| Field | Value | |
|---|---|---|
| author | Gordon Bergling <gbe@FreeBSD.org> | 2020-07-20 13:24:50 +0000 |
| committer | Gordon Bergling <gbe@FreeBSD.org> | 2020-07-20 13:24:50 +0000 |
| commit | fcc9702f059c4d3cc75de91247580d5a1d7bdb43 (patch) | |
| tree | 1f5dee4e98f335c7149d09687e28be0cdcfc2794 /lib | |
| parent | cb65eb43ad0a60e97aa6c110c9ddd3354d7f5bcd (diff) | |
| download | src-fcc9702f059c4d3cc75de91247580d5a1d7bdb43.tar.gz src-fcc9702f059c4d3cc75de91247580d5a1d7bdb43.zip | |
geli(8): Add an example on how to use geli(8) with a file as encrypted storage
Reviewed by: bcr (mentor)
Approved by: bcr (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D25741
Notes:
svn path=/head/; revision=363363
Diffstat (limited to 'lib')
-rw-r--r-- | lib/geom/eli/geli.8 | 64 |
1 files changed, 62 insertions, 2 deletions
diff --git a/lib/geom/eli/geli.8 b/lib/geom/eli/geli.8 index 798c4ce5e2af..0d23c4e09a49 100644 --- a/lib/geom/eli/geli.8 +++ b/lib/geom/eli/geli.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 14, 2020 +.Dd July 20, 2020 .Dt GELI 8 .Os .Sh NAME 
@@ -1095,6 +1095,64 @@ resuming the laptop: # geli resume gpt/private Enter passphrase: .Ed +.Pp +To create a +.Nm +encrypted filesystem with a file as storage device follow this example. +First a file named private0 is created in +.Pa /usr +and attached as a memory disk like +.Pa /dev/md0 +for example. +.Bd -literal -offset indent +# dd if=/dev/zero of=/usr/private0 bs=1m count=256 +# chmod 0600 /usr/private0 +# mdconfig -t vnode -f /usr/private0 +.Ed +.Pp +It is recommended to place the following line in +.Xr rc.conf 5 +to have the memory disk automatically created during boot. +.Bd -literal -offset indent +mdconfig_md0="-t vnode -f /usr/private0" +.Ed +.Pp +After +.Pa /dev/md0 +is created a random key has to be generated and stored in a secure location, +like +.Pa /root +for example. +This key should be protected by a passphrase, which +is requested when geli init is called. +.Bd -literal -offset indent +# dd if=/dev/random of=/root/private0.key bs=64 count=1 +# geli init -K /root/private0.key -s 4096 /dev/md0 +Enter new passphrase: +Reenter new passphrase: +# dd if=/dev/random of=/dev/md0.eli bs=1m +.Ed +.Pp +Once the initialization of the +.Pa /dev/md0.eli +device is ready create a UFS filesystem and mount it for example in +.Pa /private . +.Bd -literal -offset indent +# newfs /dev/md0.eli +# mount /dev/md0.eli /private +.Ed +.Pp +After a system reboot the +.Nm +device can be mounted again with the following commands. +The call of geli attach will ask for the passphrase. +It is recommended to do this procedure after the boot, because otherwise +the boot process would be waiting for the passphrase input. +.Bd -literal -offset indent +# geli attach -k /root/private0.key /dev/md0 +Enter new passphrase: +# mount /dev/md0.eli /private +.Ed .Sh ENCRYPTION MODES .Nm supports two encryption modes: 
@@ -1157,7 +1215,9 @@ block cipher was implemented by Yoshisato Yanagisawa in .Pp Highest .Nm GELI -metadata version supported by the given FreeBSD version: +metadata version supported by the given +.Fx +version: .Bl -column -offset indent ".Sy FreeBSD" ".Sy version" .It Sy FreeBSD Ta Sy GELI .It Sy version Ta Sy version |
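Review bot: in the second hunk (the new example block), the initialization sequence runs `# dd if=/dev/random of=/dev/md0.eli bs=1m` immediately after `# geli init -K /root/private0.key -s 4096 /dev/md0`, but `geli init` only writes the metadata; the `/dev/md0.eli` provider does not exist until the device has been attached, so that dd step cannot work as shown. Add `# geli attach -k /root/private0.key /dev/md0` (with its passphrase prompt) between the init and the dd, which is also the init/attach/dd order the existing examples in this manual page use. Two smaller points in the same hunk: the post-reboot attach step shows `Enter new passphrase:`, whereas `geli attach` prompts with `Enter passphrase:` (the resume example directly above the hunk already shows the correct prompt); and the key file is created with `dd` under the default umask, so a `# chmod 0600 /root/private0.key` after it would give the key the same owner-only protection the example already applies to `/usr/private0`.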