Chapter 19. The volume_key function
The volume_key function provides two tools, libvolume_key and
volume_key
. libvolume_key is a library for manipulating storage volume encryption keys and storing them separately from volumes. volume_key
is an associated command line tool used to extract keys and passphrases in order to restore access to an encrypted hard drive.
This is useful for when the primary user forgets their keys and passwords, after an employee leaves abruptly, or in order to extract data after a hardware or software failure corrupts the header of the encrypted volume. In a corporate setting, the IT help desk can use
volume_key
to back up the encryption keys before handing over the computer to the end user.
Currently,
volume_key
only supports the LUKS volume encryption format.
Note
volume_key
is not included in a standard install of Red Hat Enterprise Linux 6 server. For information on installing it, refer to http://fedoraproject.org/wiki/Disk_encryption_key_escrow_use_cases.
19.1. Commands
The format for
volume_key
is:
volume_key [OPTION]... OPERAND
The operands and mode of operation for
volume_key
are determined by specifying one of the following options:
--save
- This command expects the operand volume [packet]. If a packet is provided then
volume_key
will extract the keys and passphrases from it. If packet is not provided, thenvolume_key
will extract the keys and passphrases from the volume, prompting the user where necessary. These keys and passphrases will then be stored in one or more output packets. --restore
- This command expects the operands volume packet. It then opens the volume and uses the keys and passphrases in the packet to make the volume accessible again, prompting the user where necessary, such as allowing the user to enter a new passphrase, for example.
--setup-volume
- This command expects the operands volume packet name. It then opens the volume and uses the keys and passphrases in the packet to set up the volume for use of the decrypted data as name.Name is the name of a dm-crypt volume. This operation makes the decrypted volume available as
/dev/mapper/name
.This operation does not permanently alter the volume by adding a new passphrase, for example. The user can access and modify the decrypted volume, modifying volume in the process. --reencrypt
,--secrets
, and--dump
- These three commands perform similar functions with varying output methods. They each require the operand packet, and each opens the packet, decrypting it where necessary.
--reencrypt
then stores the information in one or more new output packets.--secrets
outputs the keys and passphrases contained in the packet.--dump
outputs the content of the packet, though the keys and passphrases are not output by default. This can be changed by appending--with-secrets
to the command. It is also possible to only dump the unencrypted parts of the packet, if any, by using the--unencrypted
command. This does not require any passphrase or private key access.
Each of these can be appended with the following options:
-o
,--output packet
- This command writes the default key or passphrase to the packet. The default key or passphrase depends on the volume format. Ensure it is one that is unlikely to expire, and will allow
--restore
to restore access to the volume. --output-format format
- This command uses the specified format for all output packets. Currently, format can be one of the following:
asymmetric
: uses CMS to encrypt the whole packet, and requires a certificateasymmetric_wrap_secret_only
: wraps only the secret, or keys and passphrases, and requires a certificatepassphrase
: uses GPG to encrypt the whole packet, and requires a passphrase
--create-random-passphrase packet
- This command generates a random alphanumeric passphrase, adds it to the volume (without affecting other passphrases), and then stores this random passphrase into the packet.