1.\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net> 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd April 18, 2022 28.Dt GELI 8 29.Os 30.Sh NAME 31.Nm geli 32.Nd "control utility for the cryptographic GEOM class" 33.Sh SYNOPSIS 34To compile GEOM_ELI into your kernel, add the following lines to your kernel 35configuration file: 36.Bd -ragged -offset indent 37.Cd "device crypto" 38.Cd "options GEOM_ELI" 39.Ed 40.Pp 41Alternatively, to load the GEOM_ELI module at boot time, add the following line 42to your 43.Xr loader.conf 5 : 44.Bd -literal -offset indent 45geom_eli_load="YES" 46.Ed 47.Pp 48.No Usage of the Nm 49utility: 50.Pp 51.Nm 52.Cm init 53.Op Fl bdgPRTv 54.Op Fl a Ar aalgo 55.Op Fl B Ar backupfile 56.Op Fl e Ar ealgo 57.Op Fl i Ar iterations 58.Op Fl J Ar newpassfile 59.Op Fl K Ar newkeyfile 60.Op Fl l Ar keylen 61.Op Fl s Ar sectorsize 62.Op Fl V Ar version 63.Ar prov ... 64.Nm 65.Cm label - an alias for 66.Cm init 67.Nm 68.Cm attach 69.Op Fl Cdprv 70.Op Fl n Ar keyno 71.Op Fl j Ar passfile 72.Op Fl k Ar keyfile 73.Ar prov ... 74.Nm 75.Cm detach 76.Op Fl fl 77.Ar prov ... 78.Nm 79.Cm stop - an alias for 80.Cm detach 81.Nm 82.Cm onetime 83.Op Fl dRT 84.Op Fl a Ar aalgo 85.Op Fl e Ar ealgo 86.Op Fl l Ar keylen 87.Op Fl s Ar sectorsize 88.Ar prov 89.Nm 90.Cm configure 91.Op Fl bBdDgGrRtT 92.Ar prov ... 93.Nm 94.Cm setkey 95.Op Fl pPv 96.Op Fl i Ar iterations 97.Op Fl j Ar passfile 98.Op Fl J Ar newpassfile 99.Op Fl k Ar keyfile 100.Op Fl K Ar newkeyfile 101.Op Fl n Ar keyno 102.Ar prov 103.Nm 104.Cm delkey 105.Op Fl afv 106.Op Fl n Ar keyno 107.Ar prov 108.Nm 109.Cm kill 110.Op Fl av 111.Op Ar prov ... 112.Nm 113.Cm backup 114.Op Fl v 115.Ar prov 116.Ar file 117.Nm 118.Cm restore 119.Op Fl fv 120.Ar file 121.Ar prov 122.Nm 123.Cm suspend 124.Op Fl v 125.Fl a | Ar prov ... 126.Nm 127.Cm resume 128.Op Fl pv 129.Op Fl j Ar passfile 130.Op Fl k Ar keyfile 131.Ar prov 132.Nm 133.Cm resize 134.Op Fl v 135.Fl s Ar oldsize 136.Ar prov 137.Nm 138.Cm version 139.Op Ar prov ... 140.Nm 141.Cm clear 142.Op Fl v 143.Ar prov ... 144.Nm 145.Cm dump 146.Op Fl v 147.Ar prov ... 148.Nm 149.Cm list 150.Nm 151.Cm status 152.Nm 153.Cm load 154.Nm 155.Cm unload 156.Sh DESCRIPTION 157The 158.Nm 159utility is used to configure encryption on GEOM providers. 160.Pp 161The following is a list of the most important features: 162.Pp 163.Bl -bullet -offset indent -compact 164.It 165Utilizes the 166.Xr crypto 9 167framework, so when there is crypto hardware available, 168.Nm 169will make use of it automatically. 170.It 171Supports many cryptographic algorithms (currently 172.Nm AES-XTS , 173.Nm AES-CBC , 174and 175.Nm Camellia-CBC ) . 176.It 177Can optionally perform data authentication (integrity verification) utilizing 178one of the following algorithms: 179.Nm HMAC/SHA1 , 180.Nm HMAC/RIPEMD160 , 181.Nm HMAC/SHA256 , 182.Nm HMAC/SHA384 183or 184.Nm HMAC/SHA512 . 185.It 186Can create a User Key from up to two, piecewise components: a passphrase 187entered via prompt or read from one or more passfiles; a keyfile read from 188one or more files. 189.It 190Allows encryption of the root partition. 191The user is asked for the passphrase before the root filesystem is mounted. 192.It 193Strengthens the passphrase component of the User Key with: 194.Rs 195.%A B. Kaliski 196.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0." 197.%R RFC 198.%N 2898 199.Re 200.It 201Allows the use of two independent User Keys (e.g., a 202.Qq "user key" 203and a 204.Qq "company key" ) . 205.It 206It is fast - 207.Nm 208performs simple sector-to-sector encryption. 209.It 210Allows the encrypted Master Key to be backed up and restored, 211so that if a user has to quickly destroy key material, 212it is possible to get the data back by restoring keys from 213backup. 214.It 215Providers can be configured to automatically detach on last close, 216so users do not have to remember to detach providers after unmounting 217the filesystems. 218.It 219Allows attaching a provider with a random, one-time Master Key, 220which is useful for swap partitions and temporary filesystems. 221.It 222Allows verification of data integrity (data authentication). 223.It 224Allows suspending and resuming encrypted devices. 225.El 226.Pp 227The first argument to 228.Nm 229indicates an action to be performed: 230.Bl -tag -width ".Cm configure" 231.It Cm init 232Initialize providers which need to be encrypted. 233If multiple providers are listed as arguments, they will all be initialized 234with the same passphrase and/or User Key. 235A unique salt will be randomly generated for each provider to ensure the 236Master Key for each is unique. 237Here you can set up the cryptographic algorithm to use, Data Key length, 238etc. 239The last sector of the providers is used to store metadata. 240The 241.Cm init 242subcommand also automatically writes metadata backups to 243.Pa /var/backups/<prov>.eli 244file. 245The metadata can be recovered with the 246.Cm restore 247subcommand described below. 248.Pp 249Additional options include: 250.Bl -tag -width ".Fl J Ar newpassfile" 251.It Fl a Ar aalgo 252Enable data integrity verification (authentication) using the given algorithm. 253This will reduce the size of storage available and also reduce speed. 254For example, when using 4096 bytes sector and 255.Nm HMAC/SHA256 256algorithm, 89% of the original provider storage will be available for use. 257Currently supported algorithms are: 258.Nm HMAC/SHA1 , 259.Nm HMAC/RIPEMD160 , 260.Nm HMAC/SHA256 , 261.Nm HMAC/SHA384 262and 263.Nm HMAC/SHA512 . 264If the option is not given, there will be no authentication, only encryption. 265The recommended algorithm is 266.Nm HMAC/SHA256 . 267.It Fl b 268Try to decrypt this partition during boot, before the root partition is mounted. 269This makes it possible to use an encrypted root partition. 270One will still need bootable unencrypted storage with a 271.Pa /boot/ 272directory, which can be a CD-ROM disc or USB pen-drive, that can be removed 273after boot. 274.It Fl B Ar backupfile 275File name to use for metadata backup instead of the default 276.Pa /var/backups/<prov>.eli . 277To inhibit backups, you can use 278.Pa none 279as the 280.Ar backupfile . 281If multiple providers were initialized in the one command, you can use 282.Pa PROV 283(all upper-case) in the file name, and it will be replaced with the provider 284name. 285If 286.Pa PROV 287is not found in the file name and multiple providers were initialized in the 288one command, 289.Pa -<prov> 290will be appended to the end of the file name specified. 291.It Fl d 292When entering the passphrase to boot from this encrypted root filesystem, echo 293.Ql * 294characters. 295This makes the length of the passphrase visible. 296.It Fl e Ar ealgo 297Encryption algorithm to use. 298Currently supported algorithms are: 299.Nm AES-XTS , 300.Nm AES-CBC , 301.Nm Camellia-CBC , 302and 303.Nm NULL . 304The default and recommended algorithm is 305.Nm AES-XTS . 306.Nm NULL 307is unencrypted. 308.It Fl g 309Enable booting from this encrypted root filesystem. 310The boot loader prompts for the passphrase and loads 311.Xr loader 8 312from the encrypted partition. 313.It Fl i Ar iterations 314Number of iterations to use with PKCS#5v2 when processing User Key 315passphrase component. 316If this option is not specified, 317.Nm 318will find the number of iterations which is equal to 2 seconds of crypto work. 319If 0 is given, PKCS#5v2 will not be used. 320PKCS#5v2 processing is performed once, after all parts of the passphrase 321component have been read. 322.It Fl J Ar newpassfile 323Specifies a file which contains the passphrase component of the User Key 324(or part of it). 325If 326.Ar newpassfile 327is given as -, standard input will be used. 328Only the first line (excluding new-line character) is taken from the given file. 329This argument can be specified multiple times, which has the effect of 330reassembling a single passphrase split across multiple files. 331Cannot be combined with the 332.Fl P 333option. 334.It Fl K Ar newkeyfile 335Specifies a file which contains the keyfile component of the User Key 336(or part of it). 337If 338.Ar newkeyfile 339is given as -, standard input will be used. 340This argument can be specified multiple times, which has the effect of 341reassembling a single keyfile split across multiple keyfile parts. 342.It Fl l Ar keylen 343Data Key length to use with the given cryptographic algorithm. 344If the length is not specified, the selected algorithm uses its 345.Em default 346key length. 347.Bl -ohang -offset indent 348.It Nm AES-XTS 349.Em 128 , 350256 351.It Nm AES-CBC , Nm Camellia-CBC 352.Em 128 , 353192, 354256 355.El 356.It Fl P 357Do not use a passphrase as a component of the User Key. 358Cannot be combined with the 359.Fl J 360option. 361.It Fl s Ar sectorsize 362Change decrypted provider's sector size. 363Increasing the sector size allows increased performance, 364because encryption/decryption which requires an initialization vector 365is done per sector; fewer sectors means less computational work. 366.It Fl R 367Turn off automatic expansion. 368By default, if the underlying provider grows, the encrypted provider will 369grow automatically too. 370The metadata will be moved to the new location. 371If automatic expansion if turned off and the underlying provider changes 372size, attaching encrypted provider will no longer be possible as the metadata 373will no longer be located in the last sector. 374In this case 375.Nm GELI 376will only log the previous size of the underlying provider, so metadata can 377be found easier, if resize was done by mistake. 378.It Fl T 379Don't pass through 380.Dv BIO_DELETE 381calls (i.e., TRIM/UNMAP). 382This can prevent an attacker from knowing how much space you're actually 383using and which sectors contain live data, but will also prevent the 384backing store (SSD, etc) from reclaiming space you're not using, which 385may degrade its performance and lifespan. 386The underlying provider may or may not actually obliterate the deleted 387sectors when TRIM is enabled, so it should not be considered to add any 388security. 389.It Fl V Ar version 390Metadata version to use. 391This option is helpful when creating a provider that may be used by older 392.Nm FreeBSD/GELI 393versions. 394Consult the 395.Sx HISTORY 396section to find which metadata version is supported by which 397.Fx 398version. 399Note that using an older version of metadata may limit the number of 400features available. 401.El 402.It Cm attach 403Attach the given providers. 404The encrypted Master Keys are loaded from the metadata and decrypted 405using the given passphrase/keyfile and new GEOM providers are created 406using the specified provider names. 407A 408.Qq .eli 409suffix is added to the user specified provider names. 410Multiple providers can only be attached with a single 411.Cm attach 412command if they all have the same passphrase and keyfiles. 413.Pp 414Additional options include: 415.Bl -tag -width ".Fl j Ar passfile" 416.It Fl C 417Do a dry-run decryption. 418This is useful to verify passphrase and keyfile without decrypting the device. 419.It Fl d 420If specified, the decrypted providers are detached automatically on last close, 421so the user does not have to remember to detach 422providers after unmounting the filesystems. 423This only works when providers were opened for writing, and will not work if 424the filesystems on the providers were mounted read-only. 425Probably a better choice is the 426.Fl l 427option for the 428.Cm detach 429subcommand. 430.It Fl n Ar keyno 431Specifies the index number of the Master Key copy to use (could be 0 or 1). 432If the index number is not provided all keys will be tested. 433.It Fl j Ar passfile 434Specifies a file which contains the passphrase component of the User Key 435(or part of it). 436For more information see the description of the 437.Fl J 438option for the 439.Cm init 440subcommand. 441The same passfiles are used for all listed providers. 442.It Fl k Ar keyfile 443Specifies a file which contains the keyfile component of the User Key 444(or part of it). 445For more information see the description of the 446.Fl K 447option for the 448.Cm init 449subcommand. 450The same keyfiles are used for all listed providers. 451.It Fl p 452Do not use a passphrase as a component of the User Keys. 453Cannot be combined with the 454.Fl j 455option. 456.It Fl r 457Attach read-only providers. 458They are not opened for writing. 459.El 460.It Cm detach 461Detach the given providers, which means remove the devfs entry 462and clear the Master Key and Data Keys from memory. 463.Pp 464Additional options include: 465.Bl -tag -width ".Fl f" 466.It Fl f 467Force detach - detach even if the provider is open. 468.It Fl l 469Mark provider to detach on last close, after the last filesystem has been 470unmounted. 471If this option is specified, the provider will not be detached 472while it is open, but will be automatically detached when it is closed for the 473last time even if it was only opened for reading. 474.El 475.It Cm onetime 476Attach the given providers with a random, one-time (ephemeral) Master Key. 477The command can be used to encrypt swap partitions or temporary filesystems. 478.Pp 479Additional options include: 480.Bl -tag -width ".Fl a Ar sectorsize" 481.It Fl a Ar aalgo 482Enable data integrity verification (authentication). 483For more information, see the description of the 484.Cm init 485subcommand. 486.It Fl e Ar ealgo 487Encryption algorithm to use. 488For more information, see the description of the 489.Cm init 490subcommand. 491.It Fl d 492Detach on last close, after the last filesystem has been unmounted. 493Note: this option is not usable for temporary filesystems as the provider is 494detached after the filesystem has been created. 495It still can, and should, be used for swap partitions. 496For more information, see the description of the 497.Cm attach 498subcommand. 499.It Fl l Ar keylen 500Data Key length to use with the given cryptographic algorithm. 501For more information, see the description of the 502.Cm init 503subcommand. 504.It Fl s Ar sectorsize 505Change decrypted provider's sector size. 506For more information, see the description of the 507.Cm init 508subcommand. 509.It Fl R 510Turn off automatic expansion. 511For more information, see the description of the 512.Cm init 513subcommand. 514.It Fl T 515Disable TRIM/UNMAP passthru. 516For more information, see the description of the 517.Cm init 518subcommand. 519.El 520.It Cm configure 521Change configuration of the given providers. 522.Pp 523Additional options include: 524.Bl -tag -width ".Fl b" 525.It Fl b 526Set the BOOT flag on the given providers. 527For more information, see the description of the 528.Cm init 529subcommand. 530.It Fl B 531Remove the BOOT flag from the given providers. 532.It Fl d 533When entering the passphrase to boot from this encrypted root filesystem, echo 534.Ql * 535characters. 536This makes the length of the passphrase visible. 537.It Fl D 538Disable echoing of any characters when a passphrase is entered to boot from this 539encrypted root filesystem. 540This hides the passphrase length. 541.It Fl g 542Enable booting from this encrypted root filesystem. 543The boot loader prompts for the passphrase and loads 544.Xr loader 8 545from the encrypted partition. 546.It Fl G 547Deactivate booting from this encrypted root partition. 548.It Fl r 549Turn on automatic expansion. 550For more information, see the description of the 551.Cm init 552subcommand. 553.It Fl R 554Turn off automatic expansion. 555.It Fl t 556Enable TRIM/UNMAP passthru. 557For more information, see the description of the 558.Cm init 559subcommand. 560.It Fl T 561Disable TRIM/UNMAP passthru. 562.El 563.It Cm setkey 564Install a copy of the Master Key into the selected slot, encrypted with 565a new User Key. 566If the selected slot is populated, replace the existing copy. 567A provider has one Master Key, which can be stored in one or both slots, 568each encrypted with an independent User Key. 569With the 570.Cm init 571subcommand, only key number 0 is initialized. 572The User Key can be changed at any time: for an attached provider, 573for a detached provider, or on the backup file. 574When a provider is attached, the user does not have to provide 575an existing passphrase/keyfile. 576.Pp 577Additional options include: 578.Bl -tag -width ".Fl J Ar newpassfile" 579.It Fl i Ar iterations 580Number of iterations to use with PKCS#5v2. 581If 0 is given, PKCS#5v2 will not be used. 582To be able to use this option with the 583.Cm setkey 584subcommand, only one key has to be defined and this key must be changed. 585.It Fl j Ar passfile 586Specifies a file which contains the passphrase component of a current User Key 587(or part of it). 588.It Fl J Ar newpassfile 589Specifies a file which contains the passphrase component of the new User Key 590(or part of it). 591.It Fl k Ar keyfile 592Specifies a file which contains the keyfile component of a current User Key 593(or part of it). 594.It Fl K Ar newkeyfile 595Specifies a file which contains the keyfile component of the new User Key 596(or part of it). 597.It Fl n Ar keyno 598Specifies the index number of the Master Key copy to change (could be 0 or 1). 599If the provider is attached and no key number is given, the key 600used for attaching the provider will be changed. 601If the provider is detached (or we are operating on a backup file) 602and no key number is given, the first Master Key copy to be successfully 603decrypted with the provided User Key passphrase/keyfile will be changed. 604.It Fl p 605Do not use a passphrase as a component of the current User Key. 606Cannot be combined with the 607.Fl j 608option. 609.It Fl P 610Do not use a passphrase as a component of the new User Key. 611Cannot be combined with the 612.Fl J 613option. 614.El 615.It Cm delkey 616Destroy (overwrite with random data) the selected Master Key copy. 617If one is destroying keys for an attached provider, the provider 618will not be detached even if all copies of the Master Key are destroyed. 619It can even be rescued with the 620.Cm setkey 621subcommand because the Master Key is still in memory. 622.Pp 623Additional options include: 624.Bl -tag -width ".Fl a Ar keyno" 625.It Fl a 626Destroy all copies of the Master Key (does not need 627.Fl f 628option). 629.It Fl f 630Force key destruction. 631This option is needed to destroy the last copy of the Master Key. 632.It Fl n Ar keyno 633Specifies the index number of the Master Key copy. 634If the provider is attached and no key number is given, the key 635used for attaching the provider will be destroyed. 636If provider is detached (or we are operating on a backup file) the key number 637has to be given. 638.El 639.It Cm kill 640This command should be used only in emergency situations. 641It will destroy all copies of the Master Key on a given provider and will 642detach it forcibly (if it is attached). 643This is absolutely a one-way command - if you do not have a metadata 644backup, your data is gone for good. 645In case the provider was attached with the 646.Fl r 647flag, the keys will not be destroyed, only the provider will be detached. 648.Pp 649Additional options include: 650.Bl -tag -width ".Fl a" 651.It Fl a 652If specified, all currently attached providers will be killed. 653.El 654.It Cm backup 655Backup metadata from the given provider to the given file. 656.It Cm restore 657Restore metadata from the given file to the given provider. 658.Pp 659Additional options include: 660.Bl -tag -width ".Fl f" 661.It Fl f 662Metadata contains the size of the provider to ensure that the correct 663partition or slice is attached. 664If an attempt is made to restore metadata to a provider that has a different 665size, 666.Nm 667will refuse to restore the data unless the 668.Fl f 669switch is used. 670If the partition or slice has been grown, the 671.Cm resize 672subcommand should be used rather than attempting to relocate the metadata 673through 674.Cm backup 675and 676.Cm restore . 677.El 678.It Cm suspend 679Suspend device by waiting for all inflight requests to finish, clearing all 680sensitive information such as the Master Key and Data Keys from kernel memory, 681and blocking all further I/O requests until the 682.Cm resume 683subcommand is executed. 684This functionality is useful for laptops. 685Suspending a laptop should not leave an encrypted device attached. 686The 687.Cm suspend 688subcommand can be used rather than closing all files and directories from 689filesystems on the encrypted device, unmounting the filesystem, and 690detaching the device. 691Any access to the encrypted device will be blocked until the Master Key is 692reloaded through the 693.Cm resume 694subcommand. 695Thus there is no need to close nor unmount anything. 696The 697.Cm suspend 698subcommand does not work with devices created with the 699.Cm onetime 700subcommand. 701Please note that sensitive data might still be present in memory locations 702such as the filesystem cache after suspending an encrypted device. 703.Pp 704Additional options include: 705.Bl -tag -width ".Fl a" 706.It Fl a 707Suspend all 708.Nm 709devices. 710.El 711.It Cm resume 712Resume previously suspended device. 713The caller must ensure that executing this subcommand does not access the 714suspended device, leading to a deadlock. 715For example, suspending a device which contains the filesystem where the 716.Nm 717utility is stored is a bad idea. 718.Pp 719Additional options include: 720.Bl -tag -width ".Fl j Ar passfile" 721.It Fl j Ar passfile 722Specifies a file which contains the passphrase component of the User Key, 723or part of it. 724For more information see the description of the 725.Fl J 726option for the 727.Cm init 728subcommand. 729.It Fl k Ar keyfile 730Specifies a file which contains the keyfile component of the User Key, 731or part of it. 732For more information see the description of the 733.Fl K 734option for the 735.Cm init 736subcommand. 737.It Fl p 738Do not use a passphrase as a component of the User Key. 739Cannot be combined with the 740.Fl j 741option. 742.El 743.It Cm resize 744Inform 745.Nm 746that the provider has been resized. 747The old metadata block is relocated to the correct position at the end of the 748provider and the provider size is updated. 749.Pp 750Additional options include: 751.Bl -tag -width ".Fl s Ar oldsize" 752.It Fl s Ar oldsize 753The size of the provider before it was resized. 754.El 755.It Cm version 756If no arguments are given, the 757.Cm version 758subcommand will print the version of 759.Nm 760userland utility as well as the version of the 761.Nm ELI 762GEOM class. 763.Pp 764If GEOM providers are specified, the 765.Cm version 766subcommand will print metadata version used by each of them. 767.It Cm clear 768Clear metadata from the given providers. 769.Em WARNING : 770This will erase with zeros the encrypted Master Key copies stored in the 771metadata. 772.It Cm dump 773Dump metadata stored on the given providers. 774.It Cm list 775See 776.Xr geom 8 . 777.It Cm status 778See 779.Xr geom 8 . 780.It Cm load 781See 782.Xr geom 8 . 783.It Cm unload 784See 785.Xr geom 8 . 786.El 787.Pp 788Additional options include: 789.Bl -tag -width ".Fl v" 790.It Fl v 791Be more verbose. 792.El 793.Sh KEY SUMMARY 794.Ss Master Key 795Upon 796.Cm init , 797the 798.Nm 799utility generates a random Master Key for the provider. 800The Master Key never changes during the lifetime of the provider. 801Each copy of the provider metadata, active or backed up to a file, can store 802up to two, independently-encrypted copies of the Master Key. 803.Ss User Key 804Each stored copy of the Master Key is encrypted with a User Key, which 805is generated by the 806.Nm 807utility from a passphrase and/or a keyfile. 808The 809.Nm 810utility first reads all parts of the keyfile in the order specified on the 811command line, then reads all parts of the stored passphrase in the order 812specified on the command line. 813If no passphrase parts are specified, the system prompts the user to enter 814the passphrase. 815The passphrase is optionally strengthened by PKCS#5v2. 816The User Key is a digest computed over the concatenated keyfile and passphrase. 817.Ss Data Key 818During operation, one or more Data Keys are deterministically derived by 819the kernel from the Master Key and cached in memory. 820The number of Data Keys used by a given provider, and the way they are 821derived, depend on the GELI version and whether the provider is configured to 822use data authentication. 823.Sh SYSCTL VARIABLES 824The following 825.Xr sysctl 8 826variables can be used to control the behavior of the 827.Nm ELI 828GEOM class. 829The default value is shown next to each variable. 830Some variables can also be set in 831.Pa /boot/loader.conf . 832.Bl -tag -width indent 833.It Va kern.geom.eli.version 834Version number of the 835.Nm ELI 836GEOM class. 837.It Va kern.geom.eli.debug : No 0 838Debug level of the 839.Nm ELI 840GEOM class. 841This can be set to a number between 0 and 3 inclusive. 842If set to 0, minimal debug information is printed. 843If set to 3, the 844maximum amount of debug information is printed. 845.It Va kern.geom.eli.tries : No 3 846Number of times a user is asked for the passphrase. 847This is only used for providers which are attached on boot, 848before the root filesystem is mounted. 849If set to 0, attaching providers on boot will be disabled. 850This variable should be set in 851.Pa /boot/loader.conf . 852.It Va kern.geom.eli.overwrites : No 5 853Specifies how many times the Master Key is overwritten 854with random values when it is destroyed. 855After this operation it is filled with zeros. 856.It Va kern.geom.eli.visible_passphrase : No 0 857If set to 1, the passphrase entered on boot will be visible. 858This alternative should be used with caution as the entered 859passphrase can be logged and exposed via 860.Xr dmesg 8 . 861This variable should be set in 862.Pa /boot/loader.conf . 863.It Va kern.geom.eli.threads : No 0 864Specifies how many kernel threads should be used for doing software 865cryptography. 866Its purpose is to increase performance on SMP systems. 867If set to 0, a CPU-pinned thread will be started for every active CPU. 868.It Va kern.geom.eli.batch : No 0 869When set to 1, can speed-up crypto operations by using batching. 870Batching reduces the number of interrupts by responding to a group of 871crypto requests with one interrupt. 872The crypto card and the driver has to support this feature. 873.It Va kern.geom.eli.key_cache_limit : No 8192 874Specifies how many Data Keys to cache. 875The default limit 876(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte 877sectors and will take around 1MB of memory. 878.It Va kern.geom.eli.key_cache_hits 879Reports how many times we were looking up a Data Key and it was already in 880cache. 881This sysctl is not updated for providers that need fewer Data Keys than 882the limit specified in 883.Va kern.geom.eli.key_cache_limit . 884.It Va kern.geom.eli.key_cache_misses 885Reports how many times we were looking up a Data Key and it was not in cache. 886This sysctl is not updated for providers that need fewer Data Keys than the limit 887specified in 888.Va kern.geom.eli.key_cache_limit . 889.Va kern.geom.eli.unmapped_io 890Enable support for unmapped I/O buffers, currently implemented only on 64-bit 891platforms. 892This is an optimization which reduces the overhead of I/O processing. 893This variable is intended for debugging purposes and must be set in 894.Pa /boot/loader.conf . 895.El 896.Sh EXIT STATUS 897Exit status is 0 on success, and 1 if the command fails. 898.Sh EXAMPLES 899Initialize a provider which is going to be encrypted with a 900passphrase and random data from a file on the user's pen drive. 901Use 4kB sector size. 902Attach the provider, create a filesystem, and mount it. 903Do the work. 904Unmount the provider and detach it: 905.Bd -literal -offset indent 906# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1 907# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2 908Enter new passphrase: 909Reenter new passphrase: 910# geli attach -k /mnt/pendrive/da2.key /dev/da2 911Enter passphrase: 912# dd if=/dev/random of=/dev/da2.eli bs=1m 913# newfs /dev/da2.eli 914# mount /dev/da2.eli /mnt/secret 915\&... 916# umount /mnt/secret 917# geli detach da2.eli 918.Ed 919.Pp 920Create an encrypted provider, but use two User Keys: 921one for your employee and one for you as the company's security officer 922(so it is not a tragedy if the employee 923.Qq accidentally 924forgets his passphrase): 925.Bd -literal -offset indent 926# geli init /dev/da2 927Enter new passphrase: (enter security officer's passphrase) 928Reenter new passphrase: 929# geli setkey -n 1 /dev/da2 930Enter passphrase: (enter security officer's passphrase) 931Enter new passphrase: (let your employee enter his passphrase ...) 932Reenter new passphrase: (... twice) 933.Ed 934.Pp 935You are the security officer in your company. 936Create an encrypted provider for use by the user, but remember that users 937forget their passphrases, so backup the Master Key with your own random key: 938.Bd -literal -offset indent 939# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1 940# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e 941# geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname` 942(use key number 0, so the encrypted Master Key will be re-encrypted by this) 943# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e 944(allow the user to enter his passphrase) 945Enter new passphrase: 946Reenter new passphrase: 947.Ed 948.Pp 949Encrypted swap partition setup: 950.Bd -literal -offset indent 951# dd if=/dev/random of=/dev/ada0s1b bs=1m 952# geli onetime -d ada0s1b 953# swapon /dev/ada0s1b.eli 954.Ed 955.Pp 956The example below shows how to configure two providers which will be attached 957on boot, before the root filesystem is mounted. 958One of them is using passphrase and three keyfile parts and the other is 959using only a keyfile in one part: 960.Bd -literal -offset indent 961# dd if=/dev/random of=/dev/da0 bs=1m 962# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1 963# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1 964# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1 965# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0 966Enter new passphrase: 967Reenter new passphrase: 968# dd if=/dev/random of=/dev/da1s3a bs=1m 969# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1 970# geli init -b -P -K /boot/keys/da1s3a.key da1s3a 971.Ed 972.Pp 973The providers are initialized, now we have to add these lines to 974.Pa /boot/loader.conf : 975.Bd -literal -offset indent 976geli_da0_keyfile0_load="YES" 977geli_da0_keyfile0_type="da0:geli_keyfile0" 978geli_da0_keyfile0_name="/boot/keys/da0.key0" 979geli_da0_keyfile1_load="YES" 980geli_da0_keyfile1_type="da0:geli_keyfile1" 981geli_da0_keyfile1_name="/boot/keys/da0.key1" 982geli_da0_keyfile2_load="YES" 983geli_da0_keyfile2_type="da0:geli_keyfile2" 984geli_da0_keyfile2_name="/boot/keys/da0.key2" 985 986geli_da1s3a_keyfile0_load="YES" 987geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0" 988geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key" 989.Ed 990.Pp 991If there is only one keyfile, the index might be omitted: 992.Bd -literal -offset indent 993geli_da1s3a_keyfile_load="YES" 994geli_da1s3a_keyfile_type="da1s3a:geli_keyfile" 995geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key" 996.Ed 997.Pp 998By convention, these loader variables are called 999.Sm off 1000.Va geli_ No < Ar device No > Va _load . 1001.Sm on 1002However, the actual name prefix before 1003.Va _load , _type , 1004or 1005.Va _name 1006does not matter. 1007At boot time, the 1008.Nm 1009module searches through all 1010.Sm off 1011.No < Va prefix No > Va _type No -like 1012.Sm on 1013variables that have a value of 1014.Sm off 1015.Dq < Ar device No > :geli_keyfile . 1016.Sm on 1017The paths to keyfiles are then extracted from 1018.Sm off 1019.No < Ar prefix No > Va _name 1020.Sm on 1021variables. 1022In the example above, 1023.Ar prefix 1024is 1025.Dq Li geli_da1s3a_keyfile . 1026.Pp 1027Not only configure encryption, but also data integrity verification using 1028.Nm HMAC/SHA256 . 1029.Bd -literal -offset indent 1030# geli init -a hmac/sha256 -s 4096 /dev/da0 1031Enter new passphrase: 1032Reenter new passphrase: 1033# geli attach /dev/da0 1034Enter passphrase: 1035# dd if=/dev/random of=/dev/da0.eli bs=1m 1036# newfs /dev/da0.eli 1037# mount /dev/da0.eli /mnt/secret 1038.Ed 1039.Pp 1040.Cm geli 1041writes the metadata backup by default to the 1042.Pa /var/backups/<prov>.eli 1043file. 1044If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored. 1045Consider the following situation: 1046.Bd -literal -offset indent 1047# geli init /dev/da0 1048Enter new passphrase: 1049Reenter new passphrase: 1050 1051Metadata backup can be found in /var/backups/da0.eli and 1052can be restored with the following command: 1053 1054 # geli restore /var/backups/da0.eli /dev/da0 1055 1056# geli clear /dev/da0 1057# geli attach /dev/da0 1058geli: Cannot read metadata from /dev/da0: Invalid argument. 1059# geli restore /var/backups/da0.eli /dev/da0 1060# geli attach /dev/da0 1061Enter passphrase: 1062.Ed 1063.Pp 1064If an encrypted filesystem is extended, it is necessary to relocate and 1065update the metadata: 1066.Bd -literal -offset indent 1067# gpart create -s GPT ada0 1068# gpart add -s 1g -t freebsd-ufs -i 1 ada0 1069# geli init -K keyfile -P ada0p1 1070# gpart resize -s 2g -i 1 ada0 1071# geli resize -s 1g ada0p1 1072# geli attach -k keyfile -p ada0p1 1073.Ed 1074.Pp 1075Initialize provider with the passphrase split into two files. 1076The provider can be attached using those two files or by entering 1077.Dq foobar 1078as the passphrase at the 1079.Nm 1080prompt: 1081.Bd -literal -offset indent 1082# echo foo > da0.pass0 1083# echo bar > da0.pass1 1084# geli init -J da0.pass0 -J da0.pass1 da0 1085# geli attach -j da0.pass0 -j da0.pass1 da0 1086# geli detach da0 1087# geli attach da0 1088Enter passphrase: foobar 1089.Ed 1090.Pp 1091Suspend all 1092.Nm 1093devices on a laptop, suspend the laptop, then resume devices one by one after 1094resuming the laptop: 1095.Bd -literal -offset indent 1096# geli suspend -a 1097# zzz 1098<resume your laptop> 1099# geli resume -p -k keyfile gpt/secret 1100# geli resume gpt/private 1101Enter passphrase: 1102.Ed 1103.Pp 1104To create a 1105.Nm 1106encrypted filesystem with a file as storage device follow this example. 1107First a file named private0 is created in 1108.Pa /usr 1109and attached as a memory disk like 1110.Pa /dev/md0 1111for example. 1112.Bd -literal -offset indent 1113# dd if=/dev/zero of=/usr/private0 bs=1m count=256 1114# chmod 0600 /usr/private0 1115# mdconfig -t vnode -f /usr/private0 1116.Ed 1117.Pp 1118It is recommended to place the following line in 1119.Xr rc.conf 5 1120to have the memory disk automatically created during boot. 1121.Bd -literal -offset indent 1122mdconfig_md0="-t vnode -f /usr/private0" 1123.Ed 1124.Pp 1125After 1126.Pa /dev/md0 1127is created a random key has to be generated and stored in a secure location, 1128like 1129.Pa /root 1130for example. 1131This key should be protected by a passphrase, which 1132is requested when geli init is called. 1133.Bd -literal -offset indent 1134# dd if=/dev/random of=/root/private0.key bs=64 count=1 1135# geli init -K /root/private0.key -s 4096 /dev/md0 1136Enter new passphrase: 1137Reenter new passphrase: 1138# geli attach -k /root/private0.key /dev/md0 1139Enter passphrase: 1140# dd if=/dev/random of=/dev/md0.eli bs=1m 1141.Ed 1142.Pp 1143Once the initialization of the 1144.Pa /dev/md0.eli 1145device is ready create a UFS filesystem and mount it for example in 1146.Pa /private . 1147.Bd -literal -offset indent 1148# newfs /dev/md0.eli 1149# mount /dev/md0.eli /private 1150.Ed 1151.Pp 1152After a system reboot the 1153.Nm 1154device can be mounted again with the following commands. 1155The call of geli attach will ask for the passphrase. 1156It is recommended to do this procedure after the boot, because otherwise 1157the boot process would be waiting for the passphrase input. 1158.Bd -literal -offset indent 1159# geli attach -k /root/private0.key /dev/md0 1160Enter passphrase: 1161# mount /dev/md0.eli /private 1162.Ed 1163.Sh ENCRYPTION MODES 1164.Nm 1165supports two encryption modes: 1166.Nm XTS , 1167which was standardized as 1168.Nm IEEE P1619 1169and 1170.Nm CBC 1171with unpredictable IV. 1172The 1173.Nm CBC 1174mode used by 1175.Nm 1176is very similar to the mode 1177.Nm ESSIV . 1178.Sh DATA AUTHENTICATION 1179.Nm 1180can verify data integrity when an authentication algorithm is specified. 1181When data corruption/modification is detected, 1182.Nm 1183will not return any data, but instead will return an error 1184.Pq Er EINVAL . 1185The offset and size of the corrupted data will be printed on the console. 1186It is important to know against which attacks 1187.Nm 1188provides protection for your data. 1189If data is modified in-place or copied from one place on the disk 1190to another even without modification, 1191.Nm 1192should be able to detect such a change. 1193If an attacker can remember the encrypted data, he can overwrite any future 1194changes with the data he owns without it being noticed. 1195In other words 1196.Nm 1197will not protect your data against replay attacks. 1198.Pp 1199It is recommended to write to the whole provider before first use, 1200in order to make sure that all sectors and their corresponding 1201checksums are properly initialized into a consistent state. 1202One can safely ignore data authentication errors that occur immediately 1203after the first time a provider is attached and before it is 1204initialized in this way. 1205.Sh SEE ALSO 1206.Xr crypto 4 , 1207.Xr gbde 4 , 1208.Xr geom 4 , 1209.Xr loader.conf 5 , 1210.Xr gbde 8 , 1211.Xr geom 8 , 1212.Xr crypto 9 1213.Sh HISTORY 1214The 1215.Nm 1216utility appeared in 1217.Fx 6.0 . 1218Support for the 1219.Nm Camellia 1220block cipher was implemented by Yoshisato Yanagisawa in 1221.Fx 7.0 . 1222.Pp 1223Highest 1224.Nm GELI 1225metadata version supported by the given 1226.Fx 1227version: 1228.Bl -column -offset indent ".Sy FreeBSD" ".Sy version" 1229.It Sy FreeBSD Ta Sy GELI 1230.It Sy version Ta Sy version 1231.Pp 1232.It Li 6.0 Ta 0 1233.It Li 6.1 Ta 0 1234.It Li 6.2 Ta 3 1235.It Li 6.3 Ta 3 1236.It Li 6.4 Ta 3 1237.Pp 1238.It Li 7.0 Ta 3 1239.It Li 7.1 Ta 3 1240.It Li 7.2 Ta 3 1241.It Li 7.3 Ta 3 1242.It Li 7.4 Ta 3 1243.Pp 1244.It Li 8.0 Ta 3 1245.It Li 8.1 Ta 3 1246.It Li 8.2 Ta 5 1247.Pp 1248.It Li 9.0 Ta 6 1249.Pp 1250.It Li 10.0 Ta 7 1251.El 1252.Sh AUTHORS 1253.An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org 1254