mandos-keygen - Generate key and password for Mandos client and server.
Contents
Bugs
The --password/-p option strips white space from the start and from the end of the password before using
it. If this is a problem, use the --passfile option instead, which does not do this.
Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se> (subscription
required). Note that this list is public. The developers can be reached privately at
<mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for
encrypted mail).
Copyright
Copyright © 2008-2019 Teddy Hogeborn, Björn Påhlsson
This manual page is part of Mandos.
Mandos is free software: you can redistribute it and/or modify it under the terms of the GNU General
Public License as published by the Free Software Foundation, either version 3 of the License, or (at your
option) any later version.
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.
You should have received a copy of the GNU General Public License along with Mandos. If not, see
http://www.gnu.org/licenses/.
Mandos 1.8.19 2019-07-18 MANDOS-KEYGEN(8)
Description
mandos-keygen is a program to generate the TLS and OpenPGP keys used by mandos-client(8mandos). The keys are normally written to /etc/keys/mandos for later installation into the initrd image, but this, and most other things, can be changed with command line options. This program can also be used with the --password or --passfile options to generate a ready-made section for clients.conf (see mandos-clients.conf(5)).
Environment
TMPDIR
If set, temporary files will be created here. See mktemp(1).
Example
Normal invocation needs no options:
mandos-keygen
Create key in another directory and of another type. Force overwriting old key files:
mandos-keygen--dir~/keydir--typeRSA--force
Prompt for a password, encrypt it with the keys in /etc/keys/mandos and output a section suitable for
clients.conf.
mandos-keygen--password
Prompt for a password, encrypt it with the keys in the client-key directory and output a section suitable
for clients.conf.
mandos-keygen--password--dirclient-keyExit Status
The exit status will be 0 if a new key (or password, if the --password option was used) was successfully
created, otherwise not.
Files
Use the --dir option to change where mandos-keygen will write the key files. The default file names are
shown here.
/etc/keys/mandos/seckey.txt
OpenPGP secret key file which will be created or overwritten.
/etc/keys/mandos/pubkey.txt
OpenPGP public key file which will be created or overwritten.
/etc/keys/mandos/tls-privkey.pem
Private key file which will be created or overwritten.
/etc/keys/mandos/tls-pubkey.pem
Public key file which will be created or overwritten.
/tmp
Temporary files will be written here if TMPDIR is not set.
Name
mandos-keygen - Generate key and password for Mandos client and server.
Options
--help, -h
Show a help message and exit
--dirDIRECTORY, -dDIRECTORY
Target directory for key files. Default is /etc/keys/mandos.
--typeTYPE, -tTYPE
OpenPGP key type. Default is “RSA”.
--lengthBITS, -lBITS
OpenPGP key length in bits. Default is 4096.
--subtypeKEYTYPE, -sKEYTYPE
OpenPGP subkey type. Default is “RSA”
--sublengthBITS, -LBITS
OpenPGP subkey length in bits. Default is 4096.
--emailADDRESS, -eADDRESS
Email address of key. Default is empty.
--commentTEXT, -cTEXT
Comment field for key. Default is empty.
--expireTIME, -xTIME
Key expire time. Default is no expiration. See gpg(1) for syntax.
--tls-keytypeKEYTYPE, -TKEYTYPE
TLS key type. Default is “ed25519”
--force, -f
Force overwriting old key.
--password, -p
Prompt for a password and encrypt it with the key already present in either /etc/keys/mandos or the
directory specified with the --dir option. Outputs, on standard output, a section suitable for
inclusion in mandos-clients.conf(8). The host name or the name specified with the --name option is
used for the section header. All other options are ignored, and no key is created. Note: white space
is stripped from the beginning and from the end of the password; See the section called “BUGS”.
--passfileFILE, -FFILE
The same as --password, but read from FILE, not the terminal, and white space is not stripped from
the password in any way.
--no-ssh, -S
When --password or --passfile is given, this option will prevent mandos-keygen from calling
ssh-keyscan to get an SSH fingerprint for this host and, if successful, output suitable config
options to use this fingerprint as a checker option in the output. This is otherwise the default
behavior.
Overview
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the
same time be capable of remote and/or unattended reboots. The computers run a small client program in the
initial RAM disk environment which will communicate with a server over a network. All network
communication is encrypted using TLS. The clients are identified by the server using a TLS key; each
client has one unique to it. The server sends the clients an encrypted password. The encrypted password
is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the
root file system, whereupon the computers can continue booting normally.
This program is a small utility to generate new TLS and OpenPGP keys for new Mandos clients, and to
generate sections for inclusion in clients.conf on the server.
Purpose
The purpose of this is to enable remoteandunattendedrebooting of client host computer with an
encryptedrootfilesystem. See the section called “OVERVIEW” for details.
Security
The --type, --length, --subtype, and --sublength options can be used to create keys of low security. If
in doubt, leave them to the default values.
The key expire time is not guaranteed to be honored by mandos(8).
See Also
intro(8mandos), gpg(1), mandos-clients.conf(5), mandos(8), mandos-client(8mandos), ssh-keyscan(1)
Synopsis
mandos-keygen [--dirDIRECTORY | -dDIRECTORY]
[--typeKEYTYPE | -tKEYTYPE]
[--lengthBITS | -lBITS]
[--subtypeKEYTYPE | -sKEYTYPE]
[--sublengthBITS | -LBITS]
[--nameNAME | -nNAME]
[--emailADDRESS | -eADDRESS]
[--commentTEXT | -cTEXT]
[--expireTIME | -xTIME]
[--tls-keytypeKEYTYPE | -TKEYTYPE]
[--force | -f]
mandos-keygen {--password | -p | --passfileFILE | -FFILE}
[--dirDIRECTORY | -dDIRECTORY]
[--nameNAME | -nNAME] [--no-ssh | -S]
mandos-keygen {--help | -h}
mandos-keygen {--version | -v}
