Chapter 19. The volume_key Function

The volume_key function provides two tools, libvolume_key and volume_key. libvolume_key is a library for manipulating storage volume encryption keys and storing them separately from volumes. volume_key is an associated command line tool used to extract keys and passphrases in order to restore access to an encrypted hard drive.
This is useful for when the primary user forgets their keys and passwords, after an employee leaves abruptly, or in order to extract data after a hardware or software failure corrupts the header of the encrypted volume. In a corporate setting, the IT help desk can use volume_key to back up the encryption keys before handing over the computer to the end user.
Currently, volume_key only supports the LUKS volume encryption format.

Note

volume_key is not included in a standard install of Red Hat Enterprise Linux 7 server. For information on installing it, refer to http://fedoraproject.org/wiki/Disk_encryption_key_escrow_use_cases.

19.1. volume_key Commands

The format for volume_key is:
volume_key [OPTION]... OPERAND
The operands and mode of operation for volume_key are determined by specifying one of the following options:
--save
This command expects the operand volume [packet]. If a packet is provided then volume_key will extract the keys and passphrases from it. If packet is not provided, then volume_key will extract the keys and passphrases from the volume, prompting the user where necessary. These keys and passphrases will then be stored in one or more output packets.
--restore
This command expects the operands volume packet. It then opens the volume and uses the keys and passphrases in the packet to make the volume accessible again, prompting the user where necessary, such as allowing the user to enter a new passphrase, for example.
--setup-volume
This command expects the operands volume packet name. It then opens the volume and uses the keys and passphrases in the packet to set up the volume for use of the decrypted data as name.
Name is the name of a dm-crypt volume. This operation makes the decrypted volume available as /dev/mapper/name.
This operation does not permanently alter the volume by adding a new passphrase, for example. The user can access and modify the decrypted volume, modifying volume in the process.
--reencrypt, --secrets, and --dump
These three commands perform similar functions with varying output methods. They each require the operand packet, and each opens the packet, decrypting it where necessary. --reencrypt then stores the information in one or more new output packets. --secrets outputs the keys and passphrases contained in the packet. --dump outputs the content of the packet, though the keys and passphrases are not output by default. This can be changed by appending --with-secrets to the command. It is also possible to only dump the unencrypted parts of the packet, if any, by using the --unencrypted command. This does not require any passphrase or private key access.
Each of these can be appended with the following options:
-o, --output packet
This command writes the default key or passphrase to the packet. The default key or passphrase depends on the volume format. Ensure it is one that is unlikely to expire, and will allow --restore to restore access to the volume.
--output-format format
This command uses the specified format for all output packets. Currently, format can be one of the following:
  • asymmetric: uses CMS to encrypt the whole packet, and requires a certificate
  • asymmetric_wrap_secret_only: wraps only the secret, or keys and passphrases, and requires a certificate
  • passphrase: uses GPG to encrypt the whole packet, and requires a passphrase
--create-random-passphrase packet
This command generates a random alphanumeric passphrase, adds it to the volume (without affecting other passphrases), and then stores this random passphrase into the packet.