1 .\" Copyright (c) 2005-2006 Pawel Jakub Dawidek <pjd@FreeBSD.org>
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 .Dd September 16, 2006
32 .Nd "control utility for cryptographic GEOM class"
34 To compile GEOM_ELI into your kernel, place the following lines in your kernel
36 .Bd -ragged -offset indent
38 .Cd "options GEOM_ELI"
41 Alternately, to load the GEOM_ELI module at boot time, place the following line
44 .Bd -literal -offset indent
57 .Op Fl i Ar iterations
58 .Op Fl K Ar newkeyfile
60 .Op Fl s Ar sectorsize
63 .Cm label - an alias for
75 .Cm stop - an alias for
83 .Op Fl s Ar sectorsize
92 .Op Fl i Ar iterations
94 .Op Fl K Ar newkeyfile
135 utility is used to configure encryption on GEOM providers.
137 The following is a list of the most important features:
139 .Bl -bullet -offset indent -compact
143 framework, so when there is crypto hardware available,
145 will make use of it automatically.
147 Supports many cryptographic algorithms (currently
154 Can optionally perform data authentication (integrity verification) utilizing
155 one of the following algorithms:
164 Can create a key from a couple of components (user entered passphrase, random
165 bits from a file, etc.).
167 Allows to encrypt the root partition - the user will be asked for the
168 passphrase before the root file system is mounted.
170 The passphrase of the user is strengthened with:
173 .%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
178 Allows to use two independent keys (e.g.
181 .Qq "company key" ) .
185 performs simple sector-to-sector encryption.
187 Allows to backup/restore Master Keys, so when a user has to quickly
189 it is possible to get the data back by restoring keys from the backup.
191 Providers can be configured to automatically detach on last close
192 (so users do not have to remember to detach providers after unmounting
195 Allows to attach a provider with a random, one-time key - useful for swap
196 partitions and temporary file systems.
198 Allows to verify data integrity (data authentication).
201 The first argument to
203 indicates an action to be performed:
204 .Bl -tag -width ".Cm configure"
206 Initialize provider which needs to be encrypted.
207 Here you can set up the cryptographic algorithm to use, key length, etc.
208 The last provider's sector is used to store metadata.
210 Additional options include:
211 .Bl -tag -width ".Fl a Ar aalgo"
213 Enable data integrity verification (authentication) using the given algorithm.
214 This will reduce size of available storage and also reduce speed.
215 For example, when using 4096 bytes sector and
217 algorithm, 89% of the original provider storage will be available for use.
218 Currently supported algorithms are:
226 If the option is not given, there will be no authentication, only encryption.
228 Encryption algorithm to use.
229 Currently supported algorithms are:
238 Ask for the passphrase on boot, before the root partition is mounted.
239 This makes it possible to use an encrypted root partition.
240 One will still need bootable unencrypted storage with a
242 directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
244 .It Fl i Ar iterations
245 Number of iterations to use with PKCS#5v2.
246 If this option is not specified,
248 will find the number of iterations which is equal to 2 seconds of crypto work.
249 If 0 is given, PKCS#5v2 will not be used.
250 .It Fl K Ar newkeyfile
251 Specifies a file which contains part of the key.
254 is given as -, standard input will be used.
255 Here is how more than one file with a key component can be used:
256 .Bd -literal -offset indent
257 # cat key1 key2 key3 | geli init -K - /dev/da0
260 Key length to use with the given cryptographic algorithm.
261 If not given, the default key length for the given algorithm is used, which is:
270 .It Fl s Ar sectorsize
271 Change decrypted provider's sector size.
272 Increasing sector size allows to increase performance, because we need to
273 generate an IV and do encrypt/decrypt for every single sector - less number
274 of sectors means less work to do.
276 Do not use passphrase as the key component.
279 Attach the given provider.
280 The master key will be decrypted using the given
281 passphrase/keyfile and a new GEOM provider will be created using the given
282 provider's name with an
286 Additional options include:
287 .Bl -tag -width ".Fl a Ar algo"
289 If specified, a decrypted provider will be detached automatically on last close.
290 This can help with short memory - user does not have to remember to detach the
291 provider after unmounting the file system.
292 It only works when the provider was opened for writing, so it will not work if
293 the file system on the provider is mounted read-only.
294 Probably a better choice is the
300 Attach read-only provider.
301 It will not be opened for writing.
303 Specifies a file which contains part of the key.
304 For more information see the description of the
310 Do not use passphrase as the key component.
313 Detach the given providers, which means remove the devfs entry
314 and clear the keys from memory.
316 Additional options include:
317 .Bl -tag -width ".Fl a Ar algo"
319 Force detach - detach even if the provider is open.
321 Mark provider to detach on last close.
322 If this option is specified, the provider will not be detached
323 until it is open, but when it will be closed last time, it will
324 be automatically detached (even
325 if it was only opened for reading).
328 Attach the given providers with random, one-time keys.
329 The command can be used to encrypt swap partitions or temporary file systems.
331 Additional options include:
332 .Bl -tag -width ".Fl a Ar aalgo"
334 Enable data integrity verification (authentication).
335 For more information, see the description of the
339 Encryption algorithm to use.
340 For more information, see the description of the
344 Detach on last close.
345 Note, the option is not usable for temporary file systems as the provider will
346 be detached after creating the file system on it.
347 It still can (and should be) used for swap partitions.
348 For more information, see the description of the
352 Key length to use with the given cryptographic algorithm.
353 For more information, see the description of the
356 .It Fl s Ar sectorsize
357 Change decrypted provider's sector size.
358 For more information, see the description of the
363 Change configuration of the given providers.
365 Additional options include:
366 .Bl -tag -width ".Fl b"
368 Set the BOOT flag on the given providers.
369 For more information, see the description of the
373 Remove the BOOT flag from the given providers.
376 Change or setup (if not yet initialized) selected key.
377 There is one master key, which can be encrypted with two independent user keys.
380 subcommand, only key number 0 is initialized.
381 The key can always be changed: for an attached provider,
382 for a detached provider or on the backup file.
383 When a provider is attached, the user does not have to provide
384 an old passphrase/keyfile.
386 Additional options include:
387 .Bl -tag -width ".Fl a Ar algo"
388 .It Fl i Ar iterations
389 Number of iterations to use with PKCS#5v2.
390 If 0 is given, PKCS#5v2 will not be used.
391 To be able to use this option with
393 subcommand, only one key have to be defined and this key has to be changed.
395 Specifies a file which contains part of the old key.
396 .It Fl K Ar newkeyfile
397 Specifies a file which contains part of the new key.
399 Specifies the number of the key to change (could be 0 or 1).
400 If the provider is attached and no key number is given, the key
401 used for attaching the provider will be changed.
402 If the provider is detached (or we are operating on a backup file)
403 and no key number is given, the key decrypted with the passphrase/keyfile
406 Do not use passphrase as the old key component.
408 Do not use passphrase as the new key component.
411 Destroy (overwrite with random data) the selected key.
412 If one is destroying keys for an attached provider, the provider
413 will not be detached even if all keys will be destroyed.
414 It can be even rescued with the
417 .Bl -tag -width ".Fl a Ar algo"
419 Destroy all keys (does not need
423 Force key destruction.
424 This option is needed to destroy the last key.
426 Specifies the key number.
427 If the provider is attached and no key number is given, the key
428 used for attaching the provider will be destroyed.
429 If provider is detached (or we are operating on a backup file) the key number
433 This command should be used in emergency situations.
434 It will destroy all keys on the given provider and will detach it forcibly
436 This is absolutely a one-way command - if you do not have a metadata
437 backup, your data is gone for good.
438 In case the provider was attached with the
440 flag, the keys will not be destroyed, only the provider will be detached.
441 .Bl -tag -width ".Fl a Ar algo"
443 If specified, all currently attached providers will be killed.
446 Backup metadata from the given provider to the given file.
448 Restore metadata from the given file to the given provider.
450 Clear metadata from the given providers.
452 Dump metadata stored on the given providers.
467 Additional options include:
468 .Bl -tag -width ".Fl v"
475 variables can be used to control the behavior of the
478 The default value is shown next to each variable.
479 All variables can also be set in
480 .Pa /boot/loader.conf .
481 .Bl -tag -width indent
482 .It Va kern.geom.eli.debug : No 0
486 This can be set to a number between 0 and 3 inclusive.
487 If set to 0, minimal debug information is printed.
489 maximum amount of debug information is printed.
490 .It Va kern.geom.eli.tries : No 3
491 Number of times a user is asked for the passphrase.
492 This is only used for providers which should be attached on boot
493 (before the root file system is mounted).
494 If set to 0, attaching providers on boot will be disabled.
495 This variable should be set in
496 .Pa /boot/loader.conf .
497 .It Va kern.geom.eli.overwrites : No 5
498 Specifies how many times the Master-Key will be overwritten
499 with random values when it is destroyed.
500 After this operation it is filled with zeros.
501 .It Va kern.geom.eli.visible_passphrase : No 0
502 If set to 1, the passphrase entered on boot (before the root
503 file system is mounted) will be visible.
504 This possibility should be used with caution as the entered
505 passphrase can be logged and exposed via
507 This variable should be set in
508 .Pa /boot/loader.conf .
509 .It Va kern.geom.eli.threads : No 0
510 Specifies how many kernel threads should be used for doing software
512 Its purpose is to increase performance on SMP systems.
513 If hardware acceleration is available, only one thread will be started.
514 If set to 0, CPU-bound thread will be started for every active CPU.
515 .It Va kern.geom.eli.batch : No 0
516 When set to 1, can speed-up crypto operations by using batching.
517 Batching allows to reduce number of interrupts by responding on a group of
518 crypto requests with one interrupt.
519 The crypto card and the driver has to support this feature.
522 Exit status is 0 on success, and 1 if the command fails.
524 Initialize a provider which is going to be encrypted with a
525 passphrase and random data from a file on the user's pen drive.
527 Attach the provider, create a file system and mount it.
529 Unmount the provider and detach it:
530 .Bd -literal -offset indent
531 # dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
532 # geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
533 Enter new passphrase:
534 Reenter new passphrase:
535 # geli attach -k /mnt/pendrive/da2.key /dev/da2
537 # dd if=/dev/random of=/dev/da2.eli bs=1m
539 # mount /dev/da2.eli /mnt/secret
542 # geli detach da2.eli
545 Create an encrypted provider, but use two keys:
546 one for your girlfriend and one for
547 you (so there will be no tragedy if she forgets her passphrase):
548 .Bd -literal -offset indent
550 Enter new passphrase: (enter your passphrase)
551 Reenter new passphrase:
552 # geli setkey -n 1 /dev/da2
553 Enter passphrase: (enter your passphrase)
554 Enter new passphrase: (let your girlfriend enter her passphrase ...)
555 Reenter new passphrase: (... twice)
558 You are the security-person in your company.
559 Create an encrypted provider for use by the user, but remember that users
560 forget their passphrases, so back Master Key up with your own random key:
561 .Bd -literal -offset indent
562 # dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
563 # geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ad0s1e
564 # geli backup /dev/ad0s1e /mnt/pendrive/backups/`hostname`
565 (use key number 0, so the encrypted Master Key by you will be overwritten)
566 # geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ad0s1e
567 (allow the user to enter his passphrase)
568 Enter new passphrase:
569 Reenter new passphrase:
572 Encrypted swap partition setup:
573 .Bd -literal -offset indent
574 # dd if=/dev/random of=/dev/ad0s1b bs=1m
575 # geli onetime -d -e 3des ad0s1b
576 # swapon /dev/ad0s1b.eli
579 The example below shows how to configure two providers which will be attached
580 on boot (before the root file system is mounted).
581 One of them is using passphrase and three keyfiles and the other is using only a
583 .Bd -literal -offset indent
584 # dd if=/dev/random of=/dev/da0 bs=1m
585 # dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
586 # dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
587 # dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
588 # cat /boot/keys/da0.key0 /boot/keys/da0.key1 /boot/keys/da0.key2 | geli init -b -K - da0
589 Enter new passphrase:
590 Reenter new passphrase:
591 # dd if=/dev/random of=/dev/da1s3a bs=1m
592 # dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
593 # geli init -b -P -K /boot/keys/da1s3a.key da1s3a
596 The providers are initialized, now we have to add those lines to
597 .Pa /boot/loader.conf :
598 .Bd -literal -offset indent
599 geli_da0_keyfile0_load="YES"
600 geli_da0_keyfile0_type="da0:geli_keyfile0"
601 geli_da0_keyfile0_name="/boot/keys/da0.key0"
602 geli_da0_keyfile1_load="YES"
603 geli_da0_keyfile1_type="da0:geli_keyfile1"
604 geli_da0_keyfile1_name="/boot/keys/da0.key1"
605 geli_da0_keyfile2_load="YES"
606 geli_da0_keyfile2_type="da0:geli_keyfile2"
607 geli_da0_keyfile2_name="/boot/keys/da0.key2"
609 geli_da1s3a_keyfile0_load="YES"
610 geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
611 geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
614 Not only configure encryption, but also data integrity verification using
616 .Bd -literal -offset indent
617 # geli init -a hmac/sha256 -s 4096 /dev/da0
618 Enter new passphrase:
619 Reenter new passphrase:
620 # geli attach /dev/da0
622 # dd if=/dev/random of=/dev/da0.eli bs=1m
624 # mount /dev/da0.eli /mnt/secret
626 .Sh DATA AUTHENTICATION
628 can verify data integrity when an authentication algorithm is specified.
629 When data corruption/modification is detected,
631 will not return any data, but instead will return an error
633 The offset and size of the corrupted data will be printed on the console.
634 It is important to know against which attacks
636 provides protection for your data.
637 If data is modified in-place or copied from one place on the disk
638 to another even without modification,
640 should be able to detect such a change.
641 If an attacker can remember the encrypted data, he can overwrite any future
642 changes with the data he owns without notice.
645 will not protect your data against replay attacks.
661 block cipher is implemented by Yoshisato Yanagisawa in
664 .An Pawel Jakub Dawidek Aq pjd@FreeBSD.org