xref: /freebsd/lib/geom/eli/geli.8 (revision 22cf89c938886d14f5796fc49f9f020c23ea8eaf)
1.\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd April 18, 2022
26.Dt GELI 8
27.Os
28.Sh NAME
29.Nm geli
30.Nd "control utility for the cryptographic GEOM class"
31.Sh SYNOPSIS
32To compile GEOM_ELI into your kernel, add the following lines to your kernel
33configuration file:
34.Bd -ragged -offset indent
35.Cd "device crypto"
36.Cd "options GEOM_ELI"
37.Ed
38.Pp
39Alternatively, to load the GEOM_ELI module at boot time, add the following line
40to your
41.Xr loader.conf 5 :
42.Bd -literal -offset indent
43geom_eli_load="YES"
44.Ed
45.Pp
46.No Usage of the Nm
47utility:
48.Pp
49.Nm
50.Cm init
51.Op Fl bdgPRTv
52.Op Fl a Ar aalgo
53.Op Fl B Ar backupfile
54.Op Fl e Ar ealgo
55.Op Fl i Ar iterations
56.Op Fl J Ar newpassfile
57.Op Fl K Ar newkeyfile
58.Op Fl l Ar keylen
59.Op Fl s Ar sectorsize
60.Op Fl V Ar version
61.Ar prov ...
62.Nm
63.Cm label - an alias for
64.Cm init
65.Nm
66.Cm attach
67.Op Fl Cdprv
68.Op Fl n Ar keyno
69.Op Fl j Ar passfile
70.Op Fl k Ar keyfile
71.Ar prov ...
72.Nm
73.Cm detach
74.Op Fl fl
75.Ar prov ...
76.Nm
77.Cm stop - an alias for
78.Cm detach
79.Nm
80.Cm onetime
81.Op Fl dRT
82.Op Fl a Ar aalgo
83.Op Fl e Ar ealgo
84.Op Fl l Ar keylen
85.Op Fl s Ar sectorsize
86.Ar prov
87.Nm
88.Cm configure
89.Op Fl bBdDgGrRtT
90.Ar prov ...
91.Nm
92.Cm setkey
93.Op Fl pPv
94.Op Fl i Ar iterations
95.Op Fl j Ar passfile
96.Op Fl J Ar newpassfile
97.Op Fl k Ar keyfile
98.Op Fl K Ar newkeyfile
99.Op Fl n Ar keyno
100.Ar prov
101.Nm
102.Cm delkey
103.Op Fl afv
104.Op Fl n Ar keyno
105.Ar prov
106.Nm
107.Cm kill
108.Op Fl av
109.Op Ar prov ...
110.Nm
111.Cm backup
112.Op Fl v
113.Ar prov
114.Ar file
115.Nm
116.Cm restore
117.Op Fl fv
118.Ar file
119.Ar prov
120.Nm
121.Cm suspend
122.Op Fl v
123.Fl a | Ar prov ...
124.Nm
125.Cm resume
126.Op Fl pv
127.Op Fl j Ar passfile
128.Op Fl k Ar keyfile
129.Ar prov
130.Nm
131.Cm resize
132.Op Fl v
133.Fl s Ar oldsize
134.Ar prov
135.Nm
136.Cm version
137.Op Ar prov ...
138.Nm
139.Cm clear
140.Op Fl v
141.Ar prov ...
142.Nm
143.Cm dump
144.Op Fl v
145.Ar prov ...
146.Nm
147.Cm list
148.Nm
149.Cm status
150.Nm
151.Cm load
152.Nm
153.Cm unload
154.Sh DESCRIPTION
155The
156.Nm
157utility is used to configure encryption on GEOM providers.
158.Pp
159The following is a list of the most important features:
160.Pp
161.Bl -bullet -offset indent -compact
162.It
163Utilizes the
164.Xr crypto 9
165framework, so when there is crypto hardware available,
166.Nm
167will make use of it automatically.
168.It
169Supports many cryptographic algorithms (currently
170.Nm AES-XTS ,
171.Nm AES-CBC ,
172and
173.Nm Camellia-CBC ) .
174.It
175Can optionally perform data authentication (integrity verification) utilizing
176one of the following algorithms:
177.Nm HMAC/SHA1 ,
178.Nm HMAC/RIPEMD160 ,
179.Nm HMAC/SHA256 ,
180.Nm HMAC/SHA384
181or
182.Nm HMAC/SHA512 .
183.It
184Can create a User Key from up to two, piecewise components: a passphrase
185entered via prompt or read from one or more passfiles; a keyfile read from
186one or more files.
187.It
188Allows encryption of the root partition.
189The user is asked for the passphrase before the root filesystem is mounted.
190.It
191Strengthens the passphrase component of the User Key with:
192.Rs
193.%A B. Kaliski
194.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
195.%R RFC
196.%N 2898
197.Re
198.It
199Allows the use of two independent User Keys (e.g., a
200.Qq "user key"
201and a
202.Qq "company key" ) .
203.It
204It is fast -
205.Nm
206performs simple sector-to-sector encryption.
207.It
208Allows the encrypted Master Key to be backed up and restored,
209so that if a user has to quickly destroy key material,
210it is possible to get the data back by restoring keys from
211backup.
212.It
213Providers can be configured to automatically detach on last close,
214so users do not have to remember to detach providers after unmounting
215the filesystems.
216.It
217Allows attaching a provider with a random, one-time Master Key,
218which is useful for swap partitions and temporary filesystems.
219.It
220Allows verification of data integrity (data authentication).
221.It
222Allows suspending and resuming encrypted devices.
223.El
224.Pp
225The first argument to
226.Nm
227indicates an action to be performed:
228.Bl -tag -width ".Cm configure"
229.It Cm init
230Initialize providers which need to be encrypted.
231If multiple providers are listed as arguments, they will all be initialized
232with the same passphrase and/or User Key.
233A unique salt will be randomly generated for each provider to ensure the
234Master Key for each is unique.
235Here you can set up the cryptographic algorithm to use, Data Key length,
236etc.
237The last sector of the providers is used to store metadata.
238The
239.Cm init
240subcommand also automatically writes metadata backups to
241.Pa /var/backups/<prov>.eli
242file.
243The metadata can be recovered with the
244.Cm restore
245subcommand described below.
246.Pp
247Additional options include:
248.Bl -tag -width ".Fl J Ar newpassfile"
249.It Fl a Ar aalgo
250Enable data integrity verification (authentication) using the given algorithm.
251This will reduce the size of storage available and also reduce speed.
252For example, when using 4096 bytes sector and
253.Nm HMAC/SHA256
254algorithm, 89% of the original provider storage will be available for use.
255Currently supported algorithms are:
256.Nm HMAC/SHA1 ,
257.Nm HMAC/RIPEMD160 ,
258.Nm HMAC/SHA256 ,
259.Nm HMAC/SHA384
260and
261.Nm HMAC/SHA512 .
262If the option is not given, there will be no authentication, only encryption.
263The recommended algorithm is
264.Nm HMAC/SHA256 .
265.It Fl b
266Try to decrypt this partition during boot, before the root partition is mounted.
267This makes it possible to use an encrypted root partition.
268One will still need bootable unencrypted storage with a
269.Pa /boot/
270directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
271after boot.
272.It Fl B Ar backupfile
273File name to use for metadata backup instead of the default
274.Pa /var/backups/<prov>.eli .
275To inhibit backups, you can use
276.Pa none
277as the
278.Ar backupfile .
279If multiple providers were initialized in the one command, you can use
280.Pa PROV
281(all upper-case) in the file name, and it will be replaced with the provider
282name.
283If
284.Pa PROV
285is not found in the file name and multiple providers were initialized in the
286one command,
287.Pa -<prov>
288will be appended to the end of the file name specified.
289.It Fl d
290When entering the passphrase to boot from this encrypted root filesystem, echo
291.Ql *
292characters.
293This makes the length of the passphrase visible.
294.It Fl e Ar ealgo
295Encryption algorithm to use.
296Currently supported algorithms are:
297.Nm AES-XTS ,
298.Nm AES-CBC ,
299.Nm Camellia-CBC ,
300and
301.Nm NULL .
302The default and recommended algorithm is
303.Nm AES-XTS .
304.Nm NULL
305is unencrypted.
306.It Fl g
307Enable booting from this encrypted root filesystem.
308The boot loader prompts for the passphrase and loads
309.Xr loader 8
310from the encrypted partition.
311.It Fl i Ar iterations
312Number of iterations to use with PKCS#5v2 when processing User Key
313passphrase component.
314If this option is not specified,
315.Nm
316will find the number of iterations which is equal to 2 seconds of crypto work.
317If 0 is given, PKCS#5v2 will not be used.
318PKCS#5v2 processing is performed once, after all parts of the passphrase
319component have been read.
320.It Fl J Ar newpassfile
321Specifies a file which contains the passphrase component of the User Key
322(or part of it).
323If
324.Ar newpassfile
325is given as -, standard input will be used.
326Only the first line (excluding new-line character) is taken from the given file.
327This argument can be specified multiple times, which has the effect of
328reassembling a single passphrase split across multiple files.
329Cannot be combined with the
330.Fl P
331option.
332.It Fl K Ar newkeyfile
333Specifies a file which contains the keyfile component of the User Key
334(or part of it).
335If
336.Ar newkeyfile
337is given as -, standard input will be used.
338This argument can be specified multiple times, which has the effect of
339reassembling a single keyfile split across multiple keyfile parts.
340.It Fl l Ar keylen
341Data Key length to use with the given cryptographic algorithm.
342If the length is not specified, the selected algorithm uses its
343.Em default
344key length.
345.Bl -ohang -offset indent
346.It Nm AES-XTS
347.Em 128 ,
348256
349.It Nm AES-CBC , Nm Camellia-CBC
350.Em 128 ,
351192,
352256
353.El
354.It Fl P
355Do not use a passphrase as a component of the User Key.
356Cannot be combined with the
357.Fl J
358option.
359.It Fl s Ar sectorsize
360Change decrypted provider's sector size.
361Increasing the sector size allows increased performance,
362because encryption/decryption which requires an initialization vector
363is done per sector; fewer sectors means less computational work.
364.It Fl R
365Turn off automatic expansion.
366By default, if the underlying provider grows, the encrypted provider will
367grow automatically too.
368The metadata will be moved to the new location.
369If automatic expansion if turned off and the underlying provider changes
370size, attaching encrypted provider will no longer be possible as the metadata
371will no longer be located in the last sector.
372In this case
373.Nm GELI
374will only log the previous size of the underlying provider, so metadata can
375be found easier, if resize was done by mistake.
376.It Fl T
377Don't pass through
378.Dv BIO_DELETE
379calls (i.e., TRIM/UNMAP).
380This can prevent an attacker from knowing how much space you're actually
381using and which sectors contain live data, but will also prevent the
382backing store (SSD, etc) from reclaiming space you're not using, which
383may degrade its performance and lifespan.
384The underlying provider may or may not actually obliterate the deleted
385sectors when TRIM is enabled, so it should not be considered to add any
386security.
387.It Fl V Ar version
388Metadata version to use.
389This option is helpful when creating a provider that may be used by older
390.Nm FreeBSD/GELI
391versions.
392Consult the
393.Sx HISTORY
394section to find which metadata version is supported by which
395.Fx
396version.
397Note that using an older version of metadata may limit the number of
398features available.
399.El
400.It Cm attach
401Attach the given providers.
402The encrypted Master Keys are loaded from the metadata and decrypted
403using the given passphrase/keyfile and new GEOM providers are created
404using the specified provider names.
405A
406.Qq .eli
407suffix is added to the user specified provider names.
408Multiple providers can only be attached with a single
409.Cm attach
410command if they all have the same passphrase and keyfiles.
411.Pp
412Additional options include:
413.Bl -tag -width ".Fl j Ar passfile"
414.It Fl C
415Do a dry-run decryption.
416This is useful to verify passphrase and keyfile without decrypting the device.
417.It Fl d
418If specified, the decrypted providers are detached automatically on last close,
419so the user does not have to remember to detach
420providers after unmounting the filesystems.
421This only works when providers were opened for writing, and will not work if
422the filesystems on the providers were mounted read-only.
423Probably a better choice is the
424.Fl l
425option for the
426.Cm detach
427subcommand.
428.It Fl n Ar keyno
429Specifies the index number of the Master Key copy to use (could be 0 or 1).
430If the index number is not provided all keys will be tested.
431.It Fl j Ar passfile
432Specifies a file which contains the passphrase component of the User Key
433(or part of it).
434For more information see the description of the
435.Fl J
436option for the
437.Cm init
438subcommand.
439The same passfiles are used for all listed providers.
440.It Fl k Ar keyfile
441Specifies a file which contains the keyfile component of the User Key
442(or part of it).
443For more information see the description of the
444.Fl K
445option for the
446.Cm init
447subcommand.
448The same keyfiles are used for all listed providers.
449.It Fl p
450Do not use a passphrase as a component of the User Keys.
451Cannot be combined with the
452.Fl j
453option.
454.It Fl r
455Attach read-only providers.
456They are not opened for writing.
457.El
458.It Cm detach
459Detach the given providers, which means remove the devfs entry
460and clear the Master Key and Data Keys from memory.
461.Pp
462Additional options include:
463.Bl -tag -width ".Fl f"
464.It Fl f
465Force detach - detach even if the provider is open.
466.It Fl l
467Mark provider to detach on last close, after the last filesystem has been
468unmounted.
469If this option is specified, the provider will not be detached
470while it is open, but will be automatically detached when it is closed for the
471last time even if it was only opened for reading.
472.El
473.It Cm onetime
474Attach the given providers with a random, one-time (ephemeral) Master Key.
475The command can be used to encrypt swap partitions or temporary filesystems.
476.Pp
477Additional options include:
478.Bl -tag -width ".Fl a Ar sectorsize"
479.It Fl a Ar aalgo
480Enable data integrity verification (authentication).
481For more information, see the description of the
482.Cm init
483subcommand.
484.It Fl e Ar ealgo
485Encryption algorithm to use.
486For more information, see the description of the
487.Cm init
488subcommand.
489.It Fl d
490Detach on last close, after the last filesystem has been unmounted.
491Note: this option is not usable for temporary filesystems as the provider is
492detached after the filesystem has been created.
493It still can, and should, be used for swap partitions.
494For more information, see the description of the
495.Cm attach
496subcommand.
497.It Fl l Ar keylen
498Data Key length to use with the given cryptographic algorithm.
499For more information, see the description of the
500.Cm init
501subcommand.
502.It Fl s Ar sectorsize
503Change decrypted provider's sector size.
504For more information, see the description of the
505.Cm init
506subcommand.
507.It Fl R
508Turn off automatic expansion.
509For more information, see the description of the
510.Cm init
511subcommand.
512.It Fl T
513Disable TRIM/UNMAP passthru.
514For more information, see the description of the
515.Cm init
516subcommand.
517.El
518.It Cm configure
519Change configuration of the given providers.
520.Pp
521Additional options include:
522.Bl -tag -width ".Fl b"
523.It Fl b
524Set the BOOT flag on the given providers.
525For more information, see the description of the
526.Cm init
527subcommand.
528.It Fl B
529Remove the BOOT flag from the given providers.
530.It Fl d
531When entering the passphrase to boot from this encrypted root filesystem, echo
532.Ql *
533characters.
534This makes the length of the passphrase visible.
535.It Fl D
536Disable echoing of any characters when a passphrase is entered to boot from this
537encrypted root filesystem.
538This hides the passphrase length.
539.It Fl g
540Enable booting from this encrypted root filesystem.
541The boot loader prompts for the passphrase and loads
542.Xr loader 8
543from the encrypted partition.
544.It Fl G
545Deactivate booting from this encrypted root partition.
546.It Fl r
547Turn on automatic expansion.
548For more information, see the description of the
549.Cm init
550subcommand.
551.It Fl R
552Turn off automatic expansion.
553.It Fl t
554Enable TRIM/UNMAP passthru.
555For more information, see the description of the
556.Cm init
557subcommand.
558.It Fl T
559Disable TRIM/UNMAP passthru.
560.El
561.It Cm setkey
562Install a copy of the Master Key into the selected slot, encrypted with
563a new User Key.
564If the selected slot is populated, replace the existing copy.
565A provider has one Master Key, which can be stored in one or both slots,
566each encrypted with an independent User Key.
567With the
568.Cm init
569subcommand, only key number 0 is initialized.
570The User Key can be changed at any time: for an attached provider,
571for a detached provider, or on the backup file.
572When a provider is attached, the user does not have to provide
573an existing passphrase/keyfile.
574.Pp
575Additional options include:
576.Bl -tag -width ".Fl J Ar newpassfile"
577.It Fl i Ar iterations
578Number of iterations to use with PKCS#5v2.
579If 0 is given, PKCS#5v2 will not be used.
580To be able to use this option with the
581.Cm setkey
582subcommand, only one key has to be defined and this key must be changed.
583.It Fl j Ar passfile
584Specifies a file which contains the passphrase component of a current User Key
585(or part of it).
586.It Fl J Ar newpassfile
587Specifies a file which contains the passphrase component of the new User Key
588(or part of it).
589.It Fl k Ar keyfile
590Specifies a file which contains the keyfile component of a current User Key
591(or part of it).
592.It Fl K Ar newkeyfile
593Specifies a file which contains the keyfile component of the new User Key
594(or part of it).
595.It Fl n Ar keyno
596Specifies the index number of the Master Key copy to change (could be 0 or 1).
597If the provider is attached and no key number is given, the key
598used for attaching the provider will be changed.
599If the provider is detached (or we are operating on a backup file)
600and no key number is given, the first Master Key copy to be successfully
601decrypted with the provided User Key passphrase/keyfile will be changed.
602.It Fl p
603Do not use a passphrase as a component of the current User Key.
604Cannot be combined with the
605.Fl j
606option.
607.It Fl P
608Do not use a passphrase as a component of the new User Key.
609Cannot be combined with the
610.Fl J
611option.
612.El
613.It Cm delkey
614Destroy (overwrite with random data) the selected Master Key copy.
615If one is destroying keys for an attached provider, the provider
616will not be detached even if all copies of the Master Key are destroyed.
617It can even be rescued with the
618.Cm setkey
619subcommand because the Master Key is still in memory.
620.Pp
621Additional options include:
622.Bl -tag -width ".Fl a Ar keyno"
623.It Fl a
624Destroy all copies of the Master Key (does not need
625.Fl f
626option).
627.It Fl f
628Force key destruction.
629This option is needed to destroy the last copy of the Master Key.
630.It Fl n Ar keyno
631Specifies the index number of the Master Key copy.
632If the provider is attached and no key number is given, the key
633used for attaching the provider will be destroyed.
634If provider is detached (or we are operating on a backup file) the key number
635has to be given.
636.El
637.It Cm kill
638This command should be used only in emergency situations.
639It will destroy all copies of the Master Key on a given provider and will
640detach it forcibly (if it is attached).
641This is absolutely a one-way command - if you do not have a metadata
642backup, your data is gone for good.
643In case the provider was attached with the
644.Fl r
645flag, the keys will not be destroyed, only the provider will be detached.
646.Pp
647Additional options include:
648.Bl -tag -width ".Fl a"
649.It Fl a
650If specified, all currently attached providers will be killed.
651.El
652.It Cm backup
653Backup metadata from the given provider to the given file.
654.It Cm restore
655Restore metadata from the given file to the given provider.
656.Pp
657Additional options include:
658.Bl -tag -width ".Fl f"
659.It Fl f
660Metadata contains the size of the provider to ensure that the correct
661partition or slice is attached.
662If an attempt is made to restore metadata to a provider that has a different
663size,
664.Nm
665will refuse to restore the data unless the
666.Fl f
667switch is used.
668If the partition or slice has been grown, the
669.Cm resize
670subcommand should be used rather than attempting to relocate the metadata
671through
672.Cm backup
673and
674.Cm restore .
675.El
676.It Cm suspend
677Suspend device by waiting for all inflight requests to finish, clearing all
678sensitive information such as the Master Key and Data Keys from kernel memory,
679and blocking all further I/O requests until the
680.Cm resume
681subcommand is executed.
682This functionality is useful for laptops.
683Suspending a laptop should not leave an encrypted device attached.
684The
685.Cm suspend
686subcommand can be used rather than closing all files and directories from
687filesystems on the encrypted device, unmounting the filesystem, and
688detaching the device.
689Any access to the encrypted device will be blocked until the Master Key is
690reloaded through the
691.Cm resume
692subcommand.
693Thus there is no need to close nor unmount anything.
694The
695.Cm suspend
696subcommand does not work with devices created with the
697.Cm onetime
698subcommand.
699Please note that sensitive data might still be present in memory locations
700such as the filesystem cache after suspending an encrypted device.
701.Pp
702Additional options include:
703.Bl -tag -width ".Fl a"
704.It Fl a
705Suspend all
706.Nm
707devices.
708.El
709.It Cm resume
710Resume previously suspended device.
711The caller must ensure that executing this subcommand does not access the
712suspended device, leading to a deadlock.
713For example, suspending a device which contains the filesystem where the
714.Nm
715utility is stored is a bad idea.
716.Pp
717Additional options include:
718.Bl -tag -width ".Fl j Ar passfile"
719.It Fl j Ar passfile
720Specifies a file which contains the passphrase component of the User Key,
721or part of it.
722For more information see the description of the
723.Fl J
724option for the
725.Cm init
726subcommand.
727.It Fl k Ar keyfile
728Specifies a file which contains the keyfile component of the User Key,
729or part of it.
730For more information see the description of the
731.Fl K
732option for the
733.Cm init
734subcommand.
735.It Fl p
736Do not use a passphrase as a component of the User Key.
737Cannot be combined with the
738.Fl j
739option.
740.El
741.It Cm resize
742Inform
743.Nm
744that the provider has been resized.
745The old metadata block is relocated to the correct position at the end of the
746provider and the provider size is updated.
747.Pp
748Additional options include:
749.Bl -tag -width ".Fl s Ar oldsize"
750.It Fl s Ar oldsize
751The size of the provider before it was resized.
752.El
753.It Cm version
754If no arguments are given, the
755.Cm version
756subcommand will print the version of
757.Nm
758userland utility as well as the version of the
759.Nm ELI
760GEOM class.
761.Pp
762If GEOM providers are specified, the
763.Cm version
764subcommand will print metadata version used by each of them.
765.It Cm clear
766Clear metadata from the given providers.
767.Em WARNING :
768This will erase with zeros the encrypted Master Key copies stored in the
769metadata.
770.It Cm dump
771Dump metadata stored on the given providers.
772.It Cm list
773See
774.Xr geom 8 .
775.It Cm status
776See
777.Xr geom 8 .
778.It Cm load
779See
780.Xr geom 8 .
781.It Cm unload
782See
783.Xr geom 8 .
784.El
785.Pp
786Additional options include:
787.Bl -tag -width ".Fl v"
788.It Fl v
789Be more verbose.
790.El
791.Sh KEY SUMMARY
792.Ss Master Key
793Upon
794.Cm init ,
795the
796.Nm
797utility generates a random Master Key for the provider.
798The Master Key never changes during the lifetime of the provider.
799Each copy of the provider metadata, active or backed up to a file, can store
800up to two, independently-encrypted copies of the Master Key.
801.Ss User Key
802Each stored copy of the Master Key is encrypted with a User Key, which
803is generated by the
804.Nm
805utility from a passphrase and/or a keyfile.
806The
807.Nm
808utility first reads all parts of the keyfile in the order specified on the
809command line, then reads all parts of the stored passphrase in the order
810specified on the command line.
811If no passphrase parts are specified, the system prompts the user to enter
812the passphrase.
813The passphrase is optionally strengthened by PKCS#5v2.
814The User Key is a digest computed over the concatenated keyfile and passphrase.
815.Ss Data Key
816During operation, one or more Data Keys are deterministically derived by
817the kernel from the Master Key and cached in memory.
818The number of Data Keys used by a given provider, and the way they are
819derived, depend on the GELI version and whether the provider is configured to
820use data authentication.
821.Sh SYSCTL VARIABLES
822The following
823.Xr sysctl 8
824variables can be used to control the behavior of the
825.Nm ELI
826GEOM class.
827The default value is shown next to each variable.
828Some variables can also be set in
829.Pa /boot/loader.conf .
830.Bl -tag -width indent
831.It Va kern.geom.eli.version
832Version number of the
833.Nm ELI
834GEOM class.
835.It Va kern.geom.eli.debug : No 0
836Debug level of the
837.Nm ELI
838GEOM class.
839This can be set to a number between 0 and 3 inclusive.
840If set to 0, minimal debug information is printed.
841If set to 3, the
842maximum amount of debug information is printed.
843.It Va kern.geom.eli.tries : No 3
844Number of times a user is asked for the passphrase.
845This is only used for providers which are attached on boot,
846before the root filesystem is mounted.
847If set to 0, attaching providers on boot will be disabled.
848This variable should be set in
849.Pa /boot/loader.conf .
850.It Va kern.geom.eli.overwrites : No 5
851Specifies how many times the Master Key is overwritten
852with random values when it is destroyed.
853After this operation it is filled with zeros.
854.It Va kern.geom.eli.visible_passphrase : No 0
855If set to 1, the passphrase entered on boot will be visible.
856This alternative should be used with caution as the entered
857passphrase can be logged and exposed via
858.Xr dmesg 8 .
859This variable should be set in
860.Pa /boot/loader.conf .
861.It Va kern.geom.eli.threads : No 0
862Specifies how many kernel threads should be used for doing software
863cryptography.
864Its purpose is to increase performance on SMP systems.
865If set to 0, a CPU-pinned thread will be started for every active CPU.
866.It Va kern.geom.eli.batch : No 0
867When set to 1, can speed-up crypto operations by using batching.
868Batching reduces the number of interrupts by responding to a group of
869crypto requests with one interrupt.
870The crypto card and the driver has to support this feature.
871.It Va kern.geom.eli.key_cache_limit : No 8192
872Specifies how many Data Keys to cache.
873The default limit
874(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
875sectors and will take around 1MB of memory.
876.It Va kern.geom.eli.key_cache_hits
877Reports how many times we were looking up a Data Key and it was already in
878cache.
879This sysctl is not updated for providers that need fewer Data Keys than
880the limit specified in
881.Va kern.geom.eli.key_cache_limit .
882.It Va kern.geom.eli.key_cache_misses
883Reports how many times we were looking up a Data Key and it was not in cache.
884This sysctl is not updated for providers that need fewer Data Keys than the limit
885specified in
886.Va kern.geom.eli.key_cache_limit .
887.Va kern.geom.eli.unmapped_io
888Enable support for unmapped I/O buffers, currently implemented only on 64-bit
889platforms.
890This is an optimization which reduces the overhead of I/O processing.
891This variable is intended for debugging purposes and must be set in
892.Pa /boot/loader.conf .
893.El
894.Sh EXIT STATUS
895Exit status is 0 on success, and 1 if the command fails.
896.Sh EXAMPLES
897Initialize a provider which is going to be encrypted with a
898passphrase and random data from a file on the user's pen drive.
899Use 4kB sector size.
900Attach the provider, create a filesystem, and mount it.
901Do the work.
902Unmount the provider and detach it:
903.Bd -literal -offset indent
904# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
905# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
906Enter new passphrase:
907Reenter new passphrase:
908# geli attach -k /mnt/pendrive/da2.key /dev/da2
909Enter passphrase:
910# dd if=/dev/random of=/dev/da2.eli bs=1m
911# newfs /dev/da2.eli
912# mount /dev/da2.eli /mnt/secret
913\&...
914# umount /mnt/secret
915# geli detach da2.eli
916.Ed
917.Pp
918Create an encrypted provider, but use two User Keys:
919one for your employee and one for you as the company's security officer
920(so it is not a tragedy if the employee
921.Qq accidentally
922forgets his passphrase):
923.Bd -literal -offset indent
924# geli init /dev/da2
925Enter new passphrase:	(enter security officer's passphrase)
926Reenter new passphrase:
927# geli setkey -n 1 /dev/da2
928Enter passphrase:	(enter security officer's passphrase)
929Enter new passphrase:	(let your employee enter his passphrase ...)
930Reenter new passphrase:	(... twice)
931.Ed
932.Pp
933You are the security officer in your company.
934Create an encrypted provider for use by the user, but remember that users
935forget their passphrases, so backup the Master Key with your own random key:
936.Bd -literal -offset indent
937# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
938# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
939# geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname`
940(use key number 0, so the encrypted Master Key will be re-encrypted by this)
941# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
942(allow the user to enter his passphrase)
943Enter new passphrase:
944Reenter new passphrase:
945.Ed
946.Pp
947Encrypted swap partition setup:
948.Bd -literal -offset indent
949# dd if=/dev/random of=/dev/ada0s1b bs=1m
950# geli onetime -d ada0s1b
951# swapon /dev/ada0s1b.eli
952.Ed
953.Pp
954The example below shows how to configure two providers which will be attached
955on boot, before the root filesystem is mounted.
956One of them is using passphrase and three keyfile parts and the other is
957using only a keyfile in one part:
958.Bd -literal -offset indent
959# dd if=/dev/random of=/dev/da0 bs=1m
960# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
961# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
962# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
963# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
964Enter new passphrase:
965Reenter new passphrase:
966# dd if=/dev/random of=/dev/da1s3a bs=1m
967# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
968# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
969.Ed
970.Pp
971The providers are initialized, now we have to add these lines to
972.Pa /boot/loader.conf :
973.Bd -literal -offset indent
974geli_da0_keyfile0_load="YES"
975geli_da0_keyfile0_type="da0:geli_keyfile0"
976geli_da0_keyfile0_name="/boot/keys/da0.key0"
977geli_da0_keyfile1_load="YES"
978geli_da0_keyfile1_type="da0:geli_keyfile1"
979geli_da0_keyfile1_name="/boot/keys/da0.key1"
980geli_da0_keyfile2_load="YES"
981geli_da0_keyfile2_type="da0:geli_keyfile2"
982geli_da0_keyfile2_name="/boot/keys/da0.key2"
983
984geli_da1s3a_keyfile0_load="YES"
985geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
986geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
987.Ed
988.Pp
989If there is only one keyfile, the index might be omitted:
990.Bd -literal -offset indent
991geli_da1s3a_keyfile_load="YES"
992geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
993geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
994.Ed
995.Pp
996By convention, these loader variables are called
997.Sm off
998.Va geli_ No < Ar device No > Va _load .
999.Sm on
1000However, the actual name prefix before
1001.Va _load , _type ,
1002or
1003.Va _name
1004does not matter.
1005At boot time, the
1006.Nm
1007module searches through all
1008.Sm off
1009.No < Va prefix No > Va _type No -like
1010.Sm on
1011variables that have a value of
1012.Sm off
1013.Dq < Ar device No > :geli_keyfile .
1014.Sm on
1015The paths to keyfiles are then extracted from
1016.Sm off
1017.No < Ar prefix No > Va _name
1018.Sm on
1019variables.
1020In the example above,
1021.Ar prefix
1022is
1023.Dq Li geli_da1s3a_keyfile .
1024.Pp
1025Not only configure encryption, but also data integrity verification using
1026.Nm HMAC/SHA256 .
1027.Bd -literal -offset indent
1028# geli init -a hmac/sha256 -s 4096 /dev/da0
1029Enter new passphrase:
1030Reenter new passphrase:
1031# geli attach /dev/da0
1032Enter passphrase:
1033# dd if=/dev/random of=/dev/da0.eli bs=1m
1034# newfs /dev/da0.eli
1035# mount /dev/da0.eli /mnt/secret
1036.Ed
1037.Pp
1038.Cm geli
1039writes the metadata backup by default to the
1040.Pa /var/backups/<prov>.eli
1041file.
1042If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored.
1043Consider the following situation:
1044.Bd -literal -offset indent
1045# geli init /dev/da0
1046Enter new passphrase:
1047Reenter new passphrase:
1048
1049Metadata backup can be found in /var/backups/da0.eli and
1050can be restored with the following command:
1051
1052	# geli restore /var/backups/da0.eli /dev/da0
1053
1054# geli clear /dev/da0
1055# geli attach /dev/da0
1056geli: Cannot read metadata from /dev/da0: Invalid argument.
1057# geli restore /var/backups/da0.eli /dev/da0
1058# geli attach /dev/da0
1059Enter passphrase:
1060.Ed
1061.Pp
1062If an encrypted filesystem is extended, it is necessary to relocate and
1063update the metadata:
1064.Bd -literal -offset indent
1065# gpart create -s GPT ada0
1066# gpart add -s 1g -t freebsd-ufs -i 1 ada0
1067# geli init -K keyfile -P ada0p1
1068# gpart resize -s 2g -i 1 ada0
1069# geli resize -s 1g ada0p1
1070# geli attach -k keyfile -p ada0p1
1071.Ed
1072.Pp
1073Initialize provider with the passphrase split into two files.
1074The provider can be attached using those two files or by entering
1075.Dq foobar
1076as the passphrase at the
1077.Nm
1078prompt:
1079.Bd -literal -offset indent
1080# echo foo > da0.pass0
1081# echo bar > da0.pass1
1082# geli init -J da0.pass0 -J da0.pass1 da0
1083# geli attach -j da0.pass0 -j da0.pass1 da0
1084# geli detach da0
1085# geli attach da0
1086Enter passphrase: foobar
1087.Ed
1088.Pp
1089Suspend all
1090.Nm
1091devices on a laptop, suspend the laptop, then resume devices one by one after
1092resuming the laptop:
1093.Bd -literal -offset indent
1094# geli suspend -a
1095# zzz
1096<resume your laptop>
1097# geli resume -p -k keyfile gpt/secret
1098# geli resume gpt/private
1099Enter passphrase:
1100.Ed
1101.Pp
1102To create a
1103.Nm
1104encrypted filesystem with a file as storage device follow this example.
1105First a file named private0 is created in
1106.Pa /usr
1107and attached as a memory disk like
1108.Pa /dev/md0
1109for example.
1110.Bd -literal -offset indent
1111# dd if=/dev/zero of=/usr/private0 bs=1m count=256
1112# chmod 0600 /usr/private0
1113# mdconfig -t vnode -f /usr/private0
1114.Ed
1115.Pp
1116It is recommended to place the following line in
1117.Xr rc.conf 5
1118to have the memory disk automatically created during boot.
1119.Bd -literal -offset indent
1120mdconfig_md0="-t vnode -f /usr/private0"
1121.Ed
1122.Pp
1123After
1124.Pa /dev/md0
1125is created a random key has to be generated and stored in a secure location,
1126like
1127.Pa /root
1128for example.
1129This key should be protected by a passphrase, which
1130is requested when geli init is called.
1131.Bd -literal -offset indent
1132# dd if=/dev/random of=/root/private0.key bs=64 count=1
1133# geli init -K /root/private0.key -s 4096 /dev/md0
1134Enter new passphrase:
1135Reenter new passphrase:
1136# geli attach -k /root/private0.key /dev/md0
1137Enter passphrase:
1138# dd if=/dev/random of=/dev/md0.eli bs=1m
1139.Ed
1140.Pp
1141Once the initialization of the
1142.Pa /dev/md0.eli
1143device is ready create a UFS filesystem and mount it for example in
1144.Pa /private .
1145.Bd -literal -offset indent
1146# newfs /dev/md0.eli
1147# mount /dev/md0.eli /private
1148.Ed
1149.Pp
1150After a system reboot the
1151.Nm
1152device can be mounted again with the following commands.
1153The call of geli attach will ask for the passphrase.
1154It is recommended to do this procedure after the boot, because otherwise
1155the boot process would be waiting for the passphrase input.
1156.Bd -literal -offset indent
1157# geli attach -k /root/private0.key /dev/md0
1158Enter passphrase:
1159# mount /dev/md0.eli /private
1160.Ed
1161.Sh ENCRYPTION MODES
1162.Nm
1163supports two encryption modes:
1164.Nm XTS ,
1165which was standardized as
1166.Nm IEEE P1619
1167and
1168.Nm CBC
1169with unpredictable IV.
1170The
1171.Nm CBC
1172mode used by
1173.Nm
1174is very similar to the mode
1175.Nm ESSIV .
1176.Sh DATA AUTHENTICATION
1177.Nm
1178can verify data integrity when an authentication algorithm is specified.
1179When data corruption/modification is detected,
1180.Nm
1181will not return any data, but instead will return an error
1182.Pq Er EINVAL .
1183The offset and size of the corrupted data will be printed on the console.
1184It is important to know against which attacks
1185.Nm
1186provides protection for your data.
1187If data is modified in-place or copied from one place on the disk
1188to another even without modification,
1189.Nm
1190should be able to detect such a change.
1191If an attacker can remember the encrypted data, he can overwrite any future
1192changes with the data he owns without it being noticed.
1193In other words
1194.Nm
1195will not protect your data against replay attacks.
1196.Pp
1197It is recommended to write to the whole provider before first use,
1198in order to make sure that all sectors and their corresponding
1199checksums are properly initialized into a consistent state.
1200One can safely ignore data authentication errors that occur immediately
1201after the first time a provider is attached and before it is
1202initialized in this way.
1203.Sh SEE ALSO
1204.Xr crypto 4 ,
1205.Xr gbde 4 ,
1206.Xr geom 4 ,
1207.Xr loader.conf 5 ,
1208.Xr gbde 8 ,
1209.Xr geom 8 ,
1210.Xr crypto 9
1211.Sh HISTORY
1212The
1213.Nm
1214utility appeared in
1215.Fx 6.0 .
1216Support for the
1217.Nm Camellia
1218block cipher was implemented by Yoshisato Yanagisawa in
1219.Fx 7.0 .
1220.Pp
1221Highest
1222.Nm GELI
1223metadata version supported by the given
1224.Fx
1225version:
1226.Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
1227.It Sy FreeBSD Ta Sy GELI
1228.It Sy version Ta Sy version
1229.Pp
1230.It Li 6.0 Ta 0
1231.It Li 6.1 Ta 0
1232.It Li 6.2 Ta 3
1233.It Li 6.3 Ta 3
1234.It Li 6.4 Ta 3
1235.Pp
1236.It Li 7.0 Ta 3
1237.It Li 7.1 Ta 3
1238.It Li 7.2 Ta 3
1239.It Li 7.3 Ta 3
1240.It Li 7.4 Ta 3
1241.Pp
1242.It Li 8.0 Ta 3
1243.It Li 8.1 Ta 3
1244.It Li 8.2 Ta 5
1245.Pp
1246.It Li 9.0 Ta 6
1247.Pp
1248.It Li 10.0 Ta 7
1249.El
1250.Sh AUTHORS
1251.An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org
1252