disks-encrypting.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ls /dev/ad*</kbd>
/dev/ad0        /dev/ad0s1b     /dev/ad0s1e     /dev/ad4s1
/dev/ad0s1      /dev/ad0s1c     /dev/ad0s1f     /dev/ad4s1c
/dev/ad0s1a     /dev/ad0s1d     /dev/ad4        /dev/ad4s1c.bde
</pre>
</li>

<li>
<p><b>Create a File System on the Encrypted Device</b></p>

<p>Once the encrypted device has been attached to the kernel, you can create a file
system on the device. To create a file system on the encrypted device, use <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">newfs</span>(8)</span>. Since it is much
faster to initialize a new UFS2 file system than it is to initialize the old UFS1 file
system, using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">newfs</span>(8)</span> with the <var class="OPTION">-O2</var>
option is recommended.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The <var class="OPTION">-O2</var> option is the default with
FreeBSD&nbsp;5.1-RELEASE and later.</p>
</blockquote>
</div>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">newfs -U -O2 /dev/ad4s1c.bde</kbd>
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">newfs</span>(8)</span> command must be performed on an attached <b
class="APPLICATION">gbde</b> partition which is identified by a <tt class="FILENAME"><var
class="REPLACEABLE">*</var>.bde</tt> extension to the device name.</p>
</blockquote>
</div>
</li>

<li>
<p><b>Mount the Encrypted Partition</b></p>

<p>Create a mount point for the encrypted file system.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mkdir /private</kbd>
</pre>

<p>Mount the encrypted file system.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mount /dev/ad4s1c.bde /private</kbd>
</pre>
</li>

<li>
<p><b>Verify That the Encrypted File System is Available</b></p>

<p>The encrypted file system should now be visible to <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">df</span>(1)</span> and be available for use.</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">df -H</kbd>
Filesystem        Size   Used  Avail Capacity  Mounted on
/dev/ad0s1a      1037M    72M   883M     8%    /
/devfs            1.0K   1.0K     0B   100%    /dev
/dev/ad0s1f       8.1G    55K   7.5G     0%    /home
/dev/ad0s1e      1037M   1.1M   953M     0%    /tmp
/dev/ad0s1d       6.1G   1.9G   3.7G    35%    /usr
/dev/ad4s1c.bde   150G   4.1K   138G     0%    /private
</pre>
</li>
</ol>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN18704" name="AEN18704">12.13.3. Mounting Existing Encrypted
File Systems</a></h2>

<p>After each boot, any encrypted file systems must be re-attached to the kernel, checked
for errors, and mounted, before the file systems can be used. The required commands must
be executed as user <tt class="USERNAME">root</tt>.</p>

<div class="PROCEDURE">
<ol type="1">
<li>
<p><b>Attach the gbde Partition to the Kernel</b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c</kbd>
</pre>

<p>You will be asked to provide the passphrase that you selected during initialization of
the encrypted gbde partition.</p>
</li>

<li>
<p><b>Check the File System for Errors</b></p>

<p>Since encrypted file systems cannot yet be listed in <tt
class="FILENAME">/etc/fstab</tt> for automatic mounting, the file systems must be checked
for errors by running <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">fsck</span>(8)</span> manually before mounting.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">fsck -p -t ffs /dev/ad4s1c.bde</kbd>
</pre>
</li>

<li>
<p><b>Mount the Encrypted File System</b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mount /dev/ad4s1c.bde /private</kbd>
</pre>

<p>The encrypted file system is now available for use.</p>
</li>
</ol>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN18731" name="AEN18731">12.13.3.1. Automatically Mounting
Encrypted Partitions</a></h3>

<p>It is possible to create a script to automatically attach, check, and mount an
encrypted partition, but for security reasons the script should not contain the <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(8)</span> password. Instead,
it is recommended that such scripts be run manually while providing the password via the
console or <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ssh</span>(1)</span>.</p>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN18740" name="AEN18740">12.13.4. Cryptographic Protections
Employed by gbde</a></h2>

<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(8)</span> encrypts
the sector payload using 128-bit AES in CBC mode. Each sector on the disk is encrypted
with a different AES key. For more information on <b class="APPLICATION">gbde</b>'s
cryptographic design, including how the sector keys are derived from the user-supplied
passphrase, see <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">gbde</span>(4)</span>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN18750" name="AEN18750">12.13.5. Compatibility Issues</a></h2>

<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">sysinstall</span>(8)</span> is
incompatible with <b class="APPLICATION">gbde</b>-encrypted devices. All <tt
class="DEVICENAME"><var class="REPLACEABLE">*</var>.bde</tt> devices must be detached
from the kernel before starting <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">sysinstall</span>(8)</span> or it will crash during its initial
probing for devices. To detach the encrypted device used in our example, use the
following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">gbde detach /dev/ad4s1c</kbd>
</pre>

<p>Also note that, as <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">vinum</span>(4)</span> does not use the <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">geom</span>(4)</span> subsystem, you
cannot use <b class="APPLICATION">gbde</b> with <b class="APPLICATION">vinum</b>
volumes.</p>
</div>
</div>

<h3 class="FOOTNOTES">Notes</h3>

<table border="0" class="FOOTNOTES" width="100%">
<tr>
<td align="LEFT" valign="TOP" width="5%"><a id="FTN.AEN18635" name="FTN.AEN18635"
href="disks-encrypting.html#AEN18635"><span class="footnote">[1]</span></a></td>
<td align="LEFT" valign="TOP" width="95%">
<p>For tips on how to select a secure passphrase that is easy to remember, see the <a
href="http://world.std.com/~reinhold/diceware.html" target="_top">Diceware Passphrase</a>
website.</p>
</td>
</tr>
</table>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="quotas.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="vinum-vinum.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">File System Quotas</td>
<td width="34%" align="center" valign="top"><a href="disks.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">The Vinum Volume Manager</td>
</tr>
</table>
</div>
</body>
</html>