plucky (8) mandos-keygen.8.gz

Provided by: mandos-client_1.8.18-1_amd64 bug

NAME

       mandos-keygen - Generate key and password for Mandos client and server.

SYNOPSIS

       mandos-keygen [--dir DIRECTORY | -d DIRECTORY]
                     [--type KEYTYPE | -t KEYTYPE]
                     [--length BITS | -l BITS]
                     [--subtype KEYTYPE | -s KEYTYPE]
                     [--sublength BITS | -L BITS]
                     [--name NAME | -n NAME]
                     [--email ADDRESS | -e ADDRESS]
                     [--comment TEXT | -c TEXT]
                     [--expire TIME | -x TIME]
                     [--tls-keytype KEYTYPE | -T KEYTYPE]
                     [--force | -f]

       mandos-keygen {--password | -p | --passfile FILE | -F FILE}
                     [--dir DIRECTORY | -d DIRECTORY]
                     [--name NAME | -n NAME] [--no-ssh | -S]

       mandos-keygen {--help | -h}

       mandos-keygen {--version | -v}

DESCRIPTION

       mandos-keygen is a program to generate the TLS and OpenPGP keys used by mandos-
       client(8mandos). The keys are normally written to /etc/keys/mandos for later installation
       into the initrd image, but this, and most other things, can be changed with command line
       options.

       This program can also be used with the --password or --passfile options to generate a
       ready-made section for clients.conf (see mandos-clients.conf(5)).

PURPOSE

       The purpose of this is to enable remote and unattended rebooting of client host computer
       with an encrypted root file system. See the section called “OVERVIEW” for details.

OPTIONS

       --help, -h
           Show a help message and exit

       --dir DIRECTORY, -d DIRECTORY
           Target directory for key files. Default is /etc/keys/mandos.

       --type TYPE, -t TYPE
           OpenPGP key type. Default is “RSA”.

       --length BITS, -l BITS
           OpenPGP key length in bits. Default is 4096.

       --subtype KEYTYPE, -s KEYTYPE
           OpenPGP subkey type. Default is “RSA”

       --sublength BITS, -L BITS
           OpenPGP subkey length in bits. Default is 4096.

       --email ADDRESS, -e ADDRESS
           Email address of key. Default is empty.

       --comment TEXT, -c TEXT
           Comment field for key. Default is empty.

       --expire TIME, -x TIME
           Key expire time. Default is no expiration. See gpg(1) for syntax.

       --tls-keytype KEYTYPE, -T KEYTYPE
           TLS key type. Default is “ed25519”

       --force, -f
           Force overwriting old key.

       --password, -p
           Prompt for a password and encrypt it with the key already present in either
           /etc/keys/mandos or the directory specified with the --dir option. Outputs, on
           standard output, a section suitable for inclusion in mandos-clients.conf(8). The host
           name or the name specified with the --name option is used for the section header. All
           other options are ignored, and no key is created. Note: white space is stripped from
           the beginning and from the end of the password; See the section called “BUGS”.

       --passfile FILE, -F FILE
           The same as --password, but read from FILE, not the terminal, and white space is not
           stripped from the password in any way.

       --no-ssh, -S
           When --password or --passfile is given, this option will prevent mandos-keygen from
           calling ssh-keyscan to get an SSH fingerprint for this host and, if successful, output
           suitable config options to use this fingerprint as a checker option in the output.
           This is otherwise the default behavior.

OVERVIEW

       This is part of the Mandos system for allowing computers to have encrypted root file
       systems and at the same time be capable of remote and/or unattended reboots. The computers
       run a small client program in the initial RAM disk environment which will communicate with
       a server over a network. All network communication is encrypted using TLS. The clients are
       identified by the server using a TLS key; each client has one unique to it. The server
       sends the clients an encrypted password. The encrypted password is decrypted by the
       clients using a separate OpenPGP key, and the password is then used to unlock the root
       file system, whereupon the computers can continue booting normally.

       This program is a small utility to generate new TLS and OpenPGP keys for new Mandos
       clients, and to generate sections for inclusion in clients.conf on the server.

EXIT STATUS

       The exit status will be 0 if a new key (or password, if the --password option was used)
       was successfully created, otherwise not.

ENVIRONMENT

       TMPDIR
           If set, temporary files will be created here. See mktemp(1).

FILES

       Use the --dir option to change where mandos-keygen will write the key files. The default
       file names are shown here.

       /etc/keys/mandos/seckey.txt
           OpenPGP secret key file which will be created or overwritten.

       /etc/keys/mandos/pubkey.txt
           OpenPGP public key file which will be created or overwritten.

       /etc/keys/mandos/tls-privkey.pem
           Private key file which will be created or overwritten.

       /etc/keys/mandos/tls-pubkey.pem
           Public key file which will be created or overwritten.

       /tmp
           Temporary files will be written here if TMPDIR is not set.

BUGS

       The --password/-p option strips white space from the start and from the end of the
       password before using it. If this is a problem, use the --passfile option instead, which
       does not do this.

       Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se>
       (subscription required). Note that this list is public. The developers can be reached
       privately at <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A
       7223 2973 CA34 C2C4 for encrypted mail).

EXAMPLE

       Normal invocation needs no options:

       mandos-keygen

       Create key in another directory and of another type. Force overwriting old key files:

       mandos-keygen --dir ~/keydir --type RSA --force

       Prompt for a password, encrypt it with the keys in /etc/keys/mandos and output a section
       suitable for clients.conf.

       mandos-keygen --password

       Prompt for a password, encrypt it with the keys in the client-key directory and output a
       section suitable for clients.conf.

       mandos-keygen --password --dir client-key

SECURITY

       The --type, --length, --subtype, and --sublength options can be used to create keys of low
       security. If in doubt, leave them to the default values.

       The key expire time is not guaranteed to be honored by mandos(8).

SEE ALSO

       intro(8mandos), gpg(1), mandos-clients.conf(5), mandos(8), mandos-client(8mandos), ssh-
       keyscan(1)

       Copyright © 2008-2019 Teddy Hogeborn, Björn Påhlsson

       This manual page is part of Mandos.

       Mandos is free software: you can redistribute it and/or modify it under the terms of the
       GNU General Public License as published by the Free Software Foundation, either version 3
       of the License, or (at your option) any later version.

       Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with Mandos. If
       not, see http://www.gnu.org/licenses/.