25c25
< .\" $FreeBSD: head/sbin/geom/class/eli/geli.8 213172 2010-09-25 17:38:57Z pjd $
---
> .\" $FreeBSD: head/sbin/geom/class/eli/geli.8 214118 2010-10-20 20:50:55Z pjd $
27c27
< .Dd September 25, 2010
---
> .Dd October 20, 2010
121a122,131
> .Cm suspend
> .Op Fl v
> .Fl a | Ar prov ...
> .Nm
> .Cm resume
> .Op Fl pv
> .Op Fl j Ar passfile
> .Op Fl k Ar keyfile
> .Ar prov
> .Nm
209a220,221
> .It
> Allows to suspend and resume encrypted devices.
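Review bot: "Allows to suspend and resume encrypted devices." in the new feature-list item has no object for "allows" and reads ungrammatically. Suggest "Allows suspending and resuming encrypted devices." or "Supports suspending and resuming encrypted devices."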
460a473,474
> .Pp
> Additional options include:
484a499,500
> .Pp
> Additional options include:
492a509,510
> .Pp
> Additional options include:
510a529,587
> .It Cm suspend
> Suspend device by waiting for all inflight request to finish, clearing all
> sensitive informations (like keys) from the kernel memory and blocking all
> further I/O requests until the
> .Cm resume
> subcommand is executed.
> This functionality is useful for eg. laptops - when one wants to suspend a
> laptop, one does not want to leave encrypted device attached.
> Instead of closing all files and directories opened from a file system placed
> on an encrypted device, unmounting the file system and detaching the device,
> the
> .Cm suspend
> subcommand can be used.
> Any access to the encrypted device will be blocked until the keys are
> recovered through
> .Cm resume
> subcommand, thus there is no need to close nor unmount anything.
> The
> .Cm suspend
> subcommand does not work with devices created with the
> .Cm onetime
> subcommand.
> Please note that sensitive data might still be present in memory after
> suspending encrypted device, because of file system cache, etc.
> .Pp
> Additional options include:
> .Bl -tag -width ".Fl a"
> .It Fl a
> Suspend all
> .Nm
> devices.
> .El
> .It Cm resume
> Resume previously suspended device.
> The caller must ensure that executing this subcommand won't try to access
> suspended device, which will lead to a deadlock.
> For example suspending device, which contains file system where the
> .Nm
> utility is stored is bad idea.
> .Pp
> Additional options include:
> .Bl -tag -width ".Fl j Ar passfile"
> .It Fl j Ar passfile
> Specifies a file which contains the passphrase or its part.
> For more information see the description of the
> .Fl J
> option for the
> .Cm init
> subcommand.
> .It Fl k Ar keyfile
> Specifies a file which contains part of the key.
> For more information see the description of the
> .Fl K
> option for the
> .Cm init
> subcommand.
> .It Fl p
> Do not use passphrase as the key component.
> .El
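Review bot: the closing caveat of the suspend item ("sensitive data might still be present in memory after suspending encrypted device, because of file system cache, etc.") is too vague for a security-relevant limitation, especially after the opening sentence promises "clearing all sensitive informations (like keys) from the kernel memory". Suggest stating plainly that only the keys are cleared and that data already decrypted and held in the file system cache stays in memory, and replacing "etc." with the other cases the author has in mind. The same hunk needs a wording pass: "inflight request" should be "in-flight requests", "informations" should be "information", "eg." should be "e.g.", and "is bad idea" in the resume item should be "is a bad idea".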
516a594,595
> .Pp
> Additional options include:
748a828,840
> .Pp
> Suspend all
> .Nm
> devices, suspend a laptop, then resume devices one by one after resuming a
> laptop:
> .Bd -literal -offset indent
> # geli suspend -a
> # zzz
> <resume your laptop>
> # geli resume -p -k keyfile gpt/secret
> # geli resume gpt/private
> Enter passphrase:
> .Ed
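Review bot: the example runs "geli resume -p -k keyfile gpt/secret" directly after "geli suspend -a", with a relative keyfile path and no word on where that file or the geli binary lives. The resume description added in this change says that touching a suspended device while resuming leads to a deadlock, so the example should add a sentence saying the keyfile and the geli utility must sit on storage that is not a suspended geli device, or show an absolute path to such a location.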