Re: [opensuse] Is there something like Debians Mandos for Opensuse?

The mandos client is installed in initrd, which is why it's so hard to get it
running on anything that isn't Debian-based. From what I've read Debian has
lots of hooks to add things to initrd, but all other distributions don't.

PS: I've manually replaced "AW" with "Re" in hopes of not breaking mail

From: Carlos E. R. <robin.listas@xxxxxxxxxxxxxx>
Sent: Sat 29 November 2014 17:52
To: oS-en <opensuse@xxxxxxxxxxxx>
Subject: Re: [opensuse] Is there something like Debians Mandos for Opensuse?

On 2014-11-29 15:55, Anton Aylward wrote:
On 11/29/2014 09:05 AM, Carlos E. R. wrote:
I don't see how an encrypted root that automatically boots can be a good
thing. If somebody steals the machine, they can "open" it completely!

How does that Mandos do the trick, where is the password stored?

It looks a bit like a Kerberos ticket server.
The key is not stored on the machine with the encrypted ROOTFS.
Rather the boot sequence - think of it as a shim within grub (or
whatever) - contacts the key server much in the same way that a Kerberos
enabled session starts up.

I can imagine two possibilities.

One is that the initrd image contains the needed scripts/binaries to
contact the mandos server.

Another is that grub2 itself, which has some decryption capabilities to
boot from an encrypted root (without a plain /boot), includes itself the
code needed for mandos.

This is not so simple as adding a package to the distribution.

It could also be a variation of tiny-ftp... it can be used for booting
from network.

Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)

