volume.tc is a TrueCrypt volume.
When mounting the volume, the user is prompted for the volume password.
After entering the correct volume password, the user is given the option
to escrow the keys for this volume.
If the user selects Yes, prompts for the network username and password
follow.
[root@bobby truecrypt]# truecrypt volume.tc /mnt
Enter password for '/root/truecrypt/volume.tc':
Do you want to escrow the keys for this volume? [Y/n]: Y
Enter your network username: rollins
Enter the network passwd for 'rollins':
Your key escrow number is 5
[root@bobby truecrypt]#

[root@bobby truecrypt]# truecrypt volume.tc /mnt
Enter password for '/root/truecrypt/volume.tc':
Do you want to escrow the keys for this volume? [Y/n]: Y
Enter your network username: rollins
The keys for this volume are already stored on the server.
This key escrow number is 5
[root@bobby truecrypt]#

[root@bobby truecrypt]# truecrypt volume.tc /mnt
Enter password for '/root/truecrypt/volume.tc':
Do you want to escrow the keys for this volume? [Y/n]: Y
Enter your network username: mike
Enter the network passwd for 'mike':
Your key escrow number is 6
[root@bobby truecrypt]#
The restore process must be performed by an authorized user from an allowed network, and the user must have the RSA private key.
To restore the keys (or reset the password), the truecrypt command is issued with
the -R option. The -R option is followed by the username of an authorized user and then
the TrueCrypt file or device.
The network from which restore commands are allowed is specified in the XML configuration file
with the <ADMIN_SUBNET_MASK> element.
A user is considered authorized if the USER table has a value of 1 in the USER_ADMIN column for that user.
In the following example, we grant the user rollins authorization
to restore key information.
[root@terry wfu]# mysql -u wfu_user wfu_db --password=wfu_passwd
mysql> update USER set USER_ADMIN=1 where USER_NAME='rollins';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> select * from USER;
+---------+-----------+------------+
| USER_ID | USER_NAME | USER_ADMIN |
+---------+-----------+------------+
|       1 | rollins   |          1 |
|       2 | mike      |          1 |
|       3 | bob       |          0 |
|       4 | joe       |          0 |
+---------+-----------+------------+
4 rows in set (0.00 sec)

mysql>
In this example, the user rollins is performing a reset on the
TrueCrypt volume volume.tc. The server returns two
possible matches. For each match we see the date of escrow, the escrow number and the username.
Both entries reference the same set of keys, but they were escrowed by two
different users. The user selects entry 5 for the restore.
[root@bobby truecrypt]# truecrypt -R rollins volume.tc
Enter the network passwd for 'rollins':
Checking the server for possible matches...
Normal header search: 2
2007-08-15 20:12:29: 5 rollins
2007-08-15 20:30:39: 6 mike
Enter PK number : 5
Enter new password for 'volume.tc':
Re-enter new password:
TrueCrypt will now collect random data.
Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: n
Please type at least 320 randomly chosen characters and then press Enter: fre356t6432wry8i87y6tr5reasdfas...
Password changed.
[root@bobby truecrypt]#
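The two server-side gates on a restore request (source address inside ADMIN_SUBNET_MASK, USER_ADMIN=1 in the USER table) and the "Normal header search" listing above, as an added illustration that is not the project's own code. The USER table and its columns are taken from the page; the ESCROW table, the HEADER_ID column and the CIDR form of ADMIN_SUBNET_MASK are assumptions, and the data is constructed to match the sessions shown.

```python
import ipaddress
import sqlite3

# Constructed in-memory stand-in for the wfu_db USER table plus an ASSUMED
# ESCROW table; the real escrow schema is not shown in the documentation.
SCHEMA = """
CREATE TABLE USER (USER_ID INTEGER PRIMARY KEY, USER_NAME TEXT, USER_ADMIN INTEGER);
CREATE TABLE ESCROW (PK INTEGER PRIMARY KEY, ESCROWED_AT TEXT, USER_NAME TEXT, HEADER_ID TEXT);
INSERT INTO USER VALUES (1,'rollins',1),(2,'mike',1),(3,'bob',0),(4,'joe',0);
INSERT INTO ESCROW VALUES
  (5,'2007-08-15 20:12:29','rollins','hdr-volume-tc'),
  (6,'2007-08-15 20:30:39','mike','hdr-volume-tc'),
  (7,'2007-08-16 09:01:00','bob','hdr-other');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def restore_allowed(conn, username, src_ip, admin_subnet):
    """Return (allowed, reason). The caller must come from the admin subnet
    AND be flagged USER_ADMIN=1; possession of the RSA private key is a
    third, client-side requirement not modelled here."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(admin_subnet):
        return False, "source address outside ADMIN_SUBNET_MASK"
    row = conn.execute("SELECT USER_ADMIN FROM USER WHERE USER_NAME=?",
                       (username,)).fetchone()
    if row is None:
        return False, "unknown user"
    if row[0] != 1:
        return False, "USER_ADMIN is not 1"
    return True, "ok"

def header_matches(conn, header_id):
    """Every escrow record for the same volume header, oldest first, in the
    'date: escrow-number username' form printed by the restore command."""
    rows = conn.execute(
        "SELECT ESCROWED_AT, PK, USER_NAME FROM ESCROW "
        "WHERE HEADER_ID=? ORDER BY ESCROWED_AT", (header_id,)).fetchall()
    return [f"{at}: {pk} {user}" for at, pk, user in rows]

if __name__ == "__main__":
    db = open_db()
    print(restore_allowed(db, "rollins", "10.1.2.3", "10.1.0.0/16"))
    print(restore_allowed(db, "bob", "10.1.2.3", "10.1.0.0/16"))
    print("\n".join(header_matches(db, "hdr-volume-tc")))
```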
Let's say one of your users has a 2 Gig USB Jump Drive formatted as a TrueCrypt volume. The user forgets his password and calls the Help Desk. It is not practical for the user to come by the Help Desk, and the 2 Gig size makes a network transfer a little cumbersome.
To expedite the restore process, a restore can be performed on a header backup. The user performs a header backup and sends the 1 KB backup file to the Help Desk. The restore is made to the header backup file and the file is sent back to the user. When the user restores the new header, he can use his new password to access his data.
The restore command behaves the same as with the actual volume. This also works on regular and hidden volumes.