Opened Nov 23, 2020 by anarcat (@anarcat, Owner). 1 of 4 tasks completed.

automate/puppetize (or replace) mandos installation

We use Mandos to unlock servers' LUKS-encrypted partitions on boot, but the setup is done manually. That is error-prone and slow; it's actually one of the slowest parts of our install procedure.

In #31239, we identified the following steps to get this ball rolling:

  • export/import firewall rules (in roles::fde)
  • generate and export new LUKS key in Puppet
  • import new key on mandos server
  • rebuild initramfs

We should also consider alternatives to Mandos, if this "Puppetization" is too complicated. Off the top of my head, there are also:

  • arver
  • secure enclaves and secureboot, e.g. this, this, or this, this, or mortar
  • clevis (in Debian since buster), introduced by Red Hat as NBDE
Edited Nov 23, 2020 by anarcat
Reference: tpo/tpa/team#40096