Attachment #122462 for bug #165668

View | Details | Raw Unified | Return to bug 165668
Collapse All | Expand All




.Os
.Sh NAME
.Nm geli
.Nd "control utility for the cryptographic GEOM class"
.Sh SYNOPSIS
To compile GEOM_ELI into your kernel, add the following lines to your kernel
configuration file:
.Bd -ragged -offset indent
.Cd "device crypto"
.Cd "options GEOM_ELI"
.Ed
.Pp
Alternatively, to load the GEOM_ELI module at boot time, add the following line
to your
.Xr loader.conf 5 :
.Bd -literal -offset indent
geom_eli_load="YES"

Can create a key from a couple of components (user entered passphrase, random
bits from a file, etc.).
.It
Allows encryption of the root partition - the user will be asked for the
passphrase before the root file system is mounted.
.It
The passphrase of the user is strengthened with:

.%N 2898
.Re
.It
Allows the use of two independent keys (e.g.
.Qq "user key"
and
.Qq "company key" ) .

.Nm
performs simple sector-to-sector encryption.
.It
Allows the backup and restoration of Master Keys, so when a user has to quickly
destroy his keys, it is possible to get the data back by restoring keys from
backup.
.It
Providers can be configured to automatically detach on last close
(so users do not have to remember to detach providers after unmounting
the file systems).
.It
Allows attaching a provider with a random, one-time key - useful for swap
partitions and temporary file systems.
.It
Allows verification of data integrity (data authentication).
.It
Allows suspending and resuming encrypted devices.
.El
.Pp
The first argument to

indicates an action to be performed:
.Bl -tag -width ".Cm configure"
.It Cm init
Initialize the provider which needs to be encrypted.
Here you can set up the cryptographic algorithm to use, key length, etc.
The last sector of the provider is used to store metadata.
The
.Cm init
subcommand also automatically writes metadata backup to
.Pa /var/backups/<prov>.eli
file.
The metadata can be recovered with the

.Bl -tag -width ".Fl J Ar newpassfile"
.It Fl a Ar aalgo
Enable data integrity verification (authentication) using the given algorithm.
This will reduce the size of available storage and also reduce speed.
For example, when using 4096 bytes sector and
.Nm HMAC/SHA256
algorithm, 89% of the original provider storage will be available for use.

Do not use passphrase as the key component.
.It Fl s Ar sectorsize
Change decrypted provider's sector size.
Increasing sector size allows increased performance, because we need to
generate an IV and do encrypt/decrypt for every single sector - fewer numbers
of sectors means less work to do.
.It Fl V Ar version
Metadata version to use.

.Bl -tag -width ".Fl j Ar passfile"
.It Fl d
If specified, a decrypted provider will be detached automatically on last close.
This can help with scarce memory - user does not have to remember to detach the
provider after unmounting the file system.
It only works when the provider was opened for writing, so it will not work if
the file system on the provider is mounted read-only.

.It Fl l
Mark provider to detach on last close.
If this option is specified, the provider will not be detached
while it is open, but will be automatically detached when it is closed for the
last time even if it was only opened for reading.
if it was only opened for reading).
.El
.It Cm onetime
Attach the given providers with random, one-time keys.

subcommand.
.It Fl d
Detach on last close.
Note: this option is not usable for temporary file systems as the provider will
be detached after creating the file system on it.
It still can (and should be) used for swap partitions.
For more information, see the description of the

.Cm init
subcommand, only key number 0 is initialized.
The key can always be changed: for an attached provider,
for a detached provider, or on the backup file.
When a provider is attached, the user does not have to provide
an old passphrase/keyfile.
.Pp

.It Fl i Ar iterations
Number of iterations to use with PKCS#5v2.
If 0 is given, PKCS#5v2 will not be used.
To be able to use this option with the
.Cm setkey
subcommand, only one key has to be defined and this key must be changed.
.It Fl j Ar passfile
Specifies a file which contains the old passphrase or its part.
.It Fl J Ar newpassfile

.It Cm delkey
Destroy (overwrite with random data) the selected key.
If one is destroying keys for an attached provider, the provider
will not be detached even if all keys are destroyed.
It can even be rescued with the
.Cm setkey
subcommand.
.Pp

has to be given.
.El
.It Cm kill
This command should be used only in emergency situations.
It will destroy all the keys on a given provider and will detach it forcibly
(if it is attached).
This is absolutely a one-way command - if you do not have a metadata
backup, your data is gone for good.

.Cm restore .
.El
.It Cm suspend
Suspend device by waiting for all inflight requests to finish, clearing all
sensitive information (like keys) from the kernel memory, and blocking all
further I/O requests until the
.Cm resume
subcommand is executed.
This functionality is useful for laptops: when one wants to suspend a
laptop, one does not want to leave an encrypted device attached.
Instead of closing all files and directories opened from a file system located
on an encrypted device, unmounting the file system, and detaching the device,
the
.Cm suspend
subcommand can be used.
Any access to the encrypted device will be blocked until the keys are
recovered through the
.Cm resume
subcommand.
Thus there is no need to close nor unmount anything.
The
.Cm suspend
subcommand does not work with devices created with the
.Cm onetime
subcommand.
Please note that sensitive data might still be present in memory after
suspending an encrypted device due to the file system cache, etc.
.Pp
Additional options include:
.Bl -tag -width ".Fl a"

.El
.It Cm resume
Resume previously suspended device.
The caller must ensure that executing this subcommand doesn't access the
suspended device, leading to a deadlock.
For example suspending a device, which contains the file system where the
.Nm
utility is stored is bad idea.
.Pp

maximum amount of debug information is printed.
.It Va kern.geom.eli.tries : No 3
Number of times a user is asked for the passphrase.
This is only used for providers which are attached on boot
(before the root file system is mounted).
If set to 0, attaching providers on boot will be disabled.
This variable should be set in

.It Va kern.geom.eli.visible_passphrase : No 0
If set to 1, the passphrase entered on boot (before the root
file system is mounted) will be visible.
This alternative should be used with caution as the entered
passphrase can be logged and exposed via
.Xr dmesg 8 .
This variable should be set in

cryptography.
Its purpose is to increase performance on SMP systems.
If hardware acceleration is available, only one thread will be started.
If set to 0, a CPU-bound thread will be started for every active CPU.
.It Va kern.geom.eli.batch : No 0
When set to 1, can speed-up crypto operations by using batching.
Batching reduces the number of interrupts by responding to a group of
crypto requests with one interrupt.
The crypto card and the driver has to support this feature.
.It Va kern.geom.eli.key_cache_limit : No 8192
Specifies how many encryption keys to cache.
The default limit
.No ( 8192
keys) will allow caching of all keys for a 4TB provider with 512 byte
sectors and will take around 1MB of memory.
.It Va kern.geom.eli.key_cache_hits
Reports how many times we were looking up a key and it was already in cache.
This sysctl is not updated for providers that need less keys than the limit

.Va kern.geom.eli.key_cache_limit .
.It Va kern.geom.eli.key_cache_misses
Reports how many times we were looking up a key and it was not in cache.
This sysctl is not updated for providers that need fewer keys than the limit
specified in
.Va kern.geom.eli.key_cache_limit .
.El

Initialize a provider which is going to be encrypted with a
passphrase and random data from a file on the user's pen drive.
Use 4kB sector size.
Attach the provider, create a file system, and mount it.
Do the work.
Unmount the provider and detach it:
.Bd -literal -offset indent

.Ed
.Pp
Create an encrypted provider, but use two keys:
one for your employee and one for you as the company's security officer
(so it's not a tragedy if the employee
.Qq accidentally
forgets his passphrase):
.Bd -literal -offset indent
# geli init /dev/da2
Enter new passphrase:	(enter security officer's passphrase)
Reenter new passphrase:
# geli setkey -n 1 /dev/da2
Enter passphrase:	(enter security officer's passphrase)
Enter new passphrase:	(let your employee enter his passphrase ...)
Reenter new passphrase:	(... twice)
.Ed
.Pp
You are the security officer in your company.
Create an encrypted provider for use by the user, but remember that users
forget their passphrases, so backup the Master Key with your own random key:
.Bd -literal -offset indent
# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ad0s1e
# geli backup /dev/ad0s1e /mnt/pendrive/backups/`hostname`
(use key number 0, so the encrypted Master Key will be overwritten by this)
# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ad0s1e
(allow the user to enter his passphrase)
Enter new passphrase:

# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
.Ed
.Pp
The providers are initialized, now we have to add these lines to
.Pa /boot/loader.conf :
.Bd -literal -offset indent
geli_da0_keyfile0_load="YES"

.Ed
.Pp
.Cm geli
writes the metadata backup by default to the
.Pa /var/backups/<prov>.eli
file.
If the metadata is lost in any way (eg. by accidental overwrite), it can be restored.
Consider the following situation:
.Bd -literal -offset indent
# geli init /dev/da0

# geli attach -k keyfile -p ada0p1
.Ed
.Pp
Initialize provider with the passphrase split into two files.
The provider can be attached using those two files or by entering
.Dq foobar
as the passphrase at the
.Nm
prompt:
.Bd -literal -offset indent

.Pp
Suspend all
.Nm
devices on a laptop, suspend the laptop, then resume devices one by one after
resuming the laptop:
.Bd -literal -offset indent
# geli suspend -a
# zzz

.Nm
should be able to detect such a change.
If an attacker can remember the encrypted data, he can overwrite any future
changes with the data he owns without it being noticed.
In other words
.Nm
will not protect your data against replay attacks.
.Pp
It is recommended to write to the whole provider before first use,
in order to make sure that all sectors and their corresponding
checksums are properly initialized into a consistent state.
.Sh SEE ALSO

Return to bug 165668