%common; ]> Mandos &version; &TIMESTAMP; Björn Påhlsson

belorn@recompile.se

Teddy Hogeborn

teddy@recompile.se

2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Teddy Hogeborn Björn Påhlsson &COMMANDNAME; 8 &COMMANDNAME; Generate key and password for Mandos client and server. &COMMANDNAME; --dir DIRECTORY -d DIRECTORY --type KEYTYPE -t KEYTYPE --length BITS -l BITS --subtype KEYTYPE -s KEYTYPE --sublength BITS -L BITS --name NAME -n NAME --email ADDRESS -e ADDRESS --comment TEXT -c TEXT --expire TIME -x TIME --tls-keytype KEYTYPE -T KEYTYPE --force -f &COMMANDNAME; --password -p --passfile FILE -F FILE --dir DIRECTORY -d DIRECTORY --name NAME -n NAME --no-ssh -S &COMMANDNAME; --help -h &COMMANDNAME; --version -v &COMMANDNAME; is a program to generate the TLS and OpenPGP keys used by mandos-client 8mandos. The keys are normally written to /etc/keys/mandos for later installation into the initrd image, but this, and most other things, can be changed with command line options. This program can also be used with the --password or --passfile options to generate a ready-made section for clients.conf (see mandos-clients.conf 5). The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See for details. --help -h Show a help message and exit --dir DIRECTORY -d DIRECTORY Target directory for key files. Default is /etc/keys/mandos. --type TYPE -t TYPE OpenPGP key type. Default is RSA. --length BITS -l BITS OpenPGP key length in bits. Default is 4096. --subtype KEYTYPE -s KEYTYPE OpenPGP subkey type. Default is RSA --sublength BITS -L BITS OpenPGP subkey length in bits. Default is 4096. --email ADDRESS -e ADDRESS Email address of key. Default is empty. --comment TEXT -c TEXT Comment field for key. Default is empty. --expire TIME -x TIME Key expire time. Default is no expiration. See gpg 1 for syntax. --tls-keytype KEYTYPE -T KEYTYPE TLS key type. Default is ed25519 --force -f Force overwriting old key. --password -p Prompt for a password and encrypt it with the key already present in either /etc/keys/mandos or the directory specified with the --dir option. Outputs, on standard output, a section suitable for inclusion in mandos-clients.conf8. The host name or the name specified with the --name option is used for the section header. All other options are ignored, and no key is created. --passfile FILE -F FILE The same as --password, but read from FILE, not the terminal. --no-ssh -S When --password or --passfile is given, this option will prevent &COMMANDNAME; from calling ssh-keyscan to get an SSH fingerprint for this host and, if successful, output suitable config options to use this fingerprint as a checker option in the output. This is otherwise the default behavior. This program is a small utility to generate new TLS and OpenPGP keys for new Mandos clients, and to generate sections for inclusion in clients.conf on the server. The exit status will be 0 if a new key (or password, if the --password option was used) was successfully created, otherwise not. TMPDIR If set, temporary files will be created here. See mktemp 1. Use the --dir option to change where &COMMANDNAME; will write the key files. The default file names are shown here. /etc/keys/mandos/seckey.txt OpenPGP secret key file which will be created or overwritten. /etc/keys/mandos/pubkey.txt OpenPGP public key file which will be created or overwritten. /etc/keys/mandos/tls-privkey.pem Private key file which will be created or overwritten. /etc/keys/mandos/tls-pubkey.pem Public key file which will be created or overwritten. /tmp Temporary files will be written here if TMPDIR is not set. Normal invocation needs no options: &COMMANDNAME; Create key in another directory and of another type. Force overwriting old key files: &COMMANDNAME; --dir ~/keydir --type RSA --force Prompt for a password, encrypt it with the keys in /etc/keys/mandos and output a section suitable for clients.conf. &COMMANDNAME; --password Prompt for a password, encrypt it with the keys in the client-key directory and output a section suitable for clients.conf. &COMMANDNAME; --password --dir client-key The --type, --length, --subtype, and --sublength options can be used to create keys of low security. If in doubt, leave them to the default values. The key expire time is not guaranteed to be honored by mandos 8. intro 8mandos, gpg 1, mandos-clients.conf 5, mandos 8, mandos-client 8mandos, ssh-keyscan 1