MANDOS-KEYGEN(8) | Mandos Manual | MANDOS-KEYGEN(8)
NAME
mandos-keygen - Generate key and password for Mandos client and server.
SYNOPSIS
mandos-keygen
[--dir DIRECTORY |
-d DIRECTORY]
[--type KEYTYPE |
-t KEYTYPE]
[--length BITS |
-l BITS]
[--subtype KEYTYPE |
-s KEYTYPE]
[--sublength BITS |
-L BITS]
[--name NAME |
-n NAME]
[--email ADDRESS |
-e ADDRESS]
[--comment TEXT |
-c TEXT]
[--expire TIME |
-x TIME]
[--tls-keytype KEYTYPE |
-T KEYTYPE]
[--force | -f]
mandos-keygen {--password | -p |
--passfile FILE | -F FILE}
[--dir DIRECTORY |
-d DIRECTORY]
[--name NAME |
-n NAME] [--no-ssh | -S]
mandos-keygen {--help | -h}
mandos-keygen {--version | -v}
DESCRIPTION
mandos-keygen is a program to generate the TLS and OpenPGP keys used by mandos-client(8mandos). The keys are normally written to /etc/keys/mandos for later installation into the initrd image, but this, and most other things, can be changed with command line options.
This program can also be used with the --password or --passfile options to generate a ready-made section for clients.conf (see mandos-clients.conf(5)).
PURPOSE
The purpose of this is to enable remote and unattended rebooting of client host computers that have an encrypted root file system. See the section called “OVERVIEW” for details.
OPTIONS
--help, -h
    Show a help message and exit.
--dir DIRECTORY, -d DIRECTORY
    Directory in which to write the key files; the default is /etc/keys/mandos. With --password or --passfile, the directory from which the keys are read instead.
--type KEYTYPE, -t KEYTYPE
    Type of the OpenPGP primary key to generate (for example RSA).
--length BITS, -l BITS
    Length, in bits, of the OpenPGP primary key.
--subtype KEYTYPE, -s KEYTYPE
    Type of the OpenPGP subkey to generate.
--sublength BITS, -L BITS
    Length, in bits, of the OpenPGP subkey.
--name NAME, -n NAME
    Name of the client; used in the user ID of the generated OpenPGP key and as the name of the generated clients.conf section.
--email ADDRESS, -e ADDRESS
    E-mail address to include in the user ID of the OpenPGP key.
--comment TEXT, -c TEXT
    Comment to include in the user ID of the OpenPGP key.
--expire TIME, -x TIME
    Expiry time of the OpenPGP key. See the section called “SECURITY”.
--tls-keytype KEYTYPE, -T KEYTYPE
    Type of the TLS key to generate.
--force, -f
    Overwrite key files that already exist in the key directory.
--password, -p
    Prompt for a password, encrypt it with the keys in the key directory and print a section suitable for clients.conf (see mandos-clients.conf(5)). White space at the start and end of the password is stripped; see the section called “BUGS”.
--passfile FILE, -F FILE
    Like --password, but read the password from FILE instead of prompting. No white space is stripped.
--no-ssh, -S
    With --password or --passfile, do not run ssh-keyscan(1) to include the client's SSH host key fingerprints in the generated section.
--version, -v
    Show version information and exit.
OVERVIEW
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using a TLS key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally.
This program is a small utility to generate new TLS and OpenPGP keys for new Mandos clients, and to generate sections for inclusion in clients.conf on the server.
EXIT STATUS
The exit status will be 0 if a new key (or password, if the --password option was used) was successfully created, and non-zero otherwise.
ENVIRONMENT
TMPDIR
    If set, temporary files are created in this directory instead of in /tmp.
FILES
Use the --dir option to change where mandos-keygen will write the key files. The default file names are shown here.
/etc/keys/mandos/seckey.txt
    The OpenPGP secret key.
/etc/keys/mandos/pubkey.txt
    The OpenPGP public key.
/etc/keys/mandos/tls-privkey.pem
    The TLS private key.
/etc/keys/mandos/tls-pubkey.pem
    The TLS public key.
/tmp
    Directory for temporary files; see TMPDIR in the section called “ENVIRONMENT”.
BUGS
The --password/-p option strips white space from the start and from the end of the password before using it. If this is a problem, use the --passfile option instead, which does not do this; note that FILE must then contain exactly the password, since any trailing newline or other white space in it becomes part of the password.
Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se> (subscription required). Note that this list is public. The developers can be reached privately at <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail).
EXAMPLE
Normal invocation needs no options:
mandos-keygen
Create key in another directory and of another type. Force overwriting old key files:
mandos-keygen --dir ~/keydir --type RSA --force
Prompt for a password, encrypt it with the keys in /etc/keys/mandos and output a section suitable for clients.conf.
mandos-keygen --password
Prompt for a password, encrypt it with the keys in the client-key directory and output a section suitable for clients.conf.
mandos-keygen --password --dir client-key
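The check below is an added example written for this page; it is not part of Mandos and is not code from the Mandos project. It verifies a key directory produced by mandos-keygen before the files are copied into an initrd: the four default file names from the section called “FILES” must exist and be non-empty, the two secret-key files must have no group or other permission bits (that 0600 policy is the example's own assumption, not a Mandos requirement), and the TLS private key must carry a PEM private-key header. The function names check_mandos_keydir and mode_go_bits are the example's own.

```shell
#!/bin/sh
# Added example (not part of Mandos): sanity-check a key directory written
# by mandos-keygen before copying it into an initrd.
# File names are the defaults from the FILES section of the manual page.
# The rule that secret material must have no group/other permission bits
# is this example's own policy, as are the function names below.

# Print the group and other permission characters of a file, e.g.
# "------" for mode 0600 or "r--r--" for 0644. Parses ls(1) output so it
# works with both GNU and BSD userland (stat(1) flags differ between them).
mode_go_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_mandos_keydir DIR
# Reports every problem found on stdout. Returns 0 if the directory
# looks sane, 1 otherwise.
check_mandos_keydir() {
    dir=$1
    status=0

    # All four key files must exist and be non-empty.
    for f in seckey.txt pubkey.txt tls-privkey.pem tls-pubkey.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            status=1
        fi
    done

    # Secret keys: no permission bits for group or other.
    for f in seckey.txt tls-privkey.pem; do
        p="$dir/$f"
        [ -f "$p" ] || continue
        if [ "$(mode_go_bits "$p")" != "------" ]; then
            echo "too permissive (expected mode 0600): $p"
            status=1
        fi
    done

    # The TLS private key is PEM; catch an empty or truncated export.
    p="$dir/tls-privkey.pem"
    if [ -f "$p" ] && ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$p"; then
        echo "not a PEM private key: $p"
        status=1
    fi

    return "$status"
}

# Usage: sh check-keydir.sh /etc/keys/mandos
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    check_mandos_keydir "$1"
fi
```

Run it against the directory given to --dir right after mandos-keygen finishes, and again on the copy inside the unpacked initrd, since it is the copy in the initrd that ends up on the network-facing boot path.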
SECURITY
The --type, --length, --subtype, and --sublength options can be used to create keys that are weaker than the defaults. If in doubt, leave them at the default values.
The key expire time is not guaranteed to be honored by mandos(8).
SEE ALSO
intro(8mandos), gpg(1), mandos-clients.conf(5), mandos(8), mandos-client(8mandos), ssh-keyscan(1)
COPYRIGHT
Copyright © 2008-2019 Teddy Hogeborn, Björn Påhlsson
This manual page is part of Mandos.
Mandos is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Mandos. If not, see http://www.gnu.org/licenses/.
2019-07-18 | Mandos 1.8.17 |