marry(ADM) uses the marry driver to associate a block special device file with a regular file. The regular file may then be accessed through the block device node or a character device node created below the /dev/marry directory.
Do not use the marry driver to swap to a file. The kernel allows swapping to a file without the marry driver. See swap(ADM) for more information.
The only permanent device file associated with the marry driver is /dev/rmarry, a character device node that allows control of the driver through ioctl(S) calls. The default permissions on this node are 777. If you change the permissions on /dev/rmarry, you should also edit /etc/conf/node.d/marry so that the new permissions take effect whenever the kernel environment is rebuilt.
Note: Although file permissions were the means used to restrict access to the marry driver in previous releases, the privilege mechanism should be used for that purpose.
The stretching process increases the key's entropy (i.e., randomness). MryEnc_MMDDBA_StretchCnt_TUNE refers to the key used for the Encrypted State Information Area. MryEnc_MKSB_StretchCnt_TUNE refers to the keys used for the User Data Area. Each key is individually stretched. The settable values range from zero to the maximum value representable by an unsigned 64-bit integer. A value of zero selects the predefined stretch count defined in /usr/include/sys/fs/marry.h. The default value is one; this effectively disables the key stretching.
Depending on the stretch count value(s) selected and the speed of the machine, stretching can have a significant impact on the time it takes to start up and initialize a marriage. The stretch count does not affect the performance once the marriage has been created.
Finding a stretch count that gives both the desired increase in the number of bits of entropy for the key and an acceptable start up and initialization time for the marriage on a given system will require experimentation. NOTE: Once a stretch count is defined on a regfile that is enabled with the marry encrypted feature for the first time, it remains at that value regardless of any subsequent change to the tuneables. It is therefore suggested that you use a temporary regfile while determining the appropriate stretch count for the system.
An alternate or combined (i.e. with stretching) method to increase a key's entropy is to increase the length of the passphrase. The passphrase should be unpredictable as well. Approximately 128 bits of entropy can be realized from a 64 character passphrase.
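A planning sketch for the experimentation described above, added here and not taken from the marry driver or its documentation. It assumes iterated SHA-256 as a stand-in for the driver's stretch function (which this page does not describe), that a stretch count of N multiplies an attacker's guessing work by N (log2 N bits), and a hypothetical `keys` parameter for how many keys are stretched at start up; the 2 bits per character figure is this page's own 128-bit/64-character estimate.

```python
import hashlib
import math
import time

U64_MAX = 2**64 - 1           # upper bound of the tuneables, per this page
BITS_PER_CHAR = 128 / 64      # this page's estimate: ~128 bits from 64 characters

def stretch(key: bytes, count: int) -> bytes:
    """Stand-in stretch (assumption): iterate SHA-256 `count` times."""
    for _ in range(count):
        key = hashlib.sha256(key).digest()
    return key

def measure_rate(sample: int = 200_000) -> float:
    """Iterations per second of the stand-in on this machine."""
    start = time.perf_counter()
    stretch(b"constructed sample key", sample)
    return sample / (time.perf_counter() - start)

def added_bits(count: int) -> float:
    """Extra guessing work from stretching, in bits: log2(count)."""
    if not 1 <= count <= U64_MAX:
        # 0 selects the count predefined in marry.h, which is unknown here.
        raise ValueError("count must be 1..2**64-1; 0 defers to marry.h")
    return math.log2(count)

def plan(budget_s: float, rate: float, passphrase_len: int, keys: int = 2) -> dict:
    """Largest equal stretch count for `keys` keys that fits the time budget."""
    count = min(U64_MAX, max(1, int(budget_s * rate / keys)))
    gain = added_bits(count)
    passphrase_bits = passphrase_len * BITS_PER_CHAR
    return {
        "stretch_count": count,
        "added_bits": round(gain, 2),
        "passphrase_bits": passphrase_bits,
        "effective_bits": round(passphrase_bits + gain, 2),
    }

if __name__ == "__main__":
    rate = measure_rate()
    for budget in (0.5, 2.0, 10.0):   # constructed start-up budgets, in seconds
        print(budget, plan(budget, rate, passphrase_len=20))
```

The rate measured here is for user-space Python, not the driver, so treat the resulting count as a starting point and confirm the real start up time on a temporary regfile.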
In order for changes to the tuneable parameters to take effect, the marry driver must be unloaded, rebuilt, and reloaded.
It is recommended that you do not modify any of the other tuneables in the marry driver's space.c file.