From 49ad116fcc61697bdb76c2a29ee51a4b9bbd1621 Mon Sep 17 00:00:00 2001
From: Pawel Jakub Dawidek
Date: Fri, 5 Aug 2005 23:38:51 +0000
Subject: [PATCH] Teach rc.d/encswap script how to use geli(8) for swap encryption.

MFC after: 3 days
---
 etc/defaults/rc.conf | 2 ++
 etc/rc.d/encswap | 32 +++++++++++++++++---------------
 share/man/man5/rc.conf.5 | 6 ++++++
 3 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 0e2eaf0fbac7..e9d86e46e79d 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -59,6 +59,8 @@ gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
 gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
 gbde_lockdir="/etc" # Where to look for gbde lockfiles
+geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted swap partitions.
+
 root_rw_mount="YES" # Set to NO to inhibit remounting root read-write.
 fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.
 background_fsck="YES" # Attempt to run fsck in the background where possible.
diff --git a/etc/rc.d/encswap b/etc/rc.d/encswap
index 82ac8da45f1a..622199869d1c 100644
--- a/etc/rc.d/encswap
+++ b/etc/rc.d/encswap
@@ -9,11 +9,11 @@
 
 . /etc/rc.subr
 
-name="gbde_swap"
-start_cmd="gbde_swap_attach"
-stop_cmd="gbde_swap_detach"
+name="encswap"
+start_cmd="encswap_attach"
+stop_cmd="encswap_detach"
 
-gbde_swap_attach()
+encswap_attach()
 {
 while read device mountpoint type options rest ; do
 case ":${device}:${type}:${options}" in
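Review bot: The new `geli_swap_flags` default in etc/defaults/rc.conf does not say that `-d` is load-bearing, yet the `*.eli:swap:sw)` case of encswap_detach (the second encswap hunk) deliberately does nothing and, per its own comment, relies on the provider having been created with auto-detach-on-last-close. An administrator who overrides the variable and drops `-d` gets a stop path that silently leaves the .eli provider, and its key, attached. Either extend the rc.conf comment, e.g. `# Options for GELI-encrypted swap partitions; rc.d/encswap relies on -d (auto-detach) being present.`, or make the detach case defensive with `geli detach "${device}" 2>/dev/null` after `device="${device%.eli}"`, which is harmless when auto-detach has already removed the provider. The same note applies to the rc.conf.5 text, which describes the flags without this dependency.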
@@ -21,19 +21,20 @@ gbde_swap_attach()
 continue
 ;;
 *.bde:swap:sw)
+ passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
+ device="${device%.bde}"
+ gbde init "${device}" -P "${passphrase}" || return 1
+ gbde attach "${device}" -p "${passphrase}" || return 1
 ;;
- *)
- continue
+ *.eli:swap:sw)
+ device="${device%.eli}"
+ geli onetime ${geli_swap_flags} "${device}" || return 1
 ;;
 esac
- passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
- device="${device%.bde}"
- gbde init "${device}" -P "${passphrase}" || return 1
- gbde attach "${device}" -p "${passphrase}" || return 1
 done < /etc/fstab
 }
 
-gbde_swap_detach()
+encswap_detach()
 {
 while read device mountpoint type options rest ; do
 case ":${device}:${type}:${options}" in
@@ -41,13 +42,14 @@ gbde_swap_detach()
 continue
 ;;
 *.bde:swap:sw)
+ device="${device%.bde}"
+ gbde detach "${device}"
 ;;
- *)
- continue
+ *.eli:swap:sw)
+ # Nothing here, because geli swap devices should be
+ # created with the auto-detach-on-last-close option.
 ;;
 esac
- device="${device%.bde}"
- gbde detach "${device}"
 done < /etc/fstab
 }
 
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index fcab89fd7946..69e9821cad1e 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -1156,6 +1156,12 @@ Number of times to attempt attaching to a
 .Xr gbde 4
 device, i.e., how many times the user is asked for the pass-phrase.
 Default is 3.
+.It Va geli_swap_flags
+Options passed to the
+.Xr geli 8
+utility when encrypted GEOM providers for swap partitions are created.
+The default is
+.Dq Li -a aes -l 256 -s 4096 -d .
 .It Va root_rw_mount
 .Pq Vt bool
 Set to
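Review bot: In the new `*.eli:swap:sw)` branch of encswap_attach, `geli onetime ${geli_swap_flags} "${device}" || return 1` returns out of the `while ... done < /etc/fstab` loop on the first failure, so any swap entry listed later in fstab is never attached and nothing is logged about why. The gbde branch inherits the same behaviour from the lines the commit only moves, so fixing it in one place invites fixing both. For the geli line I would report and keep going: `geli onetime ${geli_swap_flags} "${device}" || { warn "geli onetime failed for ${device}"; continue; }`, using the `warn` helper that rc.subr provides. The unquoted `${geli_swap_flags}` is intentional so the flags word-split, and is worth a one-line comment saying so.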