Date: Tue, 29 Apr 2014 16:58:42 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44697 - head/en_US.ISO8859-1/books/handbook/disks Message-ID: <201404291658.s3TGwg6o034843@svn.freebsd.org>
Author: dru Date: Tue Apr 29 16:58:41 2014 New Revision: 44697 URL: http://svnweb.freebsd.org/changeset/doc/44697 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Tue Apr 29 16:06:44 2014 (r44696) +++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Tue Apr 29 16:58:41 2014 (r44697) 
@@ -2413,19 +2413,20 @@ Quotas for user test: analyze the data.</para> <para>Regardless of how an attacker may have come into possession - of a hard drive or powered-down computer, the <acronym>GEOM</acronym>-based - cryptographic subsystems built into &os; are - able to protect the data on the computer's file systems against - even highly-motivated attackers with significant resources. - Unlike encryption methods that encrypt individual files, the built-in - <command>gbde</command> and <command>geli</command> utilities can be used to - transparently encrypt entire file systems. No cleartext ever - touches the hard drive's platter.</para> - - <para>This chapter demonstrates how to create an encrypted file - system on &os;. It first demonstrates the process using - <command>gbde</command> and then demonstrates the same example - using <command>geli</command>.</para> + of a hard drive or powered-down computer, the + <acronym>GEOM</acronym>-based cryptographic subsystems built + into &os; are able to protect the data on the computer's file + systems against even highly-motivated attackers with significant + resources. Unlike encryption methods that encrypt individual + files, the built-in <command>gbde</command> and + <command>geli</command> utilities can be used to transparently + encrypt entire file systems. No cleartext ever touches the hard + drive's platter.</para> + + <para>This chapter demonstrates how to create an encrypted file + system on &os;. It first demonstrates the process using + <command>gbde</command> and then demonstrates the same example + using <command>geli</command>.</para> <sect2> <title>Disk Encryption with 
@@ -2622,10 +2623,10 @@ gbde_devices="<replaceable>ad4s1c</repla gbde_lockdir="/etc/gbde"</programlisting> <para>This requires that the passphrase be entered at the - console at boot time. After typing the correct passphrase, the - encrypted partition will be mounted automatically. Additional - <application>gbde</application> boot options are available and - listed in &man.rc.conf.5;.</para> + console at boot time. After typing the correct passphrase, + the encrypted partition will be mounted automatically. + Additional <application>gbde</application> boot options are + available and listed in &man.rc.conf.5;.</para> <!-- What about bsdinstall? @@ -2658,21 +2659,23 @@ What about bsdinstall? </authorgroup> </info> - <para>An alternative cryptographic <acronym>GEOM</acronym> class is available - using <command>geli</command>. This control utility adds - some features and uses - a different scheme for doing cryptographic work. It provides - the following features:</para> + <para>An alternative cryptographic <acronym>GEOM</acronym> class + is available using <command>geli</command>. This control + utility adds some features and uses a different scheme for + doing cryptographic work. It provides the following + features:</para> <itemizedlist> <listitem> - <para>Utilizes the &man.crypto.9; framework and automatically uses - cryptographic hardware when it is available.</para> + <para>Utilizes the &man.crypto.9; framework and + automatically uses cryptographic hardware when it is + available.</para> </listitem> <listitem> <para>Supports multiple cryptographic algorithms such as - <acronym>AES</acronym>, Blowfish, and <acronym>3DES</acronym>.</para> + <acronym>AES</acronym>, Blowfish, and + <acronym>3DES</acronym>.</para> </listitem> <listitem> 
@@ -2686,14 +2689,14 @@ What about bsdinstall? </listitem> <listitem> - <para>It is fast as it performs simple - sector-to-sector encryption.</para> + <para>It is fast as it performs simple sector-to-sector + encryption.</para> </listitem> <listitem> <para>Allows backup and restore of master keys. If a user - destroys their keys, it is still possible to get access - to the data by restoring keys from the backup.</para> + destroys their keys, it is still possible to get access to + the data by restoring keys from the backup.</para> </listitem> <listitem> @@ -2706,17 +2709,15 @@ What about bsdinstall? <para>More features and usage examples can be found in &man.geli.8;.</para> - <para>The following example describes how to generate a - key file which will be used as part of the master key for - the encrypted provider mounted under - <filename>/private</filename>. The key - file will provide some random data used to encrypt the - master key. The master key will also be protected by a - passphrase. The provider's sector size will be 4kB. - The example describes how to attach to the - <command>geli</command> provider, create a file system on - it, mount it, work with it, and finally, how to detach - it.</para> + <para>The following example describes how to generate a key file + which will be used as part of the master key for the encrypted + provider mounted under <filename>/private</filename>. The key + file will provide some random data used to encrypt the master + key. The master key will also be protected by a passphrase. + The provider's sector size will be 4kB. The example describes + how to attach to the <command>geli</command> provider, create + a file system on it, mount it, work with it, and finally, how + to detach it.</para> <procedure> <title>Encrypting a Partition with 
@@ -2748,12 +2749,11 @@ device crypto</programlisting> <title>Generate the Master Key</title> <para>The following commands generate a master key - (<filename>/root/da2.key</filename>) that is protected with a passphrase. - The data source for the key file is + (<filename>/root/da2.key</filename>) that is protected + with a passphrase. The data source for the key file is <filename>/dev/random</filename> and the sector size of - the provider (<filename>/dev/da2.eli</filename>) is - 4kB as a bigger sector size provides - better performance:</para> + the provider (<filename>/dev/da2.eli</filename>) is 4kB as + a bigger sector size provides better performance:</para> <screen>&prompt.root; <userinput>dd if=/dev/random of=/root/da2.key bs=64 count=1</userinput> &prompt.root; <userinput>geli init -s 4096 -K /root/da2.key /dev/da2</userinput> @@ -2765,8 +2765,8 @@ Reenter new passphrase:</screen> used in isolation.</para> <para>If the key file is given as <quote>-</quote>, standard - input will be used. For example, this command generates three - key files:</para> + input will be used. For example, this command generates + three key files:</para> <screen>&prompt.root; <userinput>cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2</userinput></screen> </step> 
@@ -2812,41 +2812,37 @@ Filesystem Size Used Avail Capaci </step> </procedure> - <para>Once the work on the encrypted partition is done, and - the <filename>/private</filename> - partition is no longer needed, it is prudent to put the - device into cold storage by - unmounting and detaching the <command>geli</command> - encrypted partition from the kernel:</para> + <para>Once the work on the encrypted partition is done, and the + <filename>/private</filename> partition is no longer needed, + it is prudent to put the device into cold storage by + unmounting and detaching the <command>geli</command> encrypted + partition from the kernel:</para> - <screen>&prompt.root; <userinput>umount /private</userinput> + <screen>&prompt.root; <userinput>umount /private</userinput> &prompt.root; <userinput>geli detach da2.eli</userinput></screen> - <para>An - <filename>rc.d</filename> script is provided to - simplify the mounting of <command>geli</command>-encrypted - devices at boot time. For this example, add these lines to - <filename>/etc/rc.conf</filename>:</para> + <para>An <filename>rc.d</filename> script is provided to + simplify the mounting of <command>geli</command>-encrypted + devices at boot time. For this example, add these lines to + <filename>/etc/rc.conf</filename>:</para> - <programlisting>geli_devices="<replaceable>da2</replaceable>" + <programlisting>geli_devices="<replaceable>da2</replaceable>" geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"</programlisting> - <para>This configures <filename>/dev/da2</filename> as a - <command>geli</command> provider with a master key - of <filename>/root/da2.key</filename>. - The system will automatically detach - the provider from the kernel before - the system shuts down. During the startup process, the script will prompt for the - passphrase before attaching the - provider. Other kernel messages might be shown before and - after the password prompt. 
If the boot process seems to - stall, look carefully for the password prompt among the - other messages. Once the correct passphrase is entered, the provider is - attached. The file system is then mounted, - typically by an entry in - <filename>/etc/fstab</filename>. Refer to <xref - linkend="mount-unmount"/> for instructions on how to - configure a file system to mount at boot time.</para> + <para>This configures <filename>/dev/da2</filename> as a + <command>geli</command> provider with a master key of + <filename>/root/da2.key</filename>. The system will + automatically detach the provider from the kernel before the + system shuts down. During the startup process, the script + will prompt for the passphrase before attaching the provider. + Other kernel messages might be shown before and after the + password prompt. If the boot process seems to stall, look + carefully for the password prompt among the other messages. + Once the correct passphrase is entered, the provider is + attached. The file system is then mounted, typically by an + entry in <filename>/etc/fstab</filename>. Refer to <xref + linkend="mount-unmount"/> for instructions on how to + configure a file system to mount at boot time.</para> </sect2> </sect1>
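Review bot: in the @@ -2748,12 hunk, the step title "Generate the Master Key" and the sentence "The following commands generate a master key (/root/da2.key)" contradict the paragraph in the @@ -2706,17 hunk, which correctly describes da2.key as a key file "used as part of the master key". With `dd ... of=/root/da2.key` followed by `geli init -s 4096 -K /root/da2.key /dev/da2`, the dd output is one key component and the passphrase entered at the prompt is the other; it is `geli init` that derives and stores the master key. Not something a whitespace-only commit has to fix, but a follow-up should reword it along the lines of "The following commands generate a key file (/root/da2.key) and initialize the provider with a master key protected by that key file and a passphrase".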
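Review bot: in the @@ -2765,8 hunk, "For example, this command generates three key files" does not describe the command that follows. `cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2` reads three pre-existing key files from standard input and uses their concatenation as the key file component; nothing is generated. Suggest "For example, this command uses the concatenation of three existing key files as the key file:".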
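Review bot: in the @@ -2812,41 hunk, `geli_da2_flags="-p -k /root/da2.key"` is inconsistent with the paragraph right after it and with the earlier init step. The `-p` flag passed to `geli attach` means "do not use a passphrase component", yet the text says "the script will prompt for the passphrase before attaching the provider", and the provider was initialized in the @@ -2748 hunk with both a key file and a passphrase, so an attach with `-p` would fail. Either drop `-p` (so boot-time attach prompts for the passphrase, matching the prose), or, if a passphrase-less attach is intended, initialize with `-P` as well and remove the sentences about the prompt. Again a content fix for a follow-up commit, not this whitespace-only one.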