Last edited by Antoine Beaupré Nov 23, 2020

new machine mandos

Mandos is a means of handing LUKS keys over the network to machines that want to boot but have an encrypted rootfs.

Here's how you add a new client to our setup:

  1. add a new key to the LUKS partition and prepare the Mandos client snippet:

        echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
        apt install -y haveged mandos-client &&
        (grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) &&
        umask 077 &&
        t=$(mktemp) &&
        dd if=/dev/random bs=1 count=128 of="$t" &&
        cryptsetup luksAddKey "$DEVICE" "$t" &&
        mandos-keygen --passfile "$t" &&
        rm -f "$t"   # the plaintext LUKS key is only needed by mandos-keygen; do not leave it on disk

     If you are unsure which device LUKS is installed on, you can check with:

        lsblk --fs

  2. add the roles::fde class to the new host in Puppet

  3. on the mandos server, add the output of mandos-keygen from above to /etc/mandos/clients.conf and restart the service:

        service mandos restart

  4. on the mandos server, update the firewall after you have added the host to LDAP:

        puppet agent -t

  5. on the mandos server, enable the node:

        mandos-ctl --enable $FQDN

  6. reboot the new host to test unlocking

TODO: Mandos setups should be automatic, see issue 40096.
