System information

After providing the NSS database password, the designated user chooses a passphrase for
encrypting escrow-packet-out. This passphrase can be different every time and only
protects the encryption keys while they are moved from the designated user to the target
system.
3. Obtain the escrow-packet-out file and the passphrase from the designated user.
4. Boot the target system in an environment that can run volume_key and have the
escrow-packet-out file available, such as in a rescue mode.
5. Run:
volume_key --restore /path/to/volume escrow-packet-out
A prompt will appear for the packet passphrase chosen by the designated user, and for a new
passphrase for the volume.
6. Mount the volume using the chosen volume passphrase.
It is possible to remove the old passphrase that was forgotten by using cryptsetup
luksKillSlot, for example, to free up the passphrase slot in the LUKS header of the encrypted
volume. This is done with the command cryptsetup luksKillSlot device key-slot. For
more information and examples see cryptsetup --help.
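Before a slot is removed it helps to confirm which key slots are in use. The following is an added example, not part of the original guide: a shell helper that reads the text of cryptsetup luksDump and lists the enabled slots other than the one to keep. The function names are hypothetical and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: list LUKS key slots still enabled after a volume_key restore,
# so the forgotten passphrase's slot can be chosen for luksKillSlot.
# Input is the text of `cryptsetup luksDump <device>` on stdin.

# Print the numbers of enabled key slots (LUKS1 and LUKS2 dump layouts).
enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }  # LUKS1
        /^Keyslots:/                { in_ks = 1; next }   # LUKS2 section start
        /^[A-Za-z]/                 { in_ks = 0 }         # any other section
        in_ks && /^  [0-9]+: /      { sub(":", "", $1); print $1 }
    '
}

# stale_slots KEEP: print enabled slots other than KEEP (the slot holding the
# new passphrase). Fails if KEEP is not an enabled slot, so a mistyped number
# cannot lead to removing the only working passphrase.
stale_slots() {
    keep=$1
    case $keep in ''|*[!0-9]*) echo "slot must be a number" >&2; return 2 ;; esac
    slots=$(enabled_slots)
    echo "$slots" | grep -qx "$keep" || { echo "slot $keep is not enabled" >&2; return 1; }
    echo "$slots" | grep -vx "$keep" || true
}

# Constructed sample of LUKS1 luksDump output (not from a real device).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdX1

Version:        1
Key Slot 0: ENABLED
    Iterations:             100000
Key Slot 1: ENABLED
    Iterations:             100000
Key Slot 2: DISABLED
EOF
}

# Slot 1 holds the new passphrase in this sample; slot 0 is the candidate
# for `cryptsetup luksKillSlot device key-slot`.
sample_dump | stale_slots 1
```

To find the slot that holds the new passphrase, cryptsetup -v luksOpen --test-passphrase device reports which key slot a passphrase unlocks.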
19.3.4. Setting up emergency passphrases
In some circumstances (such as traveling for business) it is impractical for system administrators to
work directly with the affected systems, but users still need access to their data. In this case,
volume_key can work with passphrases as well as encryption keys.
During the system installation, run:
volume_key --save /path/to/volume -c /path/to/ert --create-random-passphrase passphrase-packet
This generates a random passphrase, adds it to the specified volume, and stores it to
passphrase-packet. It is also possible to combine the --create-random-passphrase and -o
options to generate both packets at the same time.
If a user forgets the password, the designated user runs:
volume_key --secrets -d /your/nss/directory passphrase-packet
This shows the random passphrase. Give this passphrase to the end user.
19.4. volume_key References
More information on volume_key can be found:
in the readme file located at /usr/share/doc/volume_key-*/README
on volume_key's manpage using man volume_key
online at http://fedoraproject.org/wiki/Disk_encryption_key_escrow_use_cases
Chapter 19. The volume_key function