System information

This operation does not permanently alter the volume (for example, by adding a new
passphrase). The user can access and modify the decrypted volume, modifying the volume
in the process.
--reencrypt, --secrets, and --dump
These three commands perform similar functions with varying output methods. They each
require the operand packet, and each opens the packet, decrypting it where necessary.
--reencrypt then stores the information in one or more new output packets. --secrets
outputs the keys and passphrases contained in the packet. --dump outputs the content of
the packet, though the keys and passphrases are not output by default. This can be
changed by appending --with-secrets to the command. It is also possible to only dump
the unencrypted parts of the packet, if any, by using the --unencrypted command. This
does not require any passphrase or private key access.
Each of these can be appended with the following options:
-o, --output packet
This command writes the default key or passphrase to the packet. The default key or
passphrase depends on the volume format. Ensure it is one that is unlikely to expire, and
will allow --restore to restore access to the volume.
--output-format format
This command uses the specified format for all output packets. Currently, format can be one
of the following:
asymmetric: uses CMS to encrypt the whole packet, and requires a certificate
asymmetric_wrap_secret_only: wraps only the secret, or keys and passphrases,
and requires a certificate
passphrase: uses GPG to encrypt the whole packet, and requires a passphrase
--create-random-passphrase packet
This command generates a random alphanumeric passphrase, adds it to the volume
(without affecting other passphrases), and then stores this random passphrase into the
packet.
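The following wrapper is an added example, not part of the original guide: it shows one way to call --reencrypt with a checked --output-format, a no-overwrite rule for packets, and a --dump --unencrypted read-back. The function names, return codes and DRY_RUN switch are hypothetical; the -c certificate option comes from the volume_key man page rather than this page, and the input packet is assumed to be decrypted by volume_key's own prompts.

```sh
#!/bin/sh
# Added example (hypothetical wrapper, not from the guide).
# Set DRY_RUN=1 to print the volume_key command line instead of running it.

# Succeeds only for the three output formats the text lists.
valid_format() {
    case "$1" in
        asymmetric|asymmetric_wrap_secret_only|passphrase) return 0 ;;
        *) return 1 ;;
    esac
}

# reencrypt_packet SRC DST FORMAT [CERT]
reencrypt_packet() {
    src=$1 dst=$2 format=$3 cert=${4:-}

    valid_format "$format" || { echo "unknown format: $format" >&2; return 2; }

    # Both asymmetric formats require a certificate; passphrase does not.
    case "$format" in
        asymmetric*)
            [ -n "$cert" ] || { echo "$format needs a certificate" >&2; return 3; }
            set -- volume_key --reencrypt "$src" --output-format "$format" \
                   -o "$dst" -c "$cert" ;;
        *)
            set -- volume_key --reencrypt "$src" --output-format "$format" \
                   -o "$dst" ;;
    esac

    # Never overwrite an existing packet: it may be the only copy of a key.
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 4; }

    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
        return 0
    fi

    # Write the new packet owner-readable only, then confirm volume_key can
    # read it back by dumping just the unencrypted parts (no secret needed).
    ( umask 077 && "$@" ) || return 5
    volume_key --dump --unencrypted "$dst" >/dev/null
}
```
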
19.2. Using volume_key as an individual user
As an individual user, volume_key can be used to save encryption keys by using the following
procedure.
Note
For all examples in this file, /path/to/volume is a LUKS device, not the plaintext device
contained within. blkid -s type /path/to/volume should report
type="crypto_LUKS".
Procedure 19.1. Using volume_key stand-alone
1. Run:
Red Hat Enterprise Linux 6 Storage Administration Guide