At this point it is possible to choose an NSS database password. Each NSS database can
have a different password so the designated users do not need to share a single
password if a separate NSS database is used by each user.
C. Run:
pk12util -d /the/nss/directory -i the-pkcs12-file
4. Distribute the certificate to anyone installing systems or saving keys on existing systems.
5. For saved private keys, prepare storage that allows them to be looked up by machine and
volume. For example, this can be a simple directory with one subdirectory per machine, or a
database used for other system management tasks as well.
19.3.2. Saving encryption keys
After completing the required preparation (see Section 19.3.1, “Preparation for saving encryption
keys” ) it is now possible to save the encryption keys using the following procedure.
Note
For all examples in this file, /path/to/volume is the LUKS container device, not the plaintext
device mapped from it after it is opened; blkid -s TYPE /path/to/volume should report
TYPE="crypto_LUKS". (The opened plaintext mapping reports the filesystem type instead, and
an escrow packet saved from it is useless.)
Procedure 19.4. Saving encryption keys
1. Run:
volume_key --save /path/to/volume -c /path/to/cert escrow-packet
2. Save the generated escrow-packet file in the prepared storage, associating it with the
system and the volume.
These steps can be performed manually, or scripted as part of system installation.
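The following script is an added example of such automation; it is not part of the Red Hat guide and not volume_key's own code. It wraps Procedure 19.4 together with the per-machine, per-volume storage of Section 19.3.1 step 5: it refuses anything blkid does not report as crypto_LUKS, runs volume_key --save with the distributed certificate, and files the packet under a directory tree of the form ESCROW_ROOT/host/device-path.escrow. The store location ESCROW_ROOT, the certificate path CERT, and the file-naming scheme are this example's assumptions, not defaults of volume_key.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: automate Procedure 19.4 so an
# installer or a periodic job can save a LUKS volume's escrow packet and file
# it in the per-machine, per-volume store prepared in Section 19.3.1 step 5.
# Assumptions (this example's choices, not volume_key defaults):
#   ESCROW_ROOT  root of the packet store, one subdirectory per machine
#   CERT         the X509 certificate distributed in Section 19.3.1 step 4
#   file name    <ESCROW_ROOT>/<host>/<device path with / replaced by _>.escrow

ESCROW_ROOT="${ESCROW_ROOT:-/var/lib/escrow}"
CERT="${CERT:-/etc/pki/escrow/cert.pem}"

# packet_path HOST VOLUME: where HOST's packet for VOLUME belongs in the store.
# /dev/mapper/luks-root -> <ESCROW_ROOT>/<host>/dev_mapper_luks-root.escrow
packet_path() {
    _name=$(printf '%s' "$2" | sed 's|^/||; s|/|_|g')
    printf '%s/%s/%s.escrow\n' "$ESCROW_ROOT" "$1" "$_name"
}

# is_luks_container DEVICE: true only for the LUKS container itself. The
# opened plaintext mapping reports a filesystem type, not crypto_LUKS, and
# a packet saved from it would be useless (see the note above).
is_luks_container() {
    [ "$(blkid -o value -s TYPE "$1" 2>/dev/null)" = "crypto_LUKS" ]
}

# save_escrow_packet VOLUME [HOST]: run volume_key --save and file the result.
# Prints the stored path on success. volume_key asks for the volume's LUKS
# passphrase on the terminal; the packet it writes is encrypted to CERT, so
# only holders of the matching private key (the designated users) can read it.
save_escrow_packet() {
    _volume=$1
    _host=${2:-$(hostname)}
    if ! is_luks_container "$_volume"; then
        echo "$_volume is not a LUKS container (blkid TYPE is not crypto_LUKS)" >&2
        return 1
    fi
    _dest=$(packet_path "$_host" "$_volume")
    mkdir -p "$(dirname "$_dest")"
    chmod 0700 "$(dirname "$_dest")"
    _tmp="$_dest.tmp.$$"
    # Write to a temporary name and rename, so a failed or interrupted save
    # never leaves a truncated packet in the store under the final name.
    if ! volume_key --save "$_volume" -c "$CERT" "$_tmp"; then
        rm -f "$_tmp"
        return 1
    fi
    chmod 0600 "$_tmp"
    mv "$_tmp" "$_dest"
    echo "$_dest"
}

# Usage: sh save-escrow.sh /dev/sda2 [hostname]
[ $# -eq 0 ] || save_escrow_packet "$@"
```

The packet is safe to keep on shared storage because its contents are encrypted to the certificate, but the store still tells an attacker which machines and volumes exist, so the directory permissions are kept tight anyway. Step 2 of Procedure 19.5 needs the packet back by machine and volume, which is exactly what packet_path makes easy to look up.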
19.3.3. Restoring access to a volume
After the encryption keys have been saved (see Section 19.3.1, “Preparation for saving encryption
keys” and Section 19.3.2, “Saving encryption keys”), access to a volume can be restored where
needed.
Procedure 19.5. Restoring access to a volume
1. Get the escrow packet for the volume from the packet storage and send it to one of the
designated users for decryption.
2. The designated user runs:
volume_key --reencrypt -d /the/nss/directory escrow-packet-in -o escrow-packet-out
Red Hat Enterprise Linux 6 Storage Administration Guide