Comment 16 for bug 579876

Robert Simmons (rsimmons0) wrote :

I have been exploring the geli encryption functions in FreeBSD, and I found that they already have a fully functioning encryption system for whole volume encryption that does not have the problem listed here in this bug. I will quote the pertinent section of their man page here.

From geli(8) in FreeBSD 8.2:
     You are the security-person in your company. Create an encrypted
     provider for use by the user, but remember that users forget their
     passphrases, so back Master Key up with your own random key:

    # dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
    # geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ad0s1e
    # geli backup /dev/ad0s1e /mnt/pendrive/backups/`hostname`
    (use key number 0, so the encrypted Master Key by you will be overwritten)
    # geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ad0s1e
    (allow the user to enter his passphrase)
    Enter new passphrase:
    Reenter new passphrase:

As you can see, they have implemented a system where the root user has a master passphrase that can be entered and used to change the user's encrypted data or passphrase.

The geli manpage can be read in full here:
http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&format=html

And the source code for geli can be found here:
http://svnweb.freebsd.org/base/head/sys/geom/eli/

I have contacted the author of the code, Pawel Jakub Dawidek, about geli in the past, and he is quite friendly. I'm sure that if you did not want to reuse the code due to its BSD rather than GPL license, he may be able to at least give you a pointer as to how to go about implementing this feature.
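The key-slot design the quoted man-page sequence relies on, modelled as an added Python example (this is not geli's code, cipher or on-disk format, and it is not part of the comment above). The point it makes concrete is that the volume's random Master Key is never stored in the clear: each key slot holds its own wrapped copy, so `geli backup` taken while slot 0 is still the administrator's random key file keeps a recoverable copy even after `geli setkey -n 0` overwrites that slot with the user's passphrase. AES-XTS/HMAC are replaced here by a hash-derived pad plus HMAC so it runs with the standard library only; function names such as `geli_init`, `geli_attach`, `geli_backup`, `geli_setkey` and `security_person_workflow` are this example's own, chosen to mirror the commands in the quote.

```python
import copy
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed toy model of the geli key-slot architecture. NOT geli's format:
# the wrap below is a SHA-256-derived pad plus HMAC (encrypt-then-MAC) standing
# in for AES, so that the example runs with only the standard library.

PBKDF2_ITERATIONS = 100_000
SLOTS = 2  # geli has two user key slots, selected with `setkey -n 0|1`

Slot = Tuple[bytes, bytes]  # (wrapped Master Key, authentication tag)


def derive_kek(salt: bytes, passphrase: Optional[bytes] = None,
               keyfile: Optional[bytes] = None) -> bytes:
    """Key-encryption key for one slot from a passphrase or a raw key file.
    (Real geli can combine both; this toy model accepts one or the other.)"""
    if passphrase is not None:
        return hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, 32)
    if keyfile is not None:
        return hmac.new(salt, keyfile, "sha256").digest()  # key file is already random
    raise ValueError("need a passphrase or a key file")


def wrap(master_key: bytes, kek: bytes) -> Slot:
    """Wrap the 32-byte Master Key under a KEK: XOR with a KEK-derived pad, then MAC."""
    pad = hashlib.sha256(kek + b"enc").digest()
    wrapped = bytes(m ^ p for m, p in zip(master_key, pad))
    tag = hmac.new(hashlib.sha256(kek + b"mac").digest(), wrapped, "sha256").digest()
    return wrapped, tag


def unwrap(slot: Slot, kek: bytes) -> Optional[bytes]:
    """Return the Master Key if this KEK opens the slot, else None (wrong key or tampered)."""
    wrapped, tag = slot
    expected = hmac.new(hashlib.sha256(kek + b"mac").digest(), wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pad = hashlib.sha256(kek + b"enc").digest()
    return bytes(c ^ p for c, p in zip(wrapped, pad))


class Metadata:
    """Provider metadata: a salt plus SLOTS key slots, each empty or a wrapped Master Key."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.slots: List[Optional[Slot]] = [None] * SLOTS


def geli_init(master_key: bytes, **key: bytes) -> Metadata:
    """`geli init`: fresh metadata with the Master Key wrapped into slot 0."""
    meta = Metadata()
    meta.slots[0] = wrap(master_key, derive_kek(meta.salt, **key))
    return meta


def geli_attach(meta: Metadata, **key: bytes) -> Optional[bytes]:
    """`geli attach`: try every slot with the supplied passphrase or key file."""
    kek = derive_kek(meta.salt, **key)
    for slot in meta.slots:
        if slot is not None:
            mk = unwrap(slot, kek)
            if mk is not None:
                return mk
    return None


def geli_backup(meta: Metadata) -> Metadata:
    """`geli backup`: a snapshot of the metadata as it is right now, slots included."""
    return copy.deepcopy(meta)


def geli_setkey(meta: Metadata, slot_no: int, current: Dict[str, bytes],
                new: Dict[str, bytes]) -> None:
    """`geli setkey -n N`: unlock with a current key, re-wrap the Master Key into slot N.
    Whatever slot N held before is overwritten, exactly as the man page warns."""
    mk = geli_attach(meta, **current)
    if mk is None:
        raise PermissionError("current key does not open any slot")
    meta.slots[slot_no] = wrap(mk, derive_kek(meta.salt, **new))


def security_person_workflow(user_passphrase: bytes = b"user chosen passphrase") -> Dict[str, bool]:
    """The quoted sequence: init with a random key file, back up, hand slot 0 to the user."""
    master_key = os.urandom(32)
    admin_keyfile = os.urandom(64)                        # dd if=/dev/random bs=64 count=1
    live = geli_init(master_key, keyfile=admin_keyfile)   # geli init -P -K keyfile
    backup = geli_backup(live)                            # geli backup (slot 0 = admin key)
    geli_setkey(live, 0, {"keyfile": admin_keyfile},
                {"passphrase": user_passphrase})          # geli setkey -n 0 -k keyfile
    return {
        "user_opens_live": geli_attach(live, passphrase=user_passphrase) == master_key,
        "admin_keyfile_opens_live": geli_attach(live, keyfile=admin_keyfile) is not None,
        "admin_keyfile_opens_backup": geli_attach(backup, keyfile=admin_keyfile) == master_key,
        "wrong_passphrase_opens_live": geli_attach(live, passphrase=b"guess") is not None,
    }


if __name__ == "__main__":
    print(security_person_workflow())
```

Running the workflow shows the property the comment is pointing at: after `setkey -n 0` the administrator's key file no longer opens the live provider (its slot was overwritten), but it still opens the backed-up metadata, which holds the same Master Key, so the user's data stays recoverable without the user's passphrase. The recovery path on a real system is the corresponding `geli restore` of that backup; the model does not implement that command.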