svn commit: r44503 - head/en_US.ISO8859-1/books/handbook/disks
Dru Lavigne
dru at FreeBSD.org
Wed Apr 9 14:28:59 UTC 2014
Author: dru
Date: Wed Apr 9 14:28:58 2014
New Revision: 44503
URL: http://svnweb.freebsd.org/changeset/doc/44503
Log:
Editorial review of Encrypted Swap chapter.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/disks/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Wed Apr 9 14:06:19 2014 (r44502)
+++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Wed Apr 9 14:28:58 2014 (r44503)
@@ -3192,7 +3192,7 @@ geli_da2_flags="-p -k /root/da2.key"</pr
<sect1 xml:id="swap-encrypting">
<info>
- <title>Encrypting Swap Space</title>
+ <title>Encrypting Swap</title>
<authorgroup>
<author>
@@ -3213,23 +3213,21 @@ geli_da2_flags="-p -k /root/da2.key"</pr
<para>Like the encryption of disk partitions, encryption of swap
space is used to protect sensitive information. Consider an
application that deals with passwords. As long as these
- passwords stay in physical memory, these passwords will not be
- written to disk and be cleared after a reboot. If &os; starts
- swapping out memory pages to free space for other applications,
- the passwords may be written to the disk platters unencrypted.
+ passwords stay in physical memory, they are not
+ written to disk and will be cleared after a reboot. However, if &os; starts
+ swapping out memory pages to free space,
+ the passwords may be written to the disk unencrypted.
Encrypting swap space can be a solution for this
scenario.</para>
- <para>The &man.gbde.8; or &man.geli.8; encryption systems may be
- used for swap encryption. Both systems use the
- <filename>encswap</filename>
- <link linkend="configtuning-rcd">rc.d</link> script.</para>
-
- <note>
- <para>For the remainder of this section,
- <filename>ad0s1b</filename> will be the swap
+ <para>This section demonstrates how to configure an encrypted
+ swap partition using &man.gbde.8; or &man.geli.8; encryption.
+ It assumes a <acronym>UFS</acronym> file system where
+ <filename>/dev/ad0s1b</filename> is the swap
partition.</para>
- </note>
+
+ <sect2>
+ <title>Configuring Encrypted Swap</title>
<para>Swap partitions are not encrypted by default and should
be cleared of any sensitive data before continuing. To
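Review bot: the removed paragraph (`- <para>The &man.gbde.8; or &man.geli.8; encryption systems may be ... Both systems use the <filename>encswap</filename> ... rc.d script`) was the only place this section named the `encswap` rc.d script that attaches the encrypted swap device at boot, and the new introductory `<para>This section demonstrates ...</para>` drops it without a replacement. Suggest keeping one sentence, e.g. `Both are attached at boot by the <filename>encswap</filename> <link linkend="configtuning-rcd">rc.d</link> script.` Minor wording: a swap partition carries no file system, so "It assumes a <acronym>UFS</acronym> file system where <filename>/dev/ad0s1b</filename> is the swap partition" would be more accurate as assuming a UFS-style slice layout in which `/dev/ad0s1b` is the swap partition.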
@@ -3238,42 +3236,32 @@ geli_da2_flags="-p -k /root/da2.key"</pr
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen>
- <sect2>
- <title>Swap Encryption with &man.gbde.8;</title>
-
- <para>The <literal>.bde</literal> suffix should be added to the
- device in the respective <filename>/etc/fstab</filename> swap
- line:</para>
+ <para>To encrypt the swap partition using &man.gbde.8;, add the
+ <literal>.bde</literal> suffix to the swap line in
+ <filename>/etc/fstab</filename>:</para>
<programlisting># Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.bde none swap sw 0 0</programlisting>
- </sect2>
-
- <sect2>
- <title>Swap Encryption with &man.geli.8;</title>
- <para>The procedure for instead using &man.geli.8; for swap
- encryption is similar to that of using &man.gbde.8;. The
- <literal>.eli</literal> suffix should be added to the device
- in the respective <filename>/etc/fstab</filename> swap
- line:</para>
+ <para>To instead encrypt the swap partition using &man.geli.8;,
+ use the
+ <literal>.eli</literal> suffix:</para>
<programlisting># Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.eli none swap sw 0 0</programlisting>
- <para>&man.geli.8; uses the <acronym>AES</acronym> algorithm
- with a key length of 128 bit by default. These defaults can
+ <para>By default, &man.geli.8; uses the <acronym>AES</acronym> algorithm
+ with a key length of 128 bit. These defaults can
be altered by using <literal>geli_swap_flags</literal> in
- <filename>/etc/rc.conf</filename>. The following line tells
- the <filename>encswap</filename> rc.d script to create
- &man.geli.8; swap partitions using the Blowfish algorithm with
+ <filename>/etc/rc.conf</filename>. The following flags configure
+ encryption using the Blowfish algorithm with
a key length of 128 bits and a sectorsize of 4 kilobytes, and
sets <quote>detach on last close</quote>:</para>
<programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting>
<para>Refer to the description of
- <command>onetime</command> in &man.geli.8; for a list of
+ <literal>onetime</literal> in &man.geli.8; for a list of
possible options.</para>
</sect2>
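Review bot: grammar in the rewritten &man.geli.8; paragraph: "with a key length of 128 bit" should be "128 bits" (the following sentence already uses "128 bits"), and "The following flags configure ... and sets <quote>detach on last close</quote>" pairs a plural subject with a singular verb; suggest "and set". In the same sentence "sectorsize" is prose, not the option name, so "sector size" reads better. Separately, replacing "tells the <filename>encswap</filename> rc.d script to create &man.geli.8; swap partitions" with "The following flags configure encryption" removes this hunk's last reference to `encswap`; unless the mention dropped in the previous hunk is restored, readers no longer learn which script consumes `geli_swap_flags`.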
More information about the svn-doc-head
mailing list