mirror of
https://github.com/freebsd/freebsd-src
synced 2024-09-16 06:52:27 +00:00
geli(8): Add an example on how to use geli(8) with a file as encrypted storage
Reviewed by: bcr (mentor)
Approved by: bcr (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D25741
parent cb65eb43ad
commit fcc9702f05
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=363363
|
@ -24,7 +24,7 @@
|
||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd April 14, 2020
|
.Dd July 20, 2020
|
||||||
.Dt GELI 8
|
.Dt GELI 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -1095,6 +1095,64 @@ resuming the laptop:
|
||||||
# geli resume gpt/private
|
# geli resume gpt/private
|
||||||
Enter passphrase:
|
Enter passphrase:
|
||||||
.Ed
|
.Ed
|
||||||
|
.Pp
|
||||||
|
To create a
|
||||||
|
.Nm
|
||||||
|
encrypted filesystem with a file as storage device follow this example.
|
||||||
|
First a file named private0 is created in
|
||||||
|
.Pa /usr
|
||||||
|
and attached as a memory disk like
|
||||||
|
.Pa /dev/md0
|
||||||
|
for example.
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
# dd if=/dev/zero of=/usr/private0 bs=1m count=256
|
||||||
|
# chmod 0600 /usr/private0
|
||||||
|
# mdconfig -t vnode -f /usr/private0
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
It is recommended to place the following line in
|
||||||
|
.Xr rc.conf 5
|
||||||
|
to have the memory disk automatically created during boot.
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
mdconfig_md0="-t vnode -f /usr/private0"
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
After
|
||||||
|
.Pa /dev/md0
|
||||||
|
is created a random key has to be generated and stored in a secure location,
|
||||||
|
like
|
||||||
|
.Pa /root
|
||||||
|
for example.
|
||||||
|
This key should be protected by a passphrase, which
|
||||||
|
is requested when geli init is called.
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
# dd if=/dev/random of=/root/private0.key bs=64 count=1
|
||||||
|
# geli init -K /root/private0.key -s 4096 /dev/md0
|
||||||
|
Enter new passphrase:
|
||||||
|
Reenter new passphrase:
|
||||||
|
# dd if=/dev/random of=/dev/md0.eli bs=1m
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
Once the initialization of the
|
||||||
|
.Pa /dev/md0.eli
|
||||||
|
device is ready create a UFS filesystem and mount it for example in
|
||||||
|
.Pa /private .
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
# newfs /dev/md0.eli
|
||||||
|
# mount /dev/md0.eli /private
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
After a system reboot the
|
||||||
|
.Nm
|
||||||
|
device can be mounted again with the following commands.
|
||||||
|
The call of geli attach will ask for the passphrase.
|
||||||
|
It is recommended to do this procedure after the boot, because otherwise
|
||||||
|
the boot process would be waiting for the passphrase input.
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
# geli attach -k /root/private0.key /dev/md0
|
||||||
|
Enter new passphrase:
|
||||||
|
# mount /dev/md0.eli /private
|
||||||
|
.Ed
|
||||||
.Sh ENCRYPTION MODES
|
.Sh ENCRYPTION MODES
|
||||||
.Nm
|
.Nm
|
||||||
supports two encryption modes:
|
supports two encryption modes:
|
||||||
|
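Review bot: In the initialization block, `dd if=/dev/random of=/dev/md0.eli bs=1m` follows `geli init` directly, but the block never attaches the provider, so /dev/md0.eli does not exist at that point; the last block shows that `geli attach -k /root/private0.key /dev/md0` is what makes it available. Add the attach step, with its passphrase prompt, before the dd line. In the last block the prompt after `geli attach` is shown as "Enter new passphrase:", which is the `geli init` prompt; attach asks for the existing passphrase, so it should read "Enter passphrase:" as in the `geli resume` example above. The text calls /root a secure location for the key, yet `chmod 0600` is applied only to /usr/private0; consider showing the same for /root/private0.key. Finally, `mdconfig -t vnode -f /usr/private0` lets the kernel pick the unit while every later command assumes md0; adding `-u 0` would keep the example consistent, and "geli init" / "geli attach" in the prose would be better marked up with the page's macros than written as plain text.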
@ -1157,7 +1215,9 @@ block cipher was implemented by Yoshisato Yanagisawa in
|
||||||
.Pp
|
.Pp
|
||||||
Highest
|
Highest
|
||||||
.Nm GELI
|
.Nm GELI
|
||||||
metadata version supported by the given FreeBSD version:
|
metadata version supported by the given
|
||||||
|
.Fx
|
||||||
|
version:
|
||||||
.Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
|
.Bl -column -offset indent ".Sy FreeBSD" ".Sy version"
|
||||||
.It Sy FreeBSD Ta Sy GELI
|
.It Sy FreeBSD Ta Sy GELI
|
||||||
.It Sy version Ta Sy version
|
.It Sy version Ta Sy version
|
||||||
|
|