Mandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.

Here's how you add a new client to our setup:

  1. add a new key to the LUKS partition and prepare the mandos snippet (the key material only ever lives in a root-only temporary file, which is shredded once mandos-keygen has read it):

     echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
     apt install -y haveged mandos-client &&
     (grep -qxF -- '--options-for=mandos-client:--connect=' /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=' | tee -a /etc/mandos/plugin-runner.conf) &&
     umask 077 &&
     t=$(mktemp) &&
     dd if=/dev/random bs=1 count=128 of="$t" &&
     cryptsetup luksAddKey "$DEVICE" "$t" &&
     mandos-keygen --passfile "$t" &&
     shred -u "$t"

  2. add the output of mandos-keygen from above to /etc/mandos/clients.conf on the mandos-server, then run service mandos restart and puppet agent -t (the puppet run updates the firewall, provided you have already added the host to ldap), and finally enable the node with mandos-ctl --enable FQDN

  3. add the machine to the roles::fde class in Puppet

  4. rebuild the initrd on the new host with update-initramfs -u and reboot
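Two small checks for step 1, added here as an example and not taken from Mandos or from the procedure above: one counts the LUKS key slots in use from cryptsetup luksDump output (so you can confirm luksAddKey actually added a slot), the other appends the plugin-runner option only if it is not already present. Both function names are made up for this example; the sample dump text in the comments is constructed.

```sh
#!/bin/sh
# Helper functions for the client-side step (added example, not Mandos code).

# Count key slots in use from `cryptsetup luksDump` output read on stdin.
# Understands both LUKS1 ("Key Slot 3: ENABLED") and LUKS2 ("  3: luks2"
# lines under the "Keyslots:" section) header layouts.
luks_slots_in_use() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }            # LUKS1 slot line
        /^Keyslots:/                 { in_ks = 1; next } # LUKS2 section starts
        in_ks && /^[A-Za-z]/         { in_ks = 0 }      # next section (Tokens:, Digests:)
        in_ks && /^  [0-9]+: luks2/  { n++ }            # LUKS2 slot line
        END { print n + 0 }
    '
}

# Append the mandos-client connect option to plugin-runner.conf exactly once.
# (A grep without a pattern, as in an unfixed step 1, reads stdin instead of
# checking the file, so the option would be appended on every run.)
ensure_connect_option() {
    conf="$1"
    opt='--options-for=mandos-client:--connect='
    grep -qxF -- "$opt" "$conf" 2>/dev/null || printf '%s\n' "$opt" >> "$conf"
}

# Typical use on the new client, around the luksAddKey call from step 1:
#   before=$(cryptsetup luksDump "$DEVICE" | luks_slots_in_use)
#   cryptsetup luksAddKey "$DEVICE" "$t"
#   after=$(cryptsetup luksDump "$DEVICE" | luks_slots_in_use)
#   [ "$after" -eq $((before + 1)) ] || echo "no new key slot on $DEVICE" >&2
```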