Key Escrow Service

Note: Our development of the key escrow service has been put on hold. However, the code was function and is available on this site. This development was performed with a previous version of TrueCrypt.


Secure your organization's data using TrueCrypt without the risk of losing data due to forgotten passwords.


The libwfu Key Escrow Service was built to support TrueCrypt. TrueCrypt is a "Free open-source disk encryption software..."

The client/server communication was developed using sample programs from the OpenSSL project:

Other projects used in this work: and


This document covers the main components of the escrow process: the Linux server, the Linux escrow/restore client and the Windows client. This page provides a pictorial overview of how the system works.

Many security measures help protect this system. However, these also add complexity to the install process.


The Linux clients will require the XML library and the OpenSSL library. The server will require XML, OpenSSL, LDAP and MySQL. Both will be compiled with gcc. Install these utilities if you do not have them.

The Windows client will require a Windows build of the OpenSSL library and the Microsoft Driver Development Kit.

The following yum commands will install the Linux prerequisites:

Setup (do not skip this step)

This section will guide you through the setup process. This includes the configuration parameters for your environment and the database server.

The server and the Linux clients read from an XML configuration file. The configuration files on the various systems will contain different data. For example, the RSA private key will only exist on the restore client. The absence of the private key on the server reduces the risk if the server were compromised. These differences will be specified later. For now, we will create a complete configuration file to use as a reference.

The Windows client also reads its configuration from an XML file. The format of this file is different than that of the Linux client. The Windows XML configuration file provides the additional ability for customization of dialog messages. Deployment of the Windows client in a new managed envrionment should only require a few customizations to this configuration file. The difference in format is illustrated in the Windows TrueCrypt Client section.

We will use the directory /usr/local/wfu to store most of the files for the Linux Server and Linux Client.
To begin the configuration, create the /usr/local/wfu directory.

This page will help you create a complete configuration file and setup the database. (Do not skip this section!)


The server code and client patches are available in wfu.tar.gz.

The API documentation is available here.


The Linux client and server components share much code in common. To accommodate this, the majority of the code is implemented as a library file called libwfu.a. The Linux client and server statically link with this library. The Windows client also uses a portion of the libwfu.a code.

The configure script accepts the following options:

Server Install

Linux Server Install: How to compile and install the server.

Linux TrueCrypt Client

Escrow Client: How to compile and install the Linux escrow client.
Restore Client: How to compile and install the Linux restore client.
Usage: How to use the Linux escrow and restore clients.

Windows TrueCrypt Client

Escrow Client: How to build and deploy the Windows TrueCrypt escrow client.

Final Thoughts