svn commit: r44697 - head/en_US.ISO8859-1/books/handbook/disks
Dru Lavigne
dru at FreeBSD.org
Tue Apr 29 16:58:42 UTC 2014
Author: dru
Date: Tue Apr 29 16:58:41 2014
New Revision: 44697
URL: http://svnweb.freebsd.org/changeset/doc/44697
Log:
White space fix only. Translators can ignore.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/disks/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/disks/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Tue Apr 29 16:06:44 2014 (r44696)
+++ head/en_US.ISO8859-1/books/handbook/disks/chapter.xml Tue Apr 29 16:58:41 2014 (r44697)
@@ -2413,19 +2413,20 @@ Quotas for user test:
analyze the data.</para>
<para>Regardless of how an attacker may have come into possession
- of a hard drive or powered-down computer, the <acronym>GEOM</acronym>-based
- cryptographic subsystems built into &os; are
- able to protect the data on the computer's file systems against
- even highly-motivated attackers with significant resources.
- Unlike encryption methods that encrypt individual files, the built-in
- <command>gbde</command> and <command>geli</command> utilities can be used to
- transparently encrypt entire file systems. No cleartext ever
- touches the hard drive's platter.</para>
-
- <para>This chapter demonstrates how to create an encrypted file
- system on &os;. It first demonstrates the process using
- <command>gbde</command> and then demonstrates the same example
- using <command>geli</command>.</para>
+ of a hard drive or powered-down computer, the
+ <acronym>GEOM</acronym>-based cryptographic subsystems built
+ into &os; are able to protect the data on the computer's file
+ systems against even highly-motivated attackers with significant
+ resources. Unlike encryption methods that encrypt individual
+ files, the built-in <command>gbde</command> and
+ <command>geli</command> utilities can be used to transparently
+ encrypt entire file systems. No cleartext ever touches the hard
+ drive's platter.</para>
+
+ <para>This chapter demonstrates how to create an encrypted file
+ system on &os;. It first demonstrates the process using
+ <command>gbde</command> and then demonstrates the same example
+ using <command>geli</command>.</para>
<sect2>
<title>Disk Encryption with
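Review bot: "No cleartext ever touches the hard drive's platter" in the reflowed intro is broader than what the chapter delivers; the example that follows encrypts one partition mounted at /private, so the root file system, swap and anything written outside /private stay in the clear. Suggest "No cleartext of the protected file system ever touches the disk" plus a sentence that swap and the other partitions need their own encryption, and tone down "against even highly-motivated attackers with significant resources" to what the passphrase and key file actually buy. Wording only, so a follow-up rather than this whitespace commit.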
@@ -2622,10 +2623,10 @@ gbde_devices="<replaceable>ad4s1c</repla
gbde_lockdir="/etc/gbde"</programlisting>
<para>This requires that the passphrase be entered at the
- console at boot time. After typing the correct passphrase, the
- encrypted partition will be mounted automatically. Additional
- <application>gbde</application> boot options are available and
- listed in &man.rc.conf.5;.</para>
+ console at boot time. After typing the correct passphrase,
+ the encrypted partition will be mounted automatically.
+ Additional <application>gbde</application> boot options are
+ available and listed in &man.rc.conf.5;.</para>
<!--
What about bsdinstall?
@@ -2658,21 +2659,23 @@ What about bsdinstall?
</authorgroup>
</info>
- <para>An alternative cryptographic <acronym>GEOM</acronym> class is available
- using <command>geli</command>. This control utility adds
- some features and uses
- a different scheme for doing cryptographic work. It provides
- the following features:</para>
+ <para>An alternative cryptographic <acronym>GEOM</acronym> class
+ is available using <command>geli</command>. This control
+ utility adds some features and uses a different scheme for
+ doing cryptographic work. It provides the following
+ features:</para>
<itemizedlist>
<listitem>
- <para>Utilizes the &man.crypto.9; framework and automatically uses
- cryptographic hardware when it is available.</para>
+ <para>Utilizes the &man.crypto.9; framework and
+ automatically uses cryptographic hardware when it is
+ available.</para>
</listitem>
<listitem>
<para>Supports multiple cryptographic algorithms such as
- <acronym>AES</acronym>, Blowfish, and <acronym>3DES</acronym>.</para>
+ <acronym>AES</acronym>, Blowfish, and
+ <acronym>3DES</acronym>.</para>
</listitem>
<listitem>
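Review bot: the second `<listitem>` lists AES, Blowfish and 3DES as if they were interchangeable; Blowfish and 3DES are legacy 64-bit block ciphers and a reader copying the list may pick one for a new volume. Suggest either dropping the two or adding that AES is the one to use unless there is a specific reason otherwise. The reflow itself is fine.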
@@ -2686,14 +2689,14 @@ What about bsdinstall?
</listitem>
<listitem>
- <para>It is fast as it performs simple
- sector-to-sector encryption.</para>
+ <para>It is fast as it performs simple sector-to-sector
+ encryption.</para>
</listitem>
<listitem>
<para>Allows backup and restore of master keys. If a user
- destroys their keys, it is still possible to get access
- to the data by restoring keys from the backup.</para>
+ destroys their keys, it is still possible to get access to
+ the data by restoring keys from the backup.</para>
</listitem>
<listitem>
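Review bot: the "backup and restore of master keys" item should warn that a metadata backup taken before the keys were changed still unlocks the provider with the old passphrase and key file, so backups must be refreshed after every key change and kept off the machine they protect; as written, "restoring keys from the backup" reads as a pure convenience with no cost.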
@@ -2706,17 +2709,15 @@ What about bsdinstall?
<para>More features and usage examples can be found in
&man.geli.8;.</para>
- <para>The following example describes how to generate a
- key file which will be used as part of the master key for
- the encrypted provider mounted under
- <filename>/private</filename>. The key
- file will provide some random data used to encrypt the
- master key. The master key will also be protected by a
- passphrase. The provider's sector size will be 4kB.
- The example describes how to attach to the
- <command>geli</command> provider, create a file system on
- it, mount it, work with it, and finally, how to detach
- it.</para>
+ <para>The following example describes how to generate a key file
+ which will be used as part of the master key for the encrypted
+ provider mounted under <filename>/private</filename>. The key
+ file will provide some random data used to encrypt the master
+ key. The master key will also be protected by a passphrase.
+ The provider's sector size will be 4kB. The example describes
+ how to attach to the <command>geli</command> provider, create
+ a file system on it, mount it, work with it, and finally, how
+ to detach it.</para>
<procedure>
<title>Encrypting a Partition with
@@ -2748,12 +2749,11 @@ device crypto</programlisting>
<title>Generate the Master Key</title>
<para>The following commands generate a master key
- (<filename>/root/da2.key</filename>) that is protected with a passphrase.
- The data source for the key file is
+ (<filename>/root/da2.key</filename>) that is protected
+ with a passphrase. The data source for the key file is
<filename>/dev/random</filename> and the sector size of
- the provider (<filename>/dev/da2.eli</filename>) is
- 4kB as a bigger sector size provides
- better performance:</para>
+ the provider (<filename>/dev/da2.eli</filename>) is 4kB as
+ a bigger sector size provides better performance:</para>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/root/da2.key bs=64 count=1</userinput>
&prompt.root; <userinput>geli init -s 4096 -K /root/da2.key /dev/da2</userinput>
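Review bot: `dd if=/dev/random of=/root/da2.key bs=64 count=1` creates the key file with the default umask, so it is typically world-readable; the step should follow it with `chmod 600 /root/da2.key` (or set a umask first). More importantly, the file lives on the unencrypted root file system and, per the rc.conf hunk below, stays there permanently, so the attacker with the powered-down computer that the chapter opens with already holds the key file and only the passphrase stands in the way. The text should say that the key file belongs on removable media, or at least point out what leaving it in /root costs. The "4kB ... provides better performance" claim would also read better with "4 kB".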
@@ -2765,8 +2765,8 @@ Reenter new passphrase:</screen>
used in isolation.</para>
<para>If the key file is given as <quote>-</quote>, standard
- input will be used. For example, this command generates three
- key files:</para>
+ input will be used. For example, this command generates
+ three key files:</para>
<screen>&prompt.root; <userinput>cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2</userinput></screen>
</step>
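Review bot: "this command generates three key files" is wrong for `cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2`; nothing is generated, the three existing files are concatenated and fed to `geli init` as a single key file on standard input. Suggest "this command uses the concatenation of three key files as the key file".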
@@ -2812,41 +2812,37 @@ Filesystem Size Used Avail Capaci
</step>
</procedure>
- <para>Once the work on the encrypted partition is done, and
- the <filename>/private</filename>
- partition is no longer needed, it is prudent to put the
- device into cold storage by
- unmounting and detaching the <command>geli</command>
- encrypted partition from the kernel:</para>
+ <para>Once the work on the encrypted partition is done, and the
+ <filename>/private</filename> partition is no longer needed,
+ it is prudent to put the device into cold storage by
+ unmounting and detaching the <command>geli</command> encrypted
+ partition from the kernel:</para>
- <screen>&prompt.root; <userinput>umount /private</userinput>
+ <screen>&prompt.root; <userinput>umount /private</userinput>
&prompt.root; <userinput>geli detach da2.eli</userinput></screen>
- <para>An
- <filename>rc.d</filename> script is provided to
- simplify the mounting of <command>geli</command>-encrypted
- devices at boot time. For this example, add these lines to
- <filename>/etc/rc.conf</filename>:</para>
+ <para>An <filename>rc.d</filename> script is provided to
+ simplify the mounting of <command>geli</command>-encrypted
+ devices at boot time. For this example, add these lines to
+ <filename>/etc/rc.conf</filename>:</para>
- <programlisting>geli_devices="<replaceable>da2</replaceable>"
+ <programlisting>geli_devices="<replaceable>da2</replaceable>"
geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"</programlisting>
- <para>This configures <filename>/dev/da2</filename> as a
- <command>geli</command> provider with a master key
- of <filename>/root/da2.key</filename>.
- The system will automatically detach
- the provider from the kernel before
- the system shuts down. During the startup process, the script will prompt for the
- passphrase before attaching the
- provider. Other kernel messages might be shown before and
- after the password prompt. If the boot process seems to
- stall, look carefully for the password prompt among the
- other messages. Once the correct passphrase is entered, the provider is
- attached. The file system is then mounted,
- typically by an entry in
- <filename>/etc/fstab</filename>. Refer to <xref
- linkend="mount-unmount"/> for instructions on how to
- configure a file system to mount at boot time.</para>
+ <para>This configures <filename>/dev/da2</filename> as a
+ <command>geli</command> provider with a master key of
+ <filename>/root/da2.key</filename>. The system will
+ automatically detach the provider from the kernel before the
+ system shuts down. During the startup process, the script
+ will prompt for the passphrase before attaching the provider.
+ Other kernel messages might be shown before and after the
+ password prompt. If the boot process seems to stall, look
+ carefully for the password prompt among the other messages.
+ Once the correct passphrase is entered, the provider is
+ attached. The file system is then mounted, typically by an
+ entry in <filename>/etc/fstab</filename>. Refer to <xref
+ linkend="mount-unmount"/> for instructions on how to
+ configure a file system to mount at boot time.</para>
</sect2>
</sect1>
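Review bot: `geli_da2_flags="-p -k /root/da2.key"` contradicts the prose two paragraphs later ("the script will prompt for the passphrase before attaching the provider"): for `geli attach`, `-p` means do not use a passphrase as a key component, and the provider was initialised with one (the `Reenter new passphrase:` prompt in the earlier hunk), so the attach at boot would fail with no prompt at all. Drop `-p` so the flags read `-k /root/da2.key`. Also, "a master key of /root/da2.key" is inaccurate: the key file is one component used, together with the passphrase, to unlock the master key that `geli init` generated and stored encrypted in the provider's metadata; "with the key file /root/da2.key" would be right.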