From owner-svn-doc-all@FreeBSD.ORG Tue Apr 29 16:58:42 2014
Delivered-To: svn-doc-all@freebsd.org
Message-Id: <201404291658.s3TGwg6o034843@svn.freebsd.org>
From: Dru Lavigne
Date: Tue, 29 Apr 2014 16:58:42 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44697 - head/en_US.ISO8859-1/books/handbook/disks
X-SVN-Group: doc-head
List-Id: "SVN commit messages for the entire doc trees (except for user, projects, and translations)"

Author: dru
Date: Tue Apr 29 16:58:41 2014
New Revision: 44697
URL: http://svnweb.freebsd.org/changeset/doc/44697

Log:
  White space fix only. Translators can ignore.

  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/disks/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml	Tue Apr 29 16:06:44 2014	(r44696)
+++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml	Tue Apr 29 16:58:41 2014	(r44697)
@@ -2413,19 +2413,20 @@ Quotas for user test: analyze the data. Regardless of how an attacker may have come into possession - of a hard drive or powered-down computer, the GEOM-based - cryptographic subsystems built into &os; are - able to protect the data on the computer's file systems against - even highly-motivated attackers with significant resources. - Unlike encryption methods that encrypt individual files, the built-in - gbde and geli utilities can be used to - transparently encrypt entire file systems. No cleartext ever - touches the hard drive's platter. - - This chapter demonstrates how to create an encrypted file - system on &os;. It first demonstrates the process using - gbde and then demonstrates the same example - using geli. + of a hard drive or powered-down computer, the + GEOM-based cryptographic subsystems built + into &os; are able to protect the data on the computer's file + systems against even highly-motivated attackers with significant + resources. Unlike encryption methods that encrypt individual + files, the built-in gbde and + geli utilities can be used to transparently + encrypt entire file systems. No cleartext ever touches the hard + drive's platter. + + This chapter demonstrates how to create an encrypted file + system on &os;. It first demonstrates the process using + gbde and then demonstrates the same example + using geli. Disk Encryption with 
@@ -2622,10 +2623,10 @@ gbde_devices="<replaceable>ad4s1c</repla gbde_lockdir="/etc/gbde"</programlisting> <para>This requires that the passphrase be entered at the - console at boot time. After typing the correct passphrase, the - encrypted partition will be mounted automatically. Additional - <application>gbde</application> boot options are available and - listed in &man.rc.conf.5;.</para> + console at boot time. After typing the correct passphrase, + the encrypted partition will be mounted automatically. + Additional <application>gbde</application> boot options are + available and listed in &man.rc.conf.5;.</para> <!-- What about bsdinstall? @@ -2658,21 +2659,23 @@ What about bsdinstall? </authorgroup> </info> - <para>An alternative cryptographic <acronym>GEOM</acronym> class is available - using <command>geli</command>. This control utility adds - some features and uses - a different scheme for doing cryptographic work. It provides - the following features:</para> + <para>An alternative cryptographic <acronym>GEOM</acronym> class + is available using <command>geli</command>. This control + utility adds some features and uses a different scheme for + doing cryptographic work. It provides the following + features:</para> <itemizedlist> <listitem> - <para>Utilizes the &man.crypto.9; framework and automatically uses - cryptographic hardware when it is available.</para> + <para>Utilizes the &man.crypto.9; framework and + automatically uses cryptographic hardware when it is + available.</para> </listitem> <listitem> <para>Supports multiple cryptographic algorithms such as - <acronym>AES</acronym>, Blowfish, and <acronym>3DES</acronym>.</para> + <acronym>AES</acronym>, Blowfish, and + <acronym>3DES</acronym>.</para> </listitem> <listitem> 
@@ -2686,14 +2689,14 @@ What about bsdinstall? </listitem> <listitem> - <para>It is fast as it performs simple - sector-to-sector encryption.</para> + <para>It is fast as it performs simple sector-to-sector + encryption.</para> </listitem> <listitem> <para>Allows backup and restore of master keys. If a user - destroys their keys, it is still possible to get access - to the data by restoring keys from the backup.</para> + destroys their keys, it is still possible to get access to + the data by restoring keys from the backup.</para> </listitem> <listitem> @@ -2706,17 +2709,15 @@ What about bsdinstall? <para>More features and usage examples can be found in &man.geli.8;.</para> - <para>The following example describes how to generate a - key file which will be used as part of the master key for - the encrypted provider mounted under - <filename>/private</filename>. The key - file will provide some random data used to encrypt the - master key. The master key will also be protected by a - passphrase. The provider's sector size will be 4kB. - The example describes how to attach to the - <command>geli</command> provider, create a file system on - it, mount it, work with it, and finally, how to detach - it.</para> + <para>The following example describes how to generate a key file + which will be used as part of the master key for the encrypted + provider mounted under <filename>/private</filename>. The key + file will provide some random data used to encrypt the master + key. The master key will also be protected by a passphrase. + The provider's sector size will be 4kB. The example describes + how to attach to the <command>geli</command> provider, create + a file system on it, mount it, work with it, and finally, how + to detach it.</para> <procedure> <title>Encrypting a Partition with 
@@ -2748,12 +2749,11 @@ device crypto</programlisting> <title>Generate the Master Key The following commands generate a master key - (/root/da2.key) that is protected with a passphrase. - The data source for the key file is + (/root/da2.key) that is protected + with a passphrase. The data source for the key file is /dev/random and the sector size of - the provider (/dev/da2.eli) is - 4kB as a bigger sector size provides - better performance: + the provider (/dev/da2.eli) is 4kB as + a bigger sector size provides better performance: &prompt.root; dd if=/dev/random of=/root/da2.key bs=64 count=1 &prompt.root; geli init -s 4096 -K /root/da2.key /dev/da2 @@ -2765,8 +2765,8 @@ Reenter new passphrase: used in isolation. If the key file is given as -, standard - input will be used. For example, this command generates three - key files: + input will be used. For example, this command generates + three key files: &prompt.root; cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2 
@@ -2812,41 +2812,37 @@ Filesystem Size Used Avail Capaci - Once the work on the encrypted partition is done, and - the /private - partition is no longer needed, it is prudent to put the - device into cold storage by - unmounting and detaching the geli - encrypted partition from the kernel: + Once the work on the encrypted partition is done, and the + /private partition is no longer needed, + it is prudent to put the device into cold storage by + unmounting and detaching the geli encrypted + partition from the kernel: - &prompt.root; umount /private + &prompt.root; umount /private &prompt.root; geli detach da2.eli - An - rc.d script is provided to - simplify the mounting of geli-encrypted - devices at boot time. For this example, add these lines to - /etc/rc.conf: + An rc.d script is provided to + simplify the mounting of geli-encrypted + devices at boot time. For this example, add these lines to + /etc/rc.conf: - geli_devices="da2" + geli_devices="da2" geli_da2_flags="-p -k /root/da2.key" - This configures /dev/da2 as a - geli provider with a master key - of /root/da2.key. - The system will automatically detach - the provider from the kernel before - the system shuts down. During the startup process, the script will prompt for the - passphrase before attaching the - provider. Other kernel messages might be shown before and - after the password prompt. If the boot process seems to - stall, look carefully for the password prompt among the - other messages. Once the correct passphrase is entered, the provider is - attached. The file system is then mounted, - typically by an entry in - /etc/fstab. Refer to for instructions on how to - configure a file system to mount at boot time. + This configures /dev/da2 as a + geli provider with a master key of + /root/da2.key. The system will + automatically detach the provider from the kernel before the + system shuts down. During the startup process, the script + will prompt for the passphrase before attaching the provider. 
+ Other kernel messages might be shown before and after the + password prompt. If the boot process seems to stall, look + carefully for the password prompt among the other messages. + Once the correct passphrase is entered, the provider is + attached. The file system is then mounted, typically by an + entry in /etc/fstab. Refer to for instructions on how to + configure a file system to mount at boot time.
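Review bot: missing documentation in the @@ -2748 hunk, for a follow-up rather than this whitespace-only reflow: the procedure creates the key file with `dd if=/dev/random of=/root/da2.key bs=64 count=1` and says nothing about how that file must be protected, although the surrounding text states it is "used as part of the master key" and the rc.conf example later points the boot-time attach at it with `-k /root/da2.key`. One sentence saying the file must be readable only by root (mode 0600, or created under umask 077) and must itself be kept safely, because the provider cannot be attached without it, would close the gap.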
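Review bot: logic problem in the @@ -2812 hunk (pre-existing, not introduced by the reflow, but worth a follow-up commit): the rc.conf example `geli_da2_flags="-p -k /root/da2.key"` contradicts the paragraph right below it, which says "the script will prompt for the passphrase before attaching the provider". Per geli(8), `-p` on attach means "do not use passphrase as the key component", yet the @@ -2748 hunk initialised the provider without `-P` (the `Reenter new passphrase:` context line shows a passphrase was set), so the boot-time attach with `-p` will not prompt and will fail to find the second key component; dropping `-p` makes the example match the prose. Separately, the reindented `&prompt.root; umount /private` and `geli_devices="da2"` lines open verbatim content (the analogous `gbde_lockdir="/etc/gbde"` line in the @@ -2622 hunk is closed by `</programlisting>`), where leading whitespace is rendered literally unlike inside `<para>`; please confirm only the indentation of the opening tag moved and the text after it is unchanged, otherwise the rendered examples gain leading spaces.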