- Copy stable/9 to releng/9.2 as part of the 9.2-RELEASE cycle.

[FreeBSD/releng/9.2.git] / sbin / geom / class / eli / geli.8

.\" Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd March 9, 2011
.Dt GELI 8
.Os
.Sh NAME
.Nm geli
.Nd "control utility for cryptographic GEOM class"
.Sh SYNOPSIS
To compile GEOM_ELI into your kernel, place the following lines in your kernel
configuration file:
.Bd -ragged -offset indent
.Cd "device crypto"
.Cd "options GEOM_ELI"
.Ed
.Pp
Alternately, to load the GEOM_ELI module at boot time, place the following line
in your
.Xr loader.conf 5 :
.Bd -literal -offset indent
geom_eli_load="YES"
.Ed
.Pp
Usage of the
.Xr geli 8
utility:
.Pp
.Nm
.Cm init
.Op Fl bPv
.Op Fl a Ar aalgo
.Op Fl B Ar backupfile
.Op Fl e Ar ealgo
.Op Fl i Ar iterations
.Op Fl J Ar newpassfile
.Op Fl K Ar newkeyfile
.Op Fl l Ar keylen
.Op Fl s Ar sectorsize
.Ar prov
.Nm
.Cm label - an alias for
.Cm init
.Nm
.Cm attach
.Op Fl dprv
.Op Fl j Ar passfile
.Op Fl k Ar keyfile
.Ar prov
.Nm
.Cm detach
.Op Fl fl
.Ar prov ...
.Nm
.Cm stop - an alias for
.Cm detach
.Nm
.Cm onetime
.Op Fl d
.Op Fl a Ar aalgo
.Op Fl e Ar ealgo
.Op Fl l Ar keylen
.Op Fl s Ar sectorsize
.Ar prov
.Nm
.Cm configure
.Op Fl bB
.Ar prov ...
.Nm
.Cm setkey
.Op Fl pPv
.Op Fl i Ar iterations
.Op Fl j Ar passfile
.Op Fl J Ar newpassfile
.Op Fl k Ar keyfile
.Op Fl K Ar newkeyfile
.Op Fl n Ar keyno
.Ar prov
.Nm
.Cm delkey
.Op Fl afv
.Op Fl n Ar keyno
.Ar prov
.Nm
.Cm kill
.Op Fl av
.Op Ar prov ...
.Nm
.Cm backup
.Op Fl v
.Ar prov
.Ar file
.Nm
.Cm restore
.Op Fl fv
.Ar file
.Ar prov
.Nm
.Cm suspend
.Op Fl v
.Fl a | Ar prov ...
.Nm
.Cm resume
.Op Fl pv
.Op Fl j Ar passfile
.Op Fl k Ar keyfile
.Ar prov
.Nm
.Cm resize
.Op Fl v
.Fl s Ar oldsize
.Ar prov
.Nm
.Cm clear
.Op Fl v
.Ar prov ...
.Nm
.Cm dump
.Op Fl v
.Ar prov ...
.Nm
.Cm list
.Nm
.Cm status
.Nm
.Cm load
.Nm
.Cm unload
.Sh DESCRIPTION
The
.Nm
utility is used to configure encryption on GEOM providers.
.Pp
The following is a list of the most important features:
.Pp
.Bl -bullet -offset indent -compact
.It
Utilizes the
.Xr crypto 9
framework, so when there is crypto hardware available,
.Nm
will make use of it automatically.
.It
Supports many cryptographic algorithms (currently
.Nm AES-XTS ,
.Nm AES-CBC ,
.Nm Blowfish-CBC ,
.Nm Camellia-CBC
and
.Nm 3DES-CBC ) .
.It
Can optionally perform data authentication (integrity verification) utilizing
one of the following algorithms:
.Nm HMAC/MD5 ,
.Nm HMAC/SHA1 ,
.Nm HMAC/RIPEMD160 ,
.Nm HMAC/SHA256 ,
.Nm HMAC/SHA384
or
.Nm HMAC/SHA512 .
.It
Can create a key from a couple of components (user entered passphrase, random
bits from a file, etc.).
.It
Allows to encrypt the root partition - the user will be asked for the
passphrase before the root file system is mounted.
.It
The passphrase of the user is strengthened with:
.Rs
.%A B. Kaliski
.%T "PKCS #5: Password-Based Cryptography Specification, Version 2.0."
.%R RFC
.%N 2898
.Re
.It
Allows to use two independent keys (e.g.
.Qq "user key"
and
.Qq "company key" ) .
.It
It is fast -
.Nm
performs simple sector-to-sector encryption.
.It
Allows to backup/restore Master Keys, so when a user has to quickly
destroy his keys,
it is possible to get the data back by restoring keys from the backup.
.It
Providers can be configured to automatically detach on last close
(so users do not have to remember to detach providers after unmounting
the file systems).
.It
Allows to attach a provider with a random, one-time key - useful for swap
partitions and temporary file systems.
.It
Allows to verify data integrity (data authentication).
.It
Allows to suspend and resume encrypted devices.
.El
.Pp
The first argument to
.Nm
indicates an action to be performed:
.Bl -tag -width ".Cm configure"
.It Cm init
Initialize provider which needs to be encrypted.
Here you can set up the cryptographic algorithm to use, key length, etc.
The last provider's sector is used to store metadata.
The
.Cm init
subcommand also automatically backups metadata in
.Pa /var/backups/<prov>.eli
file.
The metadata can be recovered with the
.Cm restore
subcommand described below.
.Pp
Additional options include:
.Bl -tag -width ".Fl J Ar newpassfile"
.It Fl a Ar aalgo
Enable data integrity verification (authentication) using the given algorithm.
This will reduce size of available storage and also reduce speed.
For example, when using 4096 bytes sector and
.Nm HMAC/SHA256
algorithm, 89% of the original provider storage will be available for use.
Currently supported algorithms are:
.Nm HMAC/MD5 ,
.Nm HMAC/SHA1 ,
.Nm HMAC/RIPEMD160 ,
.Nm HMAC/SHA256 ,
.Nm HMAC/SHA384
and
.Nm HMAC/SHA512 .
If the option is not given, there will be no authentication, only encryption.
The recommended algorithm is
.Nm HMAC/SHA256 .
.It Fl b
Ask for the passphrase on boot, before the root partition is mounted.
This makes it possible to use an encrypted root partition.
One will still need bootable unencrypted storage with a
.Pa /boot/
directory, which can be a CD-ROM disc or USB pen-drive, that can be removed
after boot.
.It Fl B Ar backupfile
File name to use for metadata backup instead of the default
.Pa /var/backups/<prov>.eli .
To inhibit backups, you can use
.Pa none
as the
.Ar backupfile .
.It Fl e Ar ealgo
Encryption algorithm to use.
Currently supported algorithms are:
.Nm AES-XTS ,
.Nm AES-CBC ,
.Nm Blowfish-CBC ,
.Nm Camellia-CBC
and
.Nm 3DES-CBC .
The default and recommended algorithm is
.Nm AES-XTS .
.It Fl i Ar iterations
Number of iterations to use with PKCS#5v2.
If this option is not specified,
.Nm
will find the number of iterations which is equal to 2 seconds of crypto work.
If 0 is given, PKCS#5v2 will not be used.
.It Fl J Ar newpassfile
Specifies a file which contains the passphrase or its part.
If
.Ar newpassfile
is given as -, standard input will be used.
Only the first line (excluding new-line character) is taken from the given file.
This argument can be specified multiple times.
.It Fl K Ar newkeyfile
Specifies a file which contains part of the key.
If
.Ar newkeyfile
is given as -, standard input will be used.
This argument can be specified multiple times.
.It Fl l Ar keylen
Key length to use with the given cryptographic algorithm.
If not given, the default key length for the given algorithm is used, which is:
128 for
.Nm AES-XTS ,
.Nm AES-CBC ,
.Nm Blowfish-CBC
and
.Nm Camellia-CBC
and 192 for
.Nm 3DES-CBC .
.It Fl P
Do not use passphrase as the key component.
.It Fl s Ar sectorsize
Change decrypted provider's sector size.
Increasing sector size allows to increase performance, because we need to
generate an IV and do encrypt/decrypt for every single sector - less number
of sectors means less work to do.
.El
.It Cm attach
Attach the given provider.
The master key will be decrypted using the given
passphrase/keyfile and a new GEOM provider will be created using the given
provider's name with an
.Qq .eli
suffix.
.Pp
Additional options include:
.Bl -tag -width ".Fl j Ar passfile"
.It Fl d
If specified, a decrypted provider will be detached automatically on last close.
This can help with short memory - user does not have to remember to detach the
provider after unmounting the file system.
It only works when the provider was opened for writing, so it will not work if
the file system on the provider is mounted read-only.
Probably a better choice is the
.Fl l
option for the
.Cm detach
subcommand.
.It Fl j Ar passfile
Specifies a file which contains the passphrase or its part.
For more information see the description of the
.Fl J
option for the
.Cm init
subcommand.
.It Fl k Ar keyfile
Specifies a file which contains part of the key.
For more information see the description of the
.Fl K
option for the
.Cm init
subcommand.
.It Fl p
Do not use passphrase as the key component.
.It Fl r
Attach read-only provider.
It will not be opened for writing.
.El
.It Cm detach
Detach the given providers, which means remove the devfs entry
and clear the keys from memory.
.Pp
Additional options include:
.Bl -tag -width ".Fl f"
.It Fl f
Force detach - detach even if the provider is open.
.It Fl l
Mark provider to detach on last close.
If this option is specified, the provider will not be detached
until it is open, but when it will be closed last time, it will
be automatically detached (even
if it was only opened for reading).
.El
.It Cm onetime
Attach the given providers with random, one-time keys.
The command can be used to encrypt swap partitions or temporary file systems.
.Pp
Additional options include:
.Bl -tag -width ".Fl a Ar sectorsize"
.It Fl a Ar aalgo
Enable data integrity verification (authentication).
For more information, see the description of the
.Cm init
subcommand.
.It Fl e Ar ealgo
Encryption algorithm to use.
For more information, see the description of the
.Cm init
subcommand.
.It Fl d
Detach on last close.
Note, the option is not usable for temporary file systems as the provider will
be detached after creating the file system on it.
It still can (and should be) used for swap partitions.
For more information, see the description of the
.Cm attach
subcommand.
.It Fl l Ar keylen
Key length to use with the given cryptographic algorithm.
For more information, see the description of the
.Cm init
subcommand.
.It Fl s Ar sectorsize
Change decrypted provider's sector size.
For more information, see the description of the
.Cm init
subcommand.
.El
.It Cm configure
Change configuration of the given providers.
.Pp
Additional options include:
.Bl -tag -width ".Fl b"
.It Fl b
Set the BOOT flag on the given providers.
For more information, see the description of the
.Cm init
subcommand.
.It Fl B
Remove the BOOT flag from the given providers.
.El
.It Cm setkey
Change or setup (if not yet initialized) selected key.
There is one master key, which can be encrypted with two independent user keys.
With the
.Cm init
subcommand, only key number 0 is initialized.
The key can always be changed: for an attached provider,
for a detached provider or on the backup file.
When a provider is attached, the user does not have to provide
an old passphrase/keyfile.
.Pp
Additional options include:
.Bl -tag -width ".Fl J Ar newpassfile"
.It Fl i Ar iterations
Number of iterations to use with PKCS#5v2.
If 0 is given, PKCS#5v2 will not be used.
To be able to use this option with
.Cm setkey
subcommand, only one key have to be defined and this key has to be changed.
.It Fl j Ar passfile
Specifies a file which contains the old passphrase or its part.
.It Fl J Ar newpassfile
Specifies a file which contains the new passphrase or its part.
.It Fl k Ar keyfile
Specifies a file which contains part of the old key.
.It Fl K Ar newkeyfile
Specifies a file which contains part of the new key.
.It Fl n Ar keyno
Specifies the number of the key to change (could be 0 or 1).
If the provider is attached and no key number is given, the key
used for attaching the provider will be changed.
If the provider is detached (or we are operating on a backup file)
and no key number is given, the key decrypted with the passphrase/keyfile
will be changed.
.It Fl p
Do not use passphrase as the old key component.
.It Fl P
Do not use passphrase as the new key component.
.El
.It Cm delkey
Destroy (overwrite with random data) the selected key.
If one is destroying keys for an attached provider, the provider
will not be detached even if all keys will be destroyed.
It can be even rescued with the
.Cm setkey
subcommand.
.Pp
Additional options include:
.Bl -tag -width ".Fl a Ar keyno"
.It Fl a
Destroy all keys (does not need
.Fl f
option).
.It Fl f
Force key destruction.
This option is needed to destroy the last key.
.It Fl n Ar keyno
Specifies the key number.
If the provider is attached and no key number is given, the key
used for attaching the provider will be destroyed.
If provider is detached (or we are operating on a backup file) the key number
has to be given.
.El
.It Cm kill
This command should be used in emergency situations.
It will destroy all keys on the given provider and will detach it forcibly
(if it is attached).
This is absolutely a one-way command - if you do not have a metadata
backup, your data is gone for good.
In case the provider was attached with the
.Fl r
flag, the keys will not be destroyed, only the provider will be detached.
.Pp
Additional options include:
.Bl -tag -width ".Fl a"
.It Fl a
If specified, all currently attached providers will be killed.
.El
.It Cm backup
Backup metadata from the given provider to the given file.
.It Cm restore
Restore metadata from the given file to the given provider.
.Pp
Additional options include:
.Bl -tag -width ".Fl f"
.It Fl f
Metadata contains the size of the provider to ensure that the correct
partition or slice is attached.
If an attempt is made to restore metadata to a provider that has a different
size,
.Nm
will refuse to restore the data unless the
.Fl f
switch is used.
If the partition or slice has been grown, the
.Cm resize
subcommand should be used rather than attempting to relocate the metadata
through
.Cm backup
and
.Cm restore .
.El
.It Cm suspend
Suspend device by waiting for all inflight request to finish, clearing all
sensitive informations (like keys) from the kernel memory and blocking all
further I/O requests until the
.Cm resume
subcommand is executed.
This functionality is useful for eg. laptops - when one wants to suspend a
laptop, one does not want to leave encrypted device attached.
Instead of closing all files and directories opened from a file system placed
on an encrypted device, unmounting the file system and detaching the device,
the
.Cm suspend
subcommand can be used.
Any access to the encrypted device will be blocked until the keys are
recovered through
.Cm resume
subcommand, thus there is no need to close nor unmount anything.
The
.Cm suspend
subcommand does not work with devices created with the
.Cm onetime
subcommand.
Please note that sensitive data might still be present in memory after
suspending encrypted device, because of file system cache, etc.
.Pp
Additional options include:
.Bl -tag -width ".Fl a"
.It Fl a
Suspend all
.Nm
devices.
.El
.It Cm resume
Resume previously suspended device.
The caller must ensure that executing this subcommand won't try to access
suspended device, which will lead to a deadlock.
For example suspending device, which contains file system where the
.Nm
utility is stored is bad idea.
.Pp
Additional options include:
.Bl -tag -width ".Fl j Ar passfile"
.It Fl j Ar passfile
Specifies a file which contains the passphrase or its part.
For more information see the description of the
.Fl J
option for the
.Cm init
subcommand.
.It Fl k Ar keyfile
Specifies a file which contains part of the key.
For more information see the description of the
.Fl K
option for the
.Cm init
subcommand.
.It Fl p
Do not use passphrase as the key component.
.El
.It Cm resize
Inform
.Nm
that the provider has been resized.
The old metadata block is relocated to the correct position at the end of the
provider and the provider size is updated.
.Pp
Additional options include:
.Bl -tag -width ".Fl s Ar oldsize"
.It Fl s Ar oldsize
The size of the provider before it was resized.
.El
.It Cm clear
Clear metadata from the given providers.
.It Cm dump
Dump metadata stored on the given providers.
.It Cm list
See
.Xr geom 8 .
.It Cm status
See
.Xr geom 8 .
.It Cm load
See
.Xr geom 8 .
.It Cm unload
See
.Xr geom 8 .
.El
.Pp
Additional options include:
.Bl -tag -width ".Fl v"
.It Fl v
Be more verbose.
.El
.Sh SYSCTL VARIABLES
The following
.Xr sysctl 8
variables can be used to control the behavior of the
.Nm ELI
GEOM class.
The default value is shown next to each variable.
Some variables can also be set in
.Pa /boot/loader.conf .
.Bl -tag -width indent
.It Va kern.geom.eli.version
Version number of the
.Nm ELI
GEOM class.
.It Va kern.geom.eli.debug : No 0
Debug level of the
.Nm ELI
GEOM class.
This can be set to a number between 0 and 3 inclusive.
If set to 0, minimal debug information is printed.
If set to 3, the
maximum amount of debug information is printed.
.It Va kern.geom.eli.tries : No 3
Number of times a user is asked for the passphrase.
This is only used for providers which should be attached on boot
(before the root file system is mounted).
If set to 0, attaching providers on boot will be disabled.
This variable should be set in
.Pa /boot/loader.conf .
.It Va kern.geom.eli.overwrites : No 5
Specifies how many times the Master-Key will be overwritten
with random values when it is destroyed.
After this operation it is filled with zeros.
.It Va kern.geom.eli.visible_passphrase : No 0
If set to 1, the passphrase entered on boot (before the root
file system is mounted) will be visible.
This possibility should be used with caution as the entered
passphrase can be logged and exposed via
.Xr dmesg 8 .
This variable should be set in
.Pa /boot/loader.conf .
.It Va kern.geom.eli.threads : No 0
Specifies how many kernel threads should be used for doing software
cryptography.
Its purpose is to increase performance on SMP systems.
If hardware acceleration is available, only one thread will be started.
If set to 0, CPU-bound thread will be started for every active CPU.
.It Va kern.geom.eli.batch : No 0
When set to 1, can speed-up crypto operations by using batching.
Batching allows to reduce number of interrupts by responding on a group of
crypto requests with one interrupt.
The crypto card and the driver has to support this feature.
.It Va kern.geom.eli.key_cache_limit : No 8192
Specifies how many encryption keys to cache.
The default limit
.No ( 8192
keys) will allow to cache all keys for 4TB provider with 512 bytes sectors and
will take around 1MB of memory.
.It Va kern.geom.eli.key_cache_hits
Reports how many times we were looking up a key and it was already in cache.
This sysctl is not updated for providers that need less keys than the limit
specified in
.Va kern.geom.eli.key_cache_limit .
.It Va kern.geom.eli.key_cache_misses
Reports how many times we were looking up a key and it was not in cache.
This sysctl is not updated for providers that need less keys than the limit
specified in
.Va kern.geom.eli.key_cache_limit .
.El
.Sh EXIT STATUS
Exit status is 0 on success, and 1 if the command fails.
.Sh EXAMPLES
Initialize a provider which is going to be encrypted with a
passphrase and random data from a file on the user's pen drive.
Use 4kB sector size.
Attach the provider, create a file system and mount it.
Do the work.
Unmount the provider and detach it:
.Bd -literal -offset indent
# dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
# geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
Enter new passphrase:
Reenter new passphrase:
# geli attach -k /mnt/pendrive/da2.key /dev/da2
Enter passphrase:
# dd if=/dev/random of=/dev/da2.eli bs=1m
# newfs /dev/da2.eli
# mount /dev/da2.eli /mnt/secret
\&...
# umount /mnt/secret
# geli detach da2.eli
.Ed
.Pp
Create an encrypted provider, but use two keys:
one for your employee and one for you as company's security officer
(so there is no tragedy if the employee
.Qq accidentally
forgets his passphrase):
.Bd -literal -offset indent
# geli init /dev/da2
Enter new passphrase:   (enter security officer passphrase)
Reenter new passphrase:
# geli setkey -n 1 /dev/da2
Enter passphrase:       (enter security officer passphrase)
Enter new passphrase:   (let your employee enter his passphrase ...)
Reenter new passphrase: (... twice)
.Ed
.Pp
You are the security-person in your company.
Create an encrypted provider for use by the user, but remember that users
forget their passphrases, so back Master Key up with your own random key:
.Bd -literal -offset indent
# dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
# geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ad0s1e
# geli backup /dev/ad0s1e /mnt/pendrive/backups/`hostname`
(use key number 0, so the encrypted Master Key by you will be overwritten)
# geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ad0s1e
(allow the user to enter his passphrase)
Enter new passphrase:
Reenter new passphrase:
.Ed
.Pp
Encrypted swap partition setup:
.Bd -literal -offset indent
# dd if=/dev/random of=/dev/ad0s1b bs=1m
# geli onetime -d -e 3des ad0s1b
# swapon /dev/ad0s1b.eli
.Ed
.Pp
The example below shows how to configure two providers which will be attached
on boot (before the root file system is mounted).
One of them is using passphrase and three keyfiles and the other is using only a
keyfile:
.Bd -literal -offset indent
# dd if=/dev/random of=/dev/da0 bs=1m
# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
# geli init -b -K /boot/keys/da0.key0 -K /boot/keys/da0.key1 -K /boot/keys/da0.key2 da0
Enter new passphrase:
Reenter new passphrase:
# dd if=/dev/random of=/dev/da1s3a bs=1m
# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
.Ed
.Pp
The providers are initialized, now we have to add those lines to
.Pa /boot/loader.conf :
.Bd -literal -offset indent
geli_da0_keyfile0_load="YES"
geli_da0_keyfile0_type="da0:geli_keyfile0"
geli_da0_keyfile0_name="/boot/keys/da0.key0"
geli_da0_keyfile1_load="YES"
geli_da0_keyfile1_type="da0:geli_keyfile1"
geli_da0_keyfile1_name="/boot/keys/da0.key1"
geli_da0_keyfile2_load="YES"
geli_da0_keyfile2_type="da0:geli_keyfile2"
geli_da0_keyfile2_name="/boot/keys/da0.key2"

geli_da1s3a_keyfile0_load="YES"
geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
.Ed
.Pp
Not only configure encryption, but also data integrity verification using
.Nm HMAC/SHA256 .
.Bd -literal -offset indent
# geli init -a hmac/sha256 -s 4096 /dev/da0
Enter new passphrase:
Reenter new passphrase:
# geli attach /dev/da0
Enter passphrase:
# dd if=/dev/random of=/dev/da0.eli bs=1m
# newfs /dev/da0.eli
# mount /dev/da0.eli /mnt/secret
.Ed
.Pp
.Cm geli
backups metadata by default to the
.Pa /var/backups/<prov>.eli
file.
If metadata is lost in any way (eg. by accidental overwrite), it can be restored.
Consider the following situation:
.Bd -literal -offset indent
# geli init /dev/da0
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /var/backups/da0.eli and
can be restored with the following command:

        # geli restore /var/backups/da0.eli /dev/da0

# geli clear /dev/da0
# geli attach /dev/da0
geli: Cannot read metadata from /dev/da0: Invalid argument.
# geli restore /var/backups/da0.eli /dev/da0
# geli attach /dev/da0
Enter passphrase:
.Ed
.Pp
If an encrypted filesystem is extended, it is necessary to relocate and
update the metadata:
.Bd -literal -offset indent
# gpart create -s GPT ada0
# gpart add -s 1g -t freebsd-ufs -i 1 ada0
# geli init -K keyfile -P ada0p1
# gpart resize -s 2g -i 1 ada0
# geli resize -s 1g ada0p1
# geli attach -k keyfile -p ada0p1
.Ed
.Pp
Initialize provider with passphrase split into two files.
The provider can be attached by giving those two files or by giving
.Dq foobar
passphrase on
.Nm
prompt:
.Bd -literal -offset indent
# echo foo > da0.pass0
# echo bar > da0.pass1
# geli init -J da0.pass0 -J da0.pass1 da0
# geli attach -j da0.pass0 -j da0.pass1 da0
# geli detach da0
# geli attach da0
Enter passphrase: foobar
.Ed
.Pp
Suspend all
.Nm
devices, suspend a laptop, then resume devices one by one after resuming a
laptop:
.Bd -literal -offset indent
# geli suspend -a
# zzz
<resume your laptop>
# geli resume -p -k keyfile gpt/secret
# geli resume gpt/private
Enter passphrase:
.Ed
.Sh ENCRYPTION MODES
.Nm
supports two encryption modes:
.Nm XTS ,
which was standardized as
.Nm IEE P1619
and
.Nm CBC
with unpredictable IV.
The
.Nm CBC
mode used by
.Nm
is very similar to the mode
.Nm ESSIV .
.Sh DATA AUTHENTICATION
.Nm
can verify data integrity when an authentication algorithm is specified.
When data corruption/modification is detected,
.Nm
will not return any data, but instead will return an error
.Pq Er EINVAL .
The offset and size of the corrupted data will be printed on the console.
It is important to know against which attacks
.Nm
provides protection for your data.
If data is modified in-place or copied from one place on the disk
to another even without modification,
.Nm
should be able to detect such a change.
If an attacker can remember the encrypted data, he can overwrite any future
changes with the data he owns without notice.
In other words
.Nm
will not protect your data against replay attacks.
.Pp
It is recommended to write the whole provider before the first use,
in order to make sure that all sectors and their corresponding
checksums are properly initialized into a consistent state.
One can safely ignore data authentication errors that occur immediately
after the first time a provider is attached and before it is
initialized in this way.
.Sh SEE ALSO
.Xr crypto 4 ,
.Xr gbde 4 ,
.Xr geom 4 ,
.Xr loader.conf 5 ,
.Xr gbde 8 ,
.Xr geom 8 ,
.Xr crypto 9
.Sh HISTORY
The
.Nm
utility appeared in
.Fx 6.0 .
Support for 
.Nm Camellia
block cipher is implemented by Yoshisato Yanagisawa in
.Fx 7.0 .
.Sh AUTHORS
.An Pawel Jakub Dawidek Aq pjd@FreeBSD.org