Mandos

Mandos is a system for allowing servers with encrypted root file systems to reboot unattended and/or remotely. See the manual for more information, including an FAQ list.

Mandos is Free Software, licensed using the GNU General Public License v3 or later.

(The Halls of Mandos is, in the fictional world of J. R. R. Tolkien, where the spirits of dead elves would go to be judged and possibly reincarnated. Similarly, the Mandos system allows “dead” servers to request reincarnation, which can be either denied or granted by the Mandos server.)

Current Status

Mandos is feature-complete; that is, it solves the problem it was created to solve. It has been included in Ubuntu ever since the Ubuntu Karmic release of October 2009, and in Debian since the Debian 6.0 “squeeze” release of February 2011. The latest versions of Mandos are uploaded to Debian unstable.

For future plans, see the TODO file.

Documentation

See the manual pages below.

Architectural Overview

Keys and Communication

[Key and communication overview]

Plugin System

[Plugin system overview]

The Manual Pages

intro(8mandos)
general discussion and FAQ

Server

mandos(8)
The network server program
mandos.conf(5)
Server configuration file
mandos-clients.conf(5)
Another server configuration file
mandos-ctl(8)
A command line utility to control the server
mandos-monitor(8)
A text-based UI to the server

Client

plugin-runner(8mandos)
The plugin runner
mandos-client(8mandos)
The network client plugin
password-prompt(8mandos)
Console interactive plugin
plymouth(8mandos)
Asks for password interactively via Plymouth.
usplash(8mandos)
Asks for password interactively via Usplash.
splashy(8mandos)
Asks for password interactively via Splashy.
askpass-fifo(8mandos)
Provides compatibility with the “askpass” program from the cryptsetup package.
password-agent(8mandos)
Runner of mandos-client in systemd-based boot environments; replaces plugin-runner
mandos-keygen(8)
Command line utility

Support/Contact

There is a mailing list “mandos-dev”. Subscribe or read its archives at https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev

The current maintainers can be reached at mandos@recompile.se

Download

Debian and Ubuntu

Mandos is available directly in Debian unstable and in the Ubuntu “universe” component, so to get Mandos installed in those distributions you use whatever method you normally use to select and install software packages for that distribution. There is no need to download anything from here, unless you want the latest version.

Debian stable/bookworm/12

Add these lines to a new file, named /etc/apt/sources.list.d/mandos.sources

# Mandos - <https://www.recompile.se/mandos>
Types: deb deb-src
URIs: https://ftp.recompile.se/pub/mandos/debian
Suites: bookworm-backports
Components: main
Signed-By: /etc/apt/keyrings/mandos.pgp

Then run these commands to download the key used to sign the packages:

su -c "mkdir --parents --mode=0755 /etc/apt/keyrings"
su -c "wget --timestamping --directory-prefix=/etc/apt/keyrings https://www.recompile.se/mandos/mandos.pgp"
su -c "chmod a+r /etc/apt/keyrings/mandos.pgp"

(The key should have the fingerprint “153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4”.)
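
The fingerprint comparison above can be scripted so that a mismatched or padded key file is caught before apt uses it. This is an added example, not part of the Mandos project; the function names and the sample listing are assumptions made for illustration, and only the fingerprint comes from this page.

```shell
#!/bin/sh
# Added example (not Mandos project code): check an APT keyring file against
# a published fingerprint before apt is allowed to trust it.

# Fingerprint as published on this page.
MANDOS_FPR="153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4"

# Constructed sample of `gpg --with-colons` output, trimmed to the fields
# used here; the subkey and its fingerprint are made up.
SAMPLE_LISTING='pub:-:4096:1:72232973CA34C2C4:
fpr:::::::::153A37F10BBA0435987F2C4A72232973CA34C2C4:
sub:-:4096:1:0123456789ABCDEF:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Remove whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read a colon-format key listing on stdin. Succeed only if it holds exactly
# one primary key ("pub") and that key's fingerprint equals $1. Fingerprints
# of subkeys ("sub") are ignored, and an extra primary key is a failure,
# because Signed-By trusts every key in the file.
listing_matches() {
    awk -F: -v want_fpr="$(normalize_fpr "$1")" '
        $1 == "pub" { n++; take = 1; next }
        $1 == "sub" { take = 0; next }
        $1 == "fpr" && take { if (toupper($10) == want_fpr) ok++; take = 0 }
        END { exit !(n == 1 && ok == 1) }
    '
}

# verify_keyring FILE [FINGERPRINT]: needs gpg (GnuPG 2.2 or later assumed).
verify_keyring() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null |
        listing_matches "${2:-$MANDOS_FPR}"
}
```

After the wget step, `verify_keyring /etc/apt/keyrings/mandos.pgp` exits with status 0 only when the file contains that single key; on any other status, remove the file rather than leaving it in the keyrings directory.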

Debian oldstable/bullseye/11

Add these lines to a new file, named /etc/apt/sources.list.d/mandos.sources

# Mandos - <https://www.recompile.se/mandos>
Types: deb deb-src
URIs: https://ftp.recompile.se/pub/mandos/debian
Suites: bullseye-backports
Components: main
Signed-By: /etc/apt/keyrings/mandos.pgp

(For the key file, see stable/bookworm/12 above.)

Debian oldoldstable/buster/10

Add these lines to a new file, named /etc/apt/sources.list.d/mandos.sources

# Mandos - <https://www.recompile.se/mandos>
Types: deb deb-src
URIs: https://ftp.recompile.se/pub/mandos/debian
Suites: buster-backports
Components: main
Signed-By: /etc/apt/keyrings/mandos.pgp

(For the key file, see stable/bookworm/12 above.)

Debian stretch/9

Add these lines to a new file, named /etc/apt/sources.list.d/mandos.sources

# Mandos - <https://www.recompile.se/mandos>
Types: deb deb-src
URIs: http://ftp.recompile.se/pub/mandos/debian
Suites: stretch-backports
Components: main
Signed-By: /etc/apt/keyrings/mandos.pgp

(For the key file, see stable/bookworm/12 above.)

Development Source Code

Known bugs and planned features are kept in the TODO file.

Instructions for Compiling and Installing From Source

Step 1

Check out the source code from the repository (requires the Breezy (brz) version control system; package name “brz”):

brz branch ftp://anonymous@ftp.recompile.se/pub/mandos/trunk mandos

Step 2

Build the Debian package (requires the brz-debian Breezy plugin package, package name “brz-debian”):

cd mandos
brz builddeb --builder='debuild -i -us -uc -b'

The .deb files should now be built and can be found in the parent directory.

Step 3

After installing a package, follow the instructions in the file “/usr/share/doc/package-name/README.Debian”.