Attachment #125469 for bug #169089

View | Details | Raw Unified | Return to bug 169089 | Differences between
Collapse All | Expand All




.\"
.\" $FreeBSD$
.\"
.Dd June 18, 2012
.Dt GELI 8
.Os
.Sh NAME

or
.Nm HMAC/SHA512 .
.It
Can create a User Key from up to two, piecewise components: a passphrase
entered via prompt or read from one or more passfiles; a keyfile read from
one or more files.
.It
Allows encryption of the root partition.
The user will be asked for the
passphrase before the root file system is mounted.
.It
Strengthens the passphrase component of the User Key with:
.Rs
.%A B. Kaliski
.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."

.%N 2898
.Re
.It
Allows the use of two independent User Keys (e.g., a
.Qq "user key"
and a
.Qq "company key" ) .

.Nm
performs simple sector-to-sector encryption.
.It
Allows the encrypted Master Key to be backed up and restored,
so that if a user has to quickly destroy key material,
it is possible to get the data back by restoring keys from
backup.
.It

(so users do not have to remember to detach providers after unmounting
the file systems).
.It
Allows attaching a provider with a random, one-time Master Key -
useful for swap partitions and temporary file systems.
.It
Allows verification of data integrity (data authentication).
.It

.Bl -tag -width ".Cm configure"
.It Cm init
Initialize the provider which needs to be encrypted.
Here you can set up the cryptographic algorithm to use, Data Key length,
etc.
The last sector of the provider is used to store metadata.
The
.Cm init

The default and recommended algorithm is
.Nm AES-XTS .
.It Fl i Ar iterations
Number of iterations to use with PKCS#5v2 when processing User Key
passphrase component.
If this option is not specified,
.Nm
will find the number of iterations which is equal to 2 seconds of crypto work.
If 0 is given, PKCS#5v2 will not be used.
PKCS#5v2 processing is performed once, after all parts of the passphrase
component have been read.
.It Fl J Ar newpassfile
Specifies a file which contains the passphrase component of the User Key
(or part of it).
If
.Ar newpassfile
is given as -, standard input will be used.
Only the first line (excluding new-line character) is taken from the given file.
This argument can be specified multiple times, which has the effect of
reassembling a single passphrase split across multiple files.
Cannot be combined with the
.Fl P
option.
.It Fl K Ar newkeyfile
Specifies a file which contains the keyfile component of the User Key
(or part of it).
If
.Ar newkeyfile
is given as -, standard input will be used.
This argument can be specified multiple times, which has the effect of
reassembling a single keyfile split across multiple keyfile parts.
.It Fl l Ar keylen
Data Key length to use with the given cryptographic algorithm.
If the length is not specified, the selected algorithm uses its
.Em default
key length.
.Bl -ohang -offset indent
.It Nm AES-XTS
.Em 128 ,
256
.It Nm AES-CBC , Nm Camilla-CBC
.Em 128 ,
192,
256
.It Nm Blowfish-CBC
.Em 128
+ n * 32, for n=[0..10]
.It Nm 3DES-CBC
.Em 192
.El
.It Fl P
Do not use a passphrase as a component of the User Key.
Cannot be combined with the
.Fl J
option.
.It Fl s Ar sectorsize
Change decrypted provider's sector size.
Increasing the sector size allows increased performance,

.El
.It Cm attach
Attach the given provider.
The encrypted Master Key will be loaded from the metadata and decrypted
using the given passphrase/keyfile and a new GEOM provider will be created
using the given provider's name with an
.Qq .eli
suffix.
.Pp

.Cm detach
subcommand.
.It Fl j Ar passfile
Specifies a file which contains the passphrase component of the User Key
(or part of it).
For more information see the description of the
.Fl J
option for the
.Cm init
subcommand.
.It Fl k Ar keyfile
Specifies a file which contains the keyfile component of the User Key
(or part of it).
For more information see the description of the
.Fl K
option for the
.Cm init
subcommand.
.It Fl p
Do not use a passphrase as a component of the User Key.
Cannot be combined with the
.Fl j
option.
.It Fl r
Attach read-only provider.
It will not be opened for writing.
.El
.It Cm detach
Detach the given providers, which means remove the devfs entry
and clear the Master Key and Data Keys from memory.
.Pp
Additional options include:
.Bl -tag -width ".Fl f"

last time even if it was only opened for reading.
.El
.It Cm onetime
Attach the given providers with a random, one-time (ephemeral) Master Key.
The command can be used to encrypt swap partitions or temporary file systems.
.Pp
Additional options include:

.Cm attach
subcommand.
.It Fl l Ar keylen
Data Key length to use with the given cryptographic algorithm.
For more information, see the description of the
.Cm init
subcommand.

Remove the BOOT flag from the given providers.
.El
.It Cm setkey
Install a copy of the Master Key into the selected slot, encrypted with
a new User Key.
If the selected slot is populated, replace the existing copy.
A provider has one Master Key, which can be stored in one or both slots,
each encrypted with an independent User Key.
With the
.Cm init
subcommand, only key number 0 is initialized.
The User Key can be changed at any time: for an attached provider,
for a detached provider, or on the backup file.
When a provider is attached, the user does not have to provide
an existing passphrase/keyfile.
.Pp
Additional options include:
.Bl -tag -width ".Fl J Ar newpassfile"

.Cm setkey
subcommand, only one key has to be defined and this key must be changed.
.It Fl j Ar passfile
Specifies a file which contains the passphrase component of a current User Key
(or part of it).
.It Fl J Ar newpassfile
Specifies a file which contains the passphrase component of the new User Key
(or part of it).
.It Fl k Ar keyfile
Specifies a file which contains the keyfile component of a current User Key
(or part of it).
.It Fl K Ar newkeyfile
Specifies a file which contains the keyfile component of the new User Key
(or part of it).
.It Fl n Ar keyno
Specifies the index number of the Master Key copy to change (could be 0 or 1).
If the provider is attached and no key number is given, the key
used for attaching the provider will be changed.
If the provider is detached (or we are operating on a backup file)
and no key number is given, the first Master Key copy to be successfully
decrypted with the provided User Key passphrase/keyfile will be changed.
.It Fl p
Do not use a passphrase as a component of the current User Key.
Cannot be combined with the
.Fl j
option.
.It Fl P
Do not use a passphrase as a component of the new User Key.
Cannot be combined with the
.Fl J
option.
.El
.It Cm delkey
Destroy (overwrite with random data) the selected Master Key copy.
If one is destroying keys for an attached provider, the provider
will not be detached even if all copies of the Master Key are destroyed.
It can even be rescued with the
.Cm setkey
subcommand because the Master Key is still in memory.
.Pp
Additional options include:
.Bl -tag -width ".Fl a Ar keyno"
.It Fl a
Destroy all copies of the Master Key (does not need
.Fl f
option).
.It Fl f
Force key destruction.
This option is needed to destroy the last copy of the Master Key.
.It Fl n Ar keyno
Specifies the index number of the Master Key copy.
If the provider is attached and no key number is given, the key
used for attaching the provider will be destroyed.
If provider is detached (or we are operating on a backup file) the key number

.El
.It Cm kill
This command should be used only in emergency situations.
It will destroy all copies of the Master Key on a given provider and will
detach it forcibly (if it is attached).
This is absolutely a one-way command - if you do not have a metadata
backup, your data is gone for good.
In case the provider was attached with the

.El
.It Cm suspend
Suspend device by waiting for all inflight requests to finish, clearing all
sensitive information (like the Master Key and Data Keys) from kernel memory,
and blocking all further I/O requests until the
.Cm resume
subcommand is executed.
This functionality is useful for laptops: when one wants to suspend a

the
.Cm suspend
subcommand can be used.
Any access to the encrypted device will be blocked until the Master Key is
reloaded through the
.Cm resume
subcommand.
Thus there is no need to close nor unmount anything.

Additional options include:
.Bl -tag -width ".Fl j Ar passfile"
.It Fl j Ar passfile
Specifies a file which contains the passphrase component of the User Key
(or part of it).
For more information see the description of the
.Fl J
option for the
.Cm init
subcommand.
.It Fl k Ar keyfile
Specifies a file which contains the keyfile component of the User Key
(or part of it).
For more information see the description of the
.Fl K
option for the
.Cm init
subcommand.
.It Fl p
Do not use a passphrase as a component of the User Key.
Cannot be combined with the
.Fl j
option.
.El
.It Cm resize
Inform

subcommand will print metadata version used by each of them.
.It Cm clear
Clear metadata from the given providers.
.Em WARNING :
This will erase with zeros the encrypted Master Key copies stored in the
metadata.
.It Cm dump
Dump metadata stored on the given providers.
.It Cm list

.It Fl v
Be more verbose.
.El
.Sh KEY SUMMARY
.Ss Master Key
Upon
.Cm init ,
the
.Nm
utility generates a random Master Key for the provider.
The Master Key never changes during the lifetime of the provider.
Each copy of the provider metadata, active or backed up to a file, can store
up to two, independently-encrypted copies of the Master Key.
.Ss User Key
Each stored copy of the Master Key is encrypted with a User Key, which
is generated by the
.Nm
utility from a passphrase and/or a keyfile.
The
.Nm
utility first reads all parts of the keyfile in the order specified on the
command line, then reads all parts of the stored passphrase in the order
specified on the command line.
If no passphrase parts are specified, the system prompts the user to enter
the passphrase.
The passphrase is optionally strengthened by PKCS#5v2.
The User Key is a digest computed over the concatenated keyfile and passphrase.
.Ss Data Key
During operation, one or more Data Keys are deterministically derived by
the kernel from the Master Key and cached in memory.
The number of Data Keys used by a given provider, and the way they are
derived, depend on the GELI version and whether the provider is configured to
use data authentication.
.Sh SYSCTL VARIABLES
The following
.Xr sysctl 8

This variable should be set in
.Pa /boot/loader.conf .
.It Va kern.geom.eli.overwrites : No 5
Specifies how many times the Master Key will be overwritten
with random values when it is destroyed.
After this operation it is filled with zeros.
.It Va kern.geom.eli.visible_passphrase : No 0

crypto requests with one interrupt.
The crypto card and the driver has to support this feature.
.It Va kern.geom.eli.key_cache_limit : No 8192
Specifies how many Data Keys to cache.
The default limit
(8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
sectors and will take around 1MB of memory.
.It Va kern.geom.eli.key_cache_hits
Reports how many times we were looking up a Data Key and it was already in
cache.
This sysctl is not updated for providers that need fewer Data Keys than
the limit specified in
.Va kern.geom.eli.key_cache_limit .
.It Va kern.geom.eli.key_cache_misses
Reports how many times we were looking up a Data Key and it was not in cache.
This sysctl is not updated for providers that need fewer Data Keys than the limit
specified in
.Va kern.geom.eli.key_cache_limit .
.El

# geli detach da2.eli
.Ed
.Pp
Create an encrypted provider, but use two User Keys:
one for your employee and one for you as the company's security officer
(so it's not a tragedy if the employee
.Qq accidentally

# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ad0s1e
# geli backup /dev/ad0s1e /mnt/pendrive/backups/`hostname`
(use key number 0, so the encrypted Master Key will be re-encrypted by this)
# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ad0s1e
(allow the user to enter his passphrase)
Enter new passphrase:

.Pp
The example below shows how to configure two providers which will be attached
on boot (before the root file system is mounted).
One of them is using passphrase and three keyfile parts and the other is
using only a keyfile in one part:
.Bd -literal -offset indent
# dd if=/dev/random of=/dev/da0 bs=1m
# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1

Return to bug 169089