Get Mandos working in Ubuntu

May 20, 2014    encryption mandos patch security

I’ve been doing a lot of playing around with full disk encryption. The one big problem with full disk encryption is that when the server reboots, you are left at a prompt to enter your password to mount the drive. This is solved by a tool called Mandos. It is a client/server tool: the Mandos client is loaded into the initrd image on the server, and on boot it queries the Mandos server, which sends back the encryption key for the client to use.

So the issue is that the packages just don’t work in Ubuntu 12.04 or even 14.04. I have a patch you can apply to the source if you want to rebuild the packaged versions to make debs of your own.

Below is the patch. This works for 14.04 but is basically the same for 12.04. I think the initrd script is slightly different but you can get the gist of it.

--- mandos-1.6.0.orig/initramfs-tools-hook
+++ mandos-1.6.0/initramfs-tools-hook
@@ -148,11 +148,7 @@ for hook in /etc/mandos/network-hooks.d/

 # GPGME needs /usr/bin/gpg
-if [ ! -e "${DESTDIR}/usr/bin/gpg" \
-    -a -n "`ls \"${DESTDIR}\"/usr/lib/* \
-       2>/dev/null`" ]; then
-    copy_exec /usr/bin/gpg
+copy_exec /usr/bin/gpg

 # Config files
 for file in /etc/mandos/plugin-runner.conf; do
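
Review bot: the removed lines take out the opening `if [ ... ]; then`, but no matching `fi` removal is visible, and the header counts (-148,11 +148,7) cover more lines than are shown, so confirm the `fi` is actually deleted or the hook will fail with a syntax error when the initramfs is built. Separately, making `copy_exec /usr/bin/gpg` unconditional drops the `! -e "${DESTDIR}/usr/bin/gpg"` guard along with the `ls "${DESTDIR}"/usr/lib/*` test; if only the library-directory test is what fails on Ubuntu, consider keeping the existence check and removing just that second condition. A short comment saying why the condition was removed would help whoever next rebases this against upstream.
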
--- mandos-1.6.0.orig/mandos-keygen
+++ mandos-1.6.0/mandos-keygen
@@ -231,8 +231,12 @@ if [ "$mode" = keygen ]; then

     # Generate a new key in the key rings
     gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
-   --homedir "$RINGDIR" --trust-model always \
-   --gen-key "$BATCHFILE"
+        --homedir "$RINGDIR" \
+        --import-ownertrust < /dev/null
+    # Generate a new key in the key rings
+    gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
+        --homedir "$RINGDIR" --trust-model always \
+        --gen-key "$BATCHFILE"
     rm --force "$BATCHFILE"

     if tty --quiet; then
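
Review bot: the existing comment "# Generate a new key in the key rings" now sits above the new `--import-ownertrust < /dev/null` call, and the added lines repeat the same comment above `--gen-key`, so the first command is undocumented and mislabelled. Replace the first comment with one that says what the empty ownertrust import is for and why Ubuntu's gpg needs it before key generation. The `--gen-key` invocation itself changes only in indentation, so it could be left as unchanged context to keep the diff minimal, and `--enable-dsa2` looks unnecessary on the ownertrust call since no key is generated there.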

If anyone wants working packages for this let me know and I can post them for 12.04 and 14.04.
