1 .\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .Nd "control utility for the cryptographic GEOM class"
34 To compile GEOM_ELI into your kernel, add the following lines to your kernel
36 .Bd -ragged -offset indent
38 .Cd "options GEOM_ELI"
41 Alternatively, to load the GEOM_ELI module at boot time, add the following line
44 .Bd -literal -offset indent
56 .Op Fl B Ar backupfile
58 .Op Fl i Ar iterations
59 .Op Fl J Ar newpassfile
60 .Op Fl K Ar newkeyfile
62 .Op Fl s Ar sectorsize
66 .Cm label - an alias for
80 .Cm stop - an alias for
88 .Op Fl s Ar sectorsize
97 .Op Fl i Ar iterations
99 .Op Fl J Ar newpassfile
101 .Op Fl K Ar newkeyfile
160 utility is used to configure encryption on GEOM providers.
162 The following is a list of the most important features:
164 .Bl -bullet -offset indent -compact
168 framework, so when there is crypto hardware available,
170 will make use of it automatically.
172 Supports many cryptographic algorithms (currently
178 Can optionally perform data authentication (integrity verification) utilizing
179 one of the following algorithms:
187 Can create a User Key from up to two, piecewise components: a passphrase
188 entered via prompt or read from one or more passfiles; a keyfile read from
191 Allows encryption of the root partition.
192 The user is asked for the passphrase before the root filesystem is mounted.
194 Strengthens the passphrase component of the User Key with:
197 .%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
202 Allows the use of two independent User Keys (e.g., a
205 .Qq "company key" ) .
209 performs simple sector-to-sector encryption.
211 Allows the encrypted Master Key to be backed up and restored,
212 so that if a user has to quickly destroy key material,
213 it is possible to get the data back by restoring keys from
216 Providers can be configured to automatically detach on last close,
217 so users do not have to remember to detach providers after unmounting
220 Allows attaching a provider with a random, one-time Master Key,
221 which is useful for swap partitions and temporary filesystems.
223 Allows verification of data integrity (data authentication).
225 Allows suspending and resuming encrypted devices.
228 The first argument to
230 indicates an action to be performed:
231 .Bl -tag -width ".Cm configure"
233 Initialize providers which need to be encrypted.
234 If multiple providers are listed as arguments, they will all be initialized
235 with the same passphrase and/or User Key.
236 A unique salt will be randomly generated for each provider to ensure the
237 Master Key for each is unique.
238 Here you can set up the cryptographic algorithm to use, Data Key length,
240 The last sector of the providers is used to store metadata.
243 subcommand also automatically writes metadata backups to
244 .Pa /var/backups/<prov>.eli
246 The metadata can be recovered with the
248 subcommand described below.
250 Additional options include:
251 .Bl -tag -width ".Fl J Ar newpassfile"
253 Enable data integrity verification (authentication) using the given algorithm.
254 This will reduce the size of storage available and also reduce speed.
255 For example, when using 4096 bytes sector and
257 algorithm, 89% of the original provider storage will be available for use.
258 Currently supported algorithms are:
265 If the option is not given, there will be no authentication, only encryption.
266 The recommended algorithm is
269 Try to decrypt this partition during boot, before the root partition is mounted.
270 This makes it possible to use an encrypted root partition.
271 One will still need bootable unencrypted storage with a
273 directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
275 .It Fl B Ar backupfile
276 File name to use for metadata backup instead of the default
277 .Pa /var/backups/<prov>.eli .
278 To inhibit backups, you can use
282 If multiple providers were initialized in the one command, you can use
284 (all upper-case) in the file name, and it will be replaced with the provider
288 is not found in the file name and multiple providers were initialized in the
291 will be appended to the end of the file name specified.
293 When entering the passphrase to boot from this encrypted root filesystem, echo
296 This makes the length of the passphrase visible.
298 Encryption algorithm to use.
299 Currently supported algorithms are:
305 The default and recommended algorithm is
310 Enable booting from this encrypted root filesystem.
311 The boot loader prompts for the passphrase and loads
313 from the encrypted partition.
314 .It Fl i Ar iterations
315 Number of iterations to use with PKCS#5v2 when processing User Key
316 passphrase component.
317 If this option is not specified,
319 will find the number of iterations which is equal to 2 seconds of crypto work.
320 If 0 is given, PKCS#5v2 will not be used.
321 PKCS#5v2 processing is performed once, after all parts of the passphrase
322 component have been read.
323 .It Fl J Ar newpassfile
324 Specifies a file which contains the passphrase component of the User Key
328 is given as -, standard input will be used.
329 Only the first line (excluding new-line character) is taken from the given file.
330 This argument can be specified multiple times, which has the effect of
331 reassembling a single passphrase split across multiple files.
332 Cannot be combined with the
335 .It Fl K Ar newkeyfile
336 Specifies a file which contains the keyfile component of the User Key
340 is given as -, standard input will be used.
341 This argument can be specified multiple times, which has the effect of
342 reassembling a single keyfile split across multiple keyfile parts.
344 Data Key length to use with the given cryptographic algorithm.
345 If the length is not specified, the selected algorithm uses its
348 .Bl -ohang -offset indent
352 .It Nm AES-CBC , Nm Camellia-CBC
358 Do not use a passphrase as a component of the User Key.
359 Cannot be combined with the
362 .It Fl s Ar sectorsize
363 Change decrypted provider's sector size.
364 Increasing the sector size allows increased performance,
365 because encryption/decryption which requires an initialization vector
366 is done per sector; fewer sectors means less computational work.
368 Turn off automatic expansion.
369 By default, if the underlying provider grows, the encrypted provider will
370 grow automatically too.
371 The metadata will be moved to the new location.
372 If automatic expansion if turned off and the underlying provider changes
373 size, attaching encrypted provider will no longer be possible as the metadata
374 will no longer be located in the last sector.
377 will only log the previous size of the underlying provider, so metadata can
378 be found easier, if resize was done by mistake.
382 calls (i.e., TRIM/UNMAP).
383 This can prevent an attacker from knowing how much space you're actually
384 using and which sectors contain live data, but will also prevent the
385 backing store (SSD, etc) from reclaiming space you're not using, which
386 may degrade its performance and lifespan.
387 The underlying provider may or may not actually obliterate the deleted
388 sectors when TRIM is enabled, so it should not be considered to add any
391 Metadata version to use.
392 This option is helpful when creating a provider that may be used by older
397 section to find which metadata version is supported by which
400 Note that using an older version of metadata may limit the number of
404 Attach the given providers.
405 The encrypted Master Keys are loaded from the metadata and decrypted
406 using the given passphrase/keyfile and new GEOM providers are created
407 using the specified provider names.
410 suffix is added to the user specified provider names.
411 Multiple providers can only be attached with a single
413 command if they all have the same passphrase and keyfiles.
415 Additional options include:
416 .Bl -tag -width ".Fl j Ar passfile"
418 Do a dry-run decryption.
419 This is useful to verify passphrase and keyfile without decrypting the device.
421 If specified, the decrypted providers are detached automatically on last close,
422 so the user does not have to remember to detach
423 providers after unmounting the filesystems.
424 This only works when providers were opened for writing, and will not work if
425 the filesystems on the providers were mounted read-only.
426 Probably a better choice is the
432 Specifies the index number of the Master Key copy to use (could be 0 or 1).
433 If the index number is not provided all keys will be tested.
435 Specifies a file which contains the passphrase component of the User Key
437 For more information see the description of the
442 The same passfiles are used for all listed providers.
444 Specifies a file which contains the keyfile component of the User Key
446 For more information see the description of the
451 The same keyfiles are used for all listed providers.
453 Do not use a passphrase as a component of the User Keys.
454 Cannot be combined with the
458 Attach read-only providers.
459 They are not opened for writing.
462 Detach the given providers, which means remove the devfs entry
463 and clear the Master Key and Data Keys from memory.
465 Additional options include:
466 .Bl -tag -width ".Fl f"
468 Force detach - detach even if the provider is open.
470 Mark provider to detach on last close, after the last filesystem has been
472 If this option is specified, the provider will not be detached
473 while it is open, but will be automatically detached when it is closed for the
474 last time even if it was only opened for reading.
477 Attach the given providers with a random, one-time (ephemeral) Master Key.
478 The command can be used to encrypt swap partitions or temporary filesystems.
480 Additional options include:
481 .Bl -tag -width ".Fl a Ar sectorsize"
483 Enable data integrity verification (authentication).
484 For more information, see the description of the
488 Encryption algorithm to use.
489 For more information, see the description of the
493 Detach on last close, after the last filesystem has been unmounted.
494 Note: this option is not usable for temporary filesystems as the provider is
495 detached after the filesystem has been created.
496 It still can, and should, be used for swap partitions.
497 For more information, see the description of the
501 Data Key length to use with the given cryptographic algorithm.
502 For more information, see the description of the
505 .It Fl s Ar sectorsize
506 Change decrypted provider's sector size.
507 For more information, see the description of the
511 Turn off automatic expansion.
512 For more information, see the description of the
516 Disable TRIM/UNMAP passthru.
517 For more information, see the description of the
522 Change configuration of the given providers.
524 Additional options include:
525 .Bl -tag -width ".Fl b"
527 Set the BOOT flag on the given providers.
528 For more information, see the description of the
532 Remove the BOOT flag from the given providers.
534 When entering the passphrase to boot from this encrypted root filesystem, echo
537 This makes the length of the passphrase visible.
539 Disable echoing of any characters when a passphrase is entered to boot from this
540 encrypted root filesystem.
541 This hides the passphrase length.
543 Enable booting from this encrypted root filesystem.
544 The boot loader prompts for the passphrase and loads
546 from the encrypted partition.
548 Deactivate booting from this encrypted root partition.
550 Turn on automatic expansion.
551 For more information, see the description of the
555 Turn off automatic expansion.
557 Enable TRIM/UNMAP passthru.
558 For more information, see the description of the
562 Disable TRIM/UNMAP passthru.
565 Install a copy of the Master Key into the selected slot, encrypted with
567 If the selected slot is populated, replace the existing copy.
568 A provider has one Master Key, which can be stored in one or both slots,
569 each encrypted with an independent User Key.
572 subcommand, only key number 0 is initialized.
573 The User Key can be changed at any time: for an attached provider,
574 for a detached provider, or on the backup file.
575 When a provider is attached, the user does not have to provide
576 an existing passphrase/keyfile.
578 Additional options include:
579 .Bl -tag -width ".Fl J Ar newpassfile"
580 .It Fl i Ar iterations
581 Number of iterations to use with PKCS#5v2.
582 If 0 is given, PKCS#5v2 will not be used.
583 To be able to use this option with the
585 subcommand, only one key has to be defined and this key must be changed.
587 Specifies a file which contains the passphrase component of a current User Key
589 .It Fl J Ar newpassfile
590 Specifies a file which contains the passphrase component of the new User Key
593 Specifies a file which contains the keyfile component of a current User Key
595 .It Fl K Ar newkeyfile
596 Specifies a file which contains the keyfile component of the new User Key
599 Specifies the index number of the Master Key copy to change (could be 0 or 1).
600 If the provider is attached and no key number is given, the key
601 used for attaching the provider will be changed.
602 If the provider is detached (or we are operating on a backup file)
603 and no key number is given, the first Master Key copy to be successfully
604 decrypted with the provided User Key passphrase/keyfile will be changed.
606 Do not use a passphrase as a component of the current User Key.
607 Cannot be combined with the
611 Do not use a passphrase as a component of the new User Key.
612 Cannot be combined with the
617 Destroy (overwrite with random data) the selected Master Key copy.
618 If one is destroying keys for an attached provider, the provider
619 will not be detached even if all copies of the Master Key are destroyed.
620 It can even be rescued with the
622 subcommand because the Master Key is still in memory.
624 Additional options include:
625 .Bl -tag -width ".Fl a Ar keyno"
627 Destroy all copies of the Master Key (does not need
631 Force key destruction.
632 This option is needed to destroy the last copy of the Master Key.
634 Specifies the index number of the Master Key copy.
635 If the provider is attached and no key number is given, the key
636 used for attaching the provider will be destroyed.
637 If provider is detached (or we are operating on a backup file) the key number
641 This command should be used only in emergency situations.
642 It will destroy all copies of the Master Key on a given provider and will
643 detach it forcibly (if it is attached).
644 This is absolutely a one-way command - if you do not have a metadata
645 backup, your data is gone for good.
646 In case the provider was attached with the
648 flag, the keys will not be destroyed, only the provider will be detached.
650 Additional options include:
651 .Bl -tag -width ".Fl a"
653 If specified, all currently attached providers will be killed.
656 Backup metadata from the given provider to the given file.
658 Restore metadata from the given file to the given provider.
660 Additional options include:
661 .Bl -tag -width ".Fl f"
663 Metadata contains the size of the provider to ensure that the correct
664 partition or slice is attached.
665 If an attempt is made to restore metadata to a provider that has a different
668 will refuse to restore the data unless the
671 If the partition or slice has been grown, the
673 subcommand should be used rather than attempting to relocate the metadata
680 Suspend device by waiting for all inflight requests to finish, clearing all
681 sensitive information such as the Master Key and Data Keys from kernel memory,
682 and blocking all further I/O requests until the
684 subcommand is executed.
685 This functionality is useful for laptops.
686 Suspending a laptop should not leave an encrypted device attached.
689 subcommand can be used rather than closing all files and directories from
690 filesystems on the encrypted device, unmounting the filesystem, and
691 detaching the device.
692 Any access to the encrypted device will be blocked until the Master Key is
696 Thus there is no need to close nor unmount anything.
699 subcommand does not work with devices created with the
702 Please note that sensitive data might still be present in memory locations
703 such as the filesystem cache after suspending an encrypted device.
705 Additional options include:
706 .Bl -tag -width ".Fl a"
713 Resume previously suspended device.
714 The caller must ensure that executing this subcommand does not access the
715 suspended device, leading to a deadlock.
716 For example, suspending a device which contains the filesystem where the
718 utility is stored is a bad idea.
720 Additional options include:
721 .Bl -tag -width ".Fl j Ar passfile"
723 Specifies a file which contains the passphrase component of the User Key,
725 For more information see the description of the
731 Specifies a file which contains the keyfile component of the User Key,
733 For more information see the description of the
739 Do not use a passphrase as a component of the User Key.
740 Cannot be combined with the
747 that the provider has been resized.
748 The old metadata block is relocated to the correct position at the end of the
749 provider and the provider size is updated.
751 Additional options include:
752 .Bl -tag -width ".Fl s Ar oldsize"
754 The size of the provider before it was resized.
757 If no arguments are given, the
759 subcommand will print the version of
761 userland utility as well as the version of the
765 If GEOM providers are specified, the
767 subcommand will print metadata version used by each of them.
769 Clear metadata from the given providers.
771 This will erase with zeros the encrypted Master Key copies stored in the
774 Dump metadata stored on the given providers.
789 Additional options include:
790 .Bl -tag -width ".Fl v"
800 utility generates a random Master Key for the provider.
801 The Master Key never changes during the lifetime of the provider.
802 Each copy of the provider metadata, active or backed up to a file, can store
803 up to two, independently-encrypted copies of the Master Key.
805 Each stored copy of the Master Key is encrypted with a User Key, which
808 utility from a passphrase and/or a keyfile.
811 utility first reads all parts of the keyfile in the order specified on the
812 command line, then reads all parts of the stored passphrase in the order
813 specified on the command line.
814 If no passphrase parts are specified, the system prompts the user to enter
816 The passphrase is optionally strengthened by PKCS#5v2.
817 The User Key is a digest computed over the concatenated keyfile and passphrase.
819 During operation, one or more Data Keys are deterministically derived by
820 the kernel from the Master Key and cached in memory.
821 The number of Data Keys used by a given provider, and the way they are
822 derived, depend on the GELI version and whether the provider is configured to
823 use data authentication.
827 variables can be used to control the behavior of the
830 The default value is shown next to each variable.
831 Some variables can also be set in
832 .Pa /boot/loader.conf .
833 .Bl -tag -width indent
834 .It Va kern.geom.eli.version
835 Version number of the
838 .It Va kern.geom.eli.debug : No 0
842 This can be set to a number between 0 and 3 inclusive.
843 If set to 0, minimal debug information is printed.
845 maximum amount of debug information is printed.
846 .It Va kern.geom.eli.tries : No 3
847 Number of times a user is asked for the passphrase.
848 This is only used for providers which are attached on boot,
849 before the root filesystem is mounted.
850 If set to 0, attaching providers on boot will be disabled.
851 This variable should be set in
852 .Pa /boot/loader.conf .
853 .It Va kern.geom.eli.overwrites : No 5
854 Specifies how many times the Master Key is overwritten
855 with random values when it is destroyed.
856 After this operation it is filled with zeros.
857 .It Va kern.geom.eli.visible_passphrase : No 0
858 If set to 1, the passphrase entered on boot will be visible.
859 This alternative should be used with caution as the entered
860 passphrase can be logged and exposed via
862 This variable should be set in
863 .Pa /boot/loader.conf .
864 .It Va kern.geom.eli.threads : No 0
865 Specifies how many kernel threads should be used for doing software
867 Its purpose is to increase performance on SMP systems.
868 If set to 0, a CPU-pinned thread will be started for every active CPU.
869 .It Va kern.geom.eli.batch : No 0
870 When set to 1, can speed-up crypto operations by using batching.
871 Batching reduces the number of interrupts by responding to a group of
872 crypto requests with one interrupt.
873 The crypto card and the driver has to support this feature.
874 .It Va kern.geom.eli.key_cache_limit : No 8192
875 Specifies how many Data Keys to cache.
877 (8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
878 sectors and will take around 1MB of memory.
879 .It Va kern.geom.eli.key_cache_hits
880 Reports how many times we were looking up a Data Key and it was already in
882 This sysctl is not updated for providers that need fewer Data Keys than
883 the limit specified in
884 .Va kern.geom.eli.key_cache_limit .
885 .It Va kern.geom.eli.key_cache_misses
886 Reports how many times we were looking up a Data Key and it was not in cache.
887 This sysctl is not updated for providers that need fewer Data Keys than the limit
889 .Va kern.geom.eli.key_cache_limit .
892 Exit status is 0 on success, and 1 if the command fails.
894 Initialize a provider which is going to be encrypted with a
895 passphrase and random data from a file on the user's pen drive.
897 Attach the provider, create a filesystem, and mount it.
899 Unmount the provider and detach it:
900 .Bd -literal -offset indent
901 # dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
902 # geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
903 Enter new passphrase:
904 Reenter new passphrase:
905 # geli attach -k /mnt/pendrive/da2.key /dev/da2
907 # dd if=/dev/random of=/dev/da2.eli bs=1m
909 # mount /dev/da2.eli /mnt/secret
912 # geli detach da2.eli
915 Create an encrypted provider, but use two User Keys:
916 one for your employee and one for you as the company's security officer
917 (so it is not a tragedy if the employee
919 forgets his passphrase):
920 .Bd -literal -offset indent
922 Enter new passphrase: (enter security officer's passphrase)
923 Reenter new passphrase:
924 # geli setkey -n 1 /dev/da2
925 Enter passphrase: (enter security officer's passphrase)
926 Enter new passphrase: (let your employee enter his passphrase ...)
927 Reenter new passphrase: (... twice)
930 You are the security officer in your company.
931 Create an encrypted provider for use by the user, but remember that users
932 forget their passphrases, so backup the Master Key with your own random key:
933 .Bd -literal -offset indent
934 # dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
935 # geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
936 # geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname`
937 (use key number 0, so the encrypted Master Key will be re-encrypted by this)
938 # geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
939 (allow the user to enter his passphrase)
940 Enter new passphrase:
941 Reenter new passphrase:
944 Encrypted swap partition setup:
945 .Bd -literal -offset indent
946 # dd if=/dev/random of=/dev/ada0s1b bs=1m
947 # geli onetime -d ada0s1b
948 # swapon /dev/ada0s1b.eli
951 The example below shows how to configure two providers which will be attached
952 on boot, before the root filesystem is mounted.
953 One of them is using passphrase and three keyfile parts and the other is
954 using only a keyfile in one part:
955 .Bd -literal -offset indent
956 # dd if=/dev/random of=/dev/da0 bs=1m
957 # dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
958 # dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
959 # dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
960 # geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
961 Enter new passphrase:
962 Reenter new passphrase:
963 # dd if=/dev/random of=/dev/da1s3a bs=1m
964 # dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
965 # geli init -b -P -K /boot/keys/da1s3a.key da1s3a
968 The providers are initialized, now we have to add these lines to
969 .Pa /boot/loader.conf :
970 .Bd -literal -offset indent
971 geli_da0_keyfile0_load="YES"
972 geli_da0_keyfile0_type="da0:geli_keyfile0"
973 geli_da0_keyfile0_name="/boot/keys/da0.key0"
974 geli_da0_keyfile1_load="YES"
975 geli_da0_keyfile1_type="da0:geli_keyfile1"
976 geli_da0_keyfile1_name="/boot/keys/da0.key1"
977 geli_da0_keyfile2_load="YES"
978 geli_da0_keyfile2_type="da0:geli_keyfile2"
979 geli_da0_keyfile2_name="/boot/keys/da0.key2"
981 geli_da1s3a_keyfile0_load="YES"
982 geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
983 geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
986 If there is only one keyfile, the index might be omitted:
987 .Bd -literal -offset indent
988 geli_da1s3a_keyfile_load="YES"
989 geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
990 geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
993 By convention, these loader variables are called
995 .Va geli_ No < Ar device No > Va _load .
997 However, the actual name prefix before
1004 module searches through all
1006 .No < Va prefix No > Va _type No -like
1008 variables that have a value of
1010 .Dq < Ar device No > :geli_keyfile .
1012 The paths to keyfiles are then extracted from
1014 .No < Ar prefix No > Va _name
1017 In the example above,
1020 .Dq Li geli_da1s3a_keyfile .
1022 Not only configure encryption, but also data integrity verification using
1024 .Bd -literal -offset indent
1025 # geli init -a hmac/sha256 -s 4096 /dev/da0
1026 Enter new passphrase:
1027 Reenter new passphrase:
1028 # geli attach /dev/da0
1030 # dd if=/dev/random of=/dev/da0.eli bs=1m
1031 # newfs /dev/da0.eli
1032 # mount /dev/da0.eli /mnt/secret
1036 writes the metadata backup by default to the
1037 .Pa /var/backups/<prov>.eli
1039 If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored.
1040 Consider the following situation:
1041 .Bd -literal -offset indent
1042 # geli init /dev/da0
1043 Enter new passphrase:
1044 Reenter new passphrase:
1046 Metadata backup can be found in /var/backups/da0.eli and
1047 can be restored with the following command:
1049 # geli restore /var/backups/da0.eli /dev/da0
1051 # geli clear /dev/da0
1052 # geli attach /dev/da0
1053 geli: Cannot read metadata from /dev/da0: Invalid argument.
1054 # geli restore /var/backups/da0.eli /dev/da0
1055 # geli attach /dev/da0
1059 If an encrypted filesystem is extended, it is necessary to relocate and
1060 update the metadata:
1061 .Bd -literal -offset indent
1062 # gpart create -s GPT ada0
1063 # gpart add -s 1g -t freebsd-ufs -i 1 ada0
1064 # geli init -K keyfile -P ada0p1
1065 # gpart resize -s 2g -i 1 ada0
1066 # geli resize -s 1g ada0p1
1067 # geli attach -k keyfile -p ada0p1
1070 Initialize provider with the passphrase split into two files.
1071 The provider can be attached using those two files or by entering
1073 as the passphrase at the
1076 .Bd -literal -offset indent
1077 # echo foo > da0.pass0
1078 # echo bar > da0.pass1
1079 # geli init -J da0.pass0 -J da0.pass1 da0
1080 # geli attach -j da0.pass0 -j da0.pass1 da0
1083 Enter passphrase: foobar
1088 devices on a laptop, suspend the laptop, then resume devices one by one after
1089 resuming the laptop:
1090 .Bd -literal -offset indent
1093 <resume your laptop>
1094 # geli resume -p -k keyfile gpt/secret
1095 # geli resume gpt/private
1101 encrypted filesystem with a file as storage device follow this example.
1102 First a file named private0 is created in
1104 and attached as a memory disk like
1107 .Bd -literal -offset indent
1108 # dd if=/dev/zero of=/usr/private0 bs=1m count=256
1109 # chmod 0600 /usr/private0
1110 # mdconfig -t vnode -f /usr/private0
1113 It is recommended to place the following line in
1115 to have the memory disk automatically created during boot.
1116 .Bd -literal -offset indent
1117 mdconfig_md0="-t vnode -f /usr/private0"
1122 is created a random key has to be generated and stored in a secure location,
1126 This key should be protected by a passphrase, which
1127 is requested when geli init is called.
1128 .Bd -literal -offset indent
1129 # dd if=/dev/random of=/root/private0.key bs=64 count=1
1130 # geli init -K /root/private0.key -s 4096 /dev/md0
1131 Enter new passphrase:
1132 Reenter new passphrase:
1133 # geli attach -k /root/private0.key /dev/md0
1135 # dd if=/dev/random of=/dev/md0.eli bs=1m
1138 Once the initialization of the
1140 device is ready create a UFS filesystem and mount it for example in
1142 .Bd -literal -offset indent
1143 # newfs /dev/md0.eli
1144 # mount /dev/md0.eli /private
1147 After a system reboot the
1149 device can be mounted again with the following commands.
1150 The call of geli attach will ask for the passphrase.
1151 It is recommended to do this procedure after the boot, because otherwise
1152 the boot process would be waiting for the passphrase input.
1153 .Bd -literal -offset indent
1154 # geli attach -k /root/private0.key /dev/md0
1156 # mount /dev/md0.eli /private
1158 .Sh ENCRYPTION MODES
1160 supports two encryption modes:
1162 which was standardized as
1166 with unpredictable IV.
1171 is very similar to the mode
1173 .Sh DATA AUTHENTICATION
1175 can verify data integrity when an authentication algorithm is specified.
1176 When data corruption/modification is detected,
1178 will not return any data, but instead will return an error
1180 The offset and size of the corrupted data will be printed on the console.
1181 It is important to know against which attacks
1183 provides protection for your data.
1184 If data is modified in-place or copied from one place on the disk
1185 to another even without modification,
1187 should be able to detect such a change.
1188 If an attacker can remember the encrypted data, he can overwrite any future
1189 changes with the data he owns without it being noticed.
1192 will not protect your data against replay attacks.
1194 It is recommended to write to the whole provider before first use,
1195 in order to make sure that all sectors and their corresponding
1196 checksums are properly initialized into a consistent state.
1197 One can safely ignore data authentication errors that occur immediately
1198 after the first time a provider is attached and before it is
1199 initialized in this way.
1215 block cipher was implemented by Yoshisato Yanagisawa in
1220 metadata version supported by the given
1223 .Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
1224 .It Sy FreeBSD Ta Sy GELI
1225 .It Sy version Ta Sy version
1248 .An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org