19.3.3. Restoring access to a volume

download PDF
After the encryption keys have been saved (see Section 19.3.1, “Preparation for saving encryption keys” and Section 19.3.2, “Saving encryption keys”), access can be restored to a driver where needed.

Procedure 19.5. Restoring access to a volume

  1. Get the escrow packet for the volume from the packet storage and send it to one of the designated users for decryption.
  2. The designated user runs:
    volume_key --reencrypt -d /the/nss/directory escrow-packet-in -o escrow-packet-out
    After providing the NSS database password, the designated user chooses a passphrase for encrypting escrow-packet-out. This passphrase can be different every time and only protects the encryption keys while they are moved from the designated user to the target system.
  3. Obtain the escrow-packet-out file and the passphrase from the designated user.
  4. Boot the target system in an environment that can run volume_key and have the escrow-packet-out file available, such as in a rescue mode.
  5. Run:
    volume_key --restore /path/to/volume escrow-packet-out
    A prompt will appear for the packet passphrase chosen by the designated user, and for a new passphrase for the volume.
  6. Mount the volume using the chosen volume passphrase.
It is possible to remove the old passphrase that was forgotten by using cryptsetup luksKillSlot, for example, to free up the passphrase slot in the LUKS header of the encrypted volume. This is done with the command cryptsetup luksKillSlot device key-slot. For more information and examples see cryptsetup --help.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.