Chapter 20. The volume_key Function
The volume_key function provides two tools, libvolume_key and
volume_key. libvolume_key is a library for manipulating storage volume encryption keys and storing them separately from volumes.
volume_keyis an associated command line tool used to extract keys and passphrases in order to restore access to an encrypted hard drive.
This is useful for when the primary user forgets their keys and passwords, after an employee leaves abruptly, or in order to extract data after a hardware or software failure corrupts the header of the encrypted volume. In a corporate setting, the IT help desk can use
volume_keyto back up the encryption keys before handing over the computer to the end user.
volume_keyonly supports the LUKS volume encryption format.
volume_keyis not included in a standard install of Red Hat Enterprise Linux 7 server. For information on installing it, refer to http://fedoraproject.org/wiki/Disk_encryption_key_escrow_use_cases.
The format for
volume_key [OPTION]... OPERAND
The operands and mode of operation for
volume_keyare determined by specifying one of the following options:
- This command expects the operand volume [packet]. If a packet is provided then
volume_keywill extract the keys and passphrases from it. If packet is not provided, then
volume_keywill extract the keys and passphrases from the volume, prompting the user where necessary. These keys and passphrases will then be stored in one or more output packets.
- This command expects the operands volume packet. It then opens the volume and uses the keys and passphrases in the packet to make the volume accessible again, prompting the user where necessary, such as allowing the user to enter a new passphrase, for example.
- This command expects the operands volume packet name. It then opens the volume and uses the keys and passphrases in the packet to set up the volume for use of the decrypted data as name.Name is the name of a dm-crypt volume. This operation makes the decrypted volume available as
/dev/mapper/name.This operation does not permanently alter the volume by adding a new passphrase, for example. The user can access and modify the decrypted volume, modifying volume in the process.
- These three commands perform similar functions with varying output methods. They each require the operand packet, and each opens the packet, decrypting it where necessary.
--reencryptthen stores the information in one or more new output packets.
--secretsoutputs the keys and passphrases contained in the packet.
--dumpoutputs the content of the packet, though the keys and passphrases are not output by default. This can be changed by appending
--with-secretsto the command. It is also possible to only dump the unencrypted parts of the packet, if any, by using the
--unencryptedcommand. This does not require any passphrase or private key access.
Each of these can be appended with the following options:
- This command writes the default key or passphrase to the packet. The default key or passphrase depends on the volume format. Ensure it is one that is unlikely to expire, and will allow
--restoreto restore access to the volume.
- This command uses the specified format for all output packets. Currently, format can be one of the following:
asymmetric: uses CMS to encrypt the whole packet, and requires a certificate
asymmetric_wrap_secret_only: wraps only the secret, or keys and passphrases, and requires a certificate
passphrase: uses GPG to encrypt the whole packet, and requires a passphrase
- This command generates a random alphanumeric passphrase, adds it to the volume (without affecting other passphrases), and then stores this random passphrase into the packet.