20.3. Using volume_key in a Larger Organization
In a larger organization, using a single password known by every system administrator and keeping track of a separate password for each system is impractical and a security risk. To counter this,
volume_key
can use asymmetric cryptography to minimize the number of people who know the password required to access encrypted data on any computer.
This section will cover the procedures required for preparation before saving encryption keys, how to save encryption keys, restoring access to a volume, and setting up emergency passphrases.
20.3.1. Preparation for Saving Encryption Keys
In order to begin saving encryption keys, some preparation is required.
Procedure 20.3. Preparation
- Create an X509 certificate/private pair.
- Designate trusted users who are trusted not to compromise the private key. These users will be able to decrypt the escrow packets.
- Choose which systems will be used to decrypt the escrow packets. On these systems, set up an NSS database that contains the private key.If the private key was not created in an NSS database, follow these steps:
- Store the certificate and private key in an
PKCS#12
file. - Run:
certutil -d
/the/nss/directory
-NAt this point it is possible to choose an NSS database password. Each NSS database can have a different password so the designated users do not need to share a single password if a separate NSS database is used by each user. - Run:
pk12util -d
/the/nss/directory
-ithe-pkcs12-file
- Distribute the certificate to anyone installing systems or saving keys on existing systems.
- For saved private keys, prepare storage that allows them to be looked up by machine and volume. For example, this can be a simple directory with one subdirectory per machine, or a database used for other system management tasks as well.
20.3.2. Saving Encryption Keys
After completing the required preparation (see Section 20.3.1, “Preparation for Saving Encryption Keys”) it is now possible to save the encryption keys using the following procedure.
Note
For all examples in this file,
/path/to/volume
is a LUKS device, not the plaintext device contained within; blkid -s type /path/to/volume
should report type="crypto_LUKS"
.
Procedure 20.4. Saving Encryption Keys
- Run:
volume_key --save
/path/to/volume
-c/path/to/cert
escrow-packet - Save the generated
escrow-packet
file in the prepared storage, associating it with the system and the volume.
These steps can be performed manually, or scripted as part of system installation.
20.3.3. Restoring Access to a Volume
After the encryption keys have been saved (see Section 20.3.1, “Preparation for Saving Encryption Keys” and Section 20.3.2, “Saving Encryption Keys”), access can be restored to a driver where needed.
Procedure 20.5. Restoring Access to a Volume
- Get the escrow packet for the volume from the packet storage and send it to one of the designated users for decryption.
- The designated user runs:
volume_key --reencrypt -d
/the/nss/directory
escrow-packet-in -o escrow-packet-outAfter providing the NSS database password, the designated user chooses a passphrase for encryptingescrow-packet-out
. This passphrase can be different every time and only protects the encryption keys while they are moved from the designated user to the target system. - Obtain the
escrow-packet-out
file and the passphrase from the designated user. - Boot the target system in an environment that can run
volume_key
and have theescrow-packet-out
file available, such as in a rescue mode. - Run:
volume_key --restore
/path/to/volume
escrow-packet-outA prompt will appear for the packet passphrase chosen by the designated user, and for a new passphrase for the volume. - Mount the volume using the chosen volume passphrase.
It is possible to remove the old passphrase that was forgotten by using
cryptsetup luksKillSlot
, for example, to free up the passphrase slot in the LUKS header of the encrypted volume. This is done with the command cryptsetup luksKillSlot device key-slot
. For more information and examples see cryptsetup --help
.
20.3.4. Setting up Emergency Passphrases
In some circumstances (such as traveling for business) it is impractical for system administrators to work directly with the affected systems, but users still need access to their data. In this case,
volume_key
can work with passphrases as well as encryption keys.
During the system installation, run:
volume_key --save /path/to/volume
-c /path/to/ert
--create-random-passphrase passphrase-packet
This generates a random passphrase, adds it to the specified volume, and stores it to
passphrase-packet
. It is also possible to combine the --create-random-passphrase
and -o
options to generate both packets at the same time.
If a user forgets the password, the designated user runs:
volume_key --secrets -d /your/nss/directory passphrase-packet
This shows the random passphrase. Give this passphrase to the end user.