'\" t
.\"     Title: mandos-keygen
.\"    Author: Bj\(:orn P\(oahlsson
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\"      Date: 2019-07-18
.\"    Manual: Mandos Manual
.\"    Source: Mandos 1.8.14
.\"  Language: English
.\"
.TH "MANDOS\-KEYGEN" "8" "2019\-07\-18" "Mandos 1.8.14" "Mandos Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
mandos-keygen \- Generate key and password for Mandos client and server\&.
.SH "SYNOPSIS"
.HP \w'\fBmandos\-keygen\fR\ 'u
\fBmandos\-keygen\fR [\fB\-\-dir\ \fR\fB\fIDIRECTORY\fR\fR | \fB\-d\ \fR\fB\fIDIRECTORY\fR\fR]
.br
[\fB\-\-type\ \fR\fB\fIKEYTYPE\fR\fR | \fB\-t\ \fR\fB\fIKEYTYPE\fR\fR]
.br
[\fB\-\-length\ \fR\fB\fIBITS\fR\fR | \fB\-l\ \fR\fB\fIBITS\fR\fR]
.br
[\fB\-\-subtype\ \fR\fB\fIKEYTYPE\fR\fR | \fB\-s\ \fR\fB\fIKEYTYPE\fR\fR]
.br
[\fB\-\-sublength\ \fR\fB\fIBITS\fR\fR | \fB\-L\ \fR\fB\fIBITS\fR\fR]
.br
[\fB\-\-name\ \fR\fB\fINAME\fR\fR | \fB\-n\ \fR\fB\fINAME\fR\fR]
.br
[\fB\-\-email\ \fR\fB\fIADDRESS\fR\fR | \fB\-e\ \fR\fB\fIADDRESS\fR\fR]
.br
[\fB\-\-comment\ \fR\fB\fITEXT\fR\fR | \fB\-c\ \fR\fB\fITEXT\fR\fR]
.br
[\fB\-\-expire\ \fR\fB\fITIME\fR\fR | \fB\-x\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-tls\-keytype\ \fR\fB\fIKEYTYPE\fR\fR | \fB\-T\ \fR\fB\fIKEYTYPE\fR\fR]
.br
[\fB\-\-force\fR | \fB\-f\fR]
.HP \w'\fBmandos\-keygen\fR\ 'u
\fBmandos\-keygen\fR {\fB\-\-password\fR | \fB\-p\fR | \fB\-\-passfile\ \fR\fB\fIFILE\fR\fR | \fB\-F\fR\ \fIFILE\fR}
.br
[\fB\-\-dir\ \fR\fB\fIDIRECTORY\fR\fR | \fB\-d\ \fR\fB\fIDIRECTORY\fR\fR]
.br
[\fB\-\-name\ \fR\fB\fINAME\fR\fR | \fB\-n\ \fR\fB\fINAME\fR\fR]
.br
[\fB\-\-no\-ssh\fR | \fB\-S\fR]
.HP \w'\fBmandos\-keygen\fR\ 'u
\fBmandos\-keygen\fR {\fB\-\-help\fR | \fB\-h\fR}
.HP \w'\fBmandos\-keygen\fR\ 'u
\fBmandos\-keygen\fR {\fB\-\-version\fR | \fB\-v\fR}
.SH "DESCRIPTION"
.PP
\fBmandos\-keygen\fR is a program to generate the TLS and OpenPGP keys used by \fBmandos-client\fR(8mandos)\&. The keys are normally written to /etc/keys/mandos for later installation into the initrd image, but this, and most other things, can be changed with command line options\&.
.PP
This program can also be used with the \fB\-\-password\fR or \fB\-\-passfile\fR options to generate a ready\-made section for clients\&.conf (see \fBmandos-clients.conf\fR(5))\&.
.SH "PURPOSE"
.PP
The purpose of this is to enable \fIremote and unattended rebooting\fR of client host computers with an \fIencrypted root file system\fR\&.
See the section called \(lqOVERVIEW\(rq for details\&.
.SH "OPTIONS"
.PP
\fB\-\-help\fR, \fB\-h\fR
.RS 4
Show a help message and exit\&.
.RE
.PP
\fB\-\-dir \fR\fB\fIDIRECTORY\fR\fR, \fB\-d \fR\fB\fIDIRECTORY\fR\fR
.RS 4
Target directory for key files\&. Default is /etc/keys/mandos\&.
.RE
.PP
\fB\-\-type \fR\fB\fIKEYTYPE\fR\fR, \fB\-t \fR\fB\fIKEYTYPE\fR\fR
.RS 4
OpenPGP key type\&. Default is \(lqRSA\(rq\&.
.RE
.PP
\fB\-\-length \fR\fB\fIBITS\fR\fR, \fB\-l \fR\fB\fIBITS\fR\fR
.RS 4
OpenPGP key length in bits\&. Default is 4096\&.
.RE
.PP
\fB\-\-subtype \fR\fB\fIKEYTYPE\fR\fR, \fB\-s \fR\fB\fIKEYTYPE\fR\fR
.RS 4
OpenPGP subkey type\&. Default is \(lqRSA\(rq\&.
.RE
.PP
\fB\-\-sublength \fR\fB\fIBITS\fR\fR, \fB\-L \fR\fB\fIBITS\fR\fR
.RS 4
OpenPGP subkey length in bits\&. Default is 4096\&.
.RE
.PP
\fB\-\-email \fR\fB\fIADDRESS\fR\fR, \fB\-e \fR\fB\fIADDRESS\fR\fR
.RS 4
Email address of key\&. Default is empty\&.
.RE
.PP
\fB\-\-comment \fR\fB\fITEXT\fR\fR, \fB\-c \fR\fB\fITEXT\fR\fR
.RS 4
Comment field for key\&. Default is empty\&.
.RE
.PP
\fB\-\-expire \fR\fB\fITIME\fR\fR, \fB\-x \fR\fB\fITIME\fR\fR
.RS 4
Key expire time\&. Default is no expiration\&. See \fBgpg\fR(1) for syntax\&.
.RE
.PP
\fB\-\-tls\-keytype \fR\fB\fIKEYTYPE\fR\fR, \fB\-T \fR\fB\fIKEYTYPE\fR\fR
.RS 4
TLS key type\&. Default is \(lqed25519\(rq\&.
.RE
.PP
\fB\-\-force\fR, \fB\-f\fR
.RS 4
Force overwriting old key files\&.
.RE
.PP
\fB\-\-password\fR, \fB\-p\fR
.RS 4
Prompt for a password and encrypt it with the key already present in either /etc/keys/mandos or the directory specified with the \fB\-\-dir\fR option\&. Outputs, on standard output, a section suitable for inclusion in \fBmandos-clients.conf\fR(5)\&. The host name, or the name specified with the \fB\-\-name\fR option, is used for the section header\&. All other options are ignored, and no key is created\&. Note: white space is stripped from the beginning and from the end of the password; see the section called \(lqBUGS\(rq\&.
.RE
.PP
\fB\-\-passfile \fR\fB\fIFILE\fR\fR, \fB\-F \fR\fB\fIFILE\fR\fR
.RS 4
The same as \fB\-\-password\fR, but the password is read from \fIFILE\fR instead of the terminal, and white space is not stripped from it in any way\&.
.RE
.PP
\fB\-\-no\-ssh\fR, \fB\-S\fR
.RS 4
When \fB\-\-password\fR or \fB\-\-passfile\fR is given, this option prevents \fBmandos\-keygen\fR from calling \fBssh\-keyscan\fR(1) to obtain an SSH host key fingerprint for this host and, when that succeeds, from emitting config options that use this fingerprint as a \fBchecker\fR option in the output\&. Calling \fBssh\-keyscan\fR is otherwise the default behavior\&.
.RE
.SH "OVERVIEW"
.PP
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots\&. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network\&. All network communication is encrypted using TLS\&. The clients are identified by the server using a TLS key; each client has one unique to it\&. The server sends the clients an encrypted password\&. The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally\&.
.PP
This program is a small utility to generate new TLS and OpenPGP keys for new Mandos clients, and to generate sections for inclusion in clients\&.conf on the server\&.
.SH "EXIT STATUS"
.PP
The exit status will be 0 if a new key (or password, if the \fB\-\-password\fR option was used) was successfully created, and non\-zero otherwise\&.
.SH "ENVIRONMENT"
.PP
\fBTMPDIR\fR
.RS 4
If set, temporary files will be created here\&. See \fBmktemp\fR(1)\&.
.RE
.SH "FILES"
.PP
Use the \fB\-\-dir\fR option to change where \fBmandos\-keygen\fR will write the key files\&. The default file names are shown here\&.
.PP
/etc/keys/mandos/seckey\&.txt
.RS 4
OpenPGP secret key file which will be created or overwritten\&.
.RE
.PP
/etc/keys/mandos/pubkey\&.txt
.RS 4
OpenPGP public key file which will be created or overwritten\&.
.RE
.PP
/etc/keys/mandos/tls\-privkey\&.pem
.RS 4
TLS private key file which will be created or overwritten\&.
.RE
.PP
/etc/keys/mandos/tls\-pubkey\&.pem
.RS 4
TLS public key file which will be created or overwritten\&.
.RE
.PP
/tmp
.RS 4
Temporary files will be written here if \fITMPDIR\fR is not set\&.
.RE
.SH "BUGS"
.PP
The \fB\-\-password\fR/\fB\-p\fR option strips white space from the start and from the end of the password before using it\&. If this is a problem, use the \fB\-\-passfile\fR option instead, which does not do this\&.
.PP
Please report bugs to the Mandos development mailing list: (subscription required)\&. Note that this list is public\&. The developers can be reached privately at (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail)\&.
.SH "EXAMPLE"
.PP
Normal invocation needs no options:
.PP
\fBmandos\-keygen\fR
.PP
Create a key in another directory and of another type, forcing old key files to be overwritten:
.PP
\fBmandos\-keygen \-\-dir ~/keydir \-\-type RSA \-\-force\fR
.PP
Prompt for a password, encrypt it with the keys in /etc/keys/mandos and output a section suitable for clients\&.conf:
.PP
\fBmandos\-keygen \-\-password\fR
.PP
Prompt for a password, encrypt it with the keys in the client\-key directory and output a section suitable for clients\&.conf:
.PP
\fBmandos\-keygen \-\-password \-\-dir client\-key\fR
.SH "SECURITY"
.PP
The \fB\-\-type\fR, \fB\-\-length\fR, \fB\-\-subtype\fR, and \fB\-\-sublength\fR options can be used to create keys of low security\&. If in doubt, leave them at the default values\&.
.PP
The key expire time is \fInot\fR guaranteed to be honored by \fBmandos\fR(8)\&.
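.PP
The \fB\-\-passfile\fR route, as an added example that is not part of Mandos: a POSIX shell wrapper that writes the password file with owner\-only permissions and without a trailing newline (which \fB\-\-passfile\fR would otherwise keep as part of the password, see BUGS), verifies the file byte for byte, and then runs \fBmandos\-keygen\fR on it\&. The script name mk\-section\&.sh and the secret\-tool pipe in the usage comment are assumptions\&.

```shell
#!/bin/sh
# Added example (not part of Mandos): produce a clients.conf section
# with --passfile instead of --password, so the password is never typed
# on a terminal.  --passfile strips no white space, so a file written
# with "echo" would carry its trailing newline into the password;
# printf '%s' writes exactly the bytes given and nothing else.
set -eu

# Write password $2 to file $1 with owner-only permissions and no
# trailing newline.  The umask change is confined to a subshell.
write_passfile() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Return 0 only if file $1 holds exactly the bytes of $2.  The byte
# count catches a stray newline, which "$(cat ...)" alone would hide.
check_passfile() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(printf '%s' "$2" | wc -c | tr -d ' ')" ] &&
        [ "$(cat "$1")" = "$2" ]
}

# Print the clients.conf section for the keys in directory $1 using the
# password file $2; the section header defaults to the host name.
# Assumes mandos-keygen is installed and keys already exist in $1.
make_section() {
    mandos-keygen --passfile "$2" --dir "$1"
}

main() {
    keydir=${1:-/etc/keys/mandos}
    # Read the password from stdin (e.g. piped from a secret store);
    # IFS= and -r keep leading/trailing spaces and backslashes intact,
    # and the || accepts a final line that has no newline.
    IFS= read -r pw || [ -n "$pw" ]
    # mktemp honours TMPDIR, just as mandos-keygen does.
    tmp=$(mktemp "${TMPDIR:-/tmp}/mandos-pw.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    write_passfile "$tmp" "$pw"
    check_passfile "$tmp" "$pw" || { echo "password file mismatch" >&2; exit 1; }
    make_section "$keydir" "$tmp"
}

# Usage: secret-tool | sh mk-section.sh run [KEYDIR] > client-section.conf
case ${1:-} in run) shift; main "$@" ;; esac
```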
.SH "SEE ALSO"
.PP
\fBintro\fR(8mandos), \fBgpg\fR(1), \fBmandos-clients.conf\fR(5), \fBmandos\fR(8), \fBmandos-client\fR(8mandos), \fBssh-keyscan\fR(1)
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2019 Teddy Hogeborn, Bj\(:orn P\(oahlsson
.br
.PP
This manual page is part of Mandos\&.
.PP
Mandos is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&.
.PP
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
.PP
You should have received a copy of the GNU General Public License along with Mandos\&. If not, see \m[blue]\fBhttp://www\&.gnu\&.org/licenses/\fR\m[]\&.
.sp