svn commit: r44686 - head/en_US.ISO8859-1/books/handbook/disks

Dru Lavigne dru at FreeBSD.org
Mon Apr 28 20:30:15 UTC 2014


Author: dru
Date: Mon Apr 28 20:30:14 2014
New Revision: 44686
URL: http://svnweb.freebsd.org/changeset/doc/44686

Log:
  Editorial review of gbde section.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/disks/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml	Mon Apr 28 20:29:02 2014	(r44685)
+++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml	Mon Apr 28 20:30:14 2014	(r44686)
@@ -2524,7 +2524,7 @@ Quotas for user test:
       <command>geli</command> cryptographic subsystems in &os; are
       able to protect the data on the computer's file systems against
       even highly-motivated attackers with significant resources.
-      Unlike cumbersome encryption methods that encrypt only
+      Unlike encryption methods that encrypt
       individual files, <command>gbde</command> and
       <command>geli</command> transparently encrypt entire file
       systems.  No cleartext ever touches the hard drive's
@@ -2534,25 +2534,26 @@ Quotas for user test:
       <title>Disk Encryption with
 	<application>gbde</application></title>
 
-      <para><application>gbde</application> encrypts the sector
-	payload using 128-bit AES in CBC mode.  Each sector on the
-	disk is encrypted with a different AES key.  For more
+      <para>The objective of the &man.gbde.4; facility is to provide a
+	formidable challenge for an attacker to gain access to the
+	contents of a <emphasis>cold</emphasis> storage device.
+	However, if the computer is compromised while up and running
+	and the storage device is actively attached, or the attacker
+	has access to a valid passphrase, it offers no protection to
+	the contents of the storage device.  Thus, it is important to
+	provide physical security while the system is running and to
+	protect the passphrase used by the encryption
+	mechanism.</para>
+
+      <para>This facility provides several barriers to protect the data
+	stored in each disk sector.  It encrypts the contents of a
+	disk sector using 128-bit <acronym>AES</acronym> in
+	<acronym>CBC</acronym> mode.  Each sector on the
+	disk is encrypted with a different <acronym>AES</acronym> key.  For more
 	information on the cryptographic design, including how the
 	sector keys are derived from the user-supplied passphrase,
 	refer to &man.gbde.4;.</para>
 
-      <note>
-	<para>&man.sysinstall.8; is incompatible with
-	  <application>gbde</application>-encrypted devices.  All
-	  <filename>*.bde</filename>
-	  devices must be detached from the kernel before starting
-	  &man.sysinstall.8; or it will crash during its initial
-	  probing for devices.  To detach the encrypted device used in
-	  the example, use the following command:</para>
-
-	<screen>&prompt.root; <userinput>gbde detach /dev/ad4s1c</userinput></screen>
-      </note>
-
       <para>&os; provides a kernel module for
 	<application>gbde</application> which can be loaded with this
 	command:</para>
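
Review bot: The second new paragraph promises "several barriers to protect the data stored in each disk sector" but then names only one, 128-bit AES in CBC mode with a different key per sector. Either list the other barriers or reword the opening sentence to match what is actually described and leave the rest to gbde(4). Also, the line "disk is encrypted with a different <acronym>AES</acronym> key.  For more" was not rewrapped after the acronym tags were added and now runs well past the width of the lines around it.
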
@@ -2565,15 +2566,13 @@ Quotas for user test:
       <para><literal>options GEOM_BDE</literal></para>
 
       <para>The following example demonstrates adding a new hard
-	drive to a system that will hold a single encrypted partition.
-	This partition will be mounted as
-	<filename>/private</filename>.
-	<application>gbde</application> can also be used to encrypt
-	<filename>/home</filename> and <filename>/var/mail</filename>,
-	but this requires more complex instructions which exceed the
-	scope of this introduction.</para>
+	drive to a system that will hold a single encrypted partition
+	that will be mounted as
+	<filename>/private</filename>.</para>
 
       <procedure>
+	<title>Encrypting a Partition with <application>gbde</application></title>
+
 	<step>
 	  <title>Add the New Hard Drive</title>
 
@@ -2612,15 +2611,12 @@ Quotas for user test:
 
 	  <para>A <application>gbde</application> partition must be
 	    initialized before it can be used.  This initialization
-	    needs to be performed only once:</para>
-
-	  <screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput></screen>
-
-	  <para>&man.gbde.8; will open the default editor, in order to
+	    needs to be performed only once.  This command will open the default editor, in order to
 	    set various configuration options in a template.  For use
-	    with UFS1 or UFS2, set the sector_size to 2048:</para>
+	    with the <acronym>UFS</acronym> file system, set the
+	    sector_size to 2048:</para>
 
-	  <programlisting># $FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $
+	  <screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput># $FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $
 #
 # Sector size is the smallest unit of data which can be read or written.
 # Making it too small decreases performance and decreases available space.
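
Review bot: In the merged <screen>, the editor template starts on the same line as the closing </userinput> of the gbde init command, so the rendered page will show the command and "# $FreeBSD: src/sbin/gbde/template.txt,v ..." run together on one line. Put a line break after </userinput>, or keep the template in its own <programlisting> as before, since it is file content rather than terminal output. In addition, "This command will open the default editor" now appears before any command has been shown, so the sentence has no referent; name gbde init in it or move it after the screen.
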
@@ -2628,38 +2624,32 @@ Quotas for user test:
 # minimum and always safe.  For UFS, use the fragment size
 #
 sector_size	=	2048
-[...]</programlisting>
+[...]</screen>
 
-	  <para>&man.gbde.8; will ask the user twice to type the
+	  <para>Once the edit is saved, the user will be asked twice to type the
 	    passphrase used to secure the data.  The passphrase must
 	    be the same both times.  The ability of
 	    <application>gbde</application> to protect data depends
 	    entirely on the quality of the passphrase.  For tips on
 	    how to select a secure passphrase that is easy to
-	    remember, see the <link
-	      xlink:href="http://world.std.com/~reinhold/diceware.html">Diceware
-	      Passphrase</link> website.</para>
+	    remember, see <link
+	      xlink:href="http://world.std.com/~reinhold/diceware.html">http://world.std.com/~reinhold/diceware.htm</link>.</para>
 
-	  <para><command>gbde init</command>creates a lock file for
+	  <para>This initialization creates a lock file for
 	    the <application>gbde</application> partition.  In this
 	    example, it is stored as
 	    <filename>/etc/gbde/ad4s1c.lock</filename>.
-	    <application>gbde</application> lock files must end in
+	    Lock files must end in
 	    <quote>.lock</quote> in order to be correctly detected by
 	    the <filename>/etc/rc.d/gbde</filename> start up
 	    script.</para>
 
 	  <caution>
-	    <para><application>gbde</application> lock files
+	    <para>Lock files
 	      <emphasis>must</emphasis> be backed up together with
-	      the contents of any encrypted partitions.  While
-	      deleting a lock file alone cannot prevent a determined
-	      attacker from decrypting a
-	      <application>gbde</application> partition, without the
+	      the contents of any encrypted partitions.  Without the
 	      lock file, the legitimate owner will be unable to
-	      access the data on the encrypted partition without a
-	      significant amount of work that is totally unsupported
-	      by &man.gbde.8;.</para>
+	      access the data on the encrypted partition.</para>
 	  </caution>
 	</step>
 
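
Review bot: The new link text "http://world.std.com/~reinhold/diceware.htm" is missing its final "l" and no longer matches the xlink:href, which ends in diceware.html. Separately, the shortened caution drops the statement that deleting a lock file alone cannot prevent a determined attacker from decrypting the partition. Without it, a reader can mistake removing the lock file for a way to make the data unrecoverable, so I would keep one sentence saying that it is not.
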
@@ -2686,40 +2676,32 @@ sector_size	=	2048
 	    Device</title>
 
 	  <para>Once the encrypted device has been attached to the
-	    kernel, a file system can be created on the device using
-	    &man.newfs.8;.  This example creates a UFS2 file
-	    system with soft updates enabled.</para>
+	    kernel, a file system can be created on the device.
+	    This example creates a <acronym>UFS</acronym> file
+	    system with soft updates enabled.  Be sure to specify the
+	    partition which has a
+	    <filename><replaceable>*</replaceable>.bde</filename>
+	    extension:</para>
 
 	  <screen>&prompt.root; <userinput>newfs -U /dev/ad4s1c.bde</userinput></screen>
-
-	  <note>
-	    <para>&man.newfs.8; must be performed on an attached
-	      <application>gbde</application> partition which is
-	      identified by a
-	      <filename><replaceable>*</replaceable>.bde</filename>
-	      extension to the device name.</para>
-	  </note>
 	</step>
 
 	<step>
 	  <title>Mount the Encrypted Partition</title>
 
-	  <para>Create a mount point for the encrypted file
+	  <para>Create a mount point and mount the encrypted file
 	    system:</para>
 
-	  <screen>&prompt.root; <userinput>mkdir /private</userinput></screen>
-
-	  <para>Mount the encrypted file system:</para>
-
-	  <screen>&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
+	  <screen>&prompt.root; <userinput>mkdir /private</userinput>
+&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
 	</step>
 
 	<step>
 	  <title>Verify That the Encrypted File System is
 	    Available</title>
 
-	  <para>The encrypted file system should now be visible to
-	    &man.df.1; and be available for use.</para>
+	  <para>The encrypted file system should now be visible
+	    and available for use:</para>
 
 	  <screen>&prompt.user; <userinput>df -H</userinput>
 Filesystem        Size   Used  Avail Capacity  Mounted on
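
Review bot: "Be sure to specify the partition which has a *.bde extension" tells the reader what to do but not why, and it replaces a <note> that stood out on the page. Running newfs on /dev/ad4s1c instead of /dev/ad4s1c.bde would write the file system to the underlying device in the clear, so I would state that consequence in the sentence. The hunk also drops the &man.newfs.8; and &man.df.1; references; if that is intentional, the -U flag is now explained only as "soft updates enabled" with no pointer to where it is documented.
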
@@ -2732,70 +2714,37 @@ Filesystem        Size   Used  Avail Cap
 	</step>
       </procedure>
 
-      <sect3>
-	<title>Mounting Existing Encrypted File Systems</title>
-
 	<para>After each boot, any encrypted file systems must be
-	  re-attached to the kernel, checked for errors, and mounted,
-	  before the file systems can be used.  The required commands
-	  must be executed as
-	  <systemitem class="username">root</systemitem>.</para>
-
-	<procedure>
-	  <step>
-	    <title>Attach the <command>gbde</command> Partition to the
-	      Kernel</title>
-
-	    <screen>&prompt.root; <userinput>gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock</userinput></screen>
-
-	    <para>This command will prompt for the passphrase that was
-	      selected during initialization of the encrypted
-	      <application>gbde</application> partition.</para>
-	  </step>
-
-	  <step>
-	    <title>Check the File System for Errors</title>
-
-	    <para>Since encrypted file systems cannot yet be listed in
-	      <filename>/etc/fstab</filename> for automatic mounting,
-	      the file systems must be checked for errors by running
-	      &man.fsck.8; manually before mounting:</para>
-
-	    <screen>&prompt.root; <userinput>fsck -p -t ffs /dev/ad4s1c.bde</userinput></screen>
-	  </step>
-
-	  <step>
-	    <title>Mount the Encrypted File System</title>
-
-	    <screen>&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
-
-	    <para>The encrypted file system is now available for
-	      use.</para>
-	  </step>
-	</procedure>
-
-	<para>It is possible to create a script to automatically
-	  attach, check, and mount an encrypted partition, but for
-	  security reasons the script should not contain the
-	  &man.gbde.8; password.  Instead, it is recommended that
-	  such scripts be run manually while providing the password
-	  via the console or &man.ssh.1;.</para>
-
-	<para>As an alternative, an <filename>rc.d</filename> script
-	  is provided.  Arguments for this script can be passed via
-	  &man.rc.conf.5;:</para>
+	  manually re-attached to the kernel, checked for errors, and mounted,
+	  before the file systems can be used.  To configure these
+	  steps, add the following lines to <filename>/etc/rc.conf</filename>:</para>
 
 	<programlisting>gbde_autoattach_all="YES"
-gbde_devices="ad4s1c"
+gbde_devices="<replaceable>ad4s1c</replaceable>"
 gbde_lockdir="/etc/gbde"</programlisting>
 
 	<para>This requires that the
-	  <application>gbde</application> passphrase be entered at
+	  passphrase be entered at the console
 	  boot time.  After typing the correct passphrase, the
-	  <application>gbde</application> encrypted partition will be
-	  mounted automatically.  This can be useful when using
-	  <application>gbde</application> on laptops.</para>
-      </sect3>
+	  encrypted partition will be
+	  mounted automatically.  Additional
+	  <application>gbde</application> boot options are available
+	  and listed in &man.rc.conf.5;.</para>
+
+<!--
+What about bsdinstall?
+-->
+       <note>
+	 <para><application>sysinstall</application> is incompatible with
+	  <application>gbde</application>-encrypted devices.  All
+	  <filename>*.bde</filename>
+	  devices must be detached from the kernel before starting
+	  <application>sysinstall</application> or it will crash during its initial
+	  probing for devices.  To detach the encrypted device used in
+	  the example, use the following command:</para>
+
+	<screen>&prompt.root; <userinput>gbde detach /dev/<replaceable>ad4s1c</replaceable></userinput></screen>
+      </note>
     </sect2>
 
     <sect2 xml:id="disks-encrypting-geli">
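
Review bot: The replacement paragraph says encrypted file systems "must be manually re-attached to the kernel, checked for errors, and mounted" and then continues "To configure these steps, add the following lines to /etc/rc.conf", which describes the automatic path, so "manually" contradicts what follows. With the three-step procedure removed, the section no longer shows gbde attach with -l, the fsck run, or the mount for an existing partition, so a reader who does not set gbde_autoattach_all has no documented way to reach the data after a reboot; I would keep those three commands in short form. The removed advice that a script should not contain the passphrase is security-relevant and worth keeping as one sentence. Smaller points: the "What about bsdinstall?" comment reads like a leftover to-do, and the remaining <para> and the relocated <note> are still indented as if they sat inside the deleted <sect3>, with the <note> open and close tags at different depths.
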

