19.3.3. Restoring access to a volume
After the encryption keys have been saved (see Section 19.3.1, “Preparation for saving encryption keys” and Section 19.3.2, “Saving encryption keys”), access can be restored to a volume where needed.
Procedure 19.5. Restoring access to a volume
- Get the escrow packet for the volume from the packet storage and send it to one of the designated users for decryption.
- The designated user runs:

  volume_key --reencrypt -d /the/nss/directory escrow-packet-in -o escrow-packet-out

  After providing the NSS database password, the designated user chooses a passphrase for encrypting escrow-packet-out. This passphrase can be different every time and only protects the encryption keys while they are moved from the designated user to the target system.
- Obtain the escrow-packet-out file and the passphrase from the designated user.
- Boot the target system in an environment that can run volume_key and have the escrow-packet-out file available, such as in a rescue mode.
- Run:

  volume_key --restore /path/to/volume escrow-packet-out

  A prompt will appear for the packet passphrase chosen by the designated user, and for a new passphrase for the volume.
- Mount the volume using the chosen volume passphrase.
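The following is an added example, not part of the Red Hat guide: a small rescue-mode wrapper around the restore step. Before volume_key is allowed to write a new passphrase into the LUKS header, it confirms what the procedure assumes (the escrow-packet-out file from the designated user is present, the tools are available, and the target device really is a LUKS volume) and then tells the operator the next step. The VOLUME_KEY and CRYPTSETUP variables exist only so the logic can be exercised without a real device; their defaults are the real tool names.

```shell
# Added example (not from the Red Hat guide): rescue-mode wrapper for the
# "volume_key --restore /path/to/volume escrow-packet-out" step.
# VOLUME_KEY and CRYPTSETUP default to the real tools and are overridable
# only for exercising the checks without a real LUKS device.
VOLUME_KEY=${VOLUME_KEY:-volume_key}
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# Refuse to continue unless every prerequisite of the procedure holds.
# Prints one line per problem on stderr; returns 1 if anything is missing.
check_restore_prereqs() {
    volume=$1
    packet=$2
    status=0
    if [ ! -r "$packet" ]; then
        echo "escrow-packet-out not readable: $packet" >&2
        status=1
    fi
    for tool in "$VOLUME_KEY" "$CRYPTSETUP"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool not available; boot a rescue environment that ships it" >&2
            status=1
        fi
    done
    # Only probe the device once the tools are known to exist.
    if [ "$status" -eq 0 ] && ! "$CRYPTSETUP" isLuks "$volume"; then
        echo "$volume is not a LUKS volume; check the device path" >&2
        status=1
    fi
    return "$status"
}

# Run the restore step. volume_key itself prompts on the terminal for the
# packet passphrase chosen by the designated user and for the new volume
# passphrase; this wrapper only gates and reports.
restore_volume_access() {
    volume=$1
    packet=$2
    check_restore_prereqs "$volume" "$packet" || return 1
    if ! "$VOLUME_KEY" --restore "$volume" "$packet"; then
        echo "volume_key --restore failed for $volume" >&2
        return 1
    fi
    echo "new passphrase added; next: $CRYPTSETUP luksOpen $volume <name> and mount it"
}

# Usage (device and packet paths are placeholders):
#   restore_volume_access /dev/sdX1 /root/escrow-packet-out
```

The isLuks probe is the check most worth keeping: in a rescue environment device names can differ from the installed system, and a restore aimed at the wrong block device fails late and confusingly rather than early with a clear message.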
The old passphrase that was forgotten can be removed with cryptsetup luksKillSlot, for example to free up its passphrase slot in the LUKS header of the encrypted volume. This is done with the command cryptsetup luksKillSlot device key-slot. For more information and examples see cryptsetup --help.
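As an added example (not from the Red Hat guide), the following helper makes the luksKillSlot step safer to carry out. cryptsetup luksKillSlot needs a slot number, and the LUKS header does not record which slot held the forgotten passphrase, so an operator first inspects the header with cryptsetup luksDump. The code parses LUKS1-format luksDump output for the ENABLED slots and refuses a kill that would remove the only remaining slot. SAMPLE_LUKS_DUMP is constructed output in that format, standing in for a real device.

```shell
# Added example (not from the Red Hat guide): identify enabled LUKS1 key slots
# from "cryptsetup luksDump" output before running "cryptsetup luksKillSlot".
# SAMPLE_LUKS_DUMP is constructed text in the LUKS1 header format.
SAMPLE_LUKS_DUMP='LUKS header information for /dev/sdX1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Read luksDump text on stdin; print the numbers of the ENABLED slots, one per line.
enabled_key_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p'
}

# safe_to_kill_slot SLOT DUMP_TEXT
# Returns 0 only if SLOT is enabled and at least one other slot stays enabled;
# with no enabled slot left, no passphrase can open the volume any more.
safe_to_kill_slot() {
    slot=$1
    dump=$2
    enabled=$(printf '%s\n' "$dump" | enabled_key_slots)
    count=$(printf '%s\n' "$enabled" | grep -c . || true)
    if ! printf '%s\n' "$enabled" | grep -qx "$slot"; then
        echo "slot $slot is not enabled; nothing to kill" >&2
        return 1
    fi
    if [ "$count" -lt 2 ]; then
        echo "slot $slot is the only enabled slot; killing it would lock the volume" >&2
        return 1
    fi
    return 0
}

# Usage against a real device (placeholders for device and slot):
#   dump=$(cryptsetup luksDump /dev/sdX1)
#   safe_to_kill_slot 0 "$dump" && cryptsetup luksKillSlot /dev/sdX1 0
```

After the restore step in Procedure 19.5 the header holds both the forgotten passphrase's slot and the newly added one, so the count check passes; the slot to kill is the one that was enabled before the restore, which the operator can tell apart by running luksDump both before and after.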