NAME
mandos-keygen — Generate key and password for Mandos client and server.

SYNOPSIS
mandos-keygen [--dir DIRECTORY | -d DIRECTORY] [--type KEYTYPE | -t KEYTYPE]
    [--length BITS | -l BITS] [--subtype KEYTYPE | -s KEYTYPE]
    [--sublength BITS | -L BITS] [--name NAME | -n NAME]
    [--email ADDRESS | -e ADDRESS] [--comment TEXT | -c TEXT]
    [--expire TIME | -x TIME] [--tls-keytype KEYTYPE | -T KEYTYPE]
    [--force | -f]

mandos-keygen {--password | -p | --passfile FILE | -F FILE}
    [--dir DIRECTORY | -d DIRECTORY] [--name NAME | -n NAME] [--no-ssh | -S]

mandos-keygen {--help | -h}

mandos-keygen {--version | -v}
DESCRIPTION
mandos-keygen is a program to generate the TLS and OpenPGP keys used by mandos-client(8mandos). The keys are normally written to /etc/keys/mandos for later installation into the initrd image, but this, and most other things, can be changed with command line options.

This program can also be used with the --password or --passfile options to generate a ready-made section for clients.conf (see mandos-clients.conf(5)).

The purpose of this is to enable remote and unattended rebooting of a client host computer with an encrypted root file system. See the OVERVIEW section below for details.
OPTIONS
--help, -h
    Show a help message and exit.

--dir DIRECTORY, -d DIRECTORY
    Target directory for key files. Default is /etc/keys/mandos.

--type TYPE, -t TYPE
    OpenPGP key type. Default is “RSA”.

--length BITS, -l BITS
    OpenPGP key length in bits. Default is 4096.

--subtype KEYTYPE, -s KEYTYPE
    OpenPGP subkey type. Default is “RSA”.

--sublength BITS, -L BITS
    OpenPGP subkey length in bits. Default is 4096.

--email ADDRESS, -e ADDRESS
    Email address of key. Default is empty.

--comment TEXT, -c TEXT
    Comment field for key. Default is empty.

--expire TIME, -x TIME
    Key expire time. Default is no expiration. See gpg(1) for syntax.

--tls-keytype KEYTYPE, -T KEYTYPE
    TLS key type. Default is “ed25519”.

--force, -f
    Force overwriting old key.

--password, -p
    Prompt for a password and encrypt it with the key already present in either /etc/keys/mandos or the directory specified with the --dir option. Outputs, on standard output, a section suitable for inclusion in mandos-clients.conf(5). The host name, or the name specified with the --name option, is used for the section header. All other options are ignored, and no key is created. Note: white space is stripped from the beginning and from the end of the password; see the BUGS section below.

--passfile FILE, -F FILE
    The same as --password, but the password is read from FILE, not the terminal, and white space is not stripped from the password in any way.

--no-ssh, -S
    When --password or --passfile is given, this option prevents mandos-keygen from calling ssh-keyscan to get an SSH fingerprint for this host and, if successful, outputting suitable config options to use this fingerprint as a checker option in the output. This is otherwise the default behavior.
OVERVIEW
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using a TLS key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally.

This program is a small utility to generate new TLS and OpenPGP keys for new Mandos clients, and to generate sections for inclusion in clients.conf on the server.
EXIT STATUS
The exit status will be 0 if a new key (or password, if the --password option was used) was successfully created, otherwise not.
FILES
Use the --dir option to change where mandos-keygen will write the key files. The default file names are shown here.

/etc/keys/mandos/seckey.txt
    OpenPGP secret key file which will be created or overwritten.

/etc/keys/mandos/pubkey.txt
    OpenPGP public key file which will be created or overwritten.

/etc/keys/mandos/tls-privkey.pem
    Private key file which will be created or overwritten.

/etc/keys/mandos/tls-pubkey.pem
    Public key file which will be created or overwritten.

/tmp
    Temporary files will be written here if TMPDIR is not set.
BUGS
The --password (-p) option strips white space from the start and from the end of the password before using it. If this is a problem, use the --passfile option instead, which does not do this.

Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se> (subscription required). Note that this list is public. The developers can be reached privately at <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail).
EXAMPLE
Normal invocation needs no options:

    mandos-keygen

Create key in another directory and of another type. Force overwriting old key files:

    mandos-keygen --dir ~/keydir --type RSA --force

Prompt for a password, encrypt it with the keys in /etc/keys/mandos and output a section suitable for clients.conf:

    mandos-keygen --password

Prompt for a password, encrypt it with the keys in the client-key directory and output a section suitable for clients.conf:

    mandos-keygen --password --dir client-key
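A shell wrapper for the workflow shown above, added here as an example that is not part of the Mandos project or its man page: it runs mandos-keygen into a chosen --dir, checks that the four documented key files were actually written, and then emits the clients.conf section from a password file so the step needs no terminal. The function names, the FORCE variable and the umask choice are the example's own assumptions.

```shell
#!/bin/sh
# Example wrapper around mandos-keygen (not part of Mandos itself).
# Restrict permissions on anything this script creates; the example's own
# choice, not something mandos-keygen requires.
umask 077

# The four files the man page documents mandos-keygen writes into --dir.
MANDOS_KEY_FILES="seckey.txt pubkey.txt tls-privkey.pem tls-pubkey.pem"

# missing_key_files DIR: print the documented key files that are absent
# or empty in DIR (space separated, empty output if all are present).
missing_key_files() {
    dir=$1
    missing=""
    for f in $MANDOS_KEY_FILES; do
        [ -s "$dir/$f" ] || missing="$missing $f"
    done
    printf '%s' "${missing# }"
}

# generate_client_keys DIR: run mandos-keygen into DIR, refusing to touch a
# complete key set unless FORCE=1 (which passes --force through), then
# verify that every documented output file exists and is non-empty.
generate_client_keys() {
    dir=$1
    if [ -z "$(missing_key_files "$dir")" ] && [ "${FORCE:-0}" != 1 ]; then
        echo "keys already present in $dir; set FORCE=1 to overwrite" >&2
        return 2
    fi
    mandos-keygen --dir "$dir" ${FORCE:+--force} || return 1
    left=$(missing_key_files "$dir")
    if [ -n "$left" ]; then
        echo "mandos-keygen did not produce: $left" >&2
        return 1
    fi
}

# emit_client_section DIR NAME PASSFILE: print the clients.conf section for
# NAME, encrypting the password read from PASSFILE with the keys in DIR.
# --passfile is used instead of --password so no white space is stripped.
emit_client_section() {
    mandos-keygen --passfile "$3" --dir "$1" --name "$2"
}

# Usage (only runs when three arguments are given, so sourcing is safe):
#   FORCE=1 sh this-script.sh /etc/keys/mandos myhost /root/passfile
if [ $# -eq 3 ]; then
    generate_client_keys "$1" && emit_client_section "$1" "$2" "$3"
fi
```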
SECURITY
The --type, --length, --subtype, and --sublength options can be used to create keys of low security. If in doubt, leave them at the default values.

The key expire time is not guaranteed to be honored by mandos(8).