heirecka / volume_key

Forked from volume_key 6 months ago
Clone
README
About
=====
The volume_key project provides a libvolume_key, a library for manipulating
storage volume encryption keys and storing them separately from volumes, and an
associated command-line tool, named volume_key.

The main goal of the software is to allow restoring access to an encrypted
hard drive if the primary user forgets the passphrase.  The encryption key
back up can also be useful for extracting data after a hardware or software
failure that corrupts the header of the encrypted volume, or to access the
company data after an employee leaves abruptly.

In a corporate setting the IT help desk could use it to back up the encryption
keys before handing the computer over to the end user.  volume_key can be used
by individual users as well.

volume_key currently supports only the LUKS volume encryption format.  Support
for other formats is possible, some formats are planned for future releases.

The project's home page is at https://pagure.io/volume_key .

Using volume_key stand-alone
============================
As an individual user, you can use volume_key to save the encryption keys like
this:

* Run
        volume_key --save /path/to/volume -o escrow-packet
  You will be prompted for an escrow packet passphrase to protect the key.

  In all examples in this file, /path/to/volume is a LUKS device, not the
  plaintext device contained within: (blkid -s TYPE /path/to/volume) should
  report TYPE="crypto_LUKS".

* Save the generated `escrow-packet' file, make sure you won't forget the
  passphrase.

If you forget the volume passphrase and want to use the saved escrow packet to
restore access to your data:

* Boot the system in an environment where you can run volume_key and you have
  the escrow packet available (e.g. a rescue mode).
* Run
        volume_key --restore /path/to/volume escrow-packet
  You will be prompted for the escrow packet passphrase you used when creating
  the escrow packet, and for a new passphrase for the volume.
* You can now mount the volume using the chosen volume passphrase.
  If you want to, you can remove the old passphrase you forgot by using e.g.
  (cryptsetup luksKillSlot), to free up the passphrase slot in the LUKS header
  of your encrypted volume.

Using volume_key in a larger organization
=========================================

In a larger organization, it is impractical to use a single password known
by every system administrator that installs a system, as well as to keep
track of a separate password for each system.  volume_key can use asymmetric
cryptography to minimize the number of people who know the password necessary
to access encrypted data on any computer.

Preparation
-----------

A little preparation is necessary before saving encryption keys:
* Create a X509 certificate/private key pair.  Consider signing the certificate
  by your company CA, if you have one.
* Designate users that will be able to decrypt the escrow packets.  These
  users are trusted not to compromise the private key.
* Choose which systems will be used to decrypt the escrow packets.
* On these systems, set up a NSS database that contains the private key.  If
  the private key was not created in a NSS database in the first place, follow
  these steps:
  * Store the certificate and private key in a PKCS#12 file.
  * Run
        certutil -d /your/nss/directory -N
    You'll be able to choose a NSS database password at this point.  Each NSS
    database can have a different password (the designated users do not need to
    share a single password if each user uses a separate NSS database).
  * Run
        pk12util -d /your/nss/directory -i your-pkcs12-file
* Distribute the certificate to everyone who will be installing systems or
  saving keys on existing systems.
* Prepare storage for the saved private keys, that allows you to look them up
  by machine and volume.  This can be e.g. a simple directory with one
  subdirectory per machine, or a database that you use for other system
  management tasks as well.

Saving encryption keys
----------------------

* Run
	volume_key --save /path/to/volume -c /path/to/cert -o escrow-packet
  where /path/to/cert points to the certificate distributed in the preparation
  phase.

  In all examples in this file, /path/to/volume is a LUKS device, not the
  plaintext device contained within: (blkid -s TYPE /path/to/volume) should
  report TYPE="crypto_LUKS".
* Save the generated `escrow-packet' file in the prepared storage, associating
  it with the system and the volume.

These steps can be performed manually, or scripted as a part of system
installation.

Restoring access to a volume
----------------------------

* Get the escrow packet for the volume from your packet storage, send it to
  one of the designated users for decryption.
* The designated user will run
        volume_key --reencrypt -d /your/nss/directory escrow-packet-in \
                -o escrow-packet-out
  After providing the NSS database password, the designated user chooses a
  passphrase for encrypting escrow-packet-out.  This passphrase can be different
  each time, and only protects the encryption keys while they are moved from
  the designated user to the target system.
* Get the `escrow-packet-out' file and the passphrase from the designated user.
* Boot the target system in an environment where you can run volume_key and you
  have the `escrow-packet-out' file available (e.g. a rescue mode).
* Run
        volume_key --restore /path/to/volume escrow-packet-out
  You will be prompted for the packet passphrase chosen by the designated user,
  and for a new passphrase for the volume.
* You can now mount the volume using the chosen volume passphrase.
  If you want to, you can remove the old passphrase you forgot by using e.g.
  (cryptsetup luksKillSlot), to free up the passphrase slot in the LUKS header
  of your encrypted volume.

Setting up emergency passphrases
--------------------------------
In some cases (e.g. business travel) it is not practical for system
administrators to work with the affected systems directly, but users still need
access to their data.  To handle this case, volume_key can work with passphrases
as well as encryption keys.

During system installation, run
	volume_key --save /path/to/volume -c /path/to/cert \
                --create-random-passphrase passphrase-packet
This will generate a random passphrase, add it to the specified volume, and
store it to `passphrase-packet'.  (You can also combine the
--create-random-passphrase and -o options to generate both packet at the same
time.)

When an user forgets the password, let the designated user run
        volume_key --secrets -d /your/nss/directory passphrase-packet
This will show the random passphrase.  Give this passphrase to the end user.

More
====
See volume_key(8) for more possibilities how to use the volume_key utility.

Bugs
====
Please consider reporting the bug to your distribution's bug tracking system.

Otherwise, please report bugs at https://pagure.io/volume_key .  Pull requests
are especially welcome.