Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • tpa-rfc-80-merge-tor-and-tails-support-policies
  • puppet-merge-costs
  • rfc-77-improv
  • tails-merge-admin-mailing-lists
  • mkdocs
  • new-blog-doc
7 results
Blame Permalink
new-machine-mandos.md 1.11 KiB

Mandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.

Here's how you add a new client to our setup:

  1. add a new key to the LUKS partition and prepare mandos snippet:

     echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
 apt install -y haveged mandos-client &&
 (grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) &&
 umask 077 &&
 t=`tempfile` &&
 dd if=/dev/random bs=1 count=128 of="$t" &&
 cryptsetup luksAddKey $DEVICE "$t" &&
 mandos-keygen --passfile "$t"

  2. add the output of mandos-keygen from above to /etc/mandos/clients.conf on the mandos-server and service mandos restart and puppet agent -t (to update the firewall after you added the host to ldap) and enable the node with mandos-ctl --enable FQDN

  3. add the machine to the roles::fde class in Puppet

  4. rebuild the initrd on the new host update-initramfs -u and reboot