logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

mandos-keygen - Generate key and password for Mandos client and server.

Bugs

       The --password/-p option strips white space from the start and from the end of the password before using
       it. If this is a problem, use the --passfile option instead, which does not do this.

       Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se> (subscription
       required). Note that this list is public. The developers can be reached privately at
       <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for
       encrypted mail).

Description

mandos-keygen is a program to generate the TLS and OpenPGP keys used by mandos-client(8mandos). The keys
       are normally written to /etc/keys/mandos for later installation into the initrd image, but this, and most
       other things, can be changed with command line options.

       This program can also be used with the --password or --passfile options to generate a ready-made section
       for clients.conf (see mandos-clients.conf(5)).

Environment

TMPDIR
           If set, temporary files will be created here. See mktemp(1).

Example

       Normal invocation needs no options:

       mandos-keygen

       Create key in another directory and of another type. Force overwriting old key files:

       mandos-keygen--dir~/keydir--typeRSA--force

       Prompt for a password, encrypt it with the keys in /etc/keys/mandos and output a section suitable for
       clients.conf.

       mandos-keygen--password

       Prompt for a password, encrypt it with the keys in the client-key directory and output a section suitable
       for clients.conf.

       mandos-keygen--password--dirclient-key

Exit Status

       The exit status will be 0 if a new key (or password, if the --password option was used) was successfully
       created, otherwise not.

Files

       Use the --dir option to change where mandos-keygen will write the key files. The default file names are
       shown here.

       /etc/keys/mandos/seckey.txt
           OpenPGP secret key file which will be created or overwritten.

       /etc/keys/mandos/pubkey.txt
           OpenPGP public key file which will be created or overwritten.

       /etc/keys/mandos/tls-privkey.pem
           Private key file which will be created or overwritten.

       /etc/keys/mandos/tls-pubkey.pem
           Public key file which will be created or overwritten.

       /tmp
           Temporary files will be written here if TMPDIR is not set.

Name

       mandos-keygen - Generate key and password for Mandos client and server.

Options

--help, -h
           Show a help message and exit

       --dirDIRECTORY, -dDIRECTORY
           Target directory for key files. Default is /etc/keys/mandos.

       --typeTYPE, -tTYPE
           OpenPGP key type. Default is “RSA”.

       --lengthBITS, -lBITS
           OpenPGP key length in bits. Default is 4096.

       --subtypeKEYTYPE, -sKEYTYPE
           OpenPGP subkey type. Default is “RSA”

       --sublengthBITS, -LBITS
           OpenPGP subkey length in bits. Default is 4096.

       --emailADDRESS, -eADDRESS
           Email address of key. Default is empty.

       --commentTEXT, -cTEXT
           Comment field for key. Default is empty.

       --expireTIME, -xTIME
           Key expire time. Default is no expiration. See gpg(1) for syntax.

       --tls-keytypeKEYTYPE, -TKEYTYPE
           TLS key type. Default is “ed25519”

       --force, -f
           Force overwriting old key.

       --password, -p
           Prompt for a password and encrypt it with the key already present in either /etc/keys/mandos or the
           directory specified with the --dir option. Outputs, on standard output, a section suitable for
           inclusion in mandos-clients.conf(8). The host name or the name specified with the --name option is
           used for the section header. All other options are ignored, and no key is created. Note: white space
           is stripped from the beginning and from the end of the password; See the section called “BUGS”.

       --passfileFILE, -FFILE
           The same as --password, but read from FILE, not the terminal, and white space is not stripped from
           the password in any way.

       --no-ssh, -S
           When --password or --passfile is given, this option will prevent mandos-keygen from calling
           ssh-keyscan to get an SSH fingerprint for this host and, if successful, output suitable config
           options to use this fingerprint as a checker option in the output. This is otherwise the default
           behavior.

Overview

       This is part of the Mandos system for allowing computers to have encrypted root file systems and at the
       same time be capable of remote and/or unattended reboots. The computers run a small client program in the
       initial RAM disk environment which will communicate with a server over a network. All network
       communication is encrypted using TLS. The clients are identified by the server using a TLS key; each
       client has one unique to it. The server sends the clients an encrypted password. The encrypted password
       is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the
       root file system, whereupon the computers can continue booting normally.

       This program is a small utility to generate new TLS and OpenPGP keys for new Mandos clients, and to
       generate sections for inclusion in clients.conf on the server.

Purpose

       The purpose of this is to enable remoteandunattendedrebooting of client host computer with an
       encryptedrootfilesystem. See the section called “OVERVIEW” for details.

Security

       The --type, --length, --subtype, and --sublength options can be used to create keys of low security. If
       in doubt, leave them to the default values.

       The key expire time is not guaranteed to be honored by mandos(8).

See Also

intro(8mandos), gpg(1), mandos-clients.conf(5), mandos(8), mandos-client(8mandos), ssh-keyscan(1)

Synopsis

mandos-keygen [--dirDIRECTORY | -dDIRECTORY]
                     [--typeKEYTYPE | -tKEYTYPE]
                     [--lengthBITS | -lBITS]
                     [--subtypeKEYTYPE | -sKEYTYPE]
                     [--sublengthBITS | -LBITS]
                     [--nameNAME | -nNAME]
                     [--emailADDRESS | -eADDRESS]
                     [--commentTEXT | -cTEXT]
                     [--expireTIME | -xTIME]
                     [--tls-keytypeKEYTYPE | -TKEYTYPE]
                     [--force | -f]

       mandos-keygen {--password | -p | --passfileFILE | -FFILE}
                     [--dirDIRECTORY | -dDIRECTORY]
                     [--nameNAME | -nNAME] [--no-ssh | -S]

       mandos-keygen {--help | -h}

       mandos-keygen {--version | -v}

See Also