LUKS Management
You asked, and we delivered. Many users shared that migrating system and data between virtual machines (VMs) was challenging due to encryption management.
FireMon now supports managing LUKS key files and passphrases, making VM cloning and encryption administration easier and more secure.
With these enhancements, you can:
- Add passphrases to encrypted drives
- Reset key files when migrating VMs
- Manage key slots directly
These options give you full control over disk encryption—without the risk of losing access due to misplaced key files or passwords.
You will need to have CLI access to the VM.
FMOS LUKS Commands
Manage LUKS passphrases and keyfiles with the following commands.
| Command | Function |
|---|---|
| Positional Arguments: | |
| add | Add a new LUKS passphrase |
| list | List information about LUKS drives |
| reset-keyfile | Resets keyfile of new machine |
| revoke | Revokes a passphrase or slot |
| Options: | |
| -h, --help | Show this help message and exit |
| --color {auto, always, never} | Control color in output |
| --quiet, -q | Suppress informational messages |
List LUKS Passphrase Slots
To see a list of LUKS drives on the system, use the command: fmos luks list
Add LUKS Passphrase
To add a passphrase, use the command: fmos luks add
This prompts for a new passphrase and adds it to the LUKS drive.
The keyfile is picked up automatically from the file on the device.
This is an implementation of cryptsetup luksAddKey <device> --key-file <keyfile name>
The command above is run on every LUKS device.
Reset LUKS Passphrase
To reset a passphrase, use the command: fmos luks reset-keyfile
Resets the keyfile to the current machine. The keyfile is always stored in slot 0.
This will set the keyfile to one on the current machine.
This is an implementation of cryptsetup luksAddKey <device> <keyfile>
This command will ask for a passphrase, so you must have set a passphrase.
Revoke LUKS Passphrase
To revoke a passphrase, use the command: fmos luks revoke
Prompts for a passphrase and revokes it from the LUKS drive. Use --slot to revoke a specific slot.
This command will let you revoke a passphrase that you have created.
This is an implementation of cryptsetup luksRemoveKey <device>
This will ask you for the passphrase to remove and remove it from every device.
fmos luks revoke --slot 1
This will revoke the passphrase in the given slot (1-7). It cannot revoke the default keyfile.
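Because reset-keyfile asks for a passphrase, it helps to confirm before migrating a VM that each LUKS device has a slot occupied besides slot 0. The script below is an added example, not FireMon code: it parses cryptsetup luksDump text, and the function names, the /dev/example path and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FireMon code): check LUKS key slots before migrating a VM.
# Real use, as root:  cryptsetup luksDump <device> | ready_for_reset

# Print occupied key-slot numbers from `cryptsetup luksDump` text on stdin.
# Handles LUKS1 ("Key Slot N: ENABLED") and the LUKS2 "Keyslots:" section.
occupied_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n = $3; sub(":", "", n); print n; next }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Za-z]/                 { in_ks = 0 }
        in_ks && /^  [0-9]+: /      { n = $1; sub(":", "", n); print n }
    '
}

# Succeed only if slot 0 (the keyfile slot, per the page) is occupied and at
# least one other slot is too, so a passphrase exists for reset-keyfile.
ready_for_reset() {
    slots=$(occupied_slots)
    printf '%s\n' "$slots" | grep -qx 0 || return 1
    [ "$(printf '%s\n' "$slots" | grep -cvx 0)" -ge 1 ]
}

# Constructed, abridged LUKS1 dump: keyfile in slot 0, passphrase in slot 1.
SAMPLE_READY='LUKS header information for /dev/example
Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

# Constructed, abridged LUKS1 dump: only the keyfile slot is in use.
SAMPLE_KEYFILE_ONLY='LUKS header information for /dev/example
Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED'

report() {  # $1 = label, $2 = dump text
    if printf '%s\n' "$2" | ready_for_reset; then
        echo "$1: passphrase slot present"
    else
        echo "$1: no passphrase slot; run 'fmos luks add' first"
    fi
}
report ready "$SAMPLE_READY"
report keyfile-only "$SAMPLE_KEYFILE_ONLY"
```

The check treats any occupied slot other than 0 as a passphrase, which follows the page's statement that the keyfile is always stored in slot 0.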