[Help-gnutls] Re: Announcement: Yet another GnuTLS-using program: Mandos
simon at josefsson.org
Wed Oct 8 10:30:43 CEST 2008
Teddy Hogeborn <teddy at fukt.bsnet.se> writes:
> Hi there; I just wanted all you GnuTLS folks to know about our project
> Mandos' slightly unusual use of GnuTLS.
> The goal of the Mandos system is to enable server computers to have an
> encrypted root file system and still be able to reboot automatically
> without anyone having to be there and type in a password.
> What happens is that we run a small Mandos client program at boot time
> in the initial RAM disk environment (initrd), before even networking
> is configured, using IPv6 link-local addresses.
> The Mandos client connects to the Mandos server. The Mandos clients
> each have an OpenPGP key, which they use to handshake as TLS *servers*
> to the Mandos server, which in turn handshakes as a TLS *client*. The
> Mandos server does not have a key, but computes the fingerprint of the
> OpenPGP key received from the Mandos client and looks up that
> fingerprint in an internal list, and, if the fingerprint is found,
> sends the corresponding binary blob to the client.
> (This binary blob is an OpenPGP-encrypted password necessary to unlock
> the client's root file system, but this is no longer GnuTLS-related.)
I'm not sure you have to do the handshake backwards, couldn't just the
mandos server have an OpenPGP key that the mandos client doesn't need to
One additional idea I get is to add some mechanism in the Mandos server
to require authorization before sending the blob. I.e., the
administrator is sent a jabber/e-mail/whatever ping that some machine
needs to reboot, and then she needs to go to a web page and authorize
the operation. Otherwise, the machine cannot boot. This might
introduce network timeouts, but if the Mandos client is robust about
that there shouldn't be a problem.
This would protect against someone stealing a server without keeping it
You'll have a problem if someone also gets control of the Mandos server
Maybe one could extend the scheme, so that N out of M machines have to
participate in reconstructing the blob before any single machine can
boot. Just getting control of <N of the M machines should not reveal
Whether this aspect is useful depends on your threat model. Maybe your
model is different from what I assumed...
> Oh yes, the project's home page: http://www.fukt.bsnet.se/mandos
Thanks, added to <http://www.gnu.org/software/gnutls/programs.html>.
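The N-out-of-M idea from the reply above, worked through as an added example that is not part of the original mail and is not Mandos or GnuTLS code. It uses Shamir's secret sharing over a prime field: the encrypted blob is the constant term of a random polynomial of degree N-1, each of the M participating machines holds one point on that polynomial, and any N points recover the blob by Lagrange interpolation at x = 0, while fewer than N points are consistent with every possible blob. The field modulus, the 0x01 sentinel byte that protects leading zero bytes, and the share layout (x, y) are choices made for this example.

```python
# Added example: (N, M) threshold sharing of a Mandos-style blob.
# Not Mandos or GnuTLS code; the field prime, sentinel byte and share
# format below are assumptions made for the example.
import secrets

# Assumed field modulus: the Mersenne prime 2^521 - 1, large enough for
# a blob of up to 64 bytes plus the one-byte sentinel.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[k] * x**k) mod PRIME with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(blob, n, m, rng=secrets.randbelow):
    """Split blob into m shares (x, y); any n of them reconstruct it.

    The blob is the constant term; the remaining n-1 coefficients are
    uniformly random field elements, so n-1 shares reveal nothing.
    """
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    # Sentinel 0x01 keeps leading zero bytes of the blob through the
    # int round-trip and lets reconstruct() detect obvious garbage.
    secret = int.from_bytes(b"\x01" + blob, "big")
    if secret >= PRIME:
        raise ValueError("blob too large for the field")
    coeffs = [secret] + [rng(PRIME) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def reconstruct(shares):
    """Lagrange-interpolate the shares at x = 0 and strip the sentinel."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # pow(den, PRIME-2, PRIME) is the modular inverse (Fermat).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("reconstruction failed: sentinel missing")
    return raw[1:]


def recovers(shares, blob):
    """True only if the given shares reconstruct exactly this blob."""
    try:
        return reconstruct(shares) == blob
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample blob standing in for the OpenPGP-encrypted password.
    blob = b"\x00\x00constructed-sample-blob"
    shares = split_secret(blob, n=3, m=5)   # 5 machines, any 3 suffice
    print("3 of 5:", recovers(shares[1:4], blob))   # True
    print("2 of 5:", recovers(shares[:2], blob))    # False
```

Each Mandos client would then need N-1 peers (or a separate set of share holders) to answer before it can assemble its own blob, which is what makes a single stolen machine, or a compromised Mandos server holding fewer than N shares, insufficient on its own; the shares themselves still have to travel over the authenticated TLS channel the original scheme already sets up.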