svn commit: r44503 - head/en_US.ISO8859-1/books/handbook/disks

Dru Lavigne dru at FreeBSD.org
Wed Apr 9 14:28:59 UTC 2014 

Author: dru
Date: Wed Apr  9 14:28:58 2014
New Revision: 44503
URL: http://svnweb.freebsd.org/changeset/doc/44503

Log:
  Editorial review of Encrypted Swap chapter.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/disks/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml	Wed Apr  9 14:06:19 2014	(r44502)
+++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml	Wed Apr  9 14:28:58 2014	(r44503)
@@ -3192,7 +3192,7 @@ geli_da2_flags="-p -k /root/da2.key"</pr
 
   <sect1 xml:id="swap-encrypting">
     <info>
-      <title>Encrypting Swap Space</title>
+      <title>Encrypting Swap</title>
 
       <authorgroup>
 	<author>
@@ -3213,23 +3213,21 @@ geli_da2_flags="-p -k /root/da2.key"</pr
     <para>Like the encryption of disk partitions, encryption of swap
       space is used to protect sensitive information.  Consider an
       application that deals with passwords.  As long as these
-      passwords stay in physical memory, these passwords will not be
-      written to disk and be cleared after a reboot.  If &os; starts
-      swapping out memory pages to free space for other applications,
-      the passwords may be written to the disk platters unencrypted.
+      passwords stay in physical memory, they are not
+      written to disk and will be cleared after a reboot.  However, if &os; starts
+      swapping out memory pages to free space,
+      the passwords may be written to the disk unencrypted.
       Encrypting swap space can be a solution for this
       scenario.</para>
 
-    <para>The &man.gbde.8; or &man.geli.8; encryption systems may be
-      used for swap encryption.  Both systems use the
-      <filename>encswap</filename>
-      <link linkend="configtuning-rcd">rc.d</link> script.</para>
-
-    <note>
-      <para>For the remainder of this section,
-	<filename>ad0s1b</filename> will be the swap
+      <para>This section demonstrates how to configure an encrypted
+	swap partition using &man.gbde.8; or &man.geli.8; encryption.
+	It assumes a <acronym>UFS</acronym> file system where
+	<filename>/dev/ad0s1b</filename> is the swap
 	partition.</para>
-    </note>
+
+    <sect2>
+      <title>Configuring Encrypted Swap</title>
 
     <para>Swap partitions are not encrypted by default and should
       be cleared of any sensitive data before continuing.  To
@@ -3238,42 +3236,32 @@ geli_da2_flags="-p -k /root/da2.key"</pr
 
     <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen>
 
-    <sect2>
-      <title>Swap Encryption with &man.gbde.8;</title>
-
-      <para>The <literal>.bde</literal> suffix should be added to the
-	device in the respective <filename>/etc/fstab</filename> swap
-	line:</para>
+    <para>To encrypt the swap partition using &man.gbde.8;, add the
+	<literal>.bde</literal> suffix to the swap line in
+	<filename>/etc/fstab</filename>:</para>
 
       <programlisting># Device		Mountpoint	FStype	Options		Dump	Pass#
 /dev/ad0s1b.bde		none		swap	sw		0	0</programlisting>
-    </sect2>
-
-    <sect2>
-      <title>Swap Encryption with &man.geli.8;</title>
 
-      <para>The procedure for instead using &man.geli.8; for swap
-	encryption is similar to that of using &man.gbde.8;.  The
-	<literal>.eli</literal> suffix should be added to the device
-	in the respective <filename>/etc/fstab</filename> swap
-	line:</para>
+      <para>To instead encrypt the swap partition using &man.geli.8;,
+	use the
+	<literal>.eli</literal> suffix:</para>
 
       <programlisting># Device		Mountpoint	FStype	Options		Dump	Pass#
 /dev/ad0s1b.eli		none		swap	sw		0	0</programlisting>
 
-      <para>&man.geli.8; uses the <acronym>AES</acronym> algorithm
-	with a key length of 128 bit by default.  These defaults can
+      <para>By default, &man.geli.8; uses the <acronym>AES</acronym> algorithm
+	with a key length of 128 bit.  These defaults can
 	be altered by using <literal>geli_swap_flags</literal> in
-	<filename>/etc/rc.conf</filename>.  The following line tells
-	the <filename>encswap</filename> rc.d script to create
-	&man.geli.8; swap partitions using the Blowfish algorithm with
+	<filename>/etc/rc.conf</filename>.  The following flags configure
+	encryption using the Blowfish algorithm with
 	a key length of 128 bits and a sectorsize of 4 kilobytes, and
 	sets <quote>detach on last close</quote>:</para>
 
       <programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting>
 
       <para>Refer to the description of
-	<command>onetime</command> in &man.geli.8; for a list of
+	<literal>onetime</literal> in &man.geli.8; for a list of
 	possible options.</para>
     </sect2>

More information about the svn-doc-head mailing list