Module Name:    src
Committed By:   riastradh
Date:           Sun May 10 02:31:29 UTC 2020

Modified Files:
        src/share/man/man7: sysctl.7

Log Message:
Document vm.swap_encrypt.


To generate a diff of this commit:
cvs rdiff -u -r1.144 -r1.145 src/share/man/man7/sysctl.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man7/sysctl.7
diff -u src/share/man/man7/sysctl.7:1.144 src/share/man/man7/sysctl.7:1.145
--- src/share/man/man7/sysctl.7:1.144	Sun May 10 02:30:33 2020
+++ src/share/man/man7/sysctl.7	Sun May 10 02:31:29 2020
@@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.7,v 1.144 2020/05/10 02:30:33 riastradh Exp $
+.\"	$NetBSD: sysctl.7,v 1.145 2020/05/10 02:31:29 riastradh Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -2493,6 +2493,7 @@ privilege may change the value.
 .It vm.proc.map	struct kinfo_vmentry	no
 .It vm.guard_size	unsigned int	no
 .It vm.thread_guard_size	unsigned int	yes
+.It vm.swap_encrypt	bool	yes
 .El
 .Bl -tag -width "123456"
 .It Li vm.anonmax ( Dv VM_ANONMAX )
@@ -2566,6 +2567,29 @@ Return system wide guard size for the ma
 .It Li vm.thread_guard_size
 Return system wide default size for the guard area of all other threads
 of a program.
+.It Li vm.swap_encrypt
+If true, encrypt data while swapped out to disk.
+.Pp
+Each swap device maintains an independent AES-256 key, generated when
+the first page is swapped to that device.
+Each page is swapped independently using AES-CBC, with an
+initialization vector chosen by the encryption under the AES-256 key of
+the little-endian swap slot number padded to 128 bits with zeros.
+(This is essentially the
+.Xr cgd 4
+.Sq encblkno1
+method.)
+.Pp
+Changes to
+.Li vm.swap_encrypt
+only affect pages of swap newly written out.
+To force encrypting or decrypting all existing swap, or to rekey
+previously encrypted swap, you can remove the swap devices and re-add
+them with
+.Xr swapctl 8 ,
+with the caveat that whatever pages were already written to disk
+unencrypted or encrypted with a compromised key may still be written to
+disk afterward.
 .\" XXX vm.idlezero
 .El
 .Ss The ddb.* subtree ( Dv CTL_DDB )
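Review bot: the IV sentence in this hunk is hard to parse as written ("an initialization vector chosen by the encryption under the AES-256 key of the little-endian swap slot number padded to 128 bits with zeros"); consider restating it in the order a reader needs: the IV is computed by encrypting, under the same per-device AES-256 key, the swap slot number encoded as a little-endian integer zero-padded to 128 bits. Two smaller points in the same entry: "Each page is swapped independently using AES-CBC" would be clearer as "Each page is encrypted independently", since it is the encryption, not the swapping, that is per-page; and the closing caveat ("may still be written to disk afterward") reads as if the old pages will be rewritten, so if the intended point is that plaintext or old-key ciphertext already on the device remains there until overwritten, say that directly. The entry also does not state the default value of vm.swap_encrypt, which the neighbouring entries' readers will expect.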
