Changeset View
Changeset View
Standalone View
Standalone View
en_US.ISO8859-1/books/handbook/disks/chapter.xml
| Show First 20 Lines • Show All 2,872 Lines • ▼ Show 20 Lines | <para>Like the encryption of disk partitions, encryption of swap | ||||
| and will be cleared after a reboot. However, if &os; starts | and will be cleared after a reboot. However, if &os; starts | ||||
| swapping out memory pages to free space, the passwords may be | swapping out memory pages to free space, the passwords may be | ||||
| written to the disk unencrypted. Encrypting swap space can be a | written to the disk unencrypted. Encrypting swap space can be a | ||||
| solution for this scenario.</para> | solution for this scenario.</para> | ||||
| <para>This section demonstrates how to configure an encrypted | <para>This section demonstrates how to configure an encrypted | ||||
| swap partition using &man.gbde.8; or &man.geli.8; encryption. | swap partition using &man.gbde.8; or &man.geli.8; encryption. | ||||
| It assumes a <acronym>UFS</acronym> file system where | It assumes a <acronym>UFS</acronym> file system where | ||||
| <filename>/dev/ad0s1b</filename> is the swap partition.</para> | <filename>/dev/ada0s1b</filename> is the swap partition.</para> | ||||
| <sect2> | <sect2> | ||||
| <title>Configuring Encrypted Swap</title> | <title>Configuring Encrypted Swap</title> | ||||
| <para>Swap partitions are not encrypted by default and should be | <para>Swap partitions are not encrypted by default and should be | ||||
| cleared of any sensitive data before continuing. To overwrite | cleared of any sensitive data before continuing. To overwrite | ||||
| the current swap partition with random garbage, execute the | the current swap partition with random garbage, execute the | ||||
| following command:</para> | following command:</para> | ||||
| <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen> | <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ada0s1b</replaceable> bs=1m</userinput></screen> | ||||
| <para>To encrypt the swap partition using &man.gbde.8;, add the | <para>To encrypt the swap partition using &man.gbde.8;, add the | ||||
| <literal>.bde</literal> suffix to the swap line in | <literal>.bde</literal> suffix to the swap line in | ||||
| <filename>/etc/fstab</filename>:</para> | <filename>/etc/fstab</filename>:</para> | ||||
| <programlisting># Device Mountpoint FStype Options Dump Pass# | <programlisting># Device Mountpoint FStype Options Dump Pass# | ||||
| /dev/ad0s1b.bde none swap sw 0 0</programlisting> | /dev/ada0s1b.bde none swap sw 0 0</programlisting> | ||||
| <para>To instead encrypt the swap partition using &man.geli.8;, | <para>To instead encrypt the swap partition using &man.geli.8;, | ||||
| use the | use the | ||||
| <literal>.eli</literal> suffix:</para> | <literal>.eli</literal> suffix:</para> | ||||
| <programlisting># Device Mountpoint FStype Options Dump Pass# | <programlisting># Device Mountpoint FStype Options Dump Pass# | ||||
| /dev/ad0s1b.eli none swap sw 0 0</programlisting> | /dev/ada0s1b.eli none swap sw 0 0</programlisting> | ||||
| <para>By default, &man.geli.8; uses the <acronym>AES</acronym> | <para>By default, &man.geli.8; uses the <acronym>AES</acronym> | ||||
| algorithm with a key length of 128 bit. These defaults can be | algorithm with a key length of 256 bits. These defaults can | ||||
| altered by using <literal>geli_swap_flags</literal> in | be altered in the options field in | ||||
wblock: s/by using/in/ | |||||
| <filename>/etc/rc.conf</filename>. The following flags | <filename>/etc/fstab</filename>. The possible flags | ||||
| configure encryption using the Blowfish algorithm with a key | are:</para> | ||||
| length of 128 bits and a sectorsize of 4 kilobytes, and sets | |||||
| <quote>detach on last close</quote>:</para> | |||||
| <programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting> | <variablelist> | ||||
| <varlistentry> | |||||
Not Done Inline Actions<para> should be on a new line after <listitem> Terms need to be in <literal></literal>. Do we have other places that use this term, space, dash, space, sentence format? This might work better with a <variablelist>, although I don't know about using <literal> for the term. wblock: <para> should be on a new line after <listitem>
Terms need to be in <literal></literal>.
Do… | |||||
| <term>aalgo</term> | |||||
| <listitem> | |||||
| <para>Data integrity verification algorithm used to ensure | |||||
| that the encrypted data has not been tampered with. See | |||||
| &man.geli.8; for a list of supported algorithms.</para> | |||||
| </listitem> | |||||
| </varlistentry> | |||||
| <para>Refer to the description of <literal>onetime</literal> in | <varlistentry> | ||||
| &man.geli.8; for a list of possible options.</para> | <term>ealgo</term> | ||||
Not Done Inline Actionss/a list of/the/ wblock: s/a list of/the/ | |||||
| <listitem> | |||||
Not Done Inline ActionsSimplify: key lengths that are supported by each encryption algorithm. wblock: Simplify:
key lengths that are supported by each encryption algorithm. | |||||
| <para>Encryption algorithm used to protect the data. See | |||||
| &man.geli.8; for a list of supported algorithms.</para> | |||||
| </listitem> | |||||
| </varlistentry> | |||||
Not Done Inline Actions"The size of the sectors used for encryption." does not really help. A reader could take that to mean something to do with the encryption algorithm or number of passes instead of the amount of data to encrypt at a time. s/as/at/ wblock: "The size of the sectors used for encryption." does not really help. A reader could take that… | |||||
| <varlistentry> | |||||
Not Done Inline Actions</listitem> on a new line. wblock: </listitem> on a new line. | |||||
| <term>keylen</term> | |||||
| <listitem> | |||||
| <para>The length of the key used for the encryption | |||||
| algorithm. See &man.geli.8; for the key lengths that | |||||
Not Done Inline Actionss/encryption/an encrypted swap device/ wblock: s/encryption/an encrypted swap device/ | |||||
| are supported by each encryption algorithm.</para> | |||||
| </listitem> | |||||
| </varlistentry> | |||||
| <varlistentry> | |||||
| <term>sectorsize</term> | |||||
| <listitem> | |||||
| <para>The size of the blocks data is broken into before | |||||
| it is encrypted. Larger sector sizes increase | |||||
| performance at the cost of higher storage | |||||
| overhead. The recommended size is 4096 bytes.</para> | |||||
| </listitem> | |||||
| </varlistentry> | |||||
| </variablelist> | |||||
| <para>This example configures an encryped swap partition using | |||||
| the Blowfish algorithm with a key length of 128 bits and a | |||||
Not Done Inline ActionsI still think that just "encryption" here is too vague. The example shows how to configure an an encrypted swap device, not just encryption in general. wblock: I still think that just "encryption" here is too vague. The example shows how to configure an… | |||||
| sectorsize of 4 kilobytes:</para> | |||||
Not Done Inline Actionss/bit/bits/ wblock: s/bit/bits/ | |||||
| <programlisting># Device Mountpoint FStype Options Dump Pass# | |||||
| /dev/ada0s1b.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0</programlisting> | |||||
| </sect2> | </sect2> | ||||
| <sect2> | <sect2> | ||||
| <title>Encrypted Swap Verification</title> | <title>Encrypted Swap Verification</title> | ||||
| <para>Once the system has rebooted, proper operation of the | <para>Once the system has rebooted, proper operation of the | ||||
| encrypted swap can be verified using | encrypted swap can be verified using | ||||
| <command>swapinfo</command>.</para> | <command>swapinfo</command>.</para> | ||||
| <para>If &man.gbde.8; is being used:</para> | <para>If &man.gbde.8; is being used:</para> | ||||
| <screen>&prompt.user; <userinput>swapinfo</userinput> | <screen>&prompt.user; <userinput>swapinfo</userinput> | ||||
| Device 1K-blocks Used Avail Capacity | Device 1K-blocks Used Avail Capacity | ||||
| /dev/ad0s1b.bde 542720 0 542720 0%</screen> | /dev/ada0s1b.bde 542720 0 542720 0%</screen> | ||||
| <para>If &man.geli.8; is being used:</para> | <para>If &man.geli.8; is being used:</para> | ||||
| <screen>&prompt.user; <userinput>swapinfo</userinput> | <screen>&prompt.user; <userinput>swapinfo</userinput> | ||||
| Device 1K-blocks Used Avail Capacity | Device 1K-blocks Used Avail Capacity | ||||
| /dev/ad0s1b.eli 542720 0 542720 0%</screen> | /dev/ada0s1b.eli 542720 0 542720 0%</screen> | ||||
| </sect2> | </sect2> | ||||
| </sect1> | </sect1> | ||||
| <sect1 xml:id="disks-hast"> | <sect1 xml:id="disks-hast"> | ||||
| <info> | <info> | ||||
| <title>Highly Available Storage | <title>Highly Available Storage | ||||
| (<acronym>HAST</acronym>)</title> | (<acronym>HAST</acronym>)</title> | ||||
| ▲ Show 20 Lines • Show All 629 Lines • Show Last 20 Lines | |||||
s/by using/in/