View Full Version : Announcement: Mandos - do unattended reboots with encrypted root file system

Teddy Hogeborn
10-18-08, 03:07 PM
Hi there; I just wanted all you security-conscious folks to know about
a new software project: Mandos.

The goal of the Mandos system is to enable Debian GNU/Linux computers
to have an encrypted root file system and still be able to reboot
automatically without anyone having to be there and type in a

The computers run a small client program in the initial RAM disk
environment which will communicate with a server over a network. All
network communication is encrypted using TLS. The clients are
identified by the server using an OpenPGP key; each client has one
unique to it. The server sends the clients an encrypted password.
The encrypted password is decrypted by the clients using the same
OpenPGP key, and the password is then used to unlock the root file
system, whereupon the computers can continue booting normally.

The server with the passwords continually checks that the client
computers are still up, and if the client is gone for more than a
configurable length of time, the server no longer gives out the
password for that client.

Please read the FAQ in the README file for more information on the
security model:

Oh yes, the project's home page: http://www.fukt.bsnet.se/mandos

Since we run Debian, that is what it will run on, and it ought to run
fine on Ubuntu as well. Ports to other distributions could probably
be made, but with some effort, since we use the Debian-specific
additions to the "cryptsetup" package (also in Ubuntu) when installing
into the initial RAM disk image. Porting Mandos to non-GNU/Linux-
based operating systems is probably not feasible.

I just thought you might find it interesting.

/Teddy, part of the Mandos Maintainer Team