en_US.ISO8859-1/books/handbook/disks/chapter.xml
<para>Like the encryption of disk partitions, encryption of swap | ||||
and will be cleared after a reboot. However, if &os; starts | and will be cleared after a reboot. However, if &os; starts | ||||
swapping out memory pages to free space, the passwords may be | swapping out memory pages to free space, the passwords may be | ||||
written to the disk unencrypted. Encrypting swap space can be a | written to the disk unencrypted. Encrypting swap space can be a | ||||
solution for this scenario.</para> | solution for this scenario.</para> | ||||
<para>This section demonstrates how to configure an encrypted | <para>This section demonstrates how to configure an encrypted | ||||
swap partition using &man.gbde.8; or &man.geli.8; encryption. | swap partition using &man.gbde.8; or &man.geli.8; encryption. | ||||
It assumes a <acronym>UFS</acronym> file system where | It assumes a <acronym>UFS</acronym> file system where | ||||
<filename>/dev/ad0s1b</filename> is the swap partition.</para> | <filename>/dev/ada0s1b</filename> is the swap partition.</para> | ||||
<sect2> | <sect2> | ||||
<title>Configuring Encrypted Swap</title> | <title>Configuring Encrypted Swap</title> | ||||
<para>Swap partitions are not encrypted by default and should be | <para>Swap partitions are not encrypted by default and should be | ||||
cleared of any sensitive data before continuing. To overwrite | cleared of any sensitive data before continuing. To overwrite | ||||
the current swap partition with random garbage, execute the | the current swap partition with random garbage, execute the | ||||
following command:</para> | following command:</para> | ||||
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen> | <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ada0s1b</replaceable> bs=1m</userinput></screen> | ||||
<para>To encrypt the swap partition using &man.gbde.8;, add the | <para>To encrypt the swap partition using &man.gbde.8;, add the | ||||
<literal>.bde</literal> suffix to the swap line in | <literal>.bde</literal> suffix to the swap line in | ||||
<filename>/etc/fstab</filename>:</para> | <filename>/etc/fstab</filename>:</para> | ||||
<programlisting># Device Mountpoint FStype Options Dump Pass# | <programlisting># Device Mountpoint FStype Options Dump Pass# | ||||
/dev/ad0s1b.bde none swap sw 0 0</programlisting> | /dev/ada0s1b.bde none swap sw 0 0</programlisting> | ||||
<para>To instead encrypt the swap partition using &man.geli.8;, | <para>To instead encrypt the swap partition using &man.geli.8;, | ||||
use the | use the | ||||
<literal>.eli</literal> suffix:</para> | <literal>.eli</literal> suffix:</para> | ||||
<programlisting># Device Mountpoint FStype Options Dump Pass# | <programlisting># Device Mountpoint FStype Options Dump Pass# | ||||
/dev/ad0s1b.eli none swap sw 0 0</programlisting> | /dev/ada0s1b.eli none swap sw 0 0</programlisting> | ||||
<para>By default, &man.geli.8; uses the <acronym>AES</acronym> | <para>By default, &man.geli.8; uses the <acronym>AES</acronym> | ||||
algorithm with a key length of 128 bit. These defaults can be | algorithm with a key length of 256 bits. These defaults can | ||||
altered by using <literal>geli_swap_flags</literal> in | be altered in the options field in | ||||
wblock: s/by using/in/ | |||||
<filename>/etc/rc.conf</filename>. The following flags | <filename>/etc/fstab</filename>. The possible flags | ||||
configure encryption using the Blowfish algorithm with a key | are:</para> | ||||
length of 128 bits and a sectorsize of 4 kilobytes, and sets | |||||
<quote>detach on last close</quote>:</para> | |||||
<programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting> | <variablelist> | ||||
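Review bot: the paragraph beginning "By default, &man.geli.8; uses the <acronym>AES</acronym>" changes the stated default key length from "128 bit" (left column) to "256 bits" (right column) with nothing else in the diff motivating it; geli(8) documents the per-algorithm default under -l, and the old text already said 128, so either keep 128 bits or state where 256 comes from. The same paragraph now points only at the options field of /etc/fstab and drops the geli_swap_flags line for /etc/rc.conf; if both mechanisms remain supported, one sentence saying so is better than silently replacing one with the other.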
<varlistentry> | |||||
wblock: <para> should be on a new line after <listitem>
Terms need to be in <literal></literal>.
Do we have other places that use this term, space, dash, space, sentence format? This might work better with a <variablelist>, although I don't know about using <literal> for the term. | |||||
<term>aalgo</term> | |||||
<listitem> | |||||
<para>Data integrity verification algorithm used to ensure | |||||
that the encrypted data has not been tampered with. See | |||||
&man.geli.8; for a list of supported algorithms.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
<para>Refer to the description of <literal>onetime</literal> in | <varlistentry> | ||||
&man.geli.8; for a list of possible options.</para> | <term>ealgo</term> | ||||
wblock: s/a list of/the/ | |||||
<listitem> | |||||
wblock: Simplify: key lengths that are supported by each encryption algorithm. | |||||
<para>Encryption algorithm used to protect the data. See | |||||
&man.geli.8; for a list of supported algorithms.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
wblock: "The size of the sectors used for encryption." does not really help. A reader could take that to mean something to do with the encryption algorithm or number of passes instead of the amount of data to encrypt at a time. s/as/at/ | |||||
<varlistentry> | |||||
wblock: </listitem> on a new line. | |||||
<term>keylen</term> | |||||
<listitem> | |||||
<para>The length of the key used for the encryption | |||||
algorithm. See &man.geli.8; for the key lengths that | |||||
wblock: s/encryption/an encrypted swap device/ | |||||
are supported by each encryption algorithm.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
<varlistentry> | |||||
<term>sectorsize</term> | |||||
<listitem> | |||||
<para>The size of the blocks data is broken into before | |||||
it is encrypted. Larger sector sizes increase | |||||
performance at the cost of higher storage | |||||
overhead. The recommended size is 4096 bytes.</para> | |||||
</listitem> | |||||
</varlistentry> | |||||
</variablelist> | |||||
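Review bot: the sectorsize entry's sentence "Larger sector sizes increase performance at the cost of higher storage overhead" has the trade-off backwards for geli: the per-sector work is IV generation plus one encrypt or decrypt call, so a larger sector means fewer calls, and when aalgo is set the authentication tag is stored per sector, so a larger sector lowers that overhead rather than raising it. Suggest "Larger sector sizes reduce per-sector overhead and improve performance. The recommended size is 4096 bytes." Also, aalgo, ealgo, keylen and sectorsize are option keywords for the fstab options field, so the lead-in "The possible flags are:" should say "options", and each <term> should be wrapped in <literal>, as already requested inline.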
<para>This example configures an encryped swap partition using | |||||
the Blowfish algorithm with a key length of 128 bits and a | |||||
wblock: I still think that just "encryption" here is too vague. The example shows how to configure an encrypted swap device, not just encryption in general. | |||||
sectorsize of 4 kilobytes:</para> | |||||
wblock: s/bit/bits/ | |||||
<programlisting># Device Mountpoint FStype Options Dump Pass# | |||||
/dev/ada0s1b.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0</programlisting> | |||||
</sect2> | </sect2> | ||||
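Review bot: the example paragraph ("This example configures an encryped swap partition") has a typo, "encryped" should be "encrypted", and it should name the options being exercised (ealgo, keylen, sectorsize) so the reader can map the fstab line back to the list above rather than only repeating the algorithm and key length. The removed rc.conf line carried -d (detach on last close) while the new fstab line has no equivalent; either confirm that swap handling takes care of this automatically or mention the dropped flag in the commit message.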
<sect2> | <sect2> | ||||
<title>Encrypted Swap Verification</title> | <title>Encrypted Swap Verification</title> | ||||
<para>Once the system has rebooted, proper operation of the | <para>Once the system has rebooted, proper operation of the | ||||
encrypted swap can be verified using | encrypted swap can be verified using | ||||
<command>swapinfo</command>.</para> | <command>swapinfo</command>.</para> | ||||
<para>If &man.gbde.8; is being used:</para> | <para>If &man.gbde.8; is being used:</para> | ||||
<screen>&prompt.user; <userinput>swapinfo</userinput> | <screen>&prompt.user; <userinput>swapinfo</userinput> | ||||
Device 1K-blocks Used Avail Capacity | Device 1K-blocks Used Avail Capacity | ||||
/dev/ad0s1b.bde 542720 0 542720 0%</screen> | /dev/ada0s1b.bde 542720 0 542720 0%</screen> | ||||
<para>If &man.geli.8; is being used:</para> | <para>If &man.geli.8; is being used:</para> | ||||
<screen>&prompt.user; <userinput>swapinfo</userinput> | <screen>&prompt.user; <userinput>swapinfo</userinput> | ||||
Device 1K-blocks Used Avail Capacity | Device 1K-blocks Used Avail Capacity | ||||
/dev/ad0s1b.eli 542720 0 542720 0%</screen> | /dev/ada0s1b.eli 542720 0 542720 0%</screen> | ||||
</sect2> | </sect2> | ||||
</sect1> | </sect1> | ||||
<sect1 xml:id="disks-hast"> | <sect1 xml:id="disks-hast"> | ||||
<info> | <info> | ||||
<title>Highly Available Storage | <title>Highly Available Storage | ||||
(<acronym>HAST</acronym>)</title> | (<acronym>HAST</acronym>)</title> | ||||