mandos-client on Debian Buster

Birger Brunswiek birger at brunswiek.org
Thu Sep 5 15:17:56 CEST 2019


On 03.09.19 18:47, Teddy Hogeborn wrote:
> Birger Brunswiek <birger at brunswiek.org> writes:
>
>> Well there is one more issue. Only my root device is decrypted at boot
>> time. Before I upgraded cryptsetup and cryptsetup-initramfs I could
>> work around the issue by reverting revision 906
>> (https://bzr.recompile.se/loggerhead/mandos/trunk/revision/906). With
>> the new cryptsetup mandos-to-cryptroot-unlock is used but the issue is
>> essentially the same. The retrieved key is only used to decrypt the
>> root device but not other devices scripts/local-top/cryptroot wants to
>> open.  If I remove the break at
>> https://bzr.recompile.se/loggerhead/mandos/trunk/view/970/mandos-to-cryptroot-unlock#L72
>> it works. The better way is probably to restart the inner loop. Even
>> better would be to determine how many devices still need to be opened
>> and only break if there are none left.
> Hmm, Mandos is really meant to unlock only the root device, since if you
> have additional devices to unlock, you could just store the keys to
> those additional devices directly in files on that root file system,
> possibly somewhere in the /etc/keys directory.  Is there a reason for
> why you want to use Mandos to unlock more than one device?  What threat
> model do you mean to defend against using this setup?

Reconsidering my setup, I came to the conclusion that opening devices
other than the single one for root in the initrd is not required. I
falsely believed that all volumes of LVM needed to be available before
exiting the initrd. I changed my setup to use Debian's decrypt_derived
to open the remaining devices outside of initrd. Booting now works
without the modifications to the Mandos scripts made earlier. Thanks for
the hint.

Birger
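The crypttab layout the thread ends up with (Mandos unlocks only the root volume in the initramfs; the other volumes are opened later with keys derived from the root mapping via Debian's decrypt_derived keyscript, see crypttab(5)) has an ordering requirement that is easy to get wrong: a decrypt_derived entry must name a target that appears earlier in /etc/crypttab, and it must not carry the initramfs option, or cryptroot would again try to open it in the initrd where only the Mandos-retrieved key is available. The following is an added example, not code from the thread or from the Mandos project: the crypttab content is constructed with placeholder UUIDs, and the check function is a hypothetical helper that reports such ordering mistakes.

```shell
#!/bin/sh
# Added example (not from the mailing list or the Mandos project).
# Constructed /etc/crypttab: root_crypt is unlocked in the initramfs (by
# Mandos, as described in the thread); the data volumes derive their key
# from the already-open root_crypt mapping and are opened after the initrd.
# UUIDs are placeholders.
CRYPTTAB_SAMPLE='# target    source                                     key        options
root_crypt  UUID=11111111-2222-3333-4444-555555555555 none       luks,initramfs
data_crypt  UUID=66666666-7777-8888-9999-aaaaaaaaaaaa root_crypt luks,keyscript=decrypt_derived
home_crypt  UUID=bbbbbbbb-cccc-dddd-eeee-ffffffffffff root_crypt luks,keyscript=decrypt_derived'

# check_derived_crypttab (hypothetical helper): reads crypttab text on stdin,
# prints one line per problem and exits with the number of problems found.
# Problems detected:
#   1. a decrypt_derived entry whose key field is not an earlier target
#      (the source mapping would not be open yet when this entry is processed);
#   2. a decrypt_derived entry carrying the initramfs option (cryptroot would
#      attempt to open it in the initrd instead of after leaving it).
check_derived_crypttab() {
    awk '
    /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
    {
        target = $1; key = $3; opts = $4
        seen[target] = NR
        if (opts ~ /(^|,)keyscript=decrypt_derived(,|$)/) {
            if (!(key in seen) || seen[key] == NR) {
                print target ": derives its key from \"" key "\", which is not an earlier crypttab target"
                n++
            }
            if (opts ~ /(^|,)initramfs(,|$)/) {
                print target ": decrypt_derived entry must not carry the initramfs option"
                n++
            }
        }
    }
    END { exit n }'
}

# Usage: the constructed sample above is expected to pass without findings.
printf '%s\n' "$CRYPTTAB_SAMPLE" | check_derived_crypttab && echo "crypttab ordering OK"
```

Run it against the real /etc/crypttab with `check_derived_crypttab < /etc/crypttab` after editing; a non-zero exit code means one of the derived entries would not unlock at boot.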

