disks-encrypting.html

这是很好的学习嵌入式LINUX的文章

system on the device. To create a file system on the encrypted device, use <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=newfs&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">newfs</span>(8)</span></a>. Since it is
much faster to initialize a new UFS2 file system than it is to initialize the old UFS1
file system, using <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=newfs&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">newfs</span>(8)</span></a> with the <var
class="OPTION">-O2</var> option is recommended.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The <var class="OPTION">-O2</var> option is the default with
FreeBSD&nbsp;5.1-RELEASE and later.</p>
</blockquote>
</div>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">newfs -U -O2 /dev/ad4s1c.bde</kbd>
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=newfs&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">newfs</span>(8)</span></a> command must
be performed on an attached <b class="APPLICATION">gbde</b> partition which is identified
by a <tt class="FILENAME"><var class="REPLACEABLE">*</var>.bde</tt> extension to the
device name.</p>
</blockquote>
</div>
</li>

<li>
<p><b>Mount the Encrypted Partition</b></p>

<p>Create a mount point for the encrypted file system.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mkdir /private</kbd>
</pre>

<p>Mount the encrypted file system.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mount /dev/ad4s1c.bde /private</kbd>
</pre>
</li>

<li>
<p><b>Verify That the Encrypted File System is Available</b></p>

<p>The encrypted file system should now be visible to <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=df&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">df</span>(1)</span></a> and be available
for use.</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">df -H</kbd>
Filesystem        Size   Used  Avail Capacity  Mounted on
/dev/ad0s1a      1037M    72M   883M     8%    /
/devfs            1.0K   1.0K     0B   100%    /dev
/dev/ad0s1f       8.1G    55K   7.5G     0%    /home
/dev/ad0s1e      1037M   1.1M   953M     0%    /tmp
/dev/ad0s1d       6.1G   1.9G   3.7G    35%    /usr
/dev/ad4s1c.bde   150G   4.1K   138G     0%    /private
</pre>
</li>
</ol>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN25883" name="AEN25883">16.15.3 Mounting Existing Encrypted
File Systems</a></h2>

<p>After each boot, any encrypted file systems must be re-attached to the kernel, checked
for errors, and mounted, before the file systems can be used. The required commands must
be executed as user <tt class="USERNAME">root</tt>.</p>

<div class="PROCEDURE">
<ol type="1">
<li>
<p><b>Attach the gbde Partition to the Kernel</b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c</kbd>
</pre>

<p>You will be asked to provide the passphrase that you selected during initialization of
the encrypted gbde partition.</p>
</li>

<li>
<p><b>Check the File System for Errors</b></p>

<p>Since encrypted file systems cannot yet be listed in <tt
class="FILENAME">/etc/fstab</tt> for automatic mounting, the file systems must be checked
for errors by running <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=fsck&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">fsck</span>(8)</span></a> manually
before mounting.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">fsck -p -t ffs /dev/ad4s1c.bde</kbd>
</pre>
</li>

<li>
<p><b>Mount the Encrypted File System</b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mount /dev/ad4s1c.bde /private</kbd>
</pre>

<p>The encrypted file system is now available for use.</p>
</li>
</ol>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN25910" name="AEN25910">16.15.3.1 Automatically Mounting
Encrypted Partitions</a></h3>

<p>It is possible to create a script to automatically attach, check, and mount an
encrypted partition, but for security reasons the script should not contain the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=gbde&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(8)</span></a> password.
Instead, it is recommended that such scripts be run manually while providing the password
via the console or <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span></a>.</p>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN25919" name="AEN25919">16.15.4 Cryptographic Protections
Employed by gbde</a></h2>

<p><a href="http://www.FreeBSD.org/cgi/man.cgi?query=gbde&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(8)</span></a> encrypts the
sector payload using 128-bit AES in CBC mode. Each sector on the disk is encrypted with a
different AES key. For more information on <b class="APPLICATION">gbde</b>'s
cryptographic design, including how the sector keys are derived from the user-supplied
passphrase, see <a href="http://www.FreeBSD.org/cgi/man.cgi?query=gbde&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(4)</span></a>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN25929" name="AEN25929">16.15.5 Compatibility Issues</a></h2>

<p><a href="http://www.FreeBSD.org/cgi/man.cgi?query=sysinstall&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">sysinstall</span>(8)</span></a> is
incompatible with <b class="APPLICATION">gbde</b>-encrypted devices. All <tt
class="DEVICENAME"><var class="REPLACEABLE">*</var>.bde</tt> devices must be detached
from the kernel before starting <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=sysinstall&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">sysinstall</span>(8)</span></a> or it
will crash during its initial probing for devices. To detach the encrypted device used in
our example, use the following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">gbde detach /dev/ad4s1c</kbd>
</pre>

<p>Also note that, as <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=vinum&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">vinum</span>(4)</span></a> does not use
the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=geom&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">geom</span>(4)</span></a> subsystem, you
cannot use <b class="APPLICATION">gbde</b> with <b class="APPLICATION">vinum</b>
volumes.</p>
</div>
</div>

<h3 class="FOOTNOTES">Notes</h3>

<table border="0" class="FOOTNOTES" width="100%">
<tr>
<td align="LEFT" valign="TOP" width="5%"><a id="FTN.AEN25814" name="FTN.AEN25814"
href="disks-encrypting.html#AEN25814"><span class="footnote">[1]</span></a></td>
<td align="LEFT" valign="TOP" width="95%">
<p>For tips on how to select a secure passphrase that is easy to remember, see the <a
href="http://world.std.com/~reinhold/diceware.html" target="_top">Diceware Passphrase</a>
website.</p>
</td>
</tr>
</table>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="quotas.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="vinum-vinum.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">File System Quotas</td>
<td width="34%" align="center" valign="top"><a href="disks.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">The Vinum Volume Manager</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>