GitLab

we use Mandos to unlock server's LUKS-encrypted partitions on boot, but the setup is done manually. that is error-prone and slow, it's actually one of the slowest part of our install procedure.

in #31239, we identified the following steps to get this ball rolling:

• export/import firewall rules (in roles::fde)
• generate and export new LUKS key in Puppet
• import new key on mandos server
• rebuild initramfs

We should also consider alternatives to Mandos, if this "Puppetization" is too complicated. On the top of my head, there is also:

• arver
• secure enclaves and secureboot, e.g. this, this, or this, this, or mortar
• clevis (in Debian since buster), introduced by RedHat as NDBE