From owner-svn-doc-all@FreeBSD.ORG Mon Apr 28 20:30:15 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8C0EABE4; Mon, 28 Apr 2014 20:30:15 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 765BC1D76; Mon, 28 Apr 2014 20:30:15 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s3SKUFro025227; Mon, 28 Apr 2014 20:30:15 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s3SKUFW8025226; Mon, 28 Apr 2014 20:30:15 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201404282030.s3SKUFW8025226@svn.freebsd.org> 
From: Dru Lavigne Date: Mon, 28 Apr 2014 20:30:15 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44686 - head/en_US.ISO8859-1/books/handbook/disks X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 20:30:15 -0000 Author: dru Date: Mon Apr 28 20:30:14 2014 New Revision: 44686 URL: http://svnweb.freebsd.org/changeset/doc/44686 Log: Editorial review of gbde section. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Mon Apr 28 20:29:02 2014 (r44685) +++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Mon Apr 28 20:30:14 2014 (r44686) @@ -2524,7 +2524,7 @@ Quotas for user test: geli cryptographic subsystems in &os; are able to protect the data on the computer's file systems against even highly-motivated attackers with significant resources. - Unlike cumbersome encryption methods that encrypt only + Unlike encryption methods that encrypt individual files, gbde and geli transparently encrypt entire file systems. No cleartext ever touches the hard drive's 
@@ -2534,25 +2534,26 @@ Quotas for user test: Disk Encryption with <application>gbde</application> - gbde encrypts the sector - payload using 128-bit AES in CBC mode. Each sector on the - disk is encrypted with a different AES key. For more + The objective of the &man.gbde.4; facility is to provide a + formidable challenge for an attacker to gain access to the + contents of a cold storage device. + However, if the computer is compromised while up and running + and the storage device is actively attached, or the attacker + has access to a valid passphrase, it offers no protection to + the contents of the storage device. Thus, it is important to + provide physical security while the system is running and to + protect the passphrase used by the encryption + mechanism. + + This facility provides several barriers to protect the data + stored in each disk sector. It encrypts the contents of a + disk sector using 128-bit AES in + CBC mode. Each sector on the + disk is encrypted with a different AES key. For more information on the cryptographic design, including how the sector keys are derived from the user-supplied passphrase, refer to &man.gbde.4;. - - &man.sysinstall.8; is incompatible with - gbde-encrypted devices. All - *.bde - devices must be detached from the kernel before starting - &man.sysinstall.8; or it will crash during its initial - probing for devices. To detach the encrypted device used in - the example, use the following command: - - &prompt.root; gbde detach /dev/ad4s1c - - &os; provides a kernel module for gbde which can be loaded with this command: 
@@ -2565,15 +2566,13 @@ Quotas for user test: options GEOM_BDE The following example demonstrates adding a new hard - drive to a system that will hold a single encrypted partition. - This partition will be mounted as - /private. - gbde can also be used to encrypt - /home and /var/mail, - but this requires more complex instructions which exceed the - scope of this introduction. + drive to a system that will hold a single encrypted partition + that will be mounted as + /private. + Encrypting a Partition with <application>gbde</application> + Add the New Hard Drive @@ -2612,15 +2611,12 @@ Quotas for user test: A gbde partition must be initialized before it can be used. This initialization - needs to be performed only once: - - &prompt.root; gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock - - &man.gbde.8; will open the default editor, in order to + needs to be performed only once. This command will open the default editor, in order to set various configuration options in a template. For use - with UFS1 or UFS2, set the sector_size to 2048: + with the UFS file system, set the + sector_size to 2048: - # $FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $ + &prompt.root; gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock# $FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $ # # Sector size is the smallest unit of data which can be read or written. # Making it too small decreases performance and decreases available space. 
@@ -2628,38 +2624,32 @@ Quotas for user test: # minimum and always safe. For UFS, use the fragment size # sector_size = 2048 -[...] +[...] - &man.gbde.8; will ask the user twice to type the + Once the edit is saved, the user will be asked twice to type the passphrase used to secure the data. The passphrase must be the same both times. The ability of gbde to protect data depends entirely on the quality of the passphrase. For tips on how to select a secure passphrase that is easy to - remember, see the Diceware - Passphrase website. + remember, see http://world.std.com/~reinhold/diceware.htm. - gbde initcreates a lock file for + This initialization creates a lock file for the gbde partition. In this example, it is stored as /etc/gbde/ad4s1c.lock. - gbde lock files must end in + Lock files must end in .lock in order to be correctly detected by the /etc/rc.d/gbde start up script. - gbde lock files + Lock files must be backed up together with - the contents of any encrypted partitions. While - deleting a lock file alone cannot prevent a determined - attacker from decrypting a - gbde partition, without the + the contents of any encrypted partitions. Without the lock file, the legitimate owner will be unable to - access the data on the encrypted partition without a - significant amount of work that is totally unsupported - by &man.gbde.8;. + access the data on the encrypted partition. 
@@ -2686,40 +2676,32 @@ sector_size = 2048 Device Once the encrypted device has been attached to the - kernel, a file system can be created on the device using - &man.newfs.8;. This example creates a UFS2 file - system with soft updates enabled. + kernel, a file system can be created on the device. + This example creates a UFS file + system with soft updates enabled. Be sure to specify the + partition which has a + *.bde + extension: &prompt.root; newfs -U /dev/ad4s1c.bde - - - &man.newfs.8; must be performed on an attached - gbde partition which is - identified by a - *.bde - extension to the device name. - Mount the Encrypted Partition - Create a mount point for the encrypted file + Create a mount point and mount the encrypted file system: - &prompt.root; mkdir /private - - Mount the encrypted file system: - - &prompt.root; mount /dev/ad4s1c.bde /private + &prompt.root; mkdir /private +&prompt.root; mount /dev/ad4s1c.bde /private Verify That the Encrypted File System is Available - The encrypted file system should now be visible to - &man.df.1; and be available for use. + The encrypted file system should now be visible + and available for use: &prompt.user; df -H Filesystem Size Used Avail Capacity Mounted on 
@@ -2732,70 +2714,37 @@ Filesystem Size Used Avail Cap - - Mounting Existing Encrypted File Systems - After each boot, any encrypted file systems must be - re-attached to the kernel, checked for errors, and mounted, - before the file systems can be used. The required commands - must be executed as - root. - - - - Attach the <command>gbde</command> Partition to the - Kernel - - &prompt.root; gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock - - This command will prompt for the passphrase that was - selected during initialization of the encrypted - gbde partition. - - - - Check the File System for Errors - - Since encrypted file systems cannot yet be listed in - /etc/fstab for automatic mounting, - the file systems must be checked for errors by running - &man.fsck.8; manually before mounting: - - &prompt.root; fsck -p -t ffs /dev/ad4s1c.bde - - - - Mount the Encrypted File System - - &prompt.root; mount /dev/ad4s1c.bde /private - - The encrypted file system is now available for - use. - - - - It is possible to create a script to automatically - attach, check, and mount an encrypted partition, but for - security reasons the script should not contain the - &man.gbde.8; password. Instead, it is recommended that - such scripts be run manually while providing the password - via the console or &man.ssh.1;. - - As an alternative, an rc.d script - is provided. Arguments for this script can be passed via - &man.rc.conf.5;: + manually re-attached to the kernel, checked for errors, and mounted, + before the file systems can be used. To configure these + steps, add the following lines to /etc/rc.conf: gbde_autoattach_all="YES" -gbde_devices="ad4s1c" +gbde_devices="ad4s1c" gbde_lockdir="/etc/gbde" This requires that the - gbde passphrase be entered at + passphrase be entered at the console boot time. After typing the correct passphrase, the - gbde encrypted partition will be - mounted automatically. This can be useful when using - gbde on laptops. 
- + encrypted partition will be + mounted automatically. Additional + gbde boot options are available + and listed in &man.rc.conf.5;. + + + + sysinstall is incompatible with + gbde-encrypted devices. All + *.bde + devices must be detached from the kernel before starting + sysinstall or it will crash during its initial + probing for devices. To detach the encrypted device used in + the example, use the following command: + + &prompt.root; gbde detach /dev/ad4s1c +
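Review bot: in the hunk at @@ -2612,15 +2611,12 @@, the added screen line runs the command and the first line of the editor template together with no separator: `&prompt.root; gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock# $FreeBSD: src/sbin/gbde/template.txt,...`. As written, the `# $FreeBSD` comment will render as part of the command the reader is told to type; a line break after `.lock` is needed so the command stands on its own line and the template text that follows is clearly the editor's contents.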
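Review bot: the hunk at @@ -2628,38 +2624,32 @@ drops the statement that "deleting a lock file alone cannot prevent a determined attacker from decrypting a gbde partition", leaving only "Without the lock file, the legitimate owner will be unable to access the data on the encrypted partition." The shortened warning can be read as saying the lock file is a confidentiality control, i.e. that removing it protects the data, which is the opposite of what the removed sentence said. Suggest keeping one sentence to the effect that the lock file is required for the owner's access but does not by itself keep an attacker out, so that the backup advice is understood as an availability concern and the passphrase remains the protection described at the top of the section.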
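Review bot: in the hunk at @@ -2732,70 +2714,37 @@, the new wording "any encrypted file systems must be manually re-attached to the kernel, checked for errors, and mounted" is immediately followed by instructions for having /etc/rc.conf perform those steps at boot, so "manually" contradicts the mechanism being described; suggest dropping the word or rewording to say the steps run at boot once gbde_autoattach_all="YES" is set. The same hunk removes the recommendation that an attach-and-mount script "should not contain the gbde password". Since the replacement text still depends on the passphrase being typed at the console at boot time, a one-sentence reminder that the passphrase must not be stored in rc.conf or in any script would preserve that point without reintroducing the removed procedure.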
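Review bot: the relocated sysinstall note in the final hunk replaces the manual-page entity &man.sysinstall.8; with plain "sysinstall" in both places ("sysinstall is incompatible with" and "before starting sysinstall"), while the rest of the section keeps entities such as &man.gbde.4; and &man.rc.conf.5;. Keep the entity for consistency with the surrounding markup and so the rendered text links to the manual page; the removal in the hunk at @@ -2534,25 +2534,26 @@ still used the entity form.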