Antoine BeaupréMandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.
Here's how you add a new client to our setup:
-
add a new key to the LUKS partition and prepare mandos snippet:
echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE && apt install -y haveged mandos-client && (grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) && umask 077 && t=`tempfile` && dd if=/dev/random bs=1 count=128 of="$t" && cryptsetup luksAddKey $DEVICE "$t" && mandos-keygen --passfile "$t"If you are unsure which device is LUKS installed on, you could check it with:
lsblk --fs -
add the
roles::fdeclass to new host in Puppet and run puppet there:puppet agent -t -
on the mandos server, add the output of
mandos-keygenfrom above to/etc/mandos/clients.confand restart the service:service mandos restart -
on the mandos server, update the firewall after you added the host to ldap:
puppet agent -t -
on the mandos server, enable the node:
mandos-ctl --enable $FQDN -
reboot the new host to test unlocking
TODO: Mandos setups should be automatic, see issue 40096.