Show Table of Contents
20.2. Using volume_key as an Individual User
As an individual user,
volume_key can be used to save encryption keys by using the following procedure.
Note
For all examples in this file,
/path/to/volume is a LUKS device, not the plaintext device contained within. blkid -s type /path/to/volume should report type="crypto_LUKS".
Procedure 20.1. Using volume_key Stand-alone
- Run:
A prompt will then appear requiring an escrow packet passphrase to protect the key.volume_key --save/path/to/volume-o escrow-packet - Save the generated
escrow-packetfile, ensuring that the passphrase is not forgotten.
If the volume passphrase is forgotten, use the saved escrow packet to restore access to the data.
Procedure 20.2. Restore Access to Data with Escrow Packet
- Boot the system in an environment where
volume_keycan be run and the escrow packet is available (a rescue mode, for example). - Run:
A prompt will appear for the escrow packet passphrase that was used when creating the escrow packet, and for the new passphrase for the volume.volume_key --restore/path/to/volumeescrow-packet - Mount the volume using the chosen passphrase.
To free up the passphrase slot in the LUKS header of the encrypted volume, remove the old, forgotten passphrase by using the command
cryptsetup luksKillSlot.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.