Mandos 1.8.9 migration from 1.7.19 issues

Alan Ho alan.ho at visier.com
Tue Apr 4 20:04:18 CEST 2023


Hello Mandos Dev/Support,

We have been big fans of Mandos and have been deploying the service on
many Ubuntu machines within our corporate network. (So that people cannot
steal a physical desktop from the office and expect it to boot up elsewhere.)

Currently, we are migrating from Ubuntu 18.04 to 20.04. When we upgraded
Mandos, we found that the new mandos-client (1.8.9) now requires
*--tls-privkey* and *--tls-pubkey*.

1. When I manually test the command from the client machine to request the disk
decryption key from the mandos server, it is successful IF I specify the
path of the tls key pair

sudo /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \
    --pubkey=/etc/keys/mandos/pubkey.txt \
    --seckey=/etc/keys/mandos/seckey.txt \
    --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \
    --tls-privkey=/etc/keys/mandos/tls-pubkey.pem \
    --debug


2. However, it appeared that once we rebooted the desktop with the new mandos
1.8.9, it failed to boot and it got stuck at the stage where it is
expecting a password from the mandos server. I am wondering if the new
*tls-pubkey.pem* and *tls-pubkey.pem* keypair in /etc/keys/mandos/ were not
found during the new startup process. My hunch is this needs to be
specified in the initramfs but unfortunately there is very little migration
documentation for this topic so I hope I have come to the right place for some
insights on how to proceed next.

Sincerely,

-- 
*Alan Ho* | he/him/his | Sr. IT Ops Engineer
office: 604-753-8842
toll-free: 1-888-277-9331
alan.ho at visier.com
www.visier.com