program is the only official operation and management interface for the
.Xrgbde4
GEOM based disk encryption kernel facility.
The interaction between the
.Nm
program and the kernel part is not a published interface.
.Pp
The operational aspect consists of two subcommands, one to open and attach
a device and one to close and dettach
a device to the in-kernel cryptographic gbde module.
.Pp
The management part allows initialization of the master key and lock sectors
on a device, initialization and replacement of pass-phrases and
key invalidation and blackening functions.
.Pp
The
.FllArlockfile
argument is used to supply the lock selector data.
If no
.Fll
argument is specified, the first sector is used for this purpose.
.Pp
.FlLArnew-lockfile
specifies the lock selector file for the key modified with the
.Arsetkeysubcommand.
.Pp
The
.FlnArkey
argument can be used to specify which of the four keys the operation applies to.
A value of 1 to 4 selects the specified key, a value of 0 (the default) means "this key" (ie, the key used to gain access to the device) and a value of -1 means "all keys".
.Pp
The
.FlfArfilename
specifies an optional parameter file for use under initialization.
.Pp
Alternatively the
.Fli
optional toggles an interactive mode where a template file with descriptions
of the parameters can be interactively edited.
.Pp
.FlpArpass-phrase
specifies the pass-phrase used to opening the device.
If not specified the controlling terminal will be used to prompt the user
for the pass-phrase.
.Pp
.FlPArnew-pass-phrase
can be used to specify the new pass-phrase to the
.Arsetkey
subcommand.
If not specified, the user is prompted for the new pass-phrase on the
controlling terminal.
.ShEXAMPLES
To initialize a device, using default parameters:
.Dl#gbdeinit/dev/ad0s1f-l/etc/ad0s1f.lock
.Pp
To attach an encrypted device:
.Dl#gbdeattachad0s1f-l/etc/ad0s1f.lock
.Pp
To dettach an encrypted device:
.Dl#gbdedettachad0s1f
.Pp
To initialize the second key using a dettached lockfile and a trivial
pass-phrase:
.Dl#gbdesetkeyad0s1f-n2-Pfoo-Lkey2.lockfile
.Pp
To destroy all copies of the masterkey:
.Dl#gbdedestroyad0s1f-n-1
.ShSEEALSO
.Xrgbde4,
.Xrgeom4.
.Rs
.%APoul-HenningKamp
.%T"Making sure data is lost: Spook-strength encryption of on-disk data"
.%R"Refereed paper, NORDU2003 conference"
.Re
.ShHISTORY
This software was developed for the FreeBSD Project by Poul-Henning Kamp
and NAI Labs, the Security Research Division of Network Associates, Inc.
under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the