xref: /freebsd/lib/geom/eli/geli.8 (revision 7899f917b1c0ea178f1d2be0cfb452086d079d23)
1.\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd April 24, 2024
26.Dt GELI 8
27.Os
28.Sh NAME
29.Nm geli
30.Nd "control utility for the cryptographic GEOM class"
31.Sh SYNOPSIS
32To compile GEOM_ELI into your kernel, add the following lines to your kernel
33configuration file:
34.Bd -ragged -offset indent
35.Cd "device crypto"
36.Cd "options GEOM_ELI"
37.Ed
38.Pp
39Alternatively, to load the GEOM_ELI module at boot time, add the following line
40to your
41.Xr loader.conf 5 :
42.Bd -literal -offset indent
43geom_eli_load="YES"
44.Ed
45.Pp
46.No Usage of the Nm
47utility:
48.Pp
49.Nm
50.Cm init
51.Op Fl bdgPRTv
52.Op Fl a Ar aalgo
53.Op Fl B Ar backupfile
54.Op Fl e Ar ealgo
55.Op Fl i Ar iterations
56.Op Fl J Ar newpassfile
57.Op Fl K Ar newkeyfile
58.Op Fl l Ar keylen
59.Op Fl s Ar sectorsize
60.Op Fl V Ar version
61.Ar prov ...
62.Nm
63.Cm label - an alias for
64.Cm init
65.Nm
66.Cm attach
67.Op Fl Cdprv
68.Op Fl n Ar keyno
69.Op Fl j Ar passfile
70.Op Fl k Ar keyfile
71.Ar prov ...
72.Nm
73.Cm detach
74.Op Fl fl
75.Ar prov ...
76.Nm
77.Cm stop - an alias for
78.Cm detach
79.Nm
80.Cm onetime
81.Op Fl dRT
82.Op Fl a Ar aalgo
83.Op Fl e Ar ealgo
84.Op Fl l Ar keylen
85.Op Fl s Ar sectorsize
86.Ar prov
87.Nm
88.Cm configure
89.Op Fl bBdDgGrRtT
90.Ar prov ...
91.Nm
92.Cm setkey
93.Op Fl pPv
94.Op Fl i Ar iterations
95.Op Fl j Ar passfile
96.Op Fl J Ar newpassfile
97.Op Fl k Ar keyfile
98.Op Fl K Ar newkeyfile
99.Op Fl n Ar keyno
100.Ar prov
101.Nm
102.Cm delkey
103.Op Fl afv
104.Op Fl n Ar keyno
105.Ar prov
106.Nm
107.Cm kill
108.Op Fl av
109.Op Ar prov ...
110.Nm
111.Cm backup
112.Op Fl v
113.Ar prov
114.Ar file
115.Nm
116.Cm restore
117.Op Fl fv
118.Ar file
119.Ar prov
120.Nm
121.Cm suspend
122.Op Fl v
123.Fl a | Ar prov ...
124.Nm
125.Cm resume
126.Op Fl pv
127.Op Fl j Ar passfile
128.Op Fl k Ar keyfile
129.Ar prov
130.Nm
131.Cm resize
132.Op Fl v
133.Fl s Ar oldsize
134.Ar prov
135.Nm
136.Cm version
137.Op Ar prov ...
138.Nm
139.Cm clear
140.Op Fl v
141.Ar prov ...
142.Nm
143.Cm dump
144.Op Fl v
145.Ar prov ...
146.Nm
147.Cm list
148.Nm
149.Cm status
150.Nm
151.Cm load
152.Nm
153.Cm unload
154.Sh DESCRIPTION
155The
156.Nm
157utility is used to configure encryption on GEOM providers.
158.Pp
159The following is a list of the most important features:
160.Pp
161.Bl -bullet -offset indent -compact
162.It
163Utilizes the
164.Xr crypto 9
165framework, so when there is crypto hardware available,
166.Nm
167will make use of it automatically.
168.It
169Supports many cryptographic algorithms (currently
170.Nm AES-XTS ,
171.Nm AES-CBC ,
172and
173.Nm Camellia-CBC ) .
174.It
175Can optionally perform data authentication (integrity verification) utilizing
176one of the following algorithms:
177.Nm HMAC/SHA1 ,
178.Nm HMAC/RIPEMD160 ,
179.Nm HMAC/SHA256 ,
180.Nm HMAC/SHA384
181or
182.Nm HMAC/SHA512 .
183.It
184Can create a User Key from up to two, piecewise components: a passphrase
185entered via prompt or read from one or more passfiles; a keyfile read from
186one or more files.
187.It
188Allows encryption of the root partition.
189The user is asked for the passphrase before the root filesystem is mounted.
190.It
191Strengthens the passphrase component of the User Key with:
192.Rs
193.%A B. Kaliski
194.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
195.%R RFC
196.%N 2898
197.Re
198.It
199Allows the use of two independent User Keys (e.g., a
200.Qq "user key"
201and a
202.Qq "company key" ) .
203.It
204It is fast -
205.Nm
206performs simple sector-to-sector encryption.
207.It
208Allows the encrypted Master Key to be backed up and restored,
209so that if a user has to quickly destroy key material,
210it is possible to get the data back by restoring keys from
211backup.
212.It
213Providers can be configured to automatically detach on last close,
214so users do not have to remember to detach providers after unmounting
215the filesystems.
216.It
217Allows attaching a provider with a random, one-time Master Key,
218which is useful for swap partitions and temporary filesystems.
219.It
220Allows verification of data integrity (data authentication).
221.It
222Allows suspending and resuming encrypted devices.
223.El
224.Pp
225The first argument to
226.Nm
227indicates an action to be performed:
228.Bl -tag -width ".Cm configure"
229.It Cm init
230Initialize providers which need to be encrypted.
231If multiple providers are listed as arguments, they will all be initialized
232with the same passphrase and/or User Key.
233A unique salt will be randomly generated for each provider to ensure the
234Master Key for each is unique.
235Here you can set up the cryptographic algorithm to use, Data Key length,
236etc.
237The last sector of the providers is used to store metadata.
238The
239.Cm init
240subcommand also automatically writes metadata backups to
241.Pa /var/backups/<prov>.eli
242file.
243The metadata can be recovered with the
244.Cm restore
245subcommand described below.
246.Pp
247Additional options include:
248.Bl -tag -width ".Fl J Ar newpassfile"
249.It Fl a Ar aalgo
250Enable data integrity verification (authentication) using the given algorithm.
251This will reduce the size of storage available and also reduce speed.
252For example, when using 4096 bytes sector and
253.Nm HMAC/SHA256
254algorithm, 89% of the original provider storage will be available for use.
255Currently supported algorithms are:
256.Nm HMAC/SHA1 ,
257.Nm HMAC/RIPEMD160 ,
258.Nm HMAC/SHA256 ,
259.Nm HMAC/SHA384
260and
261.Nm HMAC/SHA512 .
262If the option is not given, there will be no authentication, only encryption.
263The recommended algorithm is
264.Nm HMAC/SHA256 .
265.It Fl b
266Try to decrypt this partition during boot, before the root partition is mounted.
267This makes it possible to use an encrypted root partition.
268One will still need bootable unencrypted storage with a
269.Pa /boot/
270directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
271after boot.
272.It Fl B Ar backupfile
273File name to use for metadata backup instead of the default
274.Pa /var/backups/<prov>.eli .
275To inhibit backups, you can use
276.Pa none
277as the
278.Ar backupfile .
279If multiple providers were initialized in the one command, you can use
280.Pa PROV
281(all upper-case) in the file name, and it will be replaced with the provider
282name.
283If
284.Pa PROV
285is not found in the file name and multiple providers were initialized in the
286one command,
287.Pa -<prov>
288will be appended to the end of the file name specified.
289.It Fl d
290When entering the passphrase to boot from this encrypted root filesystem, echo
291.Ql *
292characters.
293This makes the length of the passphrase visible.
294.It Fl e Ar ealgo
295Encryption algorithm to use.
296Currently supported algorithms are:
297.Nm AES-XTS ,
298.Nm AES-CBC ,
299.Nm Camellia-CBC ,
300and
301.Nm NULL .
302The default and recommended algorithm is
303.Nm AES-XTS .
304.Nm NULL
305is unencrypted.
306.It Fl g
307Enable booting from this encrypted root filesystem.
308The boot loader prompts for the passphrase and loads
309.Xr loader 8
310from the encrypted partition.
311.It Fl i Ar iterations
312Number of iterations to use with PKCS#5v2 when processing User Key
313passphrase component.
314If this option is not specified,
315.Nm
316will find the number of iterations which is equal to 2 seconds of crypto work.
317If 0 is given, PKCS#5v2 will not be used.
318PKCS#5v2 processing is performed once, after all parts of the passphrase
319component have been read.
320.It Fl J Ar newpassfile
321Specifies a file which contains the passphrase component of the User Key
322(or part of it).
323If
324.Ar newpassfile
325is given as -, standard input will be used.
326Only the first line (excluding new-line character) is taken from the given file.
327This argument can be specified multiple times, which has the effect of
328reassembling a single passphrase split across multiple files.
329Cannot be combined with the
330.Fl P
331option.
332.It Fl K Ar newkeyfile
333Specifies a file which contains the keyfile component of the User Key
334(or part of it).
335If
336.Ar newkeyfile
337is given as -, standard input will be used.
338This argument can be specified multiple times, which has the effect of
339reassembling a single keyfile split across multiple keyfile parts.
340.It Fl l Ar keylen
341Data Key length to use with the given cryptographic algorithm.
342If the length is not specified, the selected algorithm uses its
343.Em default
344key length.
345.Bl -ohang -offset indent
346.It Nm AES-XTS
347.Em 128 ,
348256
349.It Nm AES-CBC , Nm Camellia-CBC
350.Em 128 ,
351192,
352256
353.El
354.It Fl P
355Do not use a passphrase as a component of the User Key.
356Cannot be combined with the
357.Fl J
358option.
359.It Fl s Ar sectorsize
360Change decrypted provider's sector size.
361Increasing the sector size allows increased performance,
362because encryption/decryption which requires an initialization vector
363is done per sector; fewer sectors means less computational work.
364.It Fl R
365Turn off automatic expansion.
366By default, if the underlying provider grows, the encrypted provider will
367grow automatically too.
368The metadata will be moved to the new location.
369If automatic expansion if turned off and the underlying provider changes
370size, attaching encrypted provider will no longer be possible as the metadata
371will no longer be located in the last sector.
372In this case
373.Nm GELI
374will only log the previous size of the underlying provider, so metadata can
375be found easier, if resize was done by mistake.
376.It Fl T
377Don't pass through
378.Dv BIO_DELETE
379calls (i.e., TRIM/UNMAP).
380This can prevent an attacker from knowing how much space you're actually
381using and which sectors contain live data, but will also prevent the
382backing store (SSD, etc) from reclaiming space you're not using, which
383may degrade its performance and lifespan.
384The underlying provider may or may not actually obliterate the deleted
385sectors when TRIM is enabled, so it should not be considered to add any
386security.
387.It Fl V Ar version
388Metadata version to use.
389This option is helpful when creating a provider that may be used by older
390.Nm FreeBSD/GELI
391versions.
392Consult the
393.Sx HISTORY
394section to find which metadata version is supported by which
395.Fx
396version.
397Note that using an older version of metadata may limit the number of
398features available.
399.El
400.It Cm attach
401Attach the given providers.
402The encrypted Master Keys are loaded from the metadata and decrypted
403using the given passphrase/keyfile and new GEOM providers are created
404using the specified provider names.
405A
406.Qq .eli
407suffix is added to the user specified provider names.
408Multiple providers can only be attached with a single
409.Cm attach
410command if they all have the same passphrase and keyfiles.
411.Pp
412Additional options include:
413.Bl -tag -width ".Fl j Ar passfile"
414.It Fl C
415Do a dry-run decryption.
416This is useful to verify passphrase and keyfile without decrypting the device.
417.It Fl d
418If specified, the decrypted providers are detached automatically on last close,
419so the user does not have to remember to detach
420providers after unmounting the filesystems.
421This only works when providers were opened for writing, and will not work if
422the filesystems on the providers were mounted read-only.
423Probably a better choice is the
424.Fl l
425option for the
426.Cm detach
427subcommand.
428.It Fl n Ar keyno
429Specifies the index number of the Master Key copy to use (could be 0 or 1).
430If the index number is not provided all keys will be tested.
431.It Fl j Ar passfile
432Specifies a file which contains the passphrase component of the User Key
433(or part of it).
434For more information see the description of the
435.Fl J
436option for the
437.Cm init
438subcommand.
439The same passfiles are used for all listed providers.
440.It Fl k Ar keyfile
441Specifies a file which contains the keyfile component of the User Key
442(or part of it).
443For more information see the description of the
444.Fl K
445option for the
446.Cm init
447subcommand.
448The same keyfiles are used for all listed providers.
449.It Fl p
450Do not use a passphrase as a component of the User Keys.
451Cannot be combined with the
452.Fl j
453option.
454.It Fl r
455Attach read-only providers.
456They are not opened for writing.
457.El
458.It Cm detach
459Detach the given providers, which means remove the devfs entry
460and clear the Master Key and Data Keys from memory.
461.Pp
462Additional options include:
463.Bl -tag -width ".Fl f"
464.It Fl f
465Force detach - detach even if the provider is open.
466.It Fl l
467Mark provider to detach on last close, after the last filesystem has been
468unmounted.
469If this option is specified, the provider will not be detached
470while it is open, but will be automatically detached when it is closed for the
471last time even if it was only opened for reading.
472.El
473.It Cm onetime
474Attach the given providers with a random, one-time (ephemeral) Master Key.
475The command can be used to encrypt swap partitions or temporary filesystems.
476.Pp
477Additional options include:
478.Bl -tag -width ".Fl a Ar sectorsize"
479.It Fl a Ar aalgo
480Enable data integrity verification (authentication).
481For more information, see the description of the
482.Cm init
483subcommand.
484.It Fl e Ar ealgo
485Encryption algorithm to use.
486For more information, see the description of the
487.Cm init
488subcommand.
489.It Fl d
490Detach on last close, after the last filesystem has been unmounted.
491Note: this option is not usable for temporary filesystems as the provider is
492detached after the filesystem has been created.
493It still can, and should, be used for swap partitions.
494For more information, see the description of the
495.Cm attach
496subcommand.
497.It Fl l Ar keylen
498Data Key length to use with the given cryptographic algorithm.
499For more information, see the description of the
500.Cm init
501subcommand.
502.It Fl s Ar sectorsize
503Change decrypted provider's sector size.
504For more information, see the description of the
505.Cm init
506subcommand.
507.It Fl R
508Turn off automatic expansion.
509For more information, see the description of the
510.Cm init
511subcommand.
512.It Fl T
513Disable TRIM/UNMAP passthru.
514For more information, see the description of the
515.Cm init
516subcommand.
517.El
518.It Cm configure
519Change configuration of the given providers.
520.Pp
521Additional options include:
522.Bl -tag -width ".Fl b"
523.It Fl b
524Set the BOOT flag on the given providers.
525For more information, see the description of the
526.Cm init
527subcommand.
528.It Fl B
529Remove the BOOT flag from the given providers.
530.It Fl d
531When entering the passphrase to boot from this encrypted root filesystem, echo
532.Ql *
533characters.
534This makes the length of the passphrase visible.
535.It Fl D
536Disable echoing of any characters when a passphrase is entered to boot from this
537encrypted root filesystem.
538This hides the passphrase length.
539.It Fl g
540Enable booting from this encrypted root filesystem.
541The boot loader prompts for the passphrase and loads
542.Xr loader 8
543from the encrypted partition.
544.It Fl G
545Deactivate booting from this encrypted root partition.
546.It Fl r
547Turn on automatic expansion.
548For more information, see the description of the
549.Cm init
550subcommand.
551.It Fl R
552Turn off automatic expansion.
553.It Fl t
554Enable TRIM/UNMAP passthru.
555For more information, see the description of the
556.Cm init
557subcommand.
558.It Fl T
559Disable TRIM/UNMAP passthru.
560.El
561.It Cm setkey
562Install a copy of the Master Key into the selected slot, encrypted with
563a new User Key.
564If the selected slot is populated, replace the existing copy.
565A provider has one Master Key, which can be stored in one or both slots,
566each encrypted with an independent User Key.
567With the
568.Cm init
569subcommand, only key number 0 is initialized.
570The User Key can be changed at any time: for an attached provider,
571for a detached provider, or on the backup file.
572When a provider is attached, the user does not have to provide
573an existing passphrase/keyfile.
574.Pp
575Additional options include:
576.Bl -tag -width ".Fl J Ar newpassfile"
577.It Fl i Ar iterations
578Number of iterations to use with PKCS#5v2.
579If 0 is given, PKCS#5v2 will not be used.
580To be able to use this option with the
581.Cm setkey
582subcommand, only one key has to be defined and this key must be changed.
583.It Fl j Ar passfile
584Specifies a file which contains the passphrase component of a current User Key
585(or part of it).
586.It Fl J Ar newpassfile
587Specifies a file which contains the passphrase component of the new User Key
588(or part of it).
589.It Fl k Ar keyfile
590Specifies a file which contains the keyfile component of a current User Key
591(or part of it).
592.It Fl K Ar newkeyfile
593Specifies a file which contains the keyfile component of the new User Key
594(or part of it).
595.It Fl n Ar keyno
596Specifies the index number of the Master Key copy to change (could be 0 or 1).
597If the provider is attached and no key number is given, the key
598used for attaching the provider will be changed.
599If the provider is detached (or we are operating on a backup file)
600and no key number is given, the first Master Key copy to be successfully
601decrypted with the provided User Key passphrase/keyfile will be changed.
602.It Fl p
603Do not use a passphrase as a component of the current User Key.
604Cannot be combined with the
605.Fl j
606option.
607.It Fl P
608Do not use a passphrase as a component of the new User Key.
609Cannot be combined with the
610.Fl J
611option.
612.El
613.It Cm delkey
614Destroy (overwrite with random data) the selected Master Key copy.
615If one is destroying keys for an attached provider, the provider
616will not be detached even if all copies of the Master Key are destroyed.
617It can even be rescued with the
618.Cm setkey
619subcommand because the Master Key is still in memory.
620.Pp
621Additional options include:
622.Bl -tag -width ".Fl a Ar keyno"
623.It Fl a
624Destroy all copies of the Master Key (does not need
625.Fl f
626option).
627.It Fl f
628Force key destruction.
629This option is needed to destroy the last copy of the Master Key.
630.It Fl n Ar keyno
631Specifies the index number of the Master Key copy.
632If the provider is attached and no key number is given, the key
633used for attaching the provider will be destroyed.
634If provider is detached (or we are operating on a backup file) the key number
635has to be given.
636.El
637.It Cm kill
638This command should be used only in emergency situations.
639It will destroy all copies of the Master Key on a given provider and will
640detach it forcibly (if it is attached).
641This is absolutely a one-way command - if you do not have a metadata
642backup, your data is gone for good.
643In case the provider was attached with the
644.Fl r
645flag, the keys will not be destroyed, only the provider will be detached.
646.Pp
647Additional options include:
648.Bl -tag -width ".Fl a"
649.It Fl a
650If specified, all currently attached providers will be killed.
651.El
652.It Cm backup
653Backup metadata from the given provider to the given file.
654.It Cm restore
655Restore metadata from the given file to the given provider.
656.Pp
657Additional options include:
658.Bl -tag -width ".Fl f"
659.It Fl f
660Metadata contains the size of the provider to ensure that the correct
661partition or slice is attached.
662If an attempt is made to restore metadata to a provider that has a different
663size,
664.Nm
665will refuse to restore the data unless the
666.Fl f
667switch is used.
668If the partition or slice has been grown, the
669.Cm resize
670subcommand should be used rather than attempting to relocate the metadata
671through
672.Cm backup
673and
674.Cm restore .
675.El
676.It Cm suspend
677Suspend device by waiting for all inflight requests to finish, clearing all
678sensitive information such as the Master Key and Data Keys from kernel memory,
679and blocking all further I/O requests until the
680.Cm resume
681subcommand is executed.
682This functionality is useful for laptops.
683Suspending a laptop should not leave an encrypted device attached.
684The
685.Cm suspend
686subcommand can be used rather than closing all files and directories from
687filesystems on the encrypted device, unmounting the filesystem, and
688detaching the device.
689Any access to the encrypted device will be blocked until the Master Key is
690reloaded through the
691.Cm resume
692subcommand.
693Thus there is no need to close nor unmount anything.
694The
695.Cm suspend
696subcommand does not work with devices created with the
697.Cm onetime
698subcommand.
699Please note that sensitive data might still be present in memory locations
700such as the filesystem cache after suspending an encrypted device.
701.Pp
702Additional options include:
703.Bl -tag -width ".Fl a"
704.It Fl a
705Suspend all
706.Nm
707devices.
708.El
709.It Cm resume
710Resume previously suspended device.
711The caller must ensure that executing this subcommand does not access the
712suspended device, leading to a deadlock.
713For example, suspending a device which contains the filesystem where the
714.Nm
715utility is stored is a bad idea.
716.Pp
717Additional options include:
718.Bl -tag -width ".Fl j Ar passfile"
719.It Fl j Ar passfile
720Specifies a file which contains the passphrase component of the User Key,
721or part of it.
722For more information see the description of the
723.Fl J
724option for the
725.Cm init
726subcommand.
727.It Fl k Ar keyfile
728Specifies a file which contains the keyfile component of the User Key,
729or part of it.
730For more information see the description of the
731.Fl K
732option for the
733.Cm init
734subcommand.
735.It Fl p
736Do not use a passphrase as a component of the User Key.
737Cannot be combined with the
738.Fl j
739option.
740.El
741.It Cm resize
742Inform
743.Nm
744that the provider has been resized.
745The old metadata block is relocated to the correct position at the end of the
746provider and the provider size is updated.
747.Pp
748Additional options include:
749.Bl -tag -width ".Fl s Ar oldsize"
750.It Fl s Ar oldsize
751The size of the provider before it was resized.
752.El
753.It Cm version
754If no arguments are given, the
755.Cm version
756subcommand will print the version of
757.Nm
758userland utility as well as the version of the
759.Nm ELI
760GEOM class.
761.Pp
762If GEOM providers are specified, the
763.Cm version
764subcommand will print metadata version used by each of them.
765.It Cm clear
766Clear metadata from the given providers.
767.Em WARNING :
768This will erase with zeros the encrypted Master Key copies stored in the
769metadata.
770.It Cm dump
771Dump metadata stored on the given providers.
772.It Cm list
773See
774.Xr geom 8 .
775.It Cm status
776See
777.Xr geom 8 .
778.It Cm load
779See
780.Xr geom 8 .
781.It Cm unload
782See
783.Xr geom 8 .
784.El
785.Pp
786Additional options include:
787.Bl -tag -width ".Fl v"
788.It Fl v
789Be more verbose.
790.El
791.Sh KEY SUMMARY
792.Ss Master Key
793Upon
794.Cm init ,
795the
796.Nm
797utility generates a random Master Key for the provider.
798The Master Key never changes during the lifetime of the provider.
799Each copy of the provider metadata, active or backed up to a file, can store
800up to two, independently-encrypted copies of the Master Key.
801.Ss User Key
802Each stored copy of the Master Key is encrypted with a User Key, which
803is generated by the
804.Nm
805utility from a passphrase and/or a keyfile.
806The
807.Nm
808utility first reads all parts of the keyfile in the order specified on the
809command line, then reads all parts of the stored passphrase in the order
810specified on the command line.
811If no passphrase parts are specified, the system prompts the user to enter
812the passphrase.
813The passphrase is optionally strengthened by PKCS#5v2.
814The User Key is a digest computed over the concatenated keyfile and passphrase.
815.Ss Data Key
816During operation, one or more Data Keys are deterministically derived by
817the kernel from the Master Key and cached in memory.
818The number of Data Keys used by a given provider, and the way they are
819derived, depend on the GELI version and whether the provider is configured to
820use data authentication.
821.Sh SYSCTL VARIABLES
822The following
823.Xr sysctl 8
824variables can be used to control the behavior of the
825.Nm ELI
826GEOM class.
827The default value is shown next to each variable.
828Some variables can also be set in
829.Pa /boot/loader.conf .
830.Bl -tag -width indent
831.It Va kern.geom.eli.version
832Version number of the
833.Nm ELI
834GEOM class.
835.It Va kern.geom.eli.debug : No 0
836Debug level of the
837.Nm ELI
838GEOM class.
839This can be set to a number between 0 and 3 inclusive.
840If set to 0, minimal debug information is printed.
841If set to 3, the
842maximum amount of debug information is printed.
843.It Va kern.geom.eli.tries : No 3
844Number of times a user is asked for the passphrase.
845This is only used for providers which are attached on boot,
846before the root filesystem is mounted.
847If set to 0, attaching providers on boot will be disabled.
848This variable should be set in
849.Pa /boot/loader.conf .
850.It Va kern.geom.eli.overwrites : No 5
851Specifies how many times the Master Key is overwritten
852with random values when it is destroyed.
853After this operation it is filled with zeros.
854.It Va kern.geom.eli.use_uma_bytes
855.Nm
856must allocate a buffer for every write operation, used when performing
857encryption.
858This sysctl reports the maximum size in bytes for which geli will perform the
859allocation using
860.Xr UMA 9 ,
861as opposed to
862.Xr malloc 9 .
863.It Va kern.geom.eli.visible_passphrase : No 0
864If set to 1, the passphrase entered on boot will be visible.
865This alternative should be used with caution as the entered
866passphrase can be logged and exposed via
867.Xr dmesg 8 .
868This variable should be set in
869.Pa /boot/loader.conf .
870.It Va kern.geom.eli.threads : No 0
871Specifies how many kernel threads should be used for doing software
872cryptography.
873Its purpose is to increase performance on SMP systems.
874If set to 0, a CPU-pinned thread will be started for every active CPU.
875Note that this variable must be set prior to attaching
876.Nm
877to a disk.
878.It Va kern.geom.eli.batch : No 0
879When set to 1, can speed-up crypto operations by using batching.
880Batching reduces the number of interrupts by responding to a group of
881crypto requests with one interrupt.
882The crypto card and the driver have to support this feature.
883.It Va kern.geom.eli.key_cache_limit : No 8192
884Specifies how many Data Keys to cache.
885The default limit
886(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
887sectors and will take around 1MB of memory.
888.It Va kern.geom.eli.key_cache_hits
889Reports how many times we were looking up a Data Key and it was already in
890cache.
891This sysctl is not updated for providers that need fewer Data Keys than
892the limit specified in
893.Va kern.geom.eli.key_cache_limit .
894.It Va kern.geom.eli.key_cache_misses
895Reports how many times we were looking up a Data Key and it was not in cache.
896This sysctl is not updated for providers that need fewer Data Keys than the limit
897specified in
898.Va kern.geom.eli.key_cache_limit .
899.It Va kern.geom.eli.unmapped_io
900Enable support for unmapped I/O buffers, currently implemented only on 64-bit
901platforms.
902This is an optimization which reduces the overhead of I/O processing.
903This variable is intended for debugging purposes and must be set in
904.Pa /boot/loader.conf .
905.El
906.Sh PERFORMANCE CONSIDERATIONS
907The default value of
908.Va kern.geom.eli.threads
909is usually good for a system with one SSD.
910However, it may need to be lowered on systems with many disks,
911so as to avoid creating too much thread-switching overhead.
912On systems with more disks than CPUs, it's best to set this variable
913to 1.
914.Pp
915.Nm
916internally uses
917.Xr malloc 9
918to allocate memory for operations larger than
919.Va kern.geom.eli.use_uma_bytes ,
920but malloc is slow for allocations larger than
921.Va vm.kmem_zmax .
922So it's best to avoid writing more than
923.Ms MAX(kern.geom.eli.use_uma_bytes, vm.kmem_zmax)
924in a single write operation.
925On systems that format
926.Xr zfs 4
927on top of
928.Nm ,
929the maximum write size can be controlled by
930.Va vfs.zfs.vdev.aggregation_limit
931and
932.Va vfs.zfs.vdev.aggregation_limit_non_rotating
933for HDDs and SSDs, respectively.
934.Sh EXIT STATUS
935Exit status is 0 on success, and 1 if the command fails.
936.Sh EXAMPLES
937Initialize a provider which is going to be encrypted with a
938passphrase and random data from a file on the user's pen drive.
939Use 4kB sector size.
940Attach the provider, create a filesystem, and mount it.
941Do the work.
942Unmount the provider and detach it:
943.Bd -literal -offset indent
944# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
945# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
946Enter new passphrase:
947Reenter new passphrase:
948# geli attach -k /mnt/pendrive/da2.key /dev/da2
949Enter passphrase:
950# dd if=/dev/random of=/dev/da2.eli bs=1m
951# newfs /dev/da2.eli
952# mount /dev/da2.eli /mnt/secret
953\&...
954# umount /mnt/secret
955# geli detach da2.eli
956.Ed
957.Pp
958Create an encrypted provider, but use two User Keys:
959one for your employee and one for you as the company's security officer
960(so it is not a tragedy if the employee
961.Qq accidentally
962forgets his passphrase):
963.Bd -literal -offset indent
964# geli init /dev/da2
965Enter new passphrase:	(enter security officer's passphrase)
966Reenter new passphrase:
967# geli setkey -n 1 /dev/da2
968Enter passphrase:	(enter security officer's passphrase)
969Enter new passphrase:	(let your employee enter his passphrase ...)
970Reenter new passphrase:	(... twice)
971.Ed
972.Pp
973You are the security officer in your company.
974Create an encrypted provider for use by the user, but remember that users
975forget their passphrases, so backup the Master Key with your own random key:
976.Bd -literal -offset indent
977# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
978# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
979# geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname`
980(use key number 0, so the encrypted Master Key will be re-encrypted by this)
981# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
982(allow the user to enter his passphrase)
983Enter new passphrase:
984Reenter new passphrase:
985.Ed
986.Pp
987Encrypted swap partition setup:
988.Bd -literal -offset indent
989# dd if=/dev/random of=/dev/ada0s1b bs=1m
990# geli onetime -d ada0s1b
991# swapon /dev/ada0s1b.eli
992.Ed
993.Pp
994The example below shows how to configure two providers which will be attached
995on boot, before the root filesystem is mounted.
996One of them is using passphrase and three keyfile parts and the other is
997using only a keyfile in one part:
998.Bd -literal -offset indent
999# dd if=/dev/random of=/dev/da0 bs=1m
1000# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
1001# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
1002# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
1003# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
1004Enter new passphrase:
1005Reenter new passphrase:
1006# dd if=/dev/random of=/dev/da1s3a bs=1m
1007# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
1008# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
1009.Ed
1010.Pp
1011The providers are initialized, now we have to add these lines to
1012.Pa /boot/loader.conf :
1013.Bd -literal -offset indent
1014geli_da0_keyfile0_load="YES"
1015geli_da0_keyfile0_type="da0:geli_keyfile0"
1016geli_da0_keyfile0_name="/boot/keys/da0.key0"
1017geli_da0_keyfile1_load="YES"
1018geli_da0_keyfile1_type="da0:geli_keyfile1"
1019geli_da0_keyfile1_name="/boot/keys/da0.key1"
1020geli_da0_keyfile2_load="YES"
1021geli_da0_keyfile2_type="da0:geli_keyfile2"
1022geli_da0_keyfile2_name="/boot/keys/da0.key2"
1023
1024geli_da1s3a_keyfile0_load="YES"
1025geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
1026geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
1027.Ed
1028.Pp
1029If there is only one keyfile, the index might be omitted:
1030.Bd -literal -offset indent
1031geli_da1s3a_keyfile_load="YES"
1032geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
1033geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
1034.Ed
1035.Pp
1036By convention, these loader variables are called
1037.Sm off
1038.Va geli_ No < Ar device No > Va _load .
1039.Sm on
1040However, the actual name prefix before
1041.Va _load , _type ,
1042or
1043.Va _name
1044does not matter.
1045At boot time, the
1046.Nm
1047module searches through all
1048.Sm off
1049.No < Va prefix No > Va _type No -like
1050.Sm on
1051variables that have a value of
1052.Sm off
1053.Dq < Ar device No > :geli_keyfile .
1054.Sm on
1055The paths to keyfiles are then extracted from
1056.Sm off
1057.No < Ar prefix No > Va _name
1058.Sm on
1059variables.
1060In the example above,
1061.Ar prefix
1062is
1063.Dq Li geli_da1s3a_keyfile .
1064.Pp
1065Not only configure encryption, but also data integrity verification using
1066.Nm HMAC/SHA256 .
1067.Bd -literal -offset indent
1068# geli init -a hmac/sha256 -s 4096 /dev/da0
1069Enter new passphrase:
1070Reenter new passphrase:
1071# geli attach /dev/da0
1072Enter passphrase:
1073# dd if=/dev/random of=/dev/da0.eli bs=1m
1074# newfs /dev/da0.eli
1075# mount /dev/da0.eli /mnt/secret
1076.Ed
1077.Pp
1078.Cm geli
1079writes the metadata backup by default to the
1080.Pa /var/backups/<prov>.eli
1081file.
1082If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored.
1083Consider the following situation:
1084.Bd -literal -offset indent
1085# geli init /dev/da0
1086Enter new passphrase:
1087Reenter new passphrase:
1088
1089Metadata backup can be found in /var/backups/da0.eli and
1090can be restored with the following command:
1091
1092	# geli restore /var/backups/da0.eli /dev/da0
1093
1094# geli clear /dev/da0
1095# geli attach /dev/da0
1096geli: Cannot read metadata from /dev/da0: Invalid argument.
1097# geli restore /var/backups/da0.eli /dev/da0
1098# geli attach /dev/da0
1099Enter passphrase:
1100.Ed
1101.Pp
1102If an encrypted filesystem is extended, it is necessary to relocate and
1103update the metadata:
1104.Bd -literal -offset indent
1105# gpart create -s GPT ada0
1106# gpart add -s 1g -t freebsd-ufs -i 1 ada0
1107# geli init -K keyfile -P ada0p1
1108# gpart resize -s 2g -i 1 ada0
1109# geli resize -s 1g ada0p1
1110# geli attach -k keyfile -p ada0p1
1111.Ed
1112.Pp
1113Initialize provider with the passphrase split into two files.
1114The provider can be attached using those two files or by entering
1115.Dq foobar
1116as the passphrase at the
1117.Nm
1118prompt:
1119.Bd -literal -offset indent
1120# echo foo > da0.pass0
1121# echo bar > da0.pass1
1122# geli init -J da0.pass0 -J da0.pass1 da0
1123# geli attach -j da0.pass0 -j da0.pass1 da0
1124# geli detach da0
1125# geli attach da0
1126Enter passphrase: foobar
1127.Ed
1128.Pp
1129Suspend all
1130.Nm
1131devices on a laptop, suspend the laptop, then resume devices one by one after
1132resuming the laptop:
1133.Bd -literal -offset indent
1134# geli suspend -a
1135# zzz
1136<resume your laptop>
1137# geli resume -p -k keyfile gpt/secret
1138# geli resume gpt/private
1139Enter passphrase:
1140.Ed
1141.Pp
1142To create a
1143.Nm
1144encrypted filesystem with a file as storage device follow this example.
1145First a file named private0 is created in
1146.Pa /usr
1147and attached as a memory disk like
1148.Pa /dev/md0
1149for example.
1150.Bd -literal -offset indent
1151# dd if=/dev/zero of=/usr/private0 bs=1m count=256
1152# chmod 0600 /usr/private0
1153# mdconfig -t vnode -f /usr/private0
1154.Ed
1155.Pp
1156It is recommended to place the following line in
1157.Xr rc.conf 5
1158to have the memory disk automatically created during boot.
1159.Bd -literal -offset indent
1160mdconfig_md0="-t vnode -f /usr/private0"
1161.Ed
1162.Pp
1163After
1164.Pa /dev/md0
1165is created a random key has to be generated and stored in a secure location,
1166like
1167.Pa /root
1168for example.
1169This key should be protected by a passphrase, which
1170is requested when geli init is called.
1171.Bd -literal -offset indent
1172# dd if=/dev/random of=/root/private0.key bs=64 count=1
1173# geli init -K /root/private0.key -s 4096 /dev/md0
1174Enter new passphrase:
1175Reenter new passphrase:
1176# geli attach -k /root/private0.key /dev/md0
1177Enter passphrase:
1178# dd if=/dev/random of=/dev/md0.eli bs=1m
1179.Ed
1180.Pp
1181Once the initialization of the
1182.Pa /dev/md0.eli
1183device is ready create a UFS filesystem and mount it for example in
1184.Pa /private .
1185.Bd -literal -offset indent
1186# newfs /dev/md0.eli
1187# mount /dev/md0.eli /private
1188.Ed
1189.Pp
1190After a system reboot the
1191.Nm
1192device can be mounted again with the following commands.
1193The call of geli attach will ask for the passphrase.
1194It is recommended to do this procedure after the boot, because otherwise
1195the boot process would be waiting for the passphrase input.
1196.Bd -literal -offset indent
1197# geli attach -k /root/private0.key /dev/md0
1198Enter passphrase:
1199# mount /dev/md0.eli /private
1200.Ed
1201.Sh ENCRYPTION MODES
1202.Nm
1203supports two encryption modes:
1204.Nm XTS ,
1205which was standardized as
1206.Nm IEEE P1619
1207and
1208.Nm CBC
1209with unpredictable IV.
1210The
1211.Nm CBC
1212mode used by
1213.Nm
1214is very similar to the mode
1215.Nm ESSIV .
1216.Sh DATA AUTHENTICATION
1217.Nm
1218can verify data integrity when an authentication algorithm is specified.
1219When data corruption/modification is detected,
1220.Nm
1221will not return any data, but instead will return an error
1222.Pq Er EINVAL .
1223The offset and size of the corrupted data will be printed on the console.
1224It is important to know against which attacks
1225.Nm
1226provides protection for your data.
1227If data is modified in-place or copied from one place on the disk
1228to another even without modification,
1229.Nm
1230should be able to detect such a change.
1231If an attacker can remember the encrypted data, he can overwrite any future
1232changes with the data he owns without it being noticed.
1233In other words
1234.Nm
1235will not protect your data against replay attacks.
1236.Pp
1237It is recommended to write to the whole provider before first use,
1238in order to make sure that all sectors and their corresponding
1239checksums are properly initialized into a consistent state.
1240One can safely ignore data authentication errors that occur immediately
1241after the first time a provider is attached and before it is
1242initialized in this way.
1243.Sh SEE ALSO
1244.Xr crypto 4 ,
1245.Xr geom 4 ,
1246.Xr loader.conf 5 ,
1247.Xr geom 8 ,
1248.Xr crypto 9
1249.Sh HISTORY
1250The
1251.Nm
1252utility appeared in
1253.Fx 6.0 .
1254Support for the
1255.Nm Camellia
1256block cipher was implemented by Yoshisato Yanagisawa in
1257.Fx 7.0 .
1258.Pp
1259Highest
1260.Nm GELI
1261metadata version supported by the given
1262.Fx
1263version:
1264.Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
1265.It Sy FreeBSD Ta Sy GELI
1266.It Sy version Ta Sy version
1267.Pp
1268.It Li 6.0 Ta 0
1269.It Li 6.1 Ta 0
1270.It Li 6.2 Ta 3
1271.It Li 6.3 Ta 3
1272.It Li 6.4 Ta 3
1273.Pp
1274.It Li 7.0 Ta 3
1275.It Li 7.1 Ta 3
1276.It Li 7.2 Ta 3
1277.It Li 7.3 Ta 3
1278.It Li 7.4 Ta 3
1279.Pp
1280.It Li 8.0 Ta 3
1281.It Li 8.1 Ta 3
1282.It Li 8.2 Ta 5
1283.Pp
1284.It Li 9.0 Ta 6
1285.Pp
1286.It Li 10.0 Ta 7
1287.El
1288.Sh AUTHORS
1289.An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org
1290