Teach rc.d/encswap script how to use geli(8) for swap encryption.

MFC after: 3 days
2005-08-05 23:38:51 +00:00 · 2005-08-05 23:38:51 +00:00 · 49ad116fcc
commit 49ad116fcc
parent e816acc79b
3 changed files with 25 additions and 15 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -59,6 +59,8 @@ gbde_devices="NO" 	# Devices to automatically attach (list, or AUTO)
 gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
 gbde_lockdir="/etc"	# Where to look for gbde lockfiles

+geli_swap_flags="-a aes -l 256 -s 4096 -d"	# Options for GELI-encrypted swap partitions.
+
 root_rw_mount="YES"	# Set to NO to inhibit remounting root read-write.
 fsck_y_enable="NO"	# Set to YES to do fsck -y if the initial preen fails.
 background_fsck="YES"	# Attempt to run fsck in the background where possible.
--- a/etc/rc.d/encswap
+++ b/etc/rc.d/encswap
@ -9,11 +9,11 @@

 . /etc/rc.subr

-name="gbde_swap"
-start_cmd="gbde_swap_attach"
-stop_cmd="gbde_swap_detach"
+name="encswap"
+start_cmd="encswap_attach"
+stop_cmd="encswap_detach"

-gbde_swap_attach()
+encswap_attach()
 {
 	while read device mountpoint type options rest ; do
 		case ":${device}:${type}:${options}" in
@ -21,19 +21,20 @@ gbde_swap_attach()
 			continue
 			;;
 		*.bde:swap:sw)
+			passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
+			device="${device%.bde}"
+			gbde init "${device}" -P "${passphrase}" || return 1
+			gbde attach "${device}" -p "${passphrase}" || return 1
 			;;
-		*)
-			continue
+		*.eli:swap:sw)
+			device="${device%.eli}"
+			geli onetime ${geli_swap_flags} "${device}" || return 1
 			;;
 		esac
-		passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
-		device="${device%.bde}"
-		gbde init "${device}" -P "${passphrase}" || return 1
-		gbde attach "${device}" -p "${passphrase}" || return 1
 	done < /etc/fstab
 }

-gbde_swap_detach()
+encswap_detach()
 {
 	while read device mountpoint type options rest ; do
 		case ":${device}:${type}:${options}" in
@ -41,13 +42,14 @@ gbde_swap_detach()
 			continue
 			;;
 		*.bde:swap:sw)
+			device="${device%.bde}"
+			gbde detach "${device}"
 			;;
-		*)
-			continue
+		*.eli:swap:sw)
+			# Nothing here, because geli swap devices should be
+			# created with the auto-detach-on-last-close option.
 			;;
 		esac
-		device="${device%.bde}"
-		gbde detach "${device}"
 	done < /etc/fstab
 }

--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -1156,6 +1156,12 @@ Number of times to attempt attaching to a
 .Xr gbde 4
 device, i.e., how many times the user is asked for the pass-phrase.
 Default is 3.
+.It Va geli_swap_flags
+Options passed to the
+.Xr geli 8
+utility when encrypted GEOM providers for swap partitions are created.
+The default is
+.Dq Li -a aes -l 256 -s 4096 -d .
 .It Va root_rw_mount
 .Pq Vt bool
 Set to