Manualshelf

System information

ManualsBrandsRed Hat ManualsComputer equipmentENTERPRISE LINUX - ONLINE STORAGE RECONFIGURATION GUIDE BETA
141142143144145146147148149150
vo l ume_key --save /path/to/volume -o escro w-packet
A prompt will then appear requiring an escrow packet passphrase to protect the key.
2. Save the generated escro w-packet file, ensuring that the passphrase is not forgotten.
If the volume passphrase is forgotten, use the saved escrow packet to restore access to the data.
Pro ced u re 19 .2. Rest ore access t o d at a wit h escro w p acket
1. Boot the system in an environment where vo l ume_key can be run and the escrow packet is
available (a rescue mode, for example).
2. Run:
vo l ume_key --resto re /path/to/volume escro w-packet
A prompt will appear for the escrow packet passphrase that was used when creating the
escrow packet, and for the new passphrase for the volume.
3. Mount the volume using the chosen passphrase.
To free up the passphrase slot in the LUKS header of the encrypted volume, remove the old, forgotten
passphrase by using the command cryptsetup l uksKi l l Sl o t.
19.3. Using vo l ume_key in a larger organizat ion
In a larger organization, using a single password known by every system administrator and keeping
track of a separate password for each system is impractical and a security risk. To counter this,
vo l ume_key can use asymmetric cryptography to minimize the number of people who know the
password required to access encrypted data on any computer.
This section will cover the procedures required for preparation before saving encryption keys, how to
save encryption keys, restoring access to a volume, and setting up emergency passphrases.
19.3.1. Preparat ion for saving encrypt ion keys
In order to begin saving encryption keys, some preparation is required.
Pro ced u re 19 .3. Prep arat io n
1. Create an X509 certificate/private pair.
2. Designate trusted users who are trusted not to compromise the private key. These users will
be able to decrypt the escrow packets.
3. Choose which systems will be used to decrypt the escrow packets. On these systems, set up
an NSS database that contains the private key.
If the private key was not created in an NSS database, follow these steps:
A. Store the certificate and private key in an P KC S#12 file.
B. Run:
certuti l -d /the/nss/directory -N
Chapt er 1 9 . T he volume_key funct ion
14 5