C.3.2. Saving Passphrases
If you use a kickstart file during installation, you can automatically save the passphrases used during installation to an encrypted file (an escrow packet) on the local file system. To use this feature, you must have an X.509 certificate available at a location that anaconda can access. To specify the URL of this certificate, add the --escrowcert parameter to any of the autopart, logvol, part or raid commands. During installation, the encryption keys for the specified devices are saved in files in /root, encrypted with the certificate.
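The following kickstart fragment is an added example, not part of the original guide, showing --escrowcert on a part command that creates an encrypted LVM physical volume. The certificate URL, passphrase, volume group name and sizes are constructed placeholders.

```kickstart
# Constructed example: URL, passphrase, names and sizes are placeholders.
zerombr
clearpart --all --initlabel

# /boot stays unencrypted so the boot loader can read the kernel.
part /boot --fstype=ext4 --size=500

# Encrypted physical volume. anaconda fetches the X.509 certificate from
# the --escrowcert URL and writes the escrow packet for this device to
# /root, encrypted with that certificate.
part pv.01 --size=1 --grow --encrypted --passphrase=CHANGE_ME_PLACEHOLDER --escrowcert=https://escrow.example.com/escrow-cert.pem

# Logical volumes sit inside the encrypted physical volume, so they do
# not need their own --encrypted or --escrowcert options.
volgroup vg_sys pv.01
logvol /    --vgname=vg_sys --name=lv_root --fstype=ext4 --size=8192
logvol swap --vgname=vg_sys --name=lv_swap --size=2048
```

The passphrase in a kickstart file is stored in plain text, so restrict access to the file and to the server that distributes it.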
You can save escrow packets during installation only with the use of a kickstart file; refer to Chapter 15, Kickstart Installations for more detail. You cannot save an escrow packet during an interactive installation, although you can create one on an installed system with the volume_key tool. The volume_key tool also allows you to use the information stored in an escrow packet to restore access to an encrypted volume. Refer to the volume_key manpage for more information.