'\" te
.\" Copyright 2013 Nexenta Systems, Inc. All rights reserved.
.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH LOFIADM 1M "Aug 28, 2013"
.SH NAME
lofiadm \- administer files available as block devices through lofi
.SH SYNOPSIS
.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-k\fR \fIraw_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR
     \fB-k\fR \fIwrapped_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-e\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR \fB-C\fR \fIalgorithm\fR [\fB-s\fR \fIsegment_size\fR] \fIfile\fR
.fi

.LP
.nf
\fBlofiadm\fR \fB-d\fR \fIfile\fR | \fIdevice\fR
.fi

.LP
.nf
\fBlofiadm\fR \fB-U\fR \fIfile\fR
.fi

.LP
.nf
\fBlofiadm\fR [ \fIfile\fR | \fIdevice\fR]
.fi

.SH DESCRIPTION
.sp
.LP
\fBlofiadm\fR administers \fBlofi\fR, the loopback file driver. \fBlofi\fR
allows a file to be associated with a block device. That file can then be
accessed through the block device. This is useful when the file contains an
image of some filesystem (such as a floppy or \fBCD-ROM\fR image), because the
block device can then be used with the normal system utilities for mounting,
checking or repairing filesystems. See \fBfsck\fR(1M) and \fBmount\fR(1M).
.sp
.LP
Use \fBlofiadm\fR to add a file as a loopback device, remove such an
association, or print information about the current associations.
.sp
.LP
Encryption and compression options are mutually exclusive on the command line.
Further, an encrypted file cannot be compressed later, nor can a compressed
file be encrypted later.

In the global zone, \fBlofiadm\fR can be used on both the global
zone devices and all devices owned by other non-global zones on the system.
.sp
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-a\fR \fIfile\fR [\fIdevice\fR]\fR
.ad
.sp .6
.RS 4n
Add \fIfile\fR as a block device.
.sp
If \fIdevice\fR is not specified, an available device is picked.
.sp
If \fIdevice\fR is specified, \fBlofiadm\fR attempts to assign it to
\fIfile\fR. \fIdevice\fR must be available or \fBlofiadm\fR will fail. The
ability to specify a device is provided for use in scripts that wish to
reestablish a particular set of associations.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR {\fIgzip\fR | \fIgzip-N\fR | \fIlzma\fR}\fR
.ad
.sp .6
.RS 4n
Compress the file with the specified compression algorithm.
.sp
The \fBgzip\fR compression algorithm uses the same compression as the
open-source \fBgzip\fR command. You can specify the \fBgzip\fR level by using
the value \fBgzip-\fR\fIN\fR where \fIN\fR is 6 (fast) or 9 (best compression
ratio). Currently, \fBgzip\fR, without a number, is equivalent to \fBgzip-6\fR
(which is also the default for the \fBgzip\fR command).
.sp
\fIlzma\fR stands for the LZMA (Lempel-Ziv-Markov) compression algorithm.
.sp
Note that you cannot write to a compressed file, nor can you mount a compressed
file read/write.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR \fIfile\fR | \fIdevice\fR\fR
.ad
.sp .6
.RS 4n
Remove an association by \fIfile\fR or \fIdevice\fR name, if the associated
block device is not busy, and deallocate the block device.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR
.ad
.sp .6
.RS 4n
If the \fB-r\fR option is specified before the \fB-a\fR option, the
\fIdevice\fR will be opened read-only.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsegment_size\fR\fR
.ad
.sp .6
.RS 4n
The segment size to use to divide the file being compressed. \fIsegment_size\fR
can be an integer multiple of 512.
.RE

.sp
.ne 2
.na
\fB\fB-U\fR \fIfile\fR\fR
.ad
.sp .6
.RS 4n
Uncompress a compressed file.
.RE

.sp
.LP
The following options are used when the file is encrypted:
.sp
.ne 2
.na
\fB\fB-c\fR \fIcrypto_algorithm\fR\fR
.ad
.sp .6
.RS 4n
Select the encryption algorithm. The algorithm must be specified when
encryption is enabled because the algorithm is not stored in the disk image.
.sp
If none of \fB-e\fR, \fB-k\fR, or \fB-T\fR is specified, \fBlofiadm\fR prompts
for a passphrase, with a minimum length of eight characters, to be entered.
The passphrase is used to derive a symmetric encryption key using PKCS#5 PBKDF2.
.RE

.sp
.ne 2
.na
\fB\fB-k\fR \fIraw_key_file\fR | \fIwrapped_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to raw or wrapped symmetric encryption key. If a PKCS#11 object is also
given with the \fB-T\fR option, then the key is wrapped by that object. If
\fB-T\fR is not specified, the key is used raw.
.RE

.sp
.ne 2
.na
\fB\fB-T\fR \fItoken_key\fR\fR
.ad
.sp .6
.RS 4n
The key in a PKCS#11 token to use for the encryption or for unwrapping the key
file.
.sp
If \fB-k\fR is also specified, \fB-T\fR identifies the unwrapping key, which
must be an RSA private key.
.RE

.sp
.ne 2
.na
\fB\fB-e\fR\fR
.ad
.sp .6
.RS 4n
Generate an ephemeral symmetric encryption key.
.RE

.SH OPERANDS
.sp
.LP
The following operands are supported:
.sp
.ne 2
.na
\fB\fIcrypto_algorithm\fR\fR
.ad
.sp .6
.RS 4n
One of: \fBaes-128-cbc\fR, \fBaes-192-cbc\fR, \fBaes-256-cbc\fR,
\fBdes3-cbc\fR, \fBblowfish-cbc\fR.
.RE

.sp
.ne 2
.na
\fB\fIdevice\fR\fR
.ad
.sp .6
.RS 4n
Display the file name associated with the block device \fIdevice\fR.
.sp
Without arguments, print a list of the current associations. Filenames must be
valid absolute pathnames.
.sp
When a file is added, it is opened for reading or writing by root. Any
restrictions apply (such as restricted root access over \fBNFS\fR). The file is
held open until the association is removed. It is not actually accessed until
the block device is used, so it will never be written to if the block device is
only opened read-only.

Note that the filename may appear as "?" if it is not possible to resolve the
path in the current context (for example, if it's an NFS path in a non-global
zone).
.RE

.sp
.ne 2
.na
\fB\fIfile\fR\fR
.ad
.sp .6
.RS 4n
Display the block device associated with \fIfile\fR.
.RE

.sp
.ne 2
.na
\fB\fIraw_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to a file of the appropriate length, in bits, to use as a raw symmetric
encryption key.
.RE

.sp
.ne 2
.na
\fB\fItoken_key\fR\fR
.ad
.sp .6
.RS 4n
PKCS#11 token object in the format:
.sp
.in +2
.nf
\fItoken_name\fR:\fImanufacturer_id\fR:\fIserial_number\fR:\fIkey_label\fR
.fi
.in -2
.sp

All but the key label are optional and can be empty. For example, to specify a
token object with only its key label \fBMylofiKey\fR, use:
.sp
.in +2
.nf
-T :::MylofiKey
.fi
.in -2
.sp

.RE

.sp
.ne 2
.na
\fB\fIwrapped_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to file containing a symmetric encryption key wrapped by the RSA private
key specified by \fB-T\fR.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRMounting an Existing CD-ROM Image
.sp
.LP
You should ensure that Solaris understands the image before creating the
\fBCD\fR. \fBlofi\fR allows you to mount the image and see if it works.

.sp
.LP
This example mounts an existing \fBCD-ROM\fR image (\fBsparc.iso\fR) of the
\fBRed Hat 6.0 CD\fR, which was downloaded from the Internet. It was created
with the \fBmkisofs\fR utility from the Internet.

.sp
.LP
Use \fBlofiadm\fR to attach a block device to it:

.sp
.in +2
.nf
# \fBlofiadm -a /home/mike_s/RH6.0/sparc.iso\fR
/dev/lofi/1
.fi
.in -2
.sp

.sp
.LP
\fBlofiadm\fR picks the device and prints the device name to the standard
output. You can run \fBlofiadm\fR again by issuing the following command:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device     File                           Options
/dev/lofi/1      /home/mike_s/RH6.0/sparc.iso   -
.fi
.in -2
.sp

.sp
.LP
Or, you can give it one name and ask for the other, by issuing the following
command:

.sp
.in +2
.nf
# \fBlofiadm /dev/lofi/1\fR
/home/mike_s/RH6.0/sparc.iso
.fi
.in -2
.sp

.sp
.LP
Use the \fBmount\fR command to mount the image:

.sp
.in +2
.nf
# \fBmount -F hsfs -o ro /dev/lofi/1 /mnt\fR
.fi
.in -2
.sp

.sp
.LP
Check to ensure that Solaris understands the image:

.sp
.in +2
.nf
# \fBdf -k /mnt\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1           512418  512418       0   100%    /mnt
# \fBls /mnt\fR
\&./            RedHat/       doc/          ls-lR         rr_moved/
\&../           TRANS.TBL     dosutils/     ls-lR.gz      sbin@
\&.buildlog     bin@          etc@          misc/         tmp/
COPYING       boot/         images/       mnt/          usr@
README        boot.cat*     kernels/      modules/
RPM-PGP-KEY   dev@          lib@          proc/
.fi
.in -2
.sp

.sp
.LP
Solaris can mount the CD-ROM image, and understand the filenames. The image was
created properly, and you can now create the \fBCD-ROM\fR with confidence.

.sp
.LP
As a final step, unmount and detach the images:

.sp
.in +2
.nf
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
# \fBlofiadm\fR
Block Device             File             Options
.fi
.in -2
.sp

.LP
\fBExample 2 \fRMounting a Floppy Image
.sp
.LP
This is similar to the first example.

.sp
.LP
Using \fBlofi\fR to help you mount files that contain floppy images is helpful
if a floppy disk contains a file that you need, but the machine which you are
on does not have a floppy drive. It is also helpful if you do not want to take
the time to use the \fBdd\fR command to copy the image to a floppy.

.sp
.LP
This is an example of getting to the \fBMDB\fR floppy for Solaris on an x86
platform:

.sp
.in +2
.nf
# \fBlofiadm -a /export/s28/MDB_s28x_wos/latest/boot.3\fR
/dev/lofi/1
# \fBmount -F pcfs /dev/lofi/1 /mnt\fR
# \fBls /mnt\fR
\&./            COMMENT.BAT*  RC.D/         SOLARIS.MAP*
\&../           IDENT*        REPLACE.BAT*  X/
APPEND.BAT*   MAKEDIR.BAT*  SOLARIS/
# \fBumount /mnt\fR
# \fBlofiadm -d /export/s28/MDB_s28x_wos/latest/boot.3\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRMaking a \fBUFS\fR Filesystem on a File
.sp
.LP
Making a \fBUFS\fR filesystem on a file can be useful, particularly if a test
suite requires a scratch filesystem. It can be painful (or annoying) to have to
repartition a disk just for the test suite, but you do not have to. You can
\fBnewfs\fR a file with \fBlofi\fR.

.sp
.LP
Create the file:

.sp
.in +2
.nf
# \fBmkfile 35m /export/home/test\fR
.fi
.in -2
.sp

.sp
.LP
Attach it to a block device. You also get the character device that \fBnewfs\fR
requires, so \fBnewfs\fR that:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/test\fR
/dev/lofi/1
# \fBnewfs /dev/rlofi/1\fR
newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
/dev/rlofi/1:   71638 sectors in 119 cylinders of 1 tracks, 602 sectors
        35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
.fi
.in -2
.sp

.sp
.LP
Note that \fBufs\fR might not be able to use the entire file. Mount and use the
filesystem:

.sp
.in +2
.nf
# \fBmount /dev/lofi/1 /mnt\fR
# \fBdf -k /mnt\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1            33455       9   30101     1%    /mnt
# \fBls /mnt\fR
\&./           ../          lost+found/
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
.fi
.in -2
.sp

.LP
\fBExample 4 \fRCreating a PC (FAT) File System on a Unix File
.sp
.LP
The following series of commands creates a \fBFAT\fR file system on a Unix
file. The file is associated with a block device created by \fBlofiadm\fR.

.sp
.in +2
.nf
# \fBmkfile 10M /export/test/testfs\fR
# \fBlofiadm -a /export/test/testfs\fR
/dev/lofi/1
\fBNote use of\fR rlofi\fB, not\fR lofi\fB, in following command.\fR
# \fBmkfs -F pcfs -o nofdisk,size=20480 /dev/rlofi/1\fR
\fBConstruct a new FAT file system on /dev/rlofi/1: (y/n)?\fR y
# \fBmount -F pcfs /dev/lofi/1 /mnt\fR
# \fBcd /mnt\fR
# \fBdf -k .\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1            10142       0   10142     0%    /mnt
.fi
.in -2
.sp

.LP
\fBExample 5 \fRCompressing an Existing CD-ROM Image
.sp
.LP
The following example illustrates compressing an existing CD-ROM image
(\fBsolaris.iso\fR), verifying that the image is compressed, and then
uncompressing it.

.sp
.in +2
.nf
# \fBlofiadm -C gzip /export/home/solaris.iso\fR
.fi
.in -2
.sp

.sp
.LP
Use \fBlofiadm\fR to attach a block device to it:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/solaris.iso\fR
  /dev/lofi/1
.fi
.in -2
.sp

.sp
.LP
Check if the mapped image is compressed:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device      File                            Options
/dev/lofi/1       /export/home/solaris.iso        Compressed(gzip)
/dev/lofi/2       /export/home/regular.iso        -
.fi
.in -2
.sp

.sp
.LP
Unmap the compressed image and uncompress it:

.sp
.in +2
.nf
# \fBlofiadm -d /dev/lofi/1\fR
# \fBlofiadm -U /export/home/solaris.iso\fR
.fi
.in -2
.sp

.LP
\fBExample 6 \fRCreating an Encrypted UFS File System on a File
.sp
.LP
This example is similar to the example of making a UFS filesystem on a file,
above.

.sp
.LP
Create the file:

.sp
.in +2
.nf
# \fBmkfile 35m /export/home/secrets\fR
.fi
.in -2
.sp

.sp
.LP
Attach the file to a block device and specify that the file image is encrypted.
As a result of this command, you obtain the character device, which is
subsequently used by \fBnewfs\fR:

.sp
.in +2
.nf
# \fBlofiadm -c aes-256-cbc -a /export/home/secrets\fR
Enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR           (\fBnot echoed\fR)
Re-enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR        (\fBnot echoed\fR)
/dev/lofi/1

# \fBnewfs /dev/rlofi/1\fR
newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
/dev/rlofi/1:   71638 sectors in 119 cylinders of 1 tracks, 602 sectors
       35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
.fi
.in -2
.sp

.sp
.LP
The mapped file system shows that encryption is enabled:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device    File                     Options
/dev/lofi/1     /export/home/secrets     Encrypted
.fi
.in -2
.sp

.sp
.LP
Mount and use the filesystem:

.sp
.in +2
.nf
# \fBmount /dev/lofi/1 /mnt\fR
# \fBcp moms_secret_*_recipe /mnt\fR
# \fBls /mnt\fR
\&./           moms_secret_cookie_recipe    moms_secret_soup_recipe
\&../          moms_secret_fudge_recipe     moms_secret_stuffing_recipe
lost+found/  moms_secret_meatloaf_recipe  moms_secret_waffle_recipe
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
.fi
.in -2
.sp

.sp
.LP
Subsequent attempts to map the filesystem with the wrong key or the wrong
encryption algorithm will fail:

.sp
.in +2
.nf
# \fBlofiadm -c blowfish-cbc -a /export/home/secrets\fR
Enter passphrase: \fBmommy\fR                                (\fInot echoed\fR)
Re-enter passphrase: \fBmommy\fR                             (\fInot echoed\fR)
lofiadm: could not map file /root/lofi: Invalid argument
# \fBlofiadm\fR
Block Device    File                    Options
#
.fi
.in -2
.sp

.sp
.LP
Attempts to map the filesystem without encryption will succeed; however,
attempts to mount and use the filesystem will fail:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/secrets\fR
/dev/lofi/1
# \fBlofiadm\fR
Block Device    File                     Options
/dev/lofi/1     /export/home/secrets     -
# \fBmount /dev/lofi/1 /mnt\fR
mount: /dev/lofi/1 is not this fstype
#
.fi
.in -2
.sp

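.LP
The \fB-k\fR \fIraw_key_file\fR form requires a key file of exactly the right length for the chosen algorithm, and the file is as sensitive as the data it protects. The following is an added example, not part of the original manual: the function names are hypothetical, only the AES modes are handled, and \fB/dev/urandom\fR is assumed as the random source.

```shell
#!/bin/sh
# Added example, not from the lofiadm manual. Function names are hypothetical.

# Raw key size in bytes for the AES modes listed under OPERANDS.
# des3-cbc and blowfish-cbc are deliberately not handled by this sketch.
lofi_key_bytes() {
    case "$1" in
        aes-128-cbc) echo 16 ;;
        aes-192-cbc) echo 24 ;;
        aes-256-cbc) echo 32 ;;
        *) return 1 ;;
    esac
}

# check_raw_key <crypto_algorithm> <raw_key_file>
# Returns 0 only if the file has exactly the required length and carries
# no permission bits for group or other.
check_raw_key() {
    alg=$1
    key=$2
    want=$(lofi_key_bytes "$alg") || { echo "unhandled algorithm: $alg" >&2; return 2; }
    [ -f "$key" ] || { echo "not a regular file: $key" >&2; return 3; }
    have=$(wc -c < "$key" | tr -d ' ')
    if [ "$have" -ne "$want" ]; then
        echo "$key is $have bytes, $alg needs $want" >&2
        return 4
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key is accessible to group or other ($perms)" >&2
        return 5
    fi
    return 0
}

# new_raw_key <crypto_algorithm> <raw_key_file>
# Sets a restrictive umask before any key bytes are written.
new_raw_key() {
    n=$(lofi_key_bytes "$1") || return 2
    ( umask 077 && dd if=/dev/urandom of="$2" bs="$n" count=1 2>/dev/null )
}

# attach_with_raw_key <crypto_algorithm> <raw_key_file> <file>
# Runs the -c/-k/-a form from the SYNOPSIS only after the key file passes.
attach_with_raw_key() {
    check_raw_key "$1" "$2" || return $?
    lofiadm -c "$1" -k "$2" -a "$3"
}
```

Because the algorithm is not stored in the disk image, record the \fIcrypto_algorithm\fR alongside the key file location; the same pair must be supplied on every later attach.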
.SH ENVIRONMENT VARIABLES
.sp
.LP
See \fBenviron\fR(5) for descriptions of the following environment variables
that affect the execution of \fBlofiadm\fR: \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR
and \fBNLSPATH\fR.
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB>0\fR\fR
.ad
.sp .6
.RS 4n
An error occurred.
.RE

.SH SEE ALSO
.sp
.LP
\fBfsck\fR(1M), \fBmount\fR(1M), \fBmount_ufs\fR(1M), \fBnewfs\fR(1M),
\fBattributes\fR(5), \fBlofi\fR(7D), \fBlofs\fR(7FS)
.SH NOTES
.sp
.LP
Just as you would not directly access a disk device that has mounted file
systems, you should not access a file associated with a block device except
through the \fBlofi\fR file driver. It might also be appropriate to ensure that
the file has appropriate permissions to prevent such access.
.sp
.LP
The abilities of \fBlofiadm\fR, and who can use them, are controlled by the
permissions of \fB/dev/lofictl\fR. Read-access allows query operations, such as
listing all the associations. Write-access is required to do any state-changing
operations, like adding an association. As shipped, \fB/dev/lofictl\fR is owned
by \fBroot\fR, in group \fBsys\fR, and mode \fB0644\fR, so all users can do
query operations but only root can change anything. The administrator can give
users write-access, allowing them to add or delete associations, but that is
very likely a security hole and should probably only be given to a trusted
group.
.sp
.LP
When mounting a filesystem image, take care to use appropriate mount options.
In particular, the \fBnosuid\fR mount option might be appropriate for \fBUFS\fR
images whose origin is unknown. Also, some options might not be useful or
appropriate, like \fBlogging\fR or \fBforcedirectio\fR for \fBUFS\fR. For
compatibility purposes, a raw device is also exported along with the block
device. For example, \fBnewfs\fR(1M) requires one.
.sp
.LP
The output of \fBlofiadm\fR (without arguments) might change in future
releases.
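.LP
The two cautions above, write access to \fB/dev/lofictl\fR and mount options for images of unknown origin, can be checked and applied from a script. The following is an added example, not part of the original manual: the function names are hypothetical and the sample \fBls\fR lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the lofiadm manual. Function names are hypothetical.

# lofictl_write_scope <one line of `ls -lL /dev/lofictl` output>
# Prints who can make state-changing lofi requests according to that line:
#   root-only | owner:<user> | group:<group> | world
# Constructed sample input (the shipped default described in NOTES):
#   crw-r--r--   1 root     sys      147,  0 Aug 28  2013 /dev/lofictl
lofictl_write_scope() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    if [ "$ow" = "w" ]; then
        echo "world"
    elif [ "$gw" = "w" ]; then
        echo "group:$group"
    elif [ "$owner" != "root" ]; then
        echo "owner:$owner"
    else
        echo "root-only"
    fi
}

# audit_lofictl: returns 0 if only root can change lofi associations.
# -L follows the /dev link so the permissions of the device node are read.
audit_lofictl() {
    scope=$(lofictl_write_scope "$(ls -lL /dev/lofictl)")
    echo "/dev/lofictl write access: $scope"
    [ "$scope" = "root-only" ]
}

# mount_unknown_ufs <image_file> <mount_point>
# Attaches the image read-only (-r before -a) and mounts it ro,nosuid,
# detaching the lofi device again if the mount fails.
mount_unknown_ufs() {
    dev=$(lofiadm -r -a "$1") || return 1
    mount -F ufs -o ro,nosuid "$dev" "$2" || { lofiadm -d "$dev"; return 1; }
    echo "$dev"
}
```

A \fBgroup:\fR result is the configuration the text describes as suitable only for a trusted group, so review that group's membership whenever it appears.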