table of contents
MANDOS-KEYGEN(8) | Mandos Manual | MANDOS-KEYGEN(8) |
NAME¶
mandos-keygen - Generate key and password for Mandos client and server.SYNOPSIS¶
mandos-keygen
[--dir DIRECTORY |
-d DIRECTORY]
[ --type KEYTYPE |
-t KEYTYPE]
[ --length BITS |
-l BITS]
[ --subtype KEYTYPE |
-s KEYTYPE]
[ --sublength BITS |
-L BITS]
[ --name NAME | -n NAME]
[ --email ADDRESS |
-e ADDRESS]
[ --comment TEXT |
-c TEXT]
[ --expire TIME |
-x TIME]
[ --force | -f]
mandos-keygen {--password | -p |
--passfile FILE | -F FILE}
[ --dir DIRECTORY |
-d DIRECTORY]
[ --name NAME | -n NAME]
[ --no-ssh | -S]
mandos-keygen {--help | -h}
mandos-keygen {--version | -v}
DESCRIPTION¶
mandos-keygen is a program to generate the OpenPGP key used by mandos-client(8mandos). The key is normally written to /etc/mandos for later installation into the initrd image, but this, and most other things, can be changed with command line options. This program can also be used with the --password or --passfile options to generate a ready-made section for clients.conf (see mandos-clients.conf(5)).PURPOSE¶
The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See the section called “OVERVIEW” for details.OPTIONS¶
--help, -hShow a help message and exit
--dir DIRECTORY, -d DIRECTORY
Target directory for key files. Default is
/etc/mandos.
--type TYPE, -t TYPE
Key type. Default is “RSA”.
--length BITS, -l BITS
Key length in bits. Default is 4096.
--subtype KEYTYPE, -s KEYTYPE
Subkey type. Default is “RSA” (Elgamal
encryption-only).
--sublength BITS, -L BITS
Subkey length in bits. Default is 4096.
--email ADDRESS, -e ADDRESS
Email address of key. Default is empty.
--comment TEXT, -c TEXT
Comment field for key. Default is empty.
--expire TIME, -x TIME
Key expire time. Default is no expiration. See
gpg(1) for syntax.
--force, -f
Force overwriting old key.
--password, -p
Prompt for a password and encrypt it with the key already
present in either /etc/mandos or the directory specified with the --dir
option. Outputs, on standard output, a section suitable for inclusion in
mandos-clients.conf(8). The host name or the name specified with the
--name option is used for the section header. All other options are
ignored, and no key is created.
--passfile FILE, -F FILE
The same as --password, but read from FILE,
not the terminal.
--no-ssh, -S
When --password or --passfile is given,
this option will prevent mandos-keygen from calling ssh-keyscan
to get an SSH fingerprint for this host and, if successful, output suitable
config options to use this fingerprint as a checker option in the
output. This is otherwise the default behavior.
OVERVIEW¶
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally. This program is a small utility to generate new OpenPGP keys for new Mandos clients, and to generate sections for inclusion in clients.conf on the server.EXIT STATUS¶
The exit status will be 0 if a new key (or password, if the --password option was used) was successfully created, otherwise not.ENVIRONMENT¶
TMPDIRIf set, temporary files will be created here. See
mktemp(1).
FILES¶
Use the --dir option to change where mandos-keygen will write the key files. The default file names are shown here. /etc/mandos/seckey.txtOpenPGP secret key file which will be created or
overwritten.
/etc/mandos/pubkey.txt
OpenPGP public key file which will be created or
overwritten.
/tmp
Temporary files will be written here if TMPDIR is
not set.
EXAMPLE¶
Normal invocation needs no options: mandos-keygen Create key in another directory and of another type. Force overwriting old key files: mandos-keygen --dir ~/keydir --type RSA --force Prompt for a password, encrypt it with the key in /etc/mandos and output a section suitable for clients.conf. mandos-keygen --password Prompt for a password, encrypt it with the key in the client-key directory and output a section suitable for clients.conf. mandos-keygen --password --dir client-keySECURITY¶
The --type, --length, --subtype, and --sublength options can be used to create keys of low security. If in doubt, leave them to the default values. The key expire time is not guaranteed to be honored by mandos(8).SEE ALSO¶
intro(8mandos), gpg(1), mandos-clients.conf(5), mandos(8), mandos-client(8mandos), ssh-keyscan(1)COPYRIGHT¶
Copyright © 2008-2009, 2011-2012 Teddy Hogeborn, Björn Påhlsson2014-06-22 | Mandos 1.6.9 |