Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • tpa-rfc-80-merge-tor-and-tails-support-policies
  • puppet-merge-costs
  • rfc-77-improv
  • tails-merge-admin-mailing-lists
  • mkdocs
  • new-blog-doc
7 results
Blame Permalink
new-machine-mandos.mdwn 1.04 KiB 

Mandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.

Here's how you add a new client to our setup:

 1. add a new key to the LUKS partition and prepare mandos snippet:

         echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
         apt install -y haveged mandos-client &&
         (grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) &&
         umask 077 &&
         t=`tempfile` &&
         dd if=/dev/random bs=1 count=128 of="$t" &&
         cryptsetup luksAddKey $DEVICE "$t" &&
         mandos-keygen --passfile "$t"

 1. add the output of `mandos-keygen` from above to `/etc/mandos/clients.conf` on the mandos-server and `service mandos restart` and `puppet agent -t` (to update the firewall after you added the host to ldap)

 2. add the machine to the `roles::fde` class in Puppet
 1. rebuild the initrd on the new host `update-initramfs -u` and reboot