Date: Wed, 9 Apr 2014 14:28:58 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44503 - head/en_US.ISO8859-1/books/handbook/disks Message-ID: <201404091428.s39ESwJv071920@svn.freebsd.org>
Author: dru Date: Wed Apr 9 14:28:58 2014 New Revision: 44503 URL: http://svnweb.freebsd.org/changeset/doc/44503 Log: Editorial review of Encrypted Swap chapter. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Wed Apr 9 14:06:19 2014 (r44502) +++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Wed Apr 9 14:28:58 2014 (r44503) @@ -3192,7 +3192,7 @@ geli_da2_flags="-p -k /root/da2.key"</pr <sect1 xml:id="swap-encrypting"> <info> - <title>Encrypting Swap Space</title> + <title>Encrypting Swap</title> <authorgroup> <author> 
@@ -3213,23 +3213,21 @@ geli_da2_flags="-p -k /root/da2.key"</pr <para>Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these - passwords stay in physical memory, these passwords will not be - written to disk and be cleared after a reboot. If &os; starts - swapping out memory pages to free space for other applications, - the passwords may be written to the disk platters unencrypted. + passwords stay in physical memory, they are not + written to disk and will be cleared after a reboot. However, if &os; starts + swapping out memory pages to free space, + the passwords may be written to the disk unencrypted. Encrypting swap space can be a solution for this scenario.</para> - <para>The &man.gbde.8; or &man.geli.8; encryption systems may be - used for swap encryption. Both systems use the - <filename>encswap</filename> - <link linkend="configtuning-rcd">rc.d</link> script.</para> - - <note> - <para>For the remainder of this section, - <filename>ad0s1b</filename> will be the swap + <para>This section demonstrates how to configure an encrypted + swap partition using &man.gbde.8; or &man.geli.8; encryption. + It assumes a <acronym>UFS</acronym> file system where + <filename>/dev/ad0s1b</filename> is the swap partition.</para> - </note> + + <sect2> + <title>Configuring Encrypted Swap</title> <para>Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To 
@@ -3238,42 +3236,32 @@ geli_da2_flags="-p -k /root/da2.key"</pr <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen> - <sect2> - <title>Swap Encryption with &man.gbde.8;</title> - - <para>The <literal>.bde</literal> suffix should be added to the - device in the respective <filename>/etc/fstab</filename> swap - line:</para> + <para>To encrypt the swap partition using &man.gbde.8;, add the + <literal>.bde</literal> suffix to the swap line in + <filename>/etc/fstab</filename>:</para> <programlisting># Device Mountpoint FStype Options Dump Pass# /dev/ad0s1b.bde none swap sw 0 0</programlisting> - </sect2> - - <sect2> - <title>Swap Encryption with &man.geli.8;</title> - <para>The procedure for instead using &man.geli.8; for swap - encryption is similar to that of using &man.gbde.8;. The - <literal>.eli</literal> suffix should be added to the device - in the respective <filename>/etc/fstab</filename> swap - line:</para> + <para>To instead encrypt the swap partition using &man.geli.8;, + use the + <literal>.eli</literal> suffix:</para> <programlisting># Device Mountpoint FStype Options Dump Pass# /dev/ad0s1b.eli none swap sw 0 0</programlisting> - <para>&man.geli.8; uses the <acronym>AES</acronym> algorithm - with a key length of 128 bit by default. These defaults can + <para>By default, &man.geli.8; uses the <acronym>AES</acronym> algorithm + with a key length of 128 bit. These defaults can be altered by using <literal>geli_swap_flags</literal> in - <filename>/etc/rc.conf</filename>. The following line tells - the <filename>encswap</filename> rc.d script to create - &man.geli.8; swap partitions using the Blowfish algorithm with + <filename>/etc/rc.conf</filename>. 
The following flags configure + encryption using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes, and sets <quote>detach on last close</quote>:</para> <programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting> <para>Refer to the description of - <command>onetime</command> in &man.geli.8; for a list of + <literal>onetime</literal> in &man.geli.8; for a list of possible options.</para> </sect2>
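Review bot: in the @@ -3213,23 +3213,21 @@ hunk, the new sentence "It assumes a UFS file system where /dev/ad0s1b is the swap partition" mixes two things: swap is a raw partition, not a file system, so what the section really assumes is a slice/bsdlabel layout in which the b partition of the first slice is swap. Suggest "It assumes a traditional slice layout where /dev/ad0s1b is the swap partition." The same hunk ends with "should be cleared of any sensitive data before continuing" and then goes straight to the dd(1) overwrite, without saying the partition must not be in use as swap while it is overwritten; add "after deactivating it with swapoff(8)" so a reader does not run dd against live swap.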
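Review bot: in the @@ -3238,42 +3236,32 @@ hunk the rewritten sentence has a number-agreement slip: "The following flags configure encryption using the Blowfish algorithm ... and sets <quote>detach on last close</quote>" should read "and set"; in prose "sectorsize" should be "sector size" (the option itself is -s). This hunk also drops "tells the encswap rc.d script to create geli swap partitions", and the earlier hunk already removed "Both systems use the encswap rc.d script", so the section no longer tells the reader what attaches the .bde or .eli device at boot. Suggest keeping one sentence before the fstab examples, for instance: "At boot, the encswap rc.d script attaches any swap device listed in /etc/fstab with a .bde or .eli suffix, and geli_swap_flags in /etc/rc.conf is passed to that script."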