Source-Changes-HG archive


[src/trunk]: src/share/man/man7 Document vm.swap_encrypt.



details:   https://anonhg.NetBSD.org/src/rev/69ce6d897508
branches:  trunk
changeset: 932505:69ce6d897508
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun May 10 02:31:29 2020 +0000

description:
Document vm.swap_encrypt.

diffstat:

 share/man/man7/sysctl.7 |  26 +++++++++++++++++++++++++-
 1 files changed, 25 insertions(+), 1 deletions(-)

diffs (47 lines):

diff -r b5644efd087b -r 69ce6d897508 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7   Sun May 10 02:30:33 2020 +0000
+++ b/share/man/man7/sysctl.7   Sun May 10 02:31:29 2020 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: sysctl.7,v 1.144 2020/05/10 02:30:33 riastradh Exp $
+.\"    $NetBSD: sysctl.7,v 1.145 2020/05/10 02:31:29 riastradh Exp $
 .\"
 .\" Copyright (c) 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -2493,6 +2493,7 @@
 .It vm.proc.map        struct kinfo_vmentry    no
 .It vm.guard_size      unsigned int    no
 .It vm.thread_guard_size       unsigned int    yes
+.It vm.swap_encrypt    bool    yes
 .El
 .Bl -tag -width "123456"
 .It Li vm.anonmax ( Dv VM_ANONMAX )
@@ -2566,6 +2567,29 @@
 .It Li vm.thread_guard_size
 Return system wide default size for the guard area of all other threads
 of a program.
+.It Li vm.swap_encrypt
+If true, encrypt data while swapped out to disk.
+.Pp
+Each swap device maintains an independent AES-256 key, generated when
+the first page is swapped to that device.
+Each page is swapped independently using AES-CBC, with an
+initialization vector chosen by the encryption under the AES-256 key of
+the little-endian swap slot number padded to 128 bits with zeros.
+(This is essentially the
+.Xr cgd 4
+.Sq encblkno1
+method.)
+.Pp
+Changes to
+.Li vm.swap_encrypt
+only affect pages of swap newly written out.
+To force encrypting or decrypting all existing swap, or to rekey
+previously encrypted swap, you can remove the swap devices and re-add
+them with
+.Xr swapctl 8 ,
+with the caveat that whatever pages were already written to disk
+unencrypted or encrypted with a compromised key may still be written to
+disk afterward.
 .\" XXX vm.idlezero
 .El
 .Ss The ddb.* subtree ( Dv CTL_DDB )
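Review bot: the new vm.swap_encrypt description never states the default value (whether swap encryption is on or off after boot), which is the first thing a reader of sysctl.7 needs before deciding to change it; suggest a sentence after `+If true, encrypt data while swapped out to disk.` giving the default. The final caveat is also hard to parse as written (`+unencrypted or encrypted with a compromised key may still be written to` / `+disk afterward.`): it would read more clearly if it said that copies already on disk in the old form remain there until overwritten or the device is removed, and that removing a swap device with swapctl(8) is what discards its key, since the rekey advice in the preceding lines relies on that behaviour without stating it.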


