From owner-svn-doc-all@FreeBSD.ORG Wed Apr 9 14:28:58 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id F0CAF9C8; Wed, 9 Apr 2014 14:28:58 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D0D1A1DED; Wed, 9 Apr 2014 14:28:58 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s39ESwgA071921; Wed, 9 Apr 2014 14:28:58 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s39ESwJv071920; Wed, 9 Apr 2014 14:28:58 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201404091428.s39ESwJv071920@svn.freebsd.org> 
From: Dru Lavigne Date: Wed, 9 Apr 2014 14:28:58 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44503 - head/en_US.ISO8859-1/books/handbook/disks X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Apr 2014 14:28:59 -0000 Author: dru Date: Wed Apr 9 14:28:58 2014 New Revision: 44503 URL: http://svnweb.freebsd.org/changeset/doc/44503 Log: Editorial review of Encrypted Swap chapter. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Wed Apr 9 14:06:19 2014 (r44502) +++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Wed Apr 9 14:28:58 2014 (r44503) @@ -3192,7 +3192,7 @@ geli_da2_flags="-p -k /root/da2.key" - Encrypting Swap Space + Encrypting Swap 
@@ -3213,23 +3213,21 @@ geli_da2_flags="-p -k /root/da2.key"Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these - passwords stay in physical memory, these passwords will not be - written to disk and be cleared after a reboot. If &os; starts - swapping out memory pages to free space for other applications, - the passwords may be written to the disk platters unencrypted. + passwords stay in physical memory, they are not + written to disk and will be cleared after a reboot. However, if &os; starts + swapping out memory pages to free space, + the passwords may be written to the disk unencrypted. Encrypting swap space can be a solution for this scenario. - The &man.gbde.8; or &man.geli.8; encryption systems may be - used for swap encryption. Both systems use the - encswap - rc.d script. - - - For the remainder of this section, - ad0s1b will be the swap + This section demonstrates how to configure an encrypted + swap partition using &man.gbde.8; or &man.geli.8; encryption. + It assumes a UFS file system where + /dev/ad0s1b is the swap partition. - + + + Configuring Encrypted Swap Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To 
@@ -3238,42 +3236,32 @@ geli_da2_flags="-p -k /root/da2.key"&prompt.root; dd if=/dev/random of=/dev/ad0s1b bs=1m - - Swap Encryption with &man.gbde.8; - - The .bde suffix should be added to the - device in the respective /etc/fstab swap - line: + To encrypt the swap partition using &man.gbde.8;, add the + .bde suffix to the swap line in + /etc/fstab: # Device Mountpoint FStype Options Dump Pass# /dev/ad0s1b.bde none swap sw 0 0 - - - - Swap Encryption with &man.geli.8; - The procedure for instead using &man.geli.8; for swap - encryption is similar to that of using &man.gbde.8;. The - .eli suffix should be added to the device - in the respective /etc/fstab swap - line: + To instead encrypt the swap partition using &man.geli.8;, + use the + .eli suffix: # Device Mountpoint FStype Options Dump Pass# /dev/ad0s1b.eli none swap sw 0 0 - &man.geli.8; uses the AES algorithm - with a key length of 128 bit by default. These defaults can + By default, &man.geli.8; uses the AES algorithm + with a key length of 128 bit. These defaults can be altered by using geli_swap_flags in - /etc/rc.conf. The following line tells - the encswap rc.d script to create - &man.geli.8; swap partitions using the Blowfish algorithm with + /etc/rc.conf. The following flags configure + encryption using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes, and sets detach on last close: geli_swap_flags="-e blowfish -l 128 -s 4096 -d" Refer to the description of - onetime in &man.geli.8; for a list of + onetime in &man.geli.8; for a list of possible options.
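Review bot: The rewrite of the intro paragraph in the -3213 hunk drops the sentence "Both systems use the encswap rc.d script", and the -3238 hunk likewise turns "tells the encswap rc.d script to create geli(8) swap partitions" into "The following flags configure encryption", so after this commit the chapter never names the mechanism that actually attaches the .bde/.eli swap device at boot, which is what a reader debugging a swap that fails to attach needs to know. Suggest keeping one mention, for example ending the new intro with "The encswap rc.d script attaches the encrypted swap device at boot." Since the visible context just above this section shows a persistent key file (geli_da2_flags="-p -k /root/da2.key"), it would also help to state that swap needs no key file, as the closing reference to onetime in geli(8) implies.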
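Review bot: In the geli_swap_flags paragraph of the -3238 hunk, "a key length of 128 bit" and "a key length of 128 bits" appear two sentences apart; use "bits" in both. The same sentence has a number agreement problem: "The following flags configure encryption ... and sets detach on last close" should read "and set detach on last close", and "sectorsize" should be "sector size" in prose (the -s option spelling belongs only in the command).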