System information

Chapter 19. The volume_key function
The volume_key function provides two tools, libvolume_key and volume_key. libvolume_key is a
library for manipulating storage volume encryption keys and storing them separately from volumes.
volume_key is an associated command line tool used to extract keys and passphrases in order to
restore access to an encrypted hard drive.
This is useful when the primary user forgets their keys and passwords, after an employee leaves
abruptly, or in order to extract data after a hardware or software failure corrupts the header of the
encrypted volume. In a corporate setting, the IT help desk can use volume_key to back up the
encryption keys before handing over the computer to the end user.
Currently, volume_key only supports the LUKS volume encryption format.
Note
volume_key is not included in a standard install of Red Hat Enterprise Linux 6 server. For
information on installing it, refer to
http://fedoraproject.org/wiki/Disk_encryption_key_escrow_use_cases.
19.1. Commands
The format for volume_key is:
volume_key [OPTION]... OPERAND
The operands and mode of operation for volume_key are determined by specifying one of the
following options:
--save
This command expects the operand volume [packet]. If a packet is provided, then
volume_key will extract the keys and passphrases from it. If packet is not provided, then
volume_key will extract the keys and passphrases from the volume, prompting the user
where necessary. These keys and passphrases will then be stored in one or more output
packets.
--restore
This command expects the operands volume packet. It then opens the volume and uses the
keys and passphrases in the packet to make the volume accessible again, prompting the
user where necessary (for example, to enter a new passphrase).
--setup-volume
This command expects the operands volume packet name. It then opens the volume and uses
the keys and passphrases in the packet to set up the volume for use of the decrypted data as
name.
Name is the name of a dm-crypt volume. This operation makes the decrypted volume
available as /dev/mapper/name.
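The following shell wrapper is an added example, not part of the guide or of the volume_key project. It encodes the operand counts the three modes above expect, so a help desk script fails early on a malformed invocation instead of leaving volume_key to prompt for missing pieces, and it wraps the "back up the keys before handing over the computer" step. Two things it relies on are assumptions not stated on this page: that volume_key accepts -o FILE to name the output packet, and that cryptsetup's isLuks check is available to refuse non-LUKS devices. The escrow_backup function needs root and a real LUKS device, and volume_key will still prompt for the volume passphrase and for protection of the packet.

```sh
#!/bin/sh
# Added example (not from the guide): a small wrapper around the three
# volume_key modes described above, plus an escrow backup step.
# Assumptions not on this page: volume_key takes "-o FILE" to name the
# output packet, and "cryptsetup isLuks" is available.

# Print the command line for one volume_key mode after checking that the
# operand count matches what the mode expects:
#   save          volume [packet]      (1 or 2 operands)
#   restore       volume packet        (exactly 2)
#   setup-volume  volume packet name   (exactly 3)
# Prints a usage line to stderr and returns 1 on a mismatch.
volume_key_cmd() {
    mode=$1
    shift
    case $mode in
        save)
            if [ "$#" -lt 1 ] || [ "$#" -gt 2 ]; then
                echo "usage: save volume [packet]" >&2; return 1
            fi ;;
        restore)
            if [ "$#" -ne 2 ]; then
                echo "usage: restore volume packet" >&2; return 1
            fi ;;
        setup-volume)
            if [ "$#" -ne 3 ]; then
                echo "usage: setup-volume volume packet name" >&2; return 1
            fi ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf 'volume_key --%s %s\n' "$mode" "$*"
}

# Device-mapper path under which a --setup-volume NAME becomes available.
mapper_path() {
    printf '/dev/mapper/%s\n' "$1"
}

# Escrow step for a help desk: back up the keys of one LUKS volume DEV into
# a packet under DIR before the machine goes to the user.  Refuses non-LUKS
# devices, creates the packet with owner-only permissions, and verifies a
# non-empty packet exists afterwards.  Needs root and a real device, so it
# is not exercised by the offline checks.
escrow_backup() {
    dev=$1
    dir=$2
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS volume" >&2; return 1; }
    umask 077
    mkdir -p "$dir"
    packet="$dir/$(basename "$dev").packet"
    volume_key --save "$dev" -o "$packet" || return 1
    [ -s "$packet" ] || { echo "no packet written to $packet" >&2; return 1; }
    chmod 0600 "$packet"
    echo "$packet"
}

# Command-line entry: "backup DEV DIR" runs the escrow step; anything else
# is treated as "MODE OPERAND..." and only echoes the checked command line.
if [ "$#" -gt 0 ]; then
    case $1 in
        backup) shift; escrow_backup "$@" ;;
        *)      volume_key_cmd "$@" ;;
    esac
fi
```

Run as "sh escrow.sh backup /dev/sda2 /root/escrow" to produce /root/escrow/sda2.packet, or as "sh escrow.sh restore /dev/sda2 /root/escrow/sda2.packet" to see the exact volume_key invocation the wrapper would issue. The packet is as sensitive as the volume's own passphrase, which is why it is written with a 077 umask and stored separately from the volume, as the chapter's description of libvolume_key intends.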