Teach gbde(8) to use a key file in addition to a passphrase. This

makes it practical to use GBDE for "something you have plus something
you know" security together with a USB flash drive.

Reviewed by:	phk
MFC after:	7 days

1 files changed, 24 insertions, 0 deletions

diff --git a/sbin/gbde/gbde.8 b/sbin/gbde/gbde.8
index fe3d55d..d9994ea 100644
--- a/sbin/gbde/gbde.8
+++ b/sbin/gbde/gbde.8
@@ -41,6 +41,7 @@
 .Nm
 .Cm attach
 .Ar destination
+.Op Fl k Ar keyfile
 .Op Fl l Ar lockfile
 .Op Fl p Ar pass-phrase
 .Nm
@@ -51,25 +52,30 @@
 .Ar destination
 .Op Fl i
 .Op Fl f Ar filename
+.Op Fl K Ar new-keyfile
 .Op Fl L Ar new-lockfile
 .Op Fl P Ar new-pass-phrase
 .Nm
 .Cm setkey
 .Ar destination
 .Op Fl n Ar key
+.Op Fl k Ar keyfile
 .Op Fl l Ar lockfile
 .Op Fl p Ar pass-phrase
+.Op Fl K Ar new-keyfile
 .Op Fl L Ar new-lockfile
 .Op Fl P Ar new-pass-phrase
 .Nm
 .Cm nuke
 .Ar destination
 .Op Fl n Ar key
+.Op Fl k Ar keyfile
 .Op Fl l Ar lockfile
 .Op Fl p Ar pass-phrase
 .Nm
 .Cm destroy
 .Ar destination
+.Op Fl k Ar keyfile
 .Op Fl l Ar lockfile
 .Op Fl p Ar pass-phrase
 .Sh DESCRIPTION
@@ -180,6 +186,24 @@ Be aware that using this option may expose the pass-phrase to other
 users who happen to run
 .Xr ps 1
 or similar while the command is running.
+.Pp
+The
+.Fl k Ar keyfile
+argument specifies a key file to be used in combination with the
+pass-phrase (whether the pass-phrase is specified on the command line
+or entered from the terminal) for opening the device.
+The device will only be opened if the contents of the key file and the
+pass-phrase are both correct.
+.Pp
+The
+.Fl K Ar new-keyfile
+argument can be used to specify a new key file to the
+.Cm init
+and
+.Cm setkey
+subcommands.
+If not specified, no key file will be used (even if one was previously
+used).
 .Sh EXAMPLES
 To initialize a device, using default parameters:
 .Pp