Announcement: Yet another GnuTLS-using program: Mandos

Teddy Hogeborn teddy at
Wed Oct 8 03:26:11 CEST 2008

(The web page <> says
"Please contact us at bug-gnutls at to notify us about other
programs that use gnutls.", so I'm sending this there as well.)

Hi there; I just wanted all you GnuTLS folks to know about our project
Mandos' slightly unusual use of GnuTLS.

The goal of the Mandos system is to enable server computers to have an
encrypted root file system and still be able to reboot automatically
without anyone having to be there and type in a password.

What happens is that we run a small Mandos client program at boot time
in the initial RAM disk environment (initrd), before even networking
is configured, using IPv6 link-local addresses.

The Mandos client connects to the Mandos server.  The Mandos clients
each have an OpenPGP key, which they use to handshake as TLS *servers*
to the Mandos server, which in turn handshakes as a TLS *client*.  The
Mandos server does not have a key, but computes the fingerprint of the
OpenPGP key received from the Mandos client and looks up that
fingerprint in an internal list, and, if the fingerprint is found,
sends the corresponding binary blob to the client.

(This binary blob is an OpenPGP-encrypted password necessary to unlock
the client's root file system, but this is no longer GnuTLS-related.)

(The server is written in Python, and uses the python-gnutls library
from <>.)

Oh yes, the project's home page:

I just thought you might find it interesting.

/Teddy, Mandos Maintainer Team
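
The server-side decision described in the post (fingerprint the OpenPGP key the peer presented, look it up, return the blob or nothing), as an added example in plain Python. This is not the Mandos project's own code and does not use python-gnutls: in the real system the public key arrives over the GnuTLS OpenPGP handshake, whereas here the Public-Key packet body is handed straight to the lookup. The fingerprint is computed the way RFC 4880 defines it for version 4 keys (SHA-1 over 0x99, a two-octet length and the packet body). The class and function names are hypothetical, and the RSA key material is constructed filler, not a usable key.

```python
"""Added example (not Mandos' own code): the keyless Mandos server's
decision step modelled in plain Python.  The real server receives the
client's OpenPGP key over a GnuTLS handshake (client in the TLS server
role, server in the TLS client role); here the public-key packet body is
handed in directly.  The key material below is constructed filler."""
import hashlib
import struct
from typing import Optional

RSA_ENCRYPT_OR_SIGN = 1  # OpenPGP public-key algorithm id for RSA (RFC 4880 9.1)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return struct.pack(">H", value.bit_length()) + body


def public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA Public-Key packet (RFC 4880 5.5.2):
    version, 4-byte creation time, algorithm id, then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + bytes([RSA_ENCRYPT_OR_SIGN]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1(0x99 || two-octet body length || body), upper-case hex."""
    if len(body) > 0xFFFF:
        raise ValueError("public-key packet too long for a two-octet length")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(fingerprint: str) -> str:
    """Long key ID of a v4 key: the low-order 64 bits of the fingerprint."""
    return fingerprint[-16:]


class MandosServerModel:
    """Keyless responder: maps fingerprints of known clients to their encrypted blobs.
    The server itself holds no key; the peer is the only authenticated party."""

    def __init__(self, clients: dict[str, bytes]):
        # Normalise the configured fingerprints so spacing and case do not matter.
        self.clients = {fp.replace(" ", "").upper(): blob for fp, blob in clients.items()}

    def respond(self, peer_key_body: bytes) -> Optional[bytes]:
        """Fingerprint the key the peer presented; return its blob, or None if unknown."""
        return self.clients.get(v4_fingerprint(peer_key_body))


# Constructed sample: a tiny modulus stands in for a real RSA key (filler, not a usable key).
SAMPLE_CREATED = 1223429171  # arbitrary fixed creation time in October 2008
SAMPLE_KEY = public_key_packet_body(n=0xC3A95E7B0D11F285, e=65537, created=SAMPLE_CREATED)
SAMPLE_FINGERPRINT = v4_fingerprint(SAMPLE_KEY)
SAMPLE_BLOB = b"-----BEGIN PGP MESSAGE-----\n(constructed placeholder blob)\n-----END PGP MESSAGE-----\n"


def demo() -> tuple[Optional[bytes], Optional[bytes]]:
    """A registered client gets its blob; a key with the same modulus but a different
    creation time has a different fingerprint and gets nothing."""
    server = MandosServerModel({SAMPLE_FINGERPRINT: SAMPLE_BLOB})
    known = server.respond(SAMPLE_KEY)
    other_key = public_key_packet_body(n=0xC3A95E7B0D11F285, e=65537, created=SAMPLE_CREATED + 1)
    unknown = server.respond(other_key)
    return known, unknown


if __name__ == "__main__":
    known, unknown = demo()
    print("fingerprint:", SAMPLE_FINGERPRINT, "key id:", key_id(SAMPLE_FINGERPRINT))
    print("registered client served:", known is not None, "unknown client served:", unknown is not None)
```

The point worth noticing is that the fingerprint covers the whole Public-Key packet, creation time included, so the allow-list entry pins one specific key object rather than just a modulus; and because the lookup happens before any blob leaves the server, an unregistered peer that completes the handshake still learns nothing.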

More information about the Gnutls-devel mailing list