Skip to content

GitLab

T
team

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Last edited by Antoine Beaupré
Page history

new machine mandos

Mandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.

Here's how you add a new client to our setup:

  1. add a new key to the LUKS partition and prepare mandos snippet:

     echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
 apt install -y haveged mandos-client &&
 (grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) &&
 umask 077 &&
 t=`tempfile` &&
 dd if=/dev/random bs=1 count=128 of="$t" &&
 cryptsetup luksAddKey $DEVICE "$t" &&
 mandos-keygen --passfile "$t"

    If you are unsure which device is LUKS installed on, you could check it with:

    lsblk --fs

  2. add the roles::fde class to new host in Puppet

  3. on the mandos server, add the output of mandos-keygen from above to /etc/mandos/clients.conf and restart the service:

    service mandos restart

  4. on the mandos server, update the firewall after you added the host to ldap:

    puppet agent -t

  5. on the mandos server, enable the node:

    mandos-ctl --enable $FQDN

  6. reboot the new host to test unlocking

TODO: Mandos setups should be automatic, see issue 40096.