<div dir="ltr">Hello Mandos Dev/Support,<div><br></div><div>We have been big fans of Mandos and have been deploying the service on many Ubuntu machines within our corporate network (so that people cannot steal a physical desktop from the office and expect it to boot up elsewhere).</div><div><br></div><div>Currently, we are migrating from Ubuntu 18.04 to 20.04. When we upgraded Mandos, we found that the new <span style="font-family:monospace,monospace;font-size:0.875rem">mandos-client</span> (1.8.9) now requires <b>--tls-privkey</b> and <b>--tls-pubkey</b>.</div><div><br></div>1. When I manually test the command from the client machine to request the disk decryption key from the Mandos server, it is successful IF I specify the path of the TLS key pair:<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><pre style="font-family:monospace;font-size:0.875rem">sudo /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \
--pubkey=/etc/keys/mandos/pubkey.txt \
--seckey=/etc/keys/mandos/seckey.txt \
<b>--tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \</b>
<b>--tls-privkey=/etc/keys/mandos/tls-privkey.pem \</b>
--debug</pre></blockquote><div><br></div><div>2. However, it appeared that once we rebooted the desktop with the new Mandos 1.8.9, it failed to boot and got stuck in the stage where it is expecting a password from the Mandos server. I am wondering if the new <b>tls-pubkey.pem</b> and <b>tls-privkey.pem</b> key pair in /etc/keys/mandos/ were not found during the new startup process. My hunch is that this needs to be specified in the initramfs, but unfortunately there is very little migration documentation on this topic, so I hope I have come to the right place for some insights on how to proceed next.</div><div><br></div><div>Sincerely,</div><div><br></div><div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><table border="0" width="450px" style="max-width:450px">
        <tbody>
                <tr height="110px;">
                <td valign="top" style="padding-top:6px;max-width:20px" width="20px">
                </td>
                <td valign="top">
                        <table border="0">
                                <tbody>
                                <tr valign="top">
                                        <td style="padding-left:7px;font-family:'Arial','Helvetica',sans-serif;font-size:13px">
                                                                                <strong>Alan Ho</strong>  | he/him/his  | Sr. IT Ops Engineer<br> 
                                                                                
                                                                                office: 604-753-8842 <br>
                                                                                toll-free: 1-888-277-9331<br>

                                                                                <a href="mailto:alan.ho@visier.com" style="color:#000" target="_blank">alan.ho@visier.com</a><br>
                                                                                <a href="https://www.visier.com?utm_source=visier_email_signature&utm_medium=email" style="color:#000;text-decoration:underline;display:inline" target="_blank">www.visier.com</a> |
                                                <a href="https://www.visier.com/clarity/?utm_source=visier_email_signature&utm_medium=email" style="color:#000;text-decoration:underline;display:inline" target="_blank"> Blog</a>
                                        <br>
                                        
                                        </td>
                                                
                                </tr>
                                </tbody>
                        </table>
                </td>
                </tr>
        </tbody>
</table>
</div></div></div>
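A way to test the suspicion in point 2, added here as an example and not part of the original mail: list the installed initramfs image with lsinitramfs (from initramfs-tools) and report which of the four key files the working command passes to mandos-client are absent from it. It assumes the files are expected inside the image under the same basenames as on the root filesystem; the sample listing at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original message or the Mandos project.
# Reports which of the key files mandos-client 1.8.9 was given on the
# command line are missing from an initramfs image listing.

# Basenames of the files the mail's working mandos-client command uses.
MANDOS_KEY_FILES="pubkey.txt seckey.txt tls-pubkey.pem tls-privkey.pem"

# missing_keys
# Reads an initramfs listing (one path per line, as lsinitramfs prints
# it) from stdin and prints each required key file that appears nowhere
# in it. Returns 0 when all four are present, 1 otherwise.
missing_keys() {
    listing=$(cat)
    missing=0
    for f in $MANDOS_KEY_FILES; do
        # Match the basename at the end of a path component.
        if ! printf '%s\n' "$listing" | grep -q "/$f\$"; then
            echo "missing from initramfs: $f"
            missing=1
        fi
    done
    return $missing
}

# check_initramfs IMAGE
# Runs the check against a real image, e.g. /boot/initrd.img-$(uname -r).
# Assumes lsinitramfs from initramfs-tools is installed (Ubuntu default).
check_initramfs() {
    lsinitramfs "$1" | missing_keys
}

# Constructed sample listing: the OpenPGP key pair was packed into the
# image but the TLS key pair was not, which is what the mail suspects.
SAMPLE_LISTING='etc/keys/mandos/pubkey.txt
etc/keys/mandos/seckey.txt
usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client'

if [ "$#" -gt 0 ]; then
    check_initramfs "$1" || echo "initramfs is incomplete for mandos-client"
else
    printf '%s\n' "$SAMPLE_LISTING" | missing_keys \
        || echo "initramfs is incomplete for mandos-client"
fi
```

Run it as `sh check.sh /boot/initrd.img-$(uname -r)` on the client; with no argument it demonstrates the constructed case, where only the two TLS files are reported missing.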