1 .\" Copyright (c) 2005-2019 Pawel Jakub Dawidek <pawel@dawidek.net>
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .Nd "control utility for the cryptographic GEOM class"
34 To compile GEOM_ELI into your kernel, add the following lines to your kernel
36 .Bd -ragged -offset indent
38 .Cd "options GEOM_ELI"
41 Alternatively, to load the GEOM_ELI module at boot time, add the following line
44 .Bd -literal -offset indent
55 .Op Fl B Ar backupfile
57 .Op Fl i Ar iterations
58 .Op Fl J Ar newpassfile
59 .Op Fl K Ar newkeyfile
61 .Op Fl s Ar sectorsize
65 .Cm label - an alias for
79 .Cm stop - an alias for
87 .Op Fl s Ar sectorsize
96 .Op Fl i Ar iterations
98 .Op Fl J Ar newpassfile
100 .Op Fl K Ar newkeyfile
159 utility is used to configure encryption on GEOM providers.
161 The following is a list of the most important features:
163 .Bl -bullet -offset indent -compact
167 framework, so when there is crypto hardware available,
169 will make use of it automatically.
171 Supports many cryptographic algorithms (currently
177 Can optionally perform data authentication (integrity verification) utilizing
178 one of the following algorithms:
186 Can create a User Key from up to two, piecewise components: a passphrase
187 entered via prompt or read from one or more passfiles; a keyfile read from
190 Allows encryption of the root partition.
191 The user is asked for the passphrase before the root filesystem is mounted.
193 Strengthens the passphrase component of the User Key with:
196 .%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
201 Allows the use of two independent User Keys (e.g., a
204 .Qq "company key" ) .
208 performs simple sector-to-sector encryption.
210 Allows the encrypted Master Key to be backed up and restored,
211 so that if a user has to quickly destroy key material,
212 it is possible to get the data back by restoring keys from
215 Providers can be configured to automatically detach on last close,
216 so users do not have to remember to detach providers after unmounting
219 Allows attaching a provider with a random, one-time Master Key,
220 which is useful for swap partitions and temporary filesystems.
222 Allows verification of data integrity (data authentication).
224 Allows suspending and resuming encrypted devices.
227 The first argument to
229 indicates an action to be performed:
230 .Bl -tag -width ".Cm configure"
232 Initialize providers which need to be encrypted.
233 If multiple providers are listed as arguments, they will all be initialized
234 with the same passphrase and/or User Key.
235 A unique salt will be randomly generated for each provider to ensure the
236 Master Key for each is unique.
237 Here you can set up the cryptographic algorithm to use, Data Key length,
239 The last sector of the providers is used to store metadata.
242 subcommand also automatically writes metadata backups to
243 .Pa /var/backups/<prov>.eli
245 The metadata can be recovered with the
247 subcommand described below.
249 Additional options include:
250 .Bl -tag -width ".Fl J Ar newpassfile"
252 Enable data integrity verification (authentication) using the given algorithm.
253 This will reduce the size of storage available and also reduce speed.
254 For example, when using 4096 bytes sector and
256 algorithm, 89% of the original provider storage will be available for use.
257 Currently supported algorithms are:
264 If the option is not given, there will be no authentication, only encryption.
265 The recommended algorithm is
268 Try to decrypt this partition during boot, before the root partition is mounted.
269 This makes it possible to use an encrypted root partition.
270 One will still need bootable unencrypted storage with a
272 directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
274 .It Fl B Ar backupfile
275 File name to use for metadata backup instead of the default
276 .Pa /var/backups/<prov>.eli .
277 To inhibit backups, you can use
281 If multiple providers were initialized in the one command, you can use
283 (all upper-case) in the file name, and it will be replaced with the provider
287 is not found in the file name and multiple providers were initialized in the
290 will be appended to the end of the file name specified.
292 When entering the passphrase to boot from this encrypted root filesystem, echo
295 This makes the length of the passphrase visible.
297 Encryption algorithm to use.
298 Currently supported algorithms are:
304 The default and recommended algorithm is
309 Enable booting from this encrypted root filesystem.
310 The boot loader prompts for the passphrase and loads
312 from the encrypted partition.
313 .It Fl i Ar iterations
314 Number of iterations to use with PKCS#5v2 when processing User Key
315 passphrase component.
316 If this option is not specified,
318 will find the number of iterations which is equal to 2 seconds of crypto work.
319 If 0 is given, PKCS#5v2 will not be used.
320 PKCS#5v2 processing is performed once, after all parts of the passphrase
321 component have been read.
322 .It Fl J Ar newpassfile
323 Specifies a file which contains the passphrase component of the User Key
327 is given as -, standard input will be used.
328 Only the first line (excluding new-line character) is taken from the given file.
329 This argument can be specified multiple times, which has the effect of
330 reassembling a single passphrase split across multiple files.
331 Cannot be combined with the
334 .It Fl K Ar newkeyfile
335 Specifies a file which contains the keyfile component of the User Key
339 is given as -, standard input will be used.
340 This argument can be specified multiple times, which has the effect of
341 reassembling a single keyfile split across multiple keyfile parts.
343 Data Key length to use with the given cryptographic algorithm.
344 If the length is not specified, the selected algorithm uses its
347 .Bl -ohang -offset indent
351 .It Nm AES-CBC , Nm Camellia-CBC
357 Do not use a passphrase as a component of the User Key.
358 Cannot be combined with the
361 .It Fl s Ar sectorsize
362 Change decrypted provider's sector size.
363 Increasing the sector size allows increased performance,
364 because encryption/decryption which requires an initialization vector
365 is done per sector; fewer sectors means less computational work.
367 Turn off automatic expansion.
368 By default, if the underlying provider grows, the encrypted provider will
369 grow automatically too.
370 The metadata will be moved to the new location.
371 If automatic expansion if turned off and the underlying provider changes
372 size, attaching encrypted provider will no longer be possible as the metadata
373 will no longer be located in the last sector.
376 will only log the previous size of the underlying provider, so metadata can
377 be found easier, if resize was done by mistake.
381 calls (i.e., TRIM/UNMAP).
382 This can prevent an attacker from knowing how much space you're actually
383 using and which sectors contain live data, but will also prevent the
384 backing store (SSD, etc) from reclaiming space you're not using, which
385 may degrade its performance and lifespan.
386 The underlying provider may or may not actually obliterate the deleted
387 sectors when TRIM is enabled, so it should not be considered to add any
390 Metadata version to use.
391 This option is helpful when creating a provider that may be used by older
396 section to find which metadata version is supported by which
399 Note that using an older version of metadata may limit the number of
403 Attach the given providers.
404 The encrypted Master Keys are loaded from the metadata and decrypted
405 using the given passphrase/keyfile and new GEOM providers are created
406 using the specified provider names.
409 suffix is added to the user specified provider names.
410 Multiple providers can only be attached with a single
412 command if they all have the same passphrase and keyfiles.
414 Additional options include:
415 .Bl -tag -width ".Fl j Ar passfile"
417 Do a dry-run decryption.
418 This is useful to verify passphrase and keyfile without decrypting the device.
420 If specified, the decrypted providers are detached automatically on last close,
421 so the user does not have to remember to detach
422 providers after unmounting the filesystems.
423 This only works when providers were opened for writing, and will not work if
424 the filesystems on the providers were mounted read-only.
425 Probably a better choice is the
431 Specifies the index number of the Master Key copy to use (could be 0 or 1).
432 If the index number is not provided all keys will be tested.
434 Specifies a file which contains the passphrase component of the User Key
436 For more information see the description of the
441 The same passfiles are used for all listed providers.
443 Specifies a file which contains the keyfile component of the User Key
445 For more information see the description of the
450 The same keyfiles are used for all listed providers.
452 Do not use a passphrase as a component of the User Keys.
453 Cannot be combined with the
457 Attach read-only providers.
458 They are not opened for writing.
461 Detach the given providers, which means remove the devfs entry
462 and clear the Master Key and Data Keys from memory.
464 Additional options include:
465 .Bl -tag -width ".Fl f"
467 Force detach - detach even if the provider is open.
469 Mark provider to detach on last close, after the last filesystem has been
471 If this option is specified, the provider will not be detached
472 while it is open, but will be automatically detached when it is closed for the
473 last time even if it was only opened for reading.
476 Attach the given providers with a random, one-time (ephemeral) Master Key.
477 The command can be used to encrypt swap partitions or temporary filesystems.
479 Additional options include:
480 .Bl -tag -width ".Fl a Ar sectorsize"
482 Enable data integrity verification (authentication).
483 For more information, see the description of the
487 Encryption algorithm to use.
488 For more information, see the description of the
492 Detach on last close, after the last filesystem has been unmounted.
493 Note: this option is not usable for temporary filesystems as the provider is
494 detached after the filesystem has been created.
495 It still can, and should, be used for swap partitions.
496 For more information, see the description of the
500 Data Key length to use with the given cryptographic algorithm.
501 For more information, see the description of the
504 .It Fl s Ar sectorsize
505 Change decrypted provider's sector size.
506 For more information, see the description of the
510 Turn off automatic expansion.
511 For more information, see the description of the
515 Disable TRIM/UNMAP passthru.
516 For more information, see the description of the
521 Change configuration of the given providers.
523 Additional options include:
524 .Bl -tag -width ".Fl b"
526 Set the BOOT flag on the given providers.
527 For more information, see the description of the
531 Remove the BOOT flag from the given providers.
533 When entering the passphrase to boot from this encrypted root filesystem, echo
536 This makes the length of the passphrase visible.
538 Disable echoing of any characters when a passphrase is entered to boot from this
539 encrypted root filesystem.
540 This hides the passphrase length.
542 Enable booting from this encrypted root filesystem.
543 The boot loader prompts for the passphrase and loads
545 from the encrypted partition.
547 Deactivate booting from this encrypted root partition.
549 Turn on automatic expansion.
550 For more information, see the description of the
554 Turn off automatic expansion.
556 Enable TRIM/UNMAP passthru.
557 For more information, see the description of the
561 Disable TRIM/UNMAP passthru.
564 Install a copy of the Master Key into the selected slot, encrypted with
566 If the selected slot is populated, replace the existing copy.
567 A provider has one Master Key, which can be stored in one or both slots,
568 each encrypted with an independent User Key.
571 subcommand, only key number 0 is initialized.
572 The User Key can be changed at any time: for an attached provider,
573 for a detached provider, or on the backup file.
574 When a provider is attached, the user does not have to provide
575 an existing passphrase/keyfile.
577 Additional options include:
578 .Bl -tag -width ".Fl J Ar newpassfile"
579 .It Fl i Ar iterations
580 Number of iterations to use with PKCS#5v2.
581 If 0 is given, PKCS#5v2 will not be used.
582 To be able to use this option with the
584 subcommand, only one key has to be defined and this key must be changed.
586 Specifies a file which contains the passphrase component of a current User Key
588 .It Fl J Ar newpassfile
589 Specifies a file which contains the passphrase component of the new User Key
592 Specifies a file which contains the keyfile component of a current User Key
594 .It Fl K Ar newkeyfile
595 Specifies a file which contains the keyfile component of the new User Key
598 Specifies the index number of the Master Key copy to change (could be 0 or 1).
599 If the provider is attached and no key number is given, the key
600 used for attaching the provider will be changed.
601 If the provider is detached (or we are operating on a backup file)
602 and no key number is given, the first Master Key copy to be successfully
603 decrypted with the provided User Key passphrase/keyfile will be changed.
605 Do not use a passphrase as a component of the current User Key.
606 Cannot be combined with the
610 Do not use a passphrase as a component of the new User Key.
611 Cannot be combined with the
616 Destroy (overwrite with random data) the selected Master Key copy.
617 If one is destroying keys for an attached provider, the provider
618 will not be detached even if all copies of the Master Key are destroyed.
619 It can even be rescued with the
621 subcommand because the Master Key is still in memory.
623 Additional options include:
624 .Bl -tag -width ".Fl a Ar keyno"
626 Destroy all copies of the Master Key (does not need
630 Force key destruction.
631 This option is needed to destroy the last copy of the Master Key.
633 Specifies the index number of the Master Key copy.
634 If the provider is attached and no key number is given, the key
635 used for attaching the provider will be destroyed.
636 If provider is detached (or we are operating on a backup file) the key number
640 This command should be used only in emergency situations.
641 It will destroy all copies of the Master Key on a given provider and will
642 detach it forcibly (if it is attached).
643 This is absolutely a one-way command - if you do not have a metadata
644 backup, your data is gone for good.
645 In case the provider was attached with the
647 flag, the keys will not be destroyed, only the provider will be detached.
649 Additional options include:
650 .Bl -tag -width ".Fl a"
652 If specified, all currently attached providers will be killed.
655 Backup metadata from the given provider to the given file.
657 Restore metadata from the given file to the given provider.
659 Additional options include:
660 .Bl -tag -width ".Fl f"
662 Metadata contains the size of the provider to ensure that the correct
663 partition or slice is attached.
664 If an attempt is made to restore metadata to a provider that has a different
667 will refuse to restore the data unless the
670 If the partition or slice has been grown, the
672 subcommand should be used rather than attempting to relocate the metadata
679 Suspend device by waiting for all inflight requests to finish, clearing all
680 sensitive information such as the Master Key and Data Keys from kernel memory,
681 and blocking all further I/O requests until the
683 subcommand is executed.
684 This functionality is useful for laptops.
685 Suspending a laptop should not leave an encrypted device attached.
688 subcommand can be used rather than closing all files and directories from
689 filesystems on the encrypted device, unmounting the filesystem, and
690 detaching the device.
691 Any access to the encrypted device will be blocked until the Master Key is
695 Thus there is no need to close nor unmount anything.
698 subcommand does not work with devices created with the
701 Please note that sensitive data might still be present in memory locations
702 such as the filesystem cache after suspending an encrypted device.
704 Additional options include:
705 .Bl -tag -width ".Fl a"
712 Resume previously suspended device.
713 The caller must ensure that executing this subcommand does not access the
714 suspended device, leading to a deadlock.
715 For example, suspending a device which contains the filesystem where the
717 utility is stored is a bad idea.
719 Additional options include:
720 .Bl -tag -width ".Fl j Ar passfile"
722 Specifies a file which contains the passphrase component of the User Key,
724 For more information see the description of the
730 Specifies a file which contains the keyfile component of the User Key,
732 For more information see the description of the
738 Do not use a passphrase as a component of the User Key.
739 Cannot be combined with the
746 that the provider has been resized.
747 The old metadata block is relocated to the correct position at the end of the
748 provider and the provider size is updated.
750 Additional options include:
751 .Bl -tag -width ".Fl s Ar oldsize"
753 The size of the provider before it was resized.
756 If no arguments are given, the
758 subcommand will print the version of
760 userland utility as well as the version of the
764 If GEOM providers are specified, the
766 subcommand will print metadata version used by each of them.
768 Clear metadata from the given providers.
770 This will erase with zeros the encrypted Master Key copies stored in the
773 Dump metadata stored on the given providers.
788 Additional options include:
789 .Bl -tag -width ".Fl v"
799 utility generates a random Master Key for the provider.
800 The Master Key never changes during the lifetime of the provider.
801 Each copy of the provider metadata, active or backed up to a file, can store
802 up to two, independently-encrypted copies of the Master Key.
804 Each stored copy of the Master Key is encrypted with a User Key, which
807 utility from a passphrase and/or a keyfile.
810 utility first reads all parts of the keyfile in the order specified on the
811 command line, then reads all parts of the stored passphrase in the order
812 specified on the command line.
813 If no passphrase parts are specified, the system prompts the user to enter
815 The passphrase is optionally strengthened by PKCS#5v2.
816 The User Key is a digest computed over the concatenated keyfile and passphrase.
818 During operation, one or more Data Keys are deterministically derived by
819 the kernel from the Master Key and cached in memory.
820 The number of Data Keys used by a given provider, and the way they are
821 derived, depend on the GELI version and whether the provider is configured to
822 use data authentication.
826 variables can be used to control the behavior of the
829 The default value is shown next to each variable.
830 Some variables can also be set in
831 .Pa /boot/loader.conf .
832 .Bl -tag -width indent
833 .It Va kern.geom.eli.version
834 Version number of the
837 .It Va kern.geom.eli.debug : No 0
841 This can be set to a number between 0 and 3 inclusive.
842 If set to 0, minimal debug information is printed.
844 maximum amount of debug information is printed.
845 .It Va kern.geom.eli.tries : No 3
846 Number of times a user is asked for the passphrase.
847 This is only used for providers which are attached on boot,
848 before the root filesystem is mounted.
849 If set to 0, attaching providers on boot will be disabled.
850 This variable should be set in
851 .Pa /boot/loader.conf .
852 .It Va kern.geom.eli.overwrites : No 5
853 Specifies how many times the Master Key is overwritten
854 with random values when it is destroyed.
855 After this operation it is filled with zeros.
856 .It Va kern.geom.eli.visible_passphrase : No 0
857 If set to 1, the passphrase entered on boot will be visible.
858 This alternative should be used with caution as the entered
859 passphrase can be logged and exposed via
861 This variable should be set in
862 .Pa /boot/loader.conf .
863 .It Va kern.geom.eli.threads : No 0
864 Specifies how many kernel threads should be used for doing software
866 Its purpose is to increase performance on SMP systems.
867 If set to 0, a CPU-pinned thread will be started for every active CPU.
868 .It Va kern.geom.eli.batch : No 0
869 When set to 1, can speed-up crypto operations by using batching.
870 Batching reduces the number of interrupts by responding to a group of
871 crypto requests with one interrupt.
872 The crypto card and the driver has to support this feature.
873 .It Va kern.geom.eli.key_cache_limit : No 8192
874 Specifies how many Data Keys to cache.
876 (8192 keys) will allow caching of all keys for a 4TB provider with 512 byte
877 sectors and will take around 1MB of memory.
878 .It Va kern.geom.eli.key_cache_hits
879 Reports how many times we were looking up a Data Key and it was already in
881 This sysctl is not updated for providers that need fewer Data Keys than
882 the limit specified in
883 .Va kern.geom.eli.key_cache_limit .
884 .It Va kern.geom.eli.key_cache_misses
885 Reports how many times we were looking up a Data Key and it was not in cache.
886 This sysctl is not updated for providers that need fewer Data Keys than the limit
888 .Va kern.geom.eli.key_cache_limit .
891 Exit status is 0 on success, and 1 if the command fails.
893 Initialize a provider which is going to be encrypted with a
894 passphrase and random data from a file on the user's pen drive.
896 Attach the provider, create a filesystem, and mount it.
898 Unmount the provider and detach it:
899 .Bd -literal -offset indent
900 # dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
901 # geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
902 Enter new passphrase:
903 Reenter new passphrase:
904 # geli attach -k /mnt/pendrive/da2.key /dev/da2
906 # dd if=/dev/random of=/dev/da2.eli bs=1m
908 # mount /dev/da2.eli /mnt/secret
911 # geli detach da2.eli
914 Create an encrypted provider, but use two User Keys:
915 one for your employee and one for you as the company's security officer
916 (so it is not a tragedy if the employee
918 forgets his passphrase):
919 .Bd -literal -offset indent
921 Enter new passphrase: (enter security officer's passphrase)
922 Reenter new passphrase:
923 # geli setkey -n 1 /dev/da2
924 Enter passphrase: (enter security officer's passphrase)
925 Enter new passphrase: (let your employee enter his passphrase ...)
926 Reenter new passphrase: (... twice)
929 You are the security officer in your company.
930 Create an encrypted provider for use by the user, but remember that users
931 forget their passphrases, so backup the Master Key with your own random key:
932 .Bd -literal -offset indent
933 # dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
934 # geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ada0s1e
935 # geli backup /dev/ada0s1e /mnt/pendrive/backups/`hostname`
936 (use key number 0, so the encrypted Master Key will be re-encrypted by this)
937 # geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ada0s1e
938 (allow the user to enter his passphrase)
939 Enter new passphrase:
940 Reenter new passphrase:
943 Encrypted swap partition setup:
944 .Bd -literal -offset indent
945 # dd if=/dev/random of=/dev/ada0s1b bs=1m
946 # geli onetime -d ada0s1b
947 # swapon /dev/ada0s1b.eli
950 The example below shows how to configure two providers which will be attached
951 on boot, before the root filesystem is mounted.
952 One of them is using passphrase and three keyfile parts and the other is
953 using only a keyfile in one part:
954 .Bd -literal -offset indent
955 # dd if=/dev/random of=/dev/da0 bs=1m
956 # dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
957 # dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
958 # dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
959 # geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
960 Enter new passphrase:
961 Reenter new passphrase:
962 # dd if=/dev/random of=/dev/da1s3a bs=1m
963 # dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
964 # geli init -b -P -K /boot/keys/da1s3a.key da1s3a
967 The providers are initialized, now we have to add these lines to
968 .Pa /boot/loader.conf :
969 .Bd -literal -offset indent
970 geli_da0_keyfile0_load="YES"
971 geli_da0_keyfile0_type="da0:geli_keyfile0"
972 geli_da0_keyfile0_name="/boot/keys/da0.key0"
973 geli_da0_keyfile1_load="YES"
974 geli_da0_keyfile1_type="da0:geli_keyfile1"
975 geli_da0_keyfile1_name="/boot/keys/da0.key1"
976 geli_da0_keyfile2_load="YES"
977 geli_da0_keyfile2_type="da0:geli_keyfile2"
978 geli_da0_keyfile2_name="/boot/keys/da0.key2"
980 geli_da1s3a_keyfile0_load="YES"
981 geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
982 geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
985 If there is only one keyfile, the index might be omitted:
986 .Bd -literal -offset indent
987 geli_da1s3a_keyfile_load="YES"
988 geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
989 geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
992 By convention, these loader variables are called
994 .Va geli_ No < Ar device No > Va _load .
996 However, the actual name prefix before
1003 module searches through all
1005 .No < Va prefix No > Va _type No -like
1007 variables that have a value of
1009 .Dq < Ar device No > :geli_keyfile .
1011 The paths to keyfiles are then extracted from
1013 .No < Ar prefix No > Va _name
1016 In the example above,
1019 .Dq Li geli_da1s3a_keyfile .
1021 Not only configure encryption, but also data integrity verification using
1023 .Bd -literal -offset indent
1024 # geli init -a hmac/sha256 -s 4096 /dev/da0
1025 Enter new passphrase:
1026 Reenter new passphrase:
1027 # geli attach /dev/da0
1029 # dd if=/dev/random of=/dev/da0.eli bs=1m
1030 # newfs /dev/da0.eli
1031 # mount /dev/da0.eli /mnt/secret
1035 writes the metadata backup by default to the
1036 .Pa /var/backups/<prov>.eli
1038 If the metadata is lost in any way (e.g., by accidental overwrite), it can be restored.
1039 Consider the following situation:
1040 .Bd -literal -offset indent
1041 # geli init /dev/da0
1042 Enter new passphrase:
1043 Reenter new passphrase:
1045 Metadata backup can be found in /var/backups/da0.eli and
1046 can be restored with the following command:
1048 # geli restore /var/backups/da0.eli /dev/da0
1050 # geli clear /dev/da0
1051 # geli attach /dev/da0
1052 geli: Cannot read metadata from /dev/da0: Invalid argument.
1053 # geli restore /var/backups/da0.eli /dev/da0
1054 # geli attach /dev/da0
1058 If an encrypted filesystem is extended, it is necessary to relocate and
1059 update the metadata:
1060 .Bd -literal -offset indent
1061 # gpart create -s GPT ada0
1062 # gpart add -s 1g -t freebsd-ufs -i 1 ada0
1063 # geli init -K keyfile -P ada0p1
1064 # gpart resize -s 2g -i 1 ada0
1065 # geli resize -s 1g ada0p1
1066 # geli attach -k keyfile -p ada0p1
1069 Initialize provider with the passphrase split into two files.
1070 The provider can be attached using those two files or by entering
1072 as the passphrase at the
1075 .Bd -literal -offset indent
1076 # echo foo > da0.pass0
1077 # echo bar > da0.pass1
1078 # geli init -J da0.pass0 -J da0.pass1 da0
1079 # geli attach -j da0.pass0 -j da0.pass1 da0
1082 Enter passphrase: foobar
1087 devices on a laptop, suspend the laptop, then resume devices one by one after
1088 resuming the laptop:
1089 .Bd -literal -offset indent
1092 <resume your laptop>
1093 # geli resume -p -k keyfile gpt/secret
1094 # geli resume gpt/private
1100 encrypted filesystem with a file as storage device follow this example.
1101 First a file named private0 is created in
1103 and attached as a memory disk like
1106 .Bd -literal -offset indent
1107 # dd if=/dev/zero of=/usr/private0 bs=1m count=256
1108 # chmod 0600 /usr/private0
1109 # mdconfig -t vnode -f /usr/private0
1112 It is recommended to place the following line in
1114 to have the memory disk automatically created during boot.
1115 .Bd -literal -offset indent
1116 mdconfig_md0="-t vnode -f /usr/private0"
1121 is created a random key has to be generated and stored in a secure location,
1125 This key should be protected by a passphrase, which
1126 is requested when geli init is called.
1127 .Bd -literal -offset indent
1128 # dd if=/dev/random of=/root/private0.key bs=64 count=1
1129 # geli init -K /root/private0.key -s 4096 /dev/md0
1130 Enter new passphrase:
1131 Reenter new passphrase:
1132 # geli attach -k /root/private0.key /dev/md0
1134 # dd if=/dev/random of=/dev/md0.eli bs=1m
1137 Once the initialization of the
1139 device is ready create a UFS filesystem and mount it for example in
1141 .Bd -literal -offset indent
1142 # newfs /dev/md0.eli
1143 # mount /dev/md0.eli /private
1146 After a system reboot the
1148 device can be mounted again with the following commands.
1149 The call of geli attach will ask for the passphrase.
1150 It is recommended to do this procedure after the boot, because otherwise
1151 the boot process would be waiting for the passphrase input.
1152 .Bd -literal -offset indent
1153 # geli attach -k /root/private0.key /dev/md0
1155 # mount /dev/md0.eli /private
1157 .Sh ENCRYPTION MODES
1159 supports two encryption modes:
1161 which was standardized as
1165 with unpredictable IV.
1170 is very similar to the mode
1172 .Sh DATA AUTHENTICATION
1174 can verify data integrity when an authentication algorithm is specified.
1175 When data corruption/modification is detected,
1177 will not return any data, but instead will return an error
1179 The offset and size of the corrupted data will be printed on the console.
1180 It is important to know against which attacks
1182 provides protection for your data.
1183 If data is modified in-place or copied from one place on the disk
1184 to another even without modification,
1186 should be able to detect such a change.
1187 If an attacker can remember the encrypted data, he can overwrite any future
1188 changes with the data he owns without it being noticed.
1191 will not protect your data against replay attacks.
1193 It is recommended to write to the whole provider before first use,
1194 in order to make sure that all sectors and their corresponding
1195 checksums are properly initialized into a consistent state.
1196 One can safely ignore data authentication errors that occur immediately
1197 after the first time a provider is attached and before it is
1198 initialized in this way.
1214 block cipher was implemented by Yoshisato Yanagisawa in
1219 metadata version supported by the given
1222 .Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
1223 .It Sy FreeBSD Ta Sy GELI
1224 .It Sy version Ta Sy version
1247 .An Pawel Jakub Dawidek Aq Mt pjd@FreeBSD.org