Date: Mon, 28 Apr 2014 20:42:28 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44688 - head/en_US.ISO8859-1/books/handbook/disks
Message-ID: <201404282042.s3SKgSth032706@svn.freebsd.org>
Author: dru Date: Mon Apr 28 20:42:28 2014 New Revision: 44688 URL: http://svnweb.freebsd.org/changeset/doc/44688 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Mon Apr 28 20:30:28 2014 (r44687) +++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Mon Apr 28 20:42:28 2014 (r44688) @@ -2509,8 +2509,8 @@ Quotas for user test: </indexterm> <para>&os; offers excellent online protections against - unauthorized data access. File permissions and - <link linkend="mac">Mandatory Access Control</link> (MAC) help + unauthorized data access. File permissions and <link + linkend="mac">Mandatory Access Control</link> (MAC) help prevent unauthorized users from accessing data while the operating system is active and the computer is powered up. However, the permissions enforced by the operating system are @@ -2524,11 +2524,10 @@ Quotas for user test: <command>geli</command> cryptographic subsystems in &os; are able to protect the data on the computer's file systems against even highly-motivated attackers with significant resources. - Unlike encryption methods that encrypt - individual files, <command>gbde</command> and - <command>geli</command> transparently encrypt entire file - systems. No cleartext ever touches the hard drive's - platter.</para> + Unlike encryption methods that encrypt individual files, + <command>gbde</command> and <command>geli</command> + transparently encrypt entire file systems. No cleartext ever + touches the hard drive's platter.</para> <sect2> <title>Disk Encryption with 
@@ -2545,13 +2544,13 @@ Quotas for user test: protect the passphrase used by the encryption mechanism.</para> - <para>This facility provides several barriers to protect the data - stored in each disk sector. It encrypts the contents of a - disk sector using 128-bit <acronym>AES</acronym> in - <acronym>CBC</acronym> mode. Each sector on the - disk is encrypted with a different <acronym>AES</acronym> key. For more - information on the cryptographic design, including how the - sector keys are derived from the user-supplied passphrase, + <para>This facility provides several barriers to protect the + data stored in each disk sector. It encrypts the contents of + a disk sector using 128-bit <acronym>AES</acronym> in + <acronym>CBC</acronym> mode. Each sector on the disk is + encrypted with a different <acronym>AES</acronym> key. For + more information on the cryptographic design, including how + the sector keys are derived from the user-supplied passphrase, refer to &man.gbde.4;.</para> <para>&os; provides a kernel module for @@ -2565,13 +2564,13 @@ Quotas for user test: <para><literal>options GEOM_BDE</literal></para> - <para>The following example demonstrates adding a new hard - drive to a system that will hold a single encrypted partition - that will be mounted as - <filename>/private</filename>.</para> + <para>The following example demonstrates adding a new hard drive + to a system that will hold a single encrypted partition that + will be mounted as <filename>/private</filename>.</para> <procedure> - <title>Encrypting a Partition with <application>gbde</application></title> + <title>Encrypting a Partition with + <application>gbde</application></title> <step> <title>Add the New Hard Drive</title> 
@@ -2611,10 +2610,11 @@ Quotas for user test: <para>A <application>gbde</application> partition must be initialized before it can be used. This initialization - needs to be performed only once. This command will open the default editor, in order to - set various configuration options in a template. For use - with the <acronym>UFS</acronym> file system, set the - sector_size to 2048:</para> + needs to be performed only once. This command will open + the default editor, in order to set various configuration + options in a template. For use with the + <acronym>UFS</acronym> file system, set the sector_size to + 2048:</para> <screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput># $FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $ # 
@@ -2626,30 +2626,29 @@ Quotas for user test: sector_size = 2048 [...]</screen> - <para>Once the edit is saved, the user will be asked twice to type the - passphrase used to secure the data. The passphrase must - be the same both times. The ability of + <para>Once the edit is saved, the user will be asked twice + to type the passphrase used to secure the data. The + passphrase must be the same both times. The ability of <application>gbde</application> to protect data depends entirely on the quality of the passphrase. For tips on how to select a secure passphrase that is easy to remember, see <link xlink:href="http://world.std.com/~reinhold/diceware.html">http://world.std.com/~reinhold/diceware.htm</link>.</para> - <para>This initialization creates a lock file for - the <application>gbde</application> partition. In this + <para>This initialization creates a lock file for the + <application>gbde</application> partition. In this example, it is stored as - <filename>/etc/gbde/ad4s1c.lock</filename>. - Lock files must end in - <quote>.lock</quote> in order to be correctly detected by - the <filename>/etc/rc.d/gbde</filename> start up - script.</para> + <filename>/etc/gbde/ad4s1c.lock</filename>. Lock files + must end in <quote>.lock</quote> in order to be correctly + detected by the <filename>/etc/rc.d/gbde</filename> start + up script.</para> <caution> - <para>Lock files - <emphasis>must</emphasis> be backed up together with - the contents of any encrypted partitions. Without the - lock file, the legitimate owner will be unable to - access the data on the encrypted partition.</para> + <para>Lock files <emphasis>must</emphasis> be backed up + together with the contents of any encrypted partitions. + Without the lock file, the legitimate owner will be + unable to access the data on the encrypted + partition.</para> </caution> </step> 
@@ -2659,10 +2658,10 @@ sector_size = 2048 <screen>&prompt.root; <userinput>gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock</userinput></screen> - <para>This command will prompt to input the passphrase - that was selected during the initialization of the - encrypted partition. The new encrypted device will - appear in <filename>/dev</filename> as + <para>This command will prompt to input the passphrase that + was selected during the initialization of the encrypted + partition. The new encrypted device will appear in + <filename>/dev</filename> as <filename>/dev/device_name.bde</filename>:</para> <screen>&prompt.root; <userinput>ls /dev/ad*</userinput> @@ -2676,10 +2675,10 @@ sector_size = 2048 Device</title> <para>Once the encrypted device has been attached to the - kernel, a file system can be created on the device. - This example creates a <acronym>UFS</acronym> file - system with soft updates enabled. Be sure to specify the - partition which has a + kernel, a file system can be created on the device. This + example creates a <acronym>UFS</acronym> file system with + soft updates enabled. Be sure to specify the partition + which has a <filename><replaceable>*</replaceable>.bde</filename> extension:</para> @@ -2700,8 +2699,8 @@ sector_size = 2048 <title>Verify That the Encrypted File System is Available</title> - <para>The encrypted file system should now be visible - and available for use:</para> + <para>The encrypted file system should now be visible and + available for use:</para> <screen>&prompt.user; <userinput>df -H</userinput> Filesystem Size Used Avail Capacity Mounted on 
@@ -2714,34 +2713,33 @@ Filesystem Size Used Avail Cap </step> </procedure> - <para>After each boot, any encrypted file systems must be - manually re-attached to the kernel, checked for errors, and mounted, - before the file systems can be used. To configure these - steps, add the following lines to <filename>/etc/rc.conf</filename>:</para> + <para>After each boot, any encrypted file systems must be + manually re-attached to the kernel, checked for errors, and + mounted, before the file systems can be used. To configure + these steps, add the following lines to + <filename>/etc/rc.conf</filename>:</para> - <programlisting>gbde_autoattach_all="YES" + <programlisting>gbde_autoattach_all="YES" gbde_devices="<replaceable>ad4s1c</replaceable>" gbde_lockdir="/etc/gbde"</programlisting> - <para>This requires that the - passphrase be entered at the console - boot time. After typing the correct passphrase, the - encrypted partition will be - mounted automatically. Additional - <application>gbde</application> boot options are available - and listed in &man.rc.conf.5;.</para> + <para>This requires that the passphrase be entered at the + console boot time. After typing the correct passphrase, the + encrypted partition will be mounted automatically. Additional + <application>gbde</application> boot options are available and + listed in &man.rc.conf.5;.</para> <!-- What about bsdinstall? --> - <note> - <para><application>sysinstall</application> is incompatible with - <application>gbde</application>-encrypted devices. All - <filename>*.bde</filename> - devices must be detached from the kernel before starting - <application>sysinstall</application> or it will crash during its initial - probing for devices. To detach the encrypted device used in - the example, use the following command:</para> + <note> + <para><application>sysinstall</application> is incompatible + with <application>gbde</application>-encrypted devices. 
All + <filename>*.bde</filename> devices must be detached from the + kernel before starting <application>sysinstall</application> + or it will crash during its initial probing for devices. To + detach the encrypted device used in the example, use the + following command:</para> <screen>&prompt.root; <userinput>gbde detach /dev/<replaceable>ad4s1c</replaceable></userinput></screen> </note>
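Review bot: In the hunk at @@ -2509,8 +2509,8 @@, the reflow splits the start tag between '<link' and 'linkend="mac">'. This is still well-formed XML, but a line-based search for the full '<link linkend="mac">' string no longer matches. Wrapping before '<link' and keeping the whole start tag on one line would keep the cross-reference to the MAC chapter greppable.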
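Review bot: In the hunk at @@ -2611,10 +2610,11 @@, the rewrapped paragraph leaves 'sector_size' as bare text in the sentence "set the sector_size to 2048", although it is the name of a key in the gbde template shown in the screen below it. Marking it up with <literal>, as the chapter does for 'options GEOM_BDE', would be a content change and so belongs in a follow-up commit rather than this whitespace-only one.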
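Review bot: In the hunk at @@ -2626,30 +2626,29 @@, the unchanged diceware link has an xlink:href ending in 'diceware.html' but visible link text ending in 'diceware.htm'. Readers who copy the printed URL get a different address from the one the link targets. Since this commit is marked whitespace-only, the text should be corrected to match the href in a separate content commit.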
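Review bot: In the hunk at @@ -2714,34 +2713,33 @@, the reflowed paragraph keeps the wording "entered at the console boot time", which appears to be missing a word ("at the console at boot time"). The same hunk also carries the open comment '<!-- What about bsdinstall? -->' ahead of a note that only covers sysinstall. Both are worth a follow-up content commit so that translators, who are told to ignore this revision, pick up the fix.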