Mandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.

Here's how you add a new client to our setup:

  1. add a new key to the LUKS partition and prepare mandos snippet:

     echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
     apt install -y haveged mandos-client &&
     (grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) &&
     umask 077 &&
     t=`tempfile` &&
     dd if=/dev/random bs=1 count=128 of="$t" &&
     cryptsetup luksAddKey $DEVICE "$t" &&
     mandos-keygen --passfile "$t"
    
  2. add the output of mandos-keygen from above to /etc/mandos/clients.conf on the mandos-server and service mandos restart and puppet agent -t (to update the firewall after you added the host to ldap)

  3. rebuild the initrd on the new host update-initramfs -u and reboot