Provided by: mandos-client_1.4.0-1_i386 bug

NAME

       mandos-keygen - Generate key and password for Mandos client and server.

SYNOPSIS

       mandos-keygen [--dir DIRECTORY | -d DIRECTORY]
                     [--type KEYTYPE | -t KEYTYPE]
                     [--length BITS | -l BITS]
                     [--subtype KEYTYPE | -s KEYTYPE]
                     [--sublength BITS | -L BITS]
                     [--name NAME | -n NAME]
                     [--email ADDRESS | -e ADDRESS]
                     [--comment TEXT | -c TEXT]
                     [--expire TIME | -x TIME]
                     [--force]

       mandos-keygen {--password | -p | --passfile FILE | -F FILE}
                     [--dir DIRECTORY | -d DIRECTORY]
                     [--name NAME | -n NAME]

       mandos-keygen {--help | -h}

       mandos-keygen {--version | -v}

DESCRIPTION

       mandos-keygen is a program to generate the OpenPGP key used by mandos-
       client(8mandos). The key is normally written to /etc/mandos for later
       installation into the initrd image, but this, and most other things,
       can be changed with command line options.

       This program can also be used with the --password or --passfile options
       to generate a ready-made section for clients.conf (see mandos-
       clients.conf(5)).

PURPOSE

       The purpose of this is to enable remote and unattended rebooting of
       client host computer with an encrypted root file system. See the
       section called "OVERVIEW" for details.

OPTIONS

       --help, -h
           Show a help message and exit

       --dir DIRECTORY, -d DIRECTORY
           Target directory for key files. Default is /etc/mandos.

       --type TYPE, -t TYPE
           Key type. Default is "DSA".

       --length BITS, -l BITS
           Key length in bits. Default is 2048.

       --subtype KEYTYPE, -s KEYTYPE
           Subkey type. Default is "ELG-E" (Elgamal encryption-only).

       --sublength BITS, -L BITS
           Subkey length in bits. Default is 2048.

       --email ADDRESS, -e ADDRESS
           Email address of key. Default is empty.

       --comment TEXT, -c TEXT
           Comment field for key. The default value is "Mandos client key".

       --expire TIME, -x TIME
           Key expire time. Default is no expiration. See gpg(1) for syntax.

       --force, -f
           Force overwriting old key.

       --password, -p
           Prompt for a password and encrypt it with the key already present
           in either /etc/mandos or the directory specified with the --dir
           option. Outputs, on standard output, a section suitable for
           inclusion in mandos-clients.conf(8). The host name or the name
           specified with the --name option is used for the section header.
           All other options are ignored, and no key is created.

       --passfile FILE, -F FILE
           The same as --password, but read from FILE, not the terminal.

OVERVIEW

       This is part of the Mandos system for allowing computers to have
       encrypted root file systems and at the same time be capable of remote
       and/or unattended reboots. The computers run a small client program in
       the initial RAM disk environment which will communicate with a server
       over a network. All network communication is encrypted using TLS. The
       clients are identified by the server using an OpenPGP key; each client
       has one unique to it. The server sends the clients an encrypted
       password. The encrypted password is decrypted by the clients using the
       same OpenPGP key, and the password is then used to unlock the root file
       system, whereupon the computers can continue booting normally.

       This program is a small utility to generate new OpenPGP keys for new
       Mandos clients, and to generate sections for inclusion in clients.conf
       on the server.

EXIT STATUS

       The exit status will be 0 if a new key (or password, if the --password
       option was used) was successfully created, otherwise not.

ENVIRONMENT

       TMPDIR
           If set, temporary files will be created here. See mktemp(1).

FILES

       Use the --dir option to change where mandos-keygen will write the key
       files. The default file names are shown here.

       /etc/mandos/seckey.txt
           OpenPGP secret key file which will be created or overwritten.

       /etc/mandos/pubkey.txt
           OpenPGP public key file which will be created or overwritten.

       /tmp
           Temporary files will be written here if TMPDIR is not set.

EXAMPLE

       Normal invocation needs no options:

       mandos-keygen

       Create key in another directory and of another type. Force overwriting
       old key files:

       mandos-keygen --dir ~/keydir --type RSA --force

       Prompt for a password, encrypt it with the key in /etc/mandos and
       output a section suitable for clients.conf.

       mandos-keygen --password

       Prompt for a password, encrypt it with the key in the client-key
       directory and output a section suitable for clients.conf.

       mandos-keygen --password --dir client-key

SECURITY

       The --type, --length, --subtype, and --sublength options can be used to
       create keys of low security. If in doubt, leave them to the default
       values.

       The key expire time is not guaranteed to be honored by mandos(8).

SEE ALSO

       intro(8mandos), gpg(1), mandos-clients.conf(5), mandos(8), mandos-
       client(8mandos)

COPYRIGHT

       Copyright (C) 2008-2009, 2011 Teddy Hogeborn, Bjorn Pahlsson

       This manual page is free software: you can redistribute it and/or
       modify it under the terms of the GNU General Public License as
       published by the Free Software Foundation, either version 3 of the
       License, or (at your option) any later version.

       This manual page is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program. If not, see http://www.gnu.org/licenses/.