xref: /freebsd/lib/geom/eli/geli.8 (revision a0409676120c1e558d0ade943019934e0f15118d)
1.\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd October 15, 2020
28.Dt GELI 8
29.Os
30.Sh NAME
31.Nm geli
32.Nd "control utility for the cryptographic GEOM class"
33.Sh SYNOPSIS
34To compile GEOM_ELI into your kernel, add the following lines to your kernel
35configuration file:
36.Bd -ragged -offset indent
37.Cd "device crypto"
38.Cd "options GEOM_ELI"
39.Ed
40.Pp
41Alternatively, to load the GEOM_ELI module at boot time, add the following line
42to your
43.Xr loader.conf 5 :
44.Bd -literal -offset indent
45geom_eli_load="YES"
46.Ed
47.Pp
48.No Usage of the Nm
49utility:
50.Pp
51.Nm
52.Cm init
53.Op Fl bdgPRTv
54.Op Fl a Ar aalgo
55.Op Fl B Ar backupfile
56.Op Fl e Ar ealgo
57.Op Fl i Ar iterations
58.Op Fl J Ar newpassfile
59.Op Fl K Ar newkeyfile
60.Op Fl l Ar keylen
61.Op Fl s Ar sectorsize
62.Op Fl V Ar version
63.Ar prov ...
64.Nm
65.Cm label - an alias for
66.Cm init
67.Nm
68.Cm attach
69.Op Fl Cdprv
70.Op Fl n Ar keyno
71.Op Fl j Ar passfile
72.Op Fl k Ar keyfile
73.Ar prov ...
74.Nm
75.Cm detach
76.Op Fl fl
77.Ar prov ...
78.Nm
79.Cm stop - an alias for
80.Cm detach
81.Nm
82.Cm onetime
83.Op Fl dRT
84.Op Fl a Ar aalgo
85.Op Fl e Ar ealgo
86.Op Fl l Ar keylen
87.Op Fl s Ar sectorsize
88.Ar prov
89.Nm
90.Cm configure
91.Op Fl bBdDgGrRtT
92.Ar prov ...
93.Nm
94.Cm setkey
95.Op Fl pPv
96.Op Fl i Ar iterations
97.Op Fl j Ar passfile
98.Op Fl J Ar newpassfile
99.Op Fl k Ar keyfile
100.Op Fl K Ar newkeyfile
101.Op Fl n Ar keyno
102.Ar prov
103.Nm
104.Cm delkey
105.Op Fl afv
106.Op Fl n Ar keyno
107.Ar prov
108.Nm
109.Cm kill
110.Op Fl av
111.Op Ar prov ...
112.Nm
113.Cm backup
114.Op Fl v
115.Ar prov
116.Ar file
117.Nm
118.Cm restore
119.Op Fl fv
120.Ar file
121.Ar prov
122.Nm
123.Cm suspend
124.Op Fl v
125.Fl a | Ar prov ...
126.Nm
127.Cm resume
128.Op Fl pv
129.Op Fl j Ar passfile
130.Op Fl k Ar keyfile
131.Ar prov
132.Nm
133.Cm resize
134.Op Fl v
135.Fl s Ar oldsize
136.Ar prov
137.Nm
138.Cm version
139.Op Ar prov ...
140.Nm
141.Cm clear
142.Op Fl v
143.Ar prov ...
144.Nm
145.Cm dump
146.Op Fl v
147.Ar prov ...
148.Nm
149.Cm list
150.Nm
151.Cm status
152.Nm
153.Cm load
154.Nm
155.Cm unload
156.Sh DESCRIPTION
157The
158.Nm
159utility is used to configure encryption on GEOM providers.
160.Pp
161The following is a list of the most important features:
162.Pp
163.Bl -bullet -offset indent -compact
164.It
165Utilizes the
166.Xr crypto 9
167framework, so when there is crypto hardware available,
168.Nm
169will make use of it automatically.
170.It
171Supports many cryptographic algorithms (currently
172.Nm AES-XTS ,
173.Nm AES-CBC ,
174and
175.Nm Camellia-CBC ) .
176.It
177Can optionally perform data authentication (integrity verification) utilizing
178one of the following algorithms:
179.Nm HMAC/SHA1 ,
180.Nm HMAC/RIPEMD160 ,
181.Nm HMAC/SHA256 ,
182.Nm HMAC/SHA384
183or
184.Nm HMAC/SHA512 .
185.It
186Can create a User Key from up to two, piecewise components: a passphrase
187entered via prompt or read from one or more passfiles; a keyfile read from
188one or more files.
189.It
190Allows encryption of the root partition.
191The user is asked for the passphrase before the root filesystem is mounted.
192.It
193Strengthens the passphrase component of the User Key with:
194.Rs
195.%A B. Kaliski
196.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
197.%R RFC
198.%N 2898
199.Re
200.It
201Allows the use of two independent User Keys (e.g., a
202.Qq "user key"
203and a
204.Qq "company key" ) .
205.It
206It is fast -
207.Nm
208performs simple sector-to-sector encryption.
209.It
210Allows the encrypted Master Key to be backed up and restored,
211so that if a user has to quickly destroy key material,
212it is possible to get the data back by restoring keys from
213backup.
214.It
215Providers can be configured to automatically detach on last close,
216so users do not have to remember to detach providers after unmounting
217the filesystems.
218.It
219Allows attaching a provider with a random, one-time Master Key,
220which is useful for swap partitions and temporary filesystems.
221.It
222Allows verification of data integrity (data authentication).
223.It
224Allows suspending and resuming encrypted devices.
225.El
226.Pp
227The first argument to
228.Nm
229indicates an action to be performed:
230.Bl -tag -width ".Cm configure"
231.It Cm init
232Initialize providers which need to be encrypted.
233If multiple providers are listed as arguments, they will all be initialized
234with the same passphrase and/or User Key.
235A unique salt will be randomly generated for each provider to ensure the
236Master Key for each is unique.
237Here you can set up the cryptographic algorithm to use, Data Key length,
238etc.
239The last sector of the providers is used to store metadata.
240The
241.Cm init
242subcommand also automatically writes metadata backups to
243.Pa /var/backups/<prov>.eli
244file.
245The metadata can be recovered with the
246.Cm restore
247subcommand described below.
248.Pp
249Additional options include:
250.Bl -tag -width ".Fl J Ar newpassfile"
251.It Fl a Ar aalgo
252Enable data integrity verification (authentication) using the given algorithm.
253This will reduce the size of storage available and also reduce speed.
254For example, when using 4096 bytes sector and
255.Nm HMAC/SHA256
256algorithm, 89% of the original provider storage will be available for use.
257Currently supported algorithms are:
258.Nm HMAC/SHA1 ,
259.Nm HMAC/RIPEMD160 ,
260.Nm HMAC/SHA256 ,
261.Nm HMAC/SHA384
262and
263.Nm HMAC/SHA512 .
264If the option is not given, there will be no authentication, only encryption.
265The recommended algorithm is
266.Nm HMAC/SHA256 .
267.It Fl b
268Try to decrypt this partition during boot, before the root partition is mounted.
269This makes it possible to use an encrypted root partition.
270One will still need bootable unencrypted storage with a
271.Pa /boot/
272directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
273after boot.
274.It Fl B Ar backupfile
275File name to use for metadata backup instead of the default
276.Pa /var/backups/<prov>.eli .
277To inhibit backups, you can use
278.Pa none
279as the
280.Ar backupfile .
281If multiple providers were initialized in the one command, you can use
282.Pa PROV
283(all upper-case) in the file name, and it will be replaced with the provider
284name.
285If
286.Pa PROV
287is not found in the file name and multiple providers were initialized in the
288one command,
289.Pa -<prov>
290will be appended to the end of the file name specified.
291.It Fl d
292When entering the passphrase to boot from this encrypted root filesystem, echo
293.Ql *
294characters.
295This makes the length of the passphrase visible.
296.It Fl e Ar ealgo
297Encryption algorithm to use.
298Currently supported algorithms are:
299.Nm AES-XTS ,
300.Nm AES-CBC ,
301.Nm Camellia-CBC ,
302and
303.Nm NULL .
304The default and recommended algorithm is
305.Nm AES-XTS .
306.Nm NULL
307is unencrypted.
308.It Fl g
309Enable booting from this encrypted root filesystem.
310The boot loader prompts for the passphrase and loads
311.Xr loader 8
312from the encrypted partition.
313.It Fl i Ar iterations
314Number of iterations to use with PKCS#5v2 when processing User Key
315passphrase component.
316If this option is not specified,
317.Nm
318will find the number of iterations which is equal to 2 seconds of crypto work.
319If 0 is given, PKCS#5v2 will not be used.
320PKCS#5v2 processing is performed once, after all parts of the passphrase
321component have been read.
322.It Fl J Ar newpassfile
323Specifies a file which contains the passphrase component of the User Key
324(or part of it).
325If
326.Ar newpassfile
327is given as -, standard input will be used.
328Only the first line (excluding new-line character) is taken from the given file.
329This argument can be specified multiple times, which has the effect of
330reassembling a single passphrase split across multiple files.
331Cannot be combined with the
332.Fl P
333option.
334.It Fl K Ar newkeyfile
335Specifies a file which contains the keyfile component of the User Key
336(or part of it).
337If
338.Ar newkeyfile
339is given as -, standard input will be used.
340This argument can be specified multiple times, which has the effect of
341reassembling a single keyfile split across multiple keyfile parts.
342.It Fl l Ar keylen
343Data Key length to use with the given cryptographic algorithm.
344If the length is not specified, the selected algorithm uses its
345.Em default
346key length.
347.Bl -ohang -offset indent
348.It Nm AES-XTS
349.Em 128 ,
350256
351.It Nm AES-CBC , Nm Camellia-CBC
352.Em 128 ,
353192,
354256
355.El
356.It Fl P
357Do not use a passphrase as a component of the User Key.
358Cannot be combined with the
359.Fl J
360option.
361.It Fl s Ar sectorsize
362Change decrypted provider's sector size.
363Increasing the sector size allows increased performance,
364because encryption/decryption which requires an initialization vector
365is done per sector; fewer sectors means less computational work.
366.It Fl R
367Turn off automatic expansion.
368By default, if the underlying provider grows, the encrypted provider will
369grow automatically too.
370The metadata will be moved to the new location.
371If automatic expansion if turned off and the underlying provider changes
372size, attaching encrypted provider will no longer be possible as the metadata
373will no longer be located in the last sector.
374In this case
375.Nm GELI
376will only log the previous size of the underlying provider, so metadata can
377be found easier, if resize was done by mistake.
378.It Fl T
379Don't pass through
380.Dv BIO_DELETE
381calls (i.e., TRIM/UNMAP).
382This can prevent an attacker from knowing how much space you're actually
383using and which sectors contain live data, but will also prevent the
384backing store (SSD, etc) from reclaiming space you're not using, which
385may degrade its performance and lifespan.
386The underlying provider may or may not actually obliterate the deleted
387sectors when TRIM is enabled, so it should not be considered to add any
388security.
389.It Fl V Ar version
390Metadata version to use.
391This option is helpful when creating a provider that may be used by older
392.Nm FreeBSD/GELI
393versions.
394Consult the
395.Sx HISTORY
396section to find which metadata version is supported by which
397.Fx
398version.
399Note that using an older version of metadata may limit the number of
400features available.
401.El
402.It Cm attach
403Attach the given providers.
404The encrypted Master Keys are loaded from the metadata and decrypted
405using the given passphrase/keyfile and new GEOM providers are created
406using the specified provider names.
407A
408.Qq .eli
409suffix is added to the user specified provider names.
410Multiple providers can only be attached with a single
411.Cm attach
412command if they all have the same passphrase and keyfiles.
413.Pp
414Additional options include:
415.Bl -tag -width ".Fl j Ar passfile"
416.It Fl C
417Do a dry-run decryption.
418This is useful to verify passphrase and keyfile without decrypting the device.
419.It Fl d
420If specified, the decrypted providers are detached automatically on last close,
421so the user does not have to remember to detach
422providers after unmounting the filesystems.
423This only works when providers were opened for writing, and will not work if
424the filesystems on the providers were mounted read-only.
425Probably a better choice is the
426.Fl l
427option for the
428.Cm detach
429subcommand.
430.It Fl n Ar keyno
431Specifies the index number of the Master Key copy to use (could be 0 or 1).
432If the index number is not provided all keys will be tested.
433.It Fl j Ar passfile
434Specifies a file which contains the passphrase component of the User Key
435(or part of it).
436For more information see the description of the
437.Fl J
438option for the
439.Cm init
440subcommand.
441The same passfiles are used for all listed providers.
442.It Fl k Ar keyfile
443Specifies a file which contains the keyfile component of the User Key
444(or part of it).
445For more information see the description of the
446.Fl K
447option for the
448.Cm init
449subcommand.
450The same keyfiles are used for all listed providers.
451.It Fl p
452Do not use a passphrase as a component of the User Keys.
453Cannot be combined with the
454.Fl j
455option.
456.It Fl r
457Attach read-only providers.
458They are not opened for writing.
459.El
460.It Cm detach
461Detach the given providers, which means remove the devfs entry
462and clear the Master Key and Data Keys from memory.
463.Pp
464Additional options include:
465.Bl -tag -width ".Fl f"
466.It Fl f
467Force detach - detach even if the provider is open.
468.It Fl l
469Mark provider to detach on last close, after the last filesystem has been
470unmounted.
471If this option is specified, the provider will not be detached
472while it is open, but will be automatically detached when it is closed for the
473last time even if it was only opened for reading.
474.El
475.It Cm onetime
476Attach the given providers with a random, one-time (ephemeral) Master Key.
477The command can be used to encrypt swap partitions or temporary filesystems.
478.Pp
479Additional options include:
480.Bl -tag -width ".Fl a Ar sectorsize"
481.It Fl a Ar aalgo
482Enable data integrity verification (authentication).
483For more information, see the description of the
484.Cm init
485subcommand.
486.It Fl e Ar ealgo
487Encryption algorithm to use.
488For more information, see the description of the
489.Cm init
490subcommand.
491.It Fl d
492Detach on last close, after the last filesystem has been unmounted.
493Note: this option is not usable for temporary filesystems as the provider is
494detached after the filesystem has been created.
495It still can, and should, be used for swap partitions.
496For more information, see the description of the
497.Cm attach
498subcommand.
499.It Fl l Ar keylen
500Data Key length to use with the given cryptographic algorithm.
501For more information, see the description of the
502.Cm init
503subcommand.
504.It Fl s Ar sectorsize
505Change decrypted provider's sector size.
506For more information, see the description of the
507.Cm init
508subcommand.
509.It Fl R
510Turn off automatic expansion.
511For more information, see the description of the
512.Cm init
513subcommand.
514.It Fl T
515Disable TRIM/UNMAP passthru.
516For more information, see the description of the
517.Cm init
518subcommand.
519.El
520.It Cm configure
521Change configuration of the given providers.
522.Pp
523Additional options include:
524.Bl -tag -width ".Fl b"
525.It Fl b
526Set the BOOT flag on the given providers.
527For more information, see the description of the
528.Cm init
529subcommand.
530.It Fl B
531Remove the BOOT flag from the given providers.
532.It Fl d
533When entering the passphrase to boot from this encrypted root filesystem, echo
534.Ql *
535characters.
536This makes the length of the passphrase visible.
537.It Fl D
538Disable echoing of any characters when a passphrase is entered to boot from this
539encrypted root filesystem.
540This hides the passphrase length.
541.It Fl g
542Enable booting from this encrypted root filesystem.
543The boot loader prompts for the passphrase and loads
544.Xr loader 8
545from the encrypted partition.
546.It Fl G
547Deactivate booting from this encrypted root partition.
548.It Fl r
549Turn on automatic expansion.
550For more information, see the description of the
551.Cm init
552subcommand.
553.It Fl R
554Turn off automatic expansion.
555.It Fl t
556Enable TRIM/UNMAP passthru.
557For more information, see the description of the
558.Cm init
559subcommand.
560.It Fl T
561Disable TRIM/UNMAP passthru.
562.El
563.It Cm setkey
564Install a copy of the Master Key into the selected slot, encrypted with
565a new User Key.
566If the selected slot is populated, replace the existing copy.
567A provider has one Master Key, which can be stored in one or both slots,
568each encrypted with an independent User Key.
569With the
570.Cm init
571subcommand, only key number 0 is initialized.
572The User Key can be changed at any time: for an attached provider,
573for a detached provider, or on the backup file.
574When a provider is attached, the user does not have to provide
575an existing passphrase/keyfile.
576.Pp
577Additional options include:
578.Bl -tag -width ".Fl J Ar newpassfile"
579.It Fl i Ar iterations
580Number of iterations to use with PKCS#5v2.
581If 0 is given, PKCS#5v2 will not be used.
582To be able to use this option with the
583.Cm setkey
584subcommand, only one key has to be defined and this key must be changed.
585.It Fl j Ar passfile
586Specifies a file which contains the passphrase component of a current User Key
587(or part of it).
588.It Fl J Ar newpassfile
589Specifies a file which contains the passphrase component of the new User Key
590(or part of it).
591.It Fl k Ar keyfile
592Specifies a file which contains the keyfile component of a current User Key
593(or part of it).
594.It Fl K Ar newkeyfile
595Specifies a file which contains the keyfile component of the new User Key
596(or part of it).
597.It Fl n Ar keyno
598Specifies the index number of the Master Key copy to change (could be 0 or 1).
599If the provider is attached and no key number is given, the key
600used for attaching the provider will be changed.
601If the provider is detached (or we are operating on a backup file)
602and no key number is given, the first Master Key copy to be successfully
603decrypted with the provided User Key passphrase/keyfile will be changed.
604.It Fl p
605Do not use a passphrase as a component of the current User Key.
606Cannot be combined with the
607.Fl j
608option.
609.It Fl P
610Do not use a passphrase as a component of the new User Key.
611Cannot be combined with the
612.Fl J
613option.
614.El
615.It Cm delkey
616Destroy (overwrite with random data) the selected Master Key copy.
617If one is destroying keys for an attached provider, the provider
618will not be detached even if all copies of the Master Key are destroyed.
619It can even be rescued with the
620.Cm setkey
621subcommand because the Master Key is still in memory.
622.Pp
623Additional options include:
624.Bl -tag -width ".Fl a Ar keyno"
625.It Fl a
626Destroy all copies of the Master Key (does not need
627.Fl f
628option).
629.It Fl f
630Force key destruction.
631This option is needed to destroy the last copy of the Master Key.
632.It Fl n Ar keyno
633Specifies the index number of the Master Key copy.
634If the provider is attached and no key number is given, the key
635used for attaching the provider will be destroyed.
636If provider is detached (or we are operating on a backup file) the key number
637has to be given.
638.El
639.It Cm kill
640This command should be used only in emergency situations.
641It will destroy all copies of the Master Key on a given provider and will
642detach it forcibly (if it is attached).
643This is absolutely a one-way command - if you do not have a metadata
644backup, your data is gone for good.
645In case the provider was attached with the
646.Fl r
647flag, the keys will not be destroyed, only the provider will be detached.
648.Pp
649Additional options include:
650.Bl -tag -width ".Fl a"
651.It Fl a
652If specified, all currently attached providers will be killed.
653.El
654.It Cm backup
655Backup metadata from the given provider to the given file.
656.It Cm restore
657Restore metadata from the given file to the given provider.
658.Pp
659Additional options include:
660.Bl -tag -width ".Fl f"
661.It Fl f
662Metadata contains the size of the provider to ensure that the correct
663partition or slice is attached.
664If an attempt is made to restore metadata to a provider that has a different
665size,
666.Nm
667will refuse to restore the data unless the
668.Fl f
669switch is used.
670If the partition or slice has been grown, the
671.Cm resize
672subcommand should be used rather than attempting to relocate the metadata
673through
674.Cm backup
675and
676.Cm restore .
677.El
678.It Cm suspend
679Suspend device by waiting for all inflight requests to finish, clearing all
680sensitive information such as the Master Key and Data Keys from kernel memory,
681and blocking all further I/O requests until the
682.Cm resume
683subcommand is executed.
684This functionality is useful for laptops.
685Suspending a laptop should not leave an encrypted device attached.
686The
687.Cm suspend
688subcommand can be used rather than closing all files and directories from
689filesystems on the encrypted device, unmounting the filesystem, and
690detaching the device.
691Any access to the encrypted device will be blocked until the Master Key is
692reloaded through the
693.Cm resume
694subcommand.
695Thus there is no need to close nor unmount anything.
696The
697.Cm suspend
698subcommand does not work with devices created with the
699.Cm onetime
700subcommand.
701Please note that sensitive data might still be present in memory locations
702such as the filesystem cache after suspending an encrypted device.
703.Pp
704Additional options include:
705.Bl -tag -width ".Fl a"
706.It Fl a
707Suspend all
708.Nm
709devices.
710.El
711.It Cm resume
712Resume previously suspended device.
713The caller must ensure that executing this subcommand does not access the
714suspended device, leading to a deadlock.
715For example, suspending a device which contains the filesystem where the
716.Nm
717utility is stored is a bad idea.
718.Pp
719Additional options include:
720.Bl -tag -width ".Fl j Ar passfile"
721.It Fl j Ar passfile
722Specifies a file which contains the passphrase component of the User Key,
723or part of it.
724For more information see the description of the
725.Fl J
726option for the
727.Cm init
728subcommand.
729.It Fl k Ar keyfile
730Specifies a file which contains the keyfile component of the User Key,
731or part of it.
732For more information see the description of the
733.Fl K
734option for the
735.Cm init
736subcommand.
737.It Fl p
738Do not use a passphrase as a component of the User Key.
739Cannot be combined with the
740.Fl j
741option.
742.El
743.It Cm resize
744Inform
745.Nm
746that the provider has been resized.
747The old metadata block is relocated to the correct position at the end of the
748provider and the provider size is updated.
749.Pp
750Additional options include:
751.Bl -tag -width ".Fl s Ar oldsize"
752.It Fl s Ar oldsize
753The size of the provider before it was resized.
754.El
755.It Cm version
756If no arguments are given, the
757.Cm version
758subcommand will print the version of
759.Nm
760userland utility as well as the version of the
761.Nm ELI
762GEOM class.
763.Pp
764If GEOM providers are specified, the
765.Cm version
766subcommand will print metadata version used by each of them.
767.It Cm clear
768Clear metadata from the given providers.
769.Em WARNING :
770This will erase with zeros the encrypted Master Key copies stored in the
771metadata.
772.It Cm dump
773Dump metadata stored on the given providers.
774.It Cm list
775See
776.Xr geom 8 .
777.It Cm status
778See
779.Xr geom 8 .
780.It Cm load
781See
782.Xr geom 8 .
783.It Cm unload
784See
785.Xr geom 8 .
786.El
787.Pp
788Additional options include:
789.Bl -tag -width ".Fl v"
790.It Fl v
791Be more verbose.
792.El
793.Sh KEY SUMMARY
794.Ss Master Key
795Upon
796.Cm init ,
797the
798.Nm
799utility generates a random Master Key for the provider.
800The Master Key never changes during the lifetime of the provider.
801Each copy of the provider metadata, active or backed up to a file, can store
802up to two, independently-encrypted copies of the Master Key.
803.Ss User Key
804Each stored copy of the Master Key is encrypted with a User Key, which
805is generated by the
806.Nm
807utility from a passphrase and/or a keyfile.
808The
809.Nm
810utility first reads all parts of the keyfile in the order specified on the
811command line, then reads all parts of the stored passphrase in the order
812specified on the command line.
813If no passphrase parts are specified, the system prompts the user to enter
814the passphrase.
815The passphrase is optionally strengthened by PKCS#5v2.
816The User Key is a digest computed over the concatenated keyfile and passphrase.
817.Ss Data Key
818During operation, one or more Data Keys are deterministically derived by
819the kernel from the Master Key and cached in memory.
820The number of Data Keys used by a given provider, and the way they are
821derived, depend on the GELI version and whether the provider is configured to
822use data authentication.
823.Sh SYSCTL VARIABLES
824The following
825.Xr sysctl 8
826variables can be used to control the behavior of the
827.Nm ELI
828GEOM class.
829The default value is shown next to each variable.
830Some variables can also be set in
831.Pa /boot/loader.conf .
832.Bl -tag -width indent
833.It Va kern.geom.eli.version
834Version number of the
835.Nm ELI
836GEOM class.
837.It Va kern.geom.eli.debug : No 0
838Debug level of the
839.Nm ELI
840GEOM class.
841This can be set to a number between 0 and 3 inclusive.
842If set to 0, minimal debug information is printed.
843If set to 3, the
844maximum amount of debug information is printed.
845.It Va kern.geom.eli.tries : No 3
846Number of times a user is asked for the passphrase.
847This is only used for providers which are attached on boot,
848before the root filesystem is mounted.
849If set to 0, attaching providers on boot will be disabled.
850This variable should be set in
851.Pa /boot/loader.conf .
852.It Va kern.geom.eli.overwrites : No 5
853Specifies how many times the Master Key is overwritten
854with random values when it is destroyed.
855After this operation it is filled with zeros.
856.It Va kern.geom.eli.visible_passphrase : No 0
857If set to 1, the passphrase entered on boot will be visible.
858This alternative should be used with caution as the entered
859passphrase can be logged and exposed via
860.Xr dmesg 8 .
861This variable should be set in
862.Pa /boot/loader.conf .
863.It Va kern.geom.eli.threads : No 0
864Specifies how many kernel threads should be used for doing software
865cryptography.
866Its purpose is to increase performance on SMP systems.
867If set to 0, a CPU-pinned thread will be started for every active CPU.
868.It Va kern.geom.eli.batch : No 0
869When set to 1, can speed-up crypto operations by using batching.
870Batching reduces the number of interrupts by responding to a group of
871crypto requests with one interrupt.
872The crypto card and the driver has to support this feature.
873.It Va kern.geom.eli.key_cache_limit : No 8192
874Specifies how many Data Keys to cache.
875The default limit
876(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
877sectors and will take around 1MB of memory.
878.It Va kern.geom.eli.key_cache_hits
879Reports how many times we were looking up a Data Key and it was already in
880cache.
881This sysctl is not updated for providers that need fewer Data Keys than
882the limit specified in
883.Va kern.geom.eli.key_cache_limit .
884.It Va kern.geom.eli.key_cache_misses
885Reports how many times we were looking up a Data Key and it was not in cache.
886This sysctl is not updated for providers that need fewer Data Keys than the limit
887specified in
888.Va kern.geom.eli.key_cache_limit .
889.El
890.Sh EXIT STATUS
891Exit status is 0 on success, and 1 if the command fails.
892.Sh EXAMPLES
893Initialize a provider which is going to be encrypted with a
894passphrase and random data from a file on the user's pen drive.
895Use 4kB sector size.
896Attach the provider, create a filesystem, and mount it.
897Do the work.
898Unmount the provider and detach it:
899.Bd -literal -offset indent
900# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
901# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
902Enter new passphrase:
903Reenter new passphrase:
904# geli attach -k /mnt/pendrive/da2.key /dev/da2
905Enter passphrase:
906# dd if=/dev/random of=/dev/da2.eli bs=1m
907# newfs /dev/da2.eli
908# mount /dev/da2.eli /mnt/secret
909\&...
910# umount /mnt/secret
911# geli detach da2.eli
912.Ed
913.Pp
914Create an encrypted provider, but use two User Keys:
915one for your employee and one for you as the company's security officer
916(so it is not a tragedy if the employee
917.Qq accidentally
918forgets his passphrase):
919.Bd -literal -offset indent
920# geli init /dev/da2
921Enter new passphrase:	(enter security officer's passphrase)
922Reenter new passphrase:
923# geli setkey -n 1 /dev/da2
924Enter passphrase:	(enter security officer's passphrase)
925Enter new passphrase:	(let your employee enter his passphrase ...)
926Reenter new passphrase:	(... twice)
927.Ed
928.Pp
929You are the security officer in your company.
930Create an encrypted provider for use by the user, but remember that users
931forget their passphrases, so backup the Master Key with your own random key:
932.Bd -literal -offset indent
933# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
934# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
935# geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname`
936(use key number 0, so the encrypted Master Key will be re-encrypted by this)
937# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
938(allow the user to enter his passphrase)
939Enter new passphrase:
940Reenter new passphrase:
941.Ed
942.Pp
943Encrypted swap partition setup:
944.Bd -literal -offset indent
945# dd if=/dev/random of=/dev/ada0s1b bs=1m
946# geli onetime -d ada0s1b
947# swapon /dev/ada0s1b.eli
948.Ed
949.Pp
950The example below shows how to configure two providers which will be attached
951on boot, before the root filesystem is mounted.
952One of them is using passphrase and three keyfile parts and the other is
953using only a keyfile in one part:
954.Bd -literal -offset indent
955# dd if=/dev/random of=/dev/da0 bs=1m
956# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
957# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
958# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
959# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
960Enter new passphrase:
961Reenter new passphrase:
962# dd if=/dev/random of=/dev/da1s3a bs=1m
963# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
964# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
965.Ed
966.Pp
967The providers are initialized, now we have to add these lines to
968.Pa /boot/loader.conf :
969.Bd -literal -offset indent
970geli_da0_keyfile0_load="YES"
971geli_da0_keyfile0_type="da0:geli_keyfile0"
972geli_da0_keyfile0_name="/boot/keys/da0.key0"
973geli_da0_keyfile1_load="YES"
974geli_da0_keyfile1_type="da0:geli_keyfile1"
975geli_da0_keyfile1_name="/boot/keys/da0.key1"
976geli_da0_keyfile2_load="YES"
977geli_da0_keyfile2_type="da0:geli_keyfile2"
978geli_da0_keyfile2_name="/boot/keys/da0.key2"
979
980geli_da1s3a_keyfile0_load="YES"
981geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
982geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
983.Ed
984.Pp
985If there is only one keyfile, the index might be omitted:
986.Bd -literal -offset indent
987geli_da1s3a_keyfile_load="YES"
988geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
989geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
990.Ed
991.Pp
992By convention, these loader variables are called
993.Sm off
994.Va geli_ No < Ar device No > Va _load .
995.Sm on
996However, the actual name prefix before
997.Va _load , _type ,
998or
999.Va _name
1000does not matter.
1001At boot time, the
1002.Nm
1003module searches through all
1004.Sm off
1005.No < Va prefix No > Va _type No -like
1006.Sm on
1007variables that have a value of
1008.Sm off
1009.Dq < Ar device No > :geli_keyfile .
1010.Sm on
1011The paths to keyfiles are then extracted from
1012.Sm off
1013.No < Ar prefix No > Va _name
1014.Sm on
1015variables.
1016In the example above,
1017.Ar prefix
1018is
1019.Dq Li geli_da1s3a_keyfile .
1020.Pp
1021Not only configure encryption, but also data integrity verification using
1022.Nm HMAC/SHA256 .
1023.Bd -literal -offset indent
1024# geli init -a hmac/sha256 -s 4096 /dev/da0
1025Enter new passphrase:
1026Reenter new passphrase:
1027# geli attach /dev/da0
1028Enter passphrase:
1029# dd if=/dev/random of=/dev/da0.eli bs=1m
1030# newfs /dev/da0.eli
1031# mount /dev/da0.eli /mnt/secret
1032.Ed
1033.Pp
1034.Cm geli
1035writes the metadata backup by default to the
1036.Pa /var/backups/<prov>.eli
1037file.
1038If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored.
1039Consider the following situation:
1040.Bd -literal -offset indent
1041# geli init /dev/da0
1042Enter new passphrase:
1043Reenter new passphrase:
1044
1045Metadata backup can be found in /var/backups/da0.eli and
1046can be restored with the following command:
1047
1048	# geli restore /var/backups/da0.eli /dev/da0
1049
1050# geli clear /dev/da0
1051# geli attach /dev/da0
1052geli: Cannot read metadata from /dev/da0: Invalid argument.
1053# geli restore /var/backups/da0.eli /dev/da0
1054# geli attach /dev/da0
1055Enter passphrase:
1056.Ed
1057.Pp
1058If an encrypted filesystem is extended, it is necessary to relocate and
1059update the metadata:
1060.Bd -literal -offset indent
1061# gpart create -s GPT ada0
1062# gpart add -s 1g -t freebsd-ufs -i 1 ada0
1063# geli init -K keyfile -P ada0p1
1064# gpart resize -s 2g -i 1 ada0
1065# geli resize -s 1g ada0p1
1066# geli attach -k keyfile -p ada0p1
1067.Ed
1068.Pp
1069Initialize provider with the passphrase split into two files.
1070The provider can be attached using those two files or by entering
1071.Dq foobar
1072as the passphrase at the
1073.Nm
1074prompt:
1075.Bd -literal -offset indent
1076# echo foo > da0.pass0
1077# echo bar > da0.pass1
1078# geli init -J da0.pass0 -J da0.pass1 da0
1079# geli attach -j da0.pass0 -j da0.pass1 da0
1080# geli detach da0
1081# geli attach da0
1082Enter passphrase: foobar
1083.Ed
1084.Pp
1085Suspend all
1086.Nm
1087devices on a laptop, suspend the laptop, then resume devices one by one after
1088resuming the laptop:
1089.Bd -literal -offset indent
1090# geli suspend -a
1091# zzz
1092<resume your laptop>
1093# geli resume -p -k keyfile gpt/secret
1094# geli resume gpt/private
1095Enter passphrase:
1096.Ed
1097.Pp
1098To create a
1099.Nm
1100encrypted filesystem with a file as storage device follow this example.
1101First a file named private0 is created in
1102.Pa /usr
1103and attached as a memory disk like
1104.Pa /dev/md0
1105for example.
1106.Bd -literal -offset indent
1107# dd if=/dev/zero of=/usr/private0 bs=1m count=256
1108# chmod 0600 /usr/private0
1109# mdconfig -t vnode -f /usr/private0
1110.Ed
1111.Pp
1112It is recommended to place the following line in
1113.Xr rc.conf 5
1114to have the memory disk automatically created during boot.
1115.Bd -literal -offset indent
1116mdconfig_md0="-t vnode -f /usr/private0"
1117.Ed
1118.Pp
1119After
1120.Pa /dev/md0
1121is created a random key has to be generated and stored in a secure location,
1122like
1123.Pa /root
1124for example.
1125This key should be protected by a passphrase, which
1126is requested when geli init is called.
1127.Bd -literal -offset indent
1128# dd if=/dev/random of=/root/private0.key bs=64 count=1
1129# geli init -K /root/private0.key -s 4096 /dev/md0
1130Enter new passphrase:
1131Reenter new passphrase:
1132# geli attach -k /root/private0.key /dev/md0
1133Enter passphrase:
1134# dd if=/dev/random of=/dev/md0.eli bs=1m
1135.Ed
1136.Pp
1137Once the initialization of the
1138.Pa /dev/md0.eli
1139device is ready create a UFS filesystem and mount it for example in
1140.Pa /private .
1141.Bd -literal -offset indent
1142# newfs /dev/md0.eli
1143# mount /dev/md0.eli /private
1144.Ed
1145.Pp
1146After a system reboot the
1147.Nm
1148device can be mounted again with the following commands.
1149The call of geli attach will ask for the passphrase.
1150It is recommended to do this procedure after the boot, because otherwise
1151the boot process would be waiting for the passphrase input.
1152.Bd -literal -offset indent
1153# geli attach -k /root/private0.key /dev/md0
1154Enter passphrase:
1155# mount /dev/md0.eli /private
1156.Ed
1157.Sh ENCRYPTION MODES
1158.Nm
1159supports two encryption modes:
1160.Nm XTS ,
1161which was standardized as
1162.Nm IEEE P1619
1163and
1164.Nm CBC
1165with unpredictable IV.
1166The
1167.Nm CBC
1168mode used by
1169.Nm
1170is very similar to the mode
1171.Nm ESSIV .
1172.Sh DATA AUTHENTICATION
1173.Nm
1174can verify data integrity when an authentication algorithm is specified.
1175When data corruption/modification is detected,
1176.Nm
1177will not return any data, but instead will return an error
1178.Pq Er EINVAL .
1179The offset and size of the corrupted data will be printed on the console.
1180It is important to know against which attacks
1181.Nm
1182provides protection for your data.
1183If data is modified in-place or copied from one place on the disk
1184to another even without modification,
1185.Nm
1186should be able to detect such a change.
1187If an attacker can remember the encrypted data, he can overwrite any future
1188changes with the data he owns without it being noticed.
1189In other words
1190.Nm
1191will not protect your data against replay attacks.
1192.Pp
1193It is recommended to write to the whole provider before first use,
1194in order to make sure that all sectors and their corresponding
1195checksums are properly initialized into a consistent state.
1196One can safely ignore data authentication errors that occur immediately
1197after the first time a provider is attached and before it is
1198initialized in this way.
1199.Sh SEE ALSO
1200.Xr crypto 4 ,
1201.Xr gbde 4 ,
1202.Xr geom 4 ,
1203.Xr loader.conf 5 ,
1204.Xr gbde 8 ,
1205.Xr geom 8 ,
1206.Xr crypto 9
1207.Sh HISTORY
1208The
1209.Nm
1210utility appeared in
1211.Fx 6.0 .
1212Support for the
1213.Nm Camellia
1214block cipher was implemented by Yoshisato Yanagisawa in
1215.Fx 7.0 .
1216.Pp
1217Highest
1218.Nm GELI
1219metadata version supported by the given
1220.Fx
1221version:
1222.Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
1223.It Sy FreeBSD Ta Sy GELI
1224.It Sy version Ta Sy version
1225.Pp
1226.It Li 6.0 Ta 0
1227.It Li 6.1 Ta 0
1228.It Li 6.2 Ta 3
1229.It Li 6.3 Ta 3
1230.It Li 6.4 Ta 3
1231.Pp
1232.It Li 7.0 Ta 3
1233.It Li 7.1 Ta 3
1234.It Li 7.2 Ta 3
1235.It Li 7.3 Ta 3
1236.It Li 7.4 Ta 3
1237.Pp
1238.It Li 8.0 Ta 3
1239.It Li 8.1 Ta 3
1240.It Li 8.2 Ta 5
1241.Pp
1242.It Li 9.0 Ta 6
1243.Pp
1244.It Li 10.0 Ta 7
1245.El
1246.Sh AUTHORS
1247.An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org
1248