author | pjd <pjd@FreeBSD.org> | 2005-08-05 23:38:51 +0000 |
committer | pjd <pjd@FreeBSD.org> | 2005-08-05 23:38:51 +0000 |
commit | 0c7478173c04ee05edc6f162c406af8897da1221 (patch) | |
tree | 9525933ae3f12c9e693f6f7e9051f8f460bd3eb0 | |
parent | 0b10714f0fa7894dee283f7086b8ea2a68874f43 (diff) | |
Teach rc.d/encswap script how to use geli(8) for swap encryption.
MFC after: 3 days
-rw-r--r-- | etc/defaults/rc.conf | 2 | ||||
-rw-r--r-- | etc/rc.d/encswap | 32 | ||||
-rw-r--r-- | share/man/man5/rc.conf.5 | 6 |
3 files changed, 25 insertions, 15 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 0e2eaf0..e9d86e4 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -59,6 +59,8 @@ gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
 gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
 gbde_lockdir="/etc" # Where to look for gbde lockfiles
 
+geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted swap partitions.
+
 root_rw_mount="YES" # Set to NO to inhibit remounting root read-write.
 fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.
 background_fsck="YES" # Attempt to run fsck in the background where possible.
diff --git a/etc/rc.d/encswap b/etc/rc.d/encswap
index 82ac8da..6221998 100644
--- a/etc/rc.d/encswap
+++ b/etc/rc.d/encswap
@@ -9,11 +9,11 @@
 
 . /etc/rc.subr
 
-name="gbde_swap"
-start_cmd="gbde_swap_attach"
-stop_cmd="gbde_swap_detach"
+name="encswap"
+start_cmd="encswap_attach"
+stop_cmd="encswap_detach"
 
-gbde_swap_attach()
+encswap_attach()
 {
  while read device mountpoint type options rest ; do
  case ":${device}:${type}:${options}" in
@@ -21,19 +21,20 @@ gbde_swap_attach()
  continue
  ;;
  *.bde:swap:sw)
+ passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
+ device="${device%.bde}"
+ gbde init "${device}" -P "${passphrase}" || return 1
+ gbde attach "${device}" -p "${passphrase}" || return 1
  ;;
- *)
- continue
+ *.eli:swap:sw)
+ device="${device%.eli}"
+ geli onetime ${geli_swap_flags} "${device}" || return 1
  ;;
  esac
- passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
- device="${device%.bde}"
- gbde init "${device}" -P "${passphrase}" || return 1
- gbde attach "${device}" -p "${passphrase}" || return 1
  done < /etc/fstab
 }
 
-gbde_swap_detach()
+encswap_detach()
 {
  while read device mountpoint type options rest ; do
  case ":${device}:${type}:${options}" in
@@ -41,13 +42,14 @@ gbde_swap_detach()
  continue
  ;;
  *.bde:swap:sw)
+ device="${device%.bde}"
+ gbde detach "${device}"
  ;;
- *)
- continue
+ *.eli:swap:sw)
+ # Nothing here, because geli swap devices should be
+ # created with the auto-detach-on-last-close option.
  ;;
  esac
- device="${device%.bde}"
- gbde detach "${device}"
  done < /etc/fstab
 }
 
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index fcab89f..69e9821 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -1156,6 +1156,12 @@ Number of times to attempt attaching to a
 .Xr gbde 4
 device, i.e., how many times the user is asked for the pass-phrase.
 Default is 3.
+.It Va geli_swap_flags
+Options passed to the
+.Xr geli 8
+utility when encrypted GEOM providers for swap partitions are created.
+The default is
+.Dq Li -a aes -l 256 -s 4096 -d .
 .It Va root_rw_mount
 .Pq Vt bool
 Set to |
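Review bot: The comment on the new `geli_swap_flags` line does not say that `-d` is load-bearing: `encswap_detach` in rc.d/encswap (the `*.eli:swap:sw)` case of the last encswap hunk on this page) deliberately does nothing and relies on the provider having been created with detach-on-last-close, so an administrator who overrides this variable without `-d` ends up with a swap provider that is never detached on stop. I would make that explicit in the default: `geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted swap partitions (rc.d/encswap relies on -d).` The same caveat belongs in the new rc.conf.5 paragraph, which documents the default value but not the requirement.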
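Review bot: In the `*.bde:swap:sw)` branch of `encswap_attach` the relocated lines still pass the generated passphrase to `gbde init -P` and `gbde attach -p` as command-line arguments, where it is typically visible to other local users through the process table while the command runs; the new `*.eli:swap:sw)` branch avoids this because `geli onetime` has the key generated in the kernel. The gbde lines are only moved into the case by this hunk, so this is pre-existing, but a comment on the gbde branch such as `# NOTE: passphrase is visible in argv while gbde runs; geli onetime avoids this` would record why the two branches differ. Both branches also `return 1` on the first failing device, aborting the remaining fstab entries, which is likewise unchanged behaviour.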