chmod 0600 /usr/private0 1113# mdconfig -t vnode -f /usr/private0 1114.Ed 1115.Pp 1116It is recommended to place the following line in 1117.Xr rc.conf 5 1118to have the memory disk automatically created during boot. 1119.Bd -literal -offset indent 1120mdconfig_md0="-t vnode -f /usr/private0" 1121.Ed 1122.Pp 1123After 1124.Pa /dev/md0 1125is created a random key has to be generated and stored in a secure location, 1126like 1127.Pa /root 1128for example. 1129This key should be protected by a passphrase, which 1130is requested when geli init is called. 1131.Bd -literal -offset indent 1132# dd if=/dev/random of=/root/private0.key bs=64 count=1 1133# geli init -K /root/private0.key -s 4096 /dev/md0 1134Enter new passphrase: 1135Reenter new passphrase: 1136# geli attach -k /root/private0.key /dev/md0 1137Enter passphrase: 1138# dd if=/dev/random of=/dev/md0.eli bs=1m 1139.Ed 1140.Pp 1141Once the initialization of the 1142.Pa /dev/md0.eli 1143device is ready create a UFS filesystem and mount it for example in 1144.Pa /private . 1145.Bd -literal -offset indent 1146# newfs /dev/md0.eli 1147# mount /dev/md0.eli /private 1148.Ed 1149.Pp 1150After a system reboot the 1151.Nm 1152device can be mounted again with the following commands. 1153The call of geli attach will ask for the passphrase. 1154It is recommended to do this procedure after the boot, because otherwise 1155the boot process would be waiting for the passphrase input. 1156.Bd -literal -offset indent 1157# geli attach -k /root/private0.key /dev/md0 1158Enter passphrase: 1159# mount /dev/md0.eli /private 1160.Ed 1161.Sh ENCRYPTION MODES 1162.Nm 1163supports two encryption modes: 1164.Nm XTS , 1165which was standardized as 1166.Nm IEEE P1619 1167and 1168.Nm CBC 1169with unpredictable IV. 1170The 1171.Nm CBC 1172mode used by 1173.Nm 1174is very similar to the mode 1175.Nm ESSIV . 1176.Sh DATA AUTHENTICATION 1177.Nm 1178can verify data integrity when an authentication algorithm is specified. 1179When data corruption/modification is detected, 1180.Nm 1181will not return any data, but instead will return an error 1182.Pq Er EINVAL . 1183The offset and size of the corrupted data will be printed on the console. 1184It is important to know against which attacks 1185.Nm 1186provides protection for your data. 1187If data is modified in-place or copied from one place on the disk 1188to another even without modification, 1189.Nm 1190should be able to detect such a change. 1191If an attacker can remember the encrypted data, he can overwrite any future 1192changes with the data he owns without it being noticed. 1193In other words 1194.Nm 1195will not protect your data against replay attacks. 1196.Pp 1197It is recommended to write to the whole provider before first use, 1198in order to make sure that all sectors and their corresponding 1199checksums are properly initialized into a consistent state. 1200One can safely ignore data authentication errors that occur immediately 1201after the first time a provider is attached and before it is 1202initialized in this way. 1203.Sh SEE ALSO 1204.Xr crypto 4 , 1205.Xr gbde 4 , 1206.Xr geom 4 , 1207.Xr loader.conf 5 , 1208.Xr gbde 8 , 1209.Xr geom 8 , 1210.Xr crypto 9 1211.Sh HISTORY 1212The 1213.Nm 1214utility appeared in 1215.Fx 6.0 . 1216Support for the 1217.Nm Camellia 1218block cipher was implemented by Yoshisato Yanagisawa in 1219.Fx 7.0 . 1220.Pp 1221Highest 1222.Nm GELI 1223metadata version supported by the given 1224.Fx 1225version: 1226.Bl -column -offset indent ".Sy FreeBSD" ".Sy version" 1227.It Sy FreeBSD Ta Sy GELI 1228.It Sy version Ta Sy version 1229.Pp 1230.It Li 6.0 Ta 0 1231.It Li 6.1 Ta 0 1232.It Li 6.2 Ta 3 1233.It Li 6.3 Ta 3 1234.It Li 6.4 Ta 3 1235.Pp 1236.It Li 7.0 Ta 3 1237.It Li 7.1 Ta 3 1238.It Li 7.2 Ta 3 1239.It Li 7.3 Ta 3 1240.It Li 7.4 Ta 3 1241.Pp 1242.It Li 8.0 Ta 3 1243.It Li 8.1 Ta 3 1244.It Li 8.2 Ta 5 1245.Pp 1246.It Li 9.0 Ta 6 1247.Pp 1248.It Li 10.0 Ta 7 1249.El 1250.Sh AUTHORS 1251.An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org 1252