
Ask HN: How would you implement key escrow for FDE on a Linux workstation? - walrus01
I'm looking into what it would take to implement key escrow/recovery with full disk encryption on a series of workstation laptops. The laptop software image will be based on Xubuntu 16.04, so basically Linux + xorg + xfce4. The plan is to deploy everything with /home/ as its own encrypted partition.

Ordinary passphrase-based FDE isn't sufficient in this case as we need the ability to recover the contents of a company-owned laptop in the event that a person refuses to give up the passphrase and goes rogue, gets fired or for a variety of legal/regulatory reasons. Has anyone implemented something like this for a corporate Linux workstation environment?
======
detaro
LUKS can have multiple valid keys for an encrypted partition, this might be a
starting point?

[https://wiki.archlinux.org/index.php/Dm-crypt/Device_encrypt...](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_management)
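
A fleet-audit check built on the multiple-key-slot idea in the comment above, added here as an example and not part of the thread: it parses a raw LUKS1 header (the on-disk format written by cryptsetup 1.x) and reports whether the slot reserved for the escrow key is enabled. The slot convention (slot 0 for the user, slot 1 for escrow), the function names and the sample header builder are assumptions made for illustration.

```python
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
HDR_FMT = ">6sH32s32s32sII20s32sI40s"  # fixed LUKS1 header fields, 208 bytes
SLOT_FMT = ">II32sII"                   # state, iterations, salt, offset, stripes
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
NUM_SLOTS = 8
HDR_LEN = struct.calcsize(HDR_FMT) + NUM_SLOTS * struct.calcsize(SLOT_FMT)  # 592


def active_slots(header):
    """Return the indices of enabled key slots in a raw LUKS1 header."""
    if len(header) < HDR_LEN:
        raise ValueError("truncated LUKS1 header")
    magic, version = struct.unpack_from(">6sH", header)
    if magic != LUKS1_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    enabled = []
    for i in range(NUM_SLOTS):
        offset = struct.calcsize(HDR_FMT) + i * struct.calcsize(SLOT_FMT)
        (state,) = struct.unpack_from(">I", header, offset)
        if state == SLOT_ENABLED:
            enabled.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError("slot %d has an unknown state marker" % i)
    return enabled


def escrow_slot_present(header, escrow_slot=1):
    """True if the slot reserved for the escrow key (assumed: slot 1) is enabled.

    The header shows only that a slot is in use, not whose key it holds, so
    recovery should still be tested with the escrowed key itself.
    """
    return escrow_slot in active_slots(header)


def build_sample_header(enabled):
    """Constructed header for the demo; key material and digests are zeroed."""
    fixed = struct.pack(HDR_FMT, LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                        4096, 64, bytes(20), bytes(32), 1000, b"constructed-sample")
    slots = b"".join(
        struct.pack(SLOT_FMT, SLOT_ENABLED if i in enabled else SLOT_DISABLED,
                    1000, bytes(32), 8 + 512 * i, 4000)
        for i in range(NUM_SLOTS))
    return fixed + slots


if __name__ == "__main__":
    for name, hdr in [("user+escrow", build_sample_header({0, 1})),
                      ("user only", build_sample_header({0}))]:
        print(name, active_slots(hdr), "escrow slot enabled:", escrow_slot_present(hdr))
```

On a real machine the input would be the first 592 bytes of the encrypted partition, read by a privileged inventory job.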

