Http server instead of own server?

Teddy Hogeborn teddy at recompile.se
Wed Feb 13 12:27:12 CET 2013


Cesare Bianchi <kzar79 at gmail.com> writes:

> I manage various (virtual) servers running in various clients'
> locations. The clients must not have direct access to the servers'
> data, so I encrypted the disks. At the present time, I must physically
> go (or connect to the virtual host) if a server reboots.
>
> I wanted to install Mandos client on the servers, but it needs a
> Mandos server running in the network, and obviously this only adds
> complexity.
>
> So, is it possible to use some simple form of connection to the
> "Mandos server", for example with a public basic http server?

Firstly, your setup is not secure.  Your clients can access the memory
of the virtual machines, where the keys to the encrypted disks are
stored.

Secondly, the problem you want to solve does not need any source
changes; the code is written to be flexible enough to cover your use
case.  What you should do is four things:

1. Add "ip=dhcp" to the Linux kernel command line; do this by editing
   the GRUB_CMDLINE_LINUX_DEFAULT setting in your /etc/default/grub
   file; add "ip=dhcp" to the setting.  If DHCP is not available for the
   Mandos client systems, use the syntax "ip=1.1.1.2::1.1.1.1", where
   "1.1.1.2" is the client IP address and "1.1.1.1" is the local
   gateway.

2. Add, to the /etc/mandos/plugin-runner.conf file, this line:

--options-for=mandos-client:--connect=1.2.3.4:1234

   Replace "1.2.3.4:1234" with the IP address and your chosen port of
   the Mandos server.
   
3. Run "update-initramfs -k all -u" to update the initramfs image.

4. Configure the Mandos server to use a specific port number by
   uncommenting and editing the "port" setting in /etc/mandos.conf on
   the Mandos server host.

(Note: I have written these four steps mostly from my memory of how this
is supposed to work, but I have not tested them.  It is always possible
I have forgotten something.)

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos
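The four steps above as a set of shell helpers. This is an added example, not code from the Mandos project or from the message's author. It assumes the file layouts the message describes (a quoted GRUB_CMDLINE_LINUX_DEFAULT value in /etc/default/grub, one option per line in /etc/mandos/plugin-runner.conf, and a "port" key shipped commented out with ";" or "#" in /etc/mandos.conf); the server address 1.2.3.4:1234 and the [DirectoryService] section name in the demo are constructed sample values. Every helper takes the file path as an argument so the edits can be rehearsed on copies before touching /etc, and each one is idempotent, so running it twice does not duplicate an option.

```shell
#!/bin/sh
# Added example (not Mandos project code): apply the four configuration
# steps from the message to files passed as arguments. Assumed formats:
#   GRUB_CMDLINE_LINUX_DEFAULT="..."   in /etc/default/grub
#   one option per line                in /etc/mandos/plugin-runner.conf
#   ";port = " or "#port = "           in /etc/mandos.conf (server side)
set -eu

# Overwrite $1 with stdin through a temp file (no dependency on GNU sed -i).
_rewrite() { cat > "$1.tmp" && mv "$1.tmp" "$1"; }

# Current value of GRUB_CMDLINE_LINUX_DEFAULT, without the quotes.
grub_cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Step 1: add an ip= option (default "ip=dhcp"; pass e.g.
# "ip=1.1.1.2::1.1.1.1" for a static client/gateway pair) to
# GRUB_CMDLINE_LINUX_DEFAULT, unless some ip= option is already there.
grub_add_ip() {
    file=$1; ipopt=${2:-ip=dhcp}
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$ipopt" >> "$file"
        return 0
    fi
    cur=$(grub_cmdline_default "$file")
    case " $cur " in *" ip="*) return 0 ;; esac    # already configured
    new="${cur:+$cur }$ipopt"
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" \
        "$file" | _rewrite "$file"
}

# Step 2: tell mandos-client where the server is, replacing an earlier
# --connect line instead of appending a second one.
plugin_runner_set_connect() {
    file=$1; addr=$2
    line="--options-for=mandos-client:--connect=$addr"
    if grep -q '^--options-for=mandos-client:--connect=' "$file"; then
        sed "s|^--options-for=mandos-client:--connect=.*|$line|" "$file" | _rewrite "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# The address:port currently configured by step 2 (empty if none).
plugin_runner_connect() {
    sed -n 's/^--options-for=mandos-client:--connect=//p' "$1"
}

# Step 3: rebuild every initramfs so the new plugin-runner.conf is inside
# the boot image. Real hosts only; the demo and tests never call this.
client_rebuild_initramfs() { update-initramfs -k all -u; }

# Step 4 (on the Mandos server host): uncomment and set the "port" key.
mandos_conf_set_port() {
    file=$1; port=$2
    if grep -q '^[;#]*[[:space:]]*port[[:space:]]*=' "$file"; then
        sed "s|^[;#]*[[:space:]]*port[[:space:]]*=.*|port = $port|" "$file" | _rewrite "$file"
    else
        printf 'port = %s\n' "$port" >> "$file"
    fi
}

# The active (uncommented) port value from mandos.conf.
mandos_conf_port() {
    sed -n 's/^port[[:space:]]*=[[:space:]]*//p' "$1"
}

# Steps 1-3 against the real paths on a client; run as root.
# $1 = server address:port, $2 = optional ip= option (default ip=dhcp).
client_apply() {
    grub_add_ip /etc/default/grub "${2:-ip=dhcp}"
    plugin_runner_set_connect /etc/mandos/plugin-runner.conf "$1"
    client_rebuild_initramfs
}

# Demo on constructed copies of the three files; never touches /etc.
demo_on_copies() {
    d=$(mktemp -d)
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$d/grub"
    printf '# constructed plugin-runner.conf\n' > "$d/plugin-runner.conf"
    printf '[DirectoryService]\n;port = \n' > "$d/mandos.conf"   # section name assumed
    grub_add_ip "$d/grub"
    plugin_runner_set_connect "$d/plugin-runner.conf" 1.2.3.4:1234
    mandos_conf_set_port "$d/mandos.conf" 1234
    cat "$d/grub" "$d/plugin-runner.conf" "$d/mandos.conf"
    rm -r "$d"
}

if [ "${1:-}" = demo ]; then demo_on_copies; fi
```

Run it as "sh mandos-setup.sh demo" to see the rewritten sample files; on a client, source the file and call client_apply with the server's address:port. The helpers only edit text: verifying that the initramfs really reaches the server (and that the kernel brought the interface up early enough for it) still means a test reboot with console access, which is also where a forgotten update-grub would show up on systems whose initramfs hooks do not regenerate grub.cfg.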