Mandos 1.8.16

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using a TLS key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using an OpenPGP key, and the password is then used to unlock the root file system.

Tags boot security cryptography systems administration
License GNU GPLv3
State stable

Recent Releases

1.8.1608 Feb 2023 01:37 major bugfix: Bug fix release, fixes a bug in the server where it would randomly run some checkers much too frequently.
1.8.1525 Apr 2022 20:08 documentation: Minor release, fixes a bug in mandos-keygen which would interpret backslashes as backslash escapes.
1.8.1403 Feb 2021 10:34 documentation: Minor release, add a workaround for a change in udev when initramfs-tools is used in the initial RAM disk image.
1.8.1330 Nov 2020 18:43 documentation: Minor release, fixes an unreliable test in tests of password-agent(8mandos) program.
1.8.1204 Jul 2020 13:38 documentation: Minor release, fixes compatibility with the GNU C Library version 2.31, and may help with an issue reported with Ubuntu 19.10.
1.8.1108 Apr 2020 19:14 documentation: Minor release, fixes a minor but important bug.
1.8.1021 Mar 2020 18:39 documentation: Minor release, fixes some minor bugs. Adds easier modification of server options when using systemd and client options when using systemd and dracut.
1.8.903 Sep 2019 19:57 documentation: Very minor release, mostly to improve Debian packaging. Also move to use Python 3 by default.
1.8.818 Aug 2019 20:31 documentation: Very minor release, mostly to improve Debian packaging.
1.8.705 Aug 2019 21:40 documentation: Documentation improvements, and a minor compilation flag change (enable LFS).
1.8.603 Aug 2019 13:41 minor bugfix: Minor bug fixes: Fix memory alignment issue on some architectures. Ignore deleted and moved question files when using dracut(8) with systemd(1).
1.8.530 Jul 2019 19:27 major feature: Major feature: dracut(8) support. Also minor bug fixes: The server can now successfully restart when the "port" option is used, and does not leave any zombie processes while running. The client also gets a minor bug fix in the mandos-keygen --passfile option; it can now read file with names starting with "-".
1.8.409 Apr 2019 20:36 minor bugfix: Fix of minor memory leak, and fix in Debian packaging to not conflict with the "dropbear-initramfs" package.
1.8.311 Feb 2019 06:46 minor feature: Minor fix to packaging dependencies, and elimination of some compiler warnings.
1.8.210 Feb 2019 10:58 minor bugfix: Minor bug fix to packaging, and in client's mandos-keygen, ignore failures to remove files in some cases.
1.8.110 Feb 2019 09:37 major bugfix: TLS key generation only worked when using GnuTLS 3.6.6; fix this by only generating keys if this is the case.
1.8.010 Feb 2019 05:44 major feature: Now supports systems having GnuTLS 3.6.6 or later by using TLS "raw public keys" (RFC 7250).
1.7.1922 Feb 2018 20:33 minor bugfix: Client bug fix: Avoid LeakSanitizer message and error by not using LeakSanitizer for the binary using libraries which leak memory.
1.7.1812 Feb 2018 18:06 minor bugfix: Client bug fix: Revert faulty fix for a nonexistent bug in the plugin-runner.
1.7.1710 Feb 2018 22:06 minor bugfix: Client bug fix: Fix memory leaks in password-prompt and the plymouth plugin.
1.7.1620 Aug 2017 20:11 minor bugfix: Client bug fix: Fix memory leak in password-prompt to eliminate ugly warnings when plymouth is installed. Client bug fix: Ignore "resumedev" entries in initramfs' cryptroot file.
1.7.1523 Feb 2017 21:13 minor bugfix: Server Bug fix: Respect the mandos.conf "zeroconf" and "restore" options. Client bug fix in "mandos-keygen": Handle backslashes in passphrases.
1.7.1425 Jan 2017 20:24 minor bugfix: Server Minor Bug fix: Don't use deprecated directive name in systemd service file.
1.7.1308 Oct 2016 06:27 minor bugfix: Client Minor Bug fix: Don't ask for passphrase or fail when generating keys using GnuPG 2.1 in a chrooted environment.
1.7.1205 Oct 2016 20:57 major bugfix: Client Bug fix: Don't crash after exit() when using DH parameters file
1.7.1101 Oct 2016 15:25 minor bugfix: Client Security fix: Don't compile with AddressSanitizer. Server Bug fix: Find GnuTLS library when gnutls28-dev is not installed. Server Bug Fix: Include "Expires" and "Last Checker Status" in mandos-ctl verbose output. Server New Feature: New option for mandos-ctl: --dump-json
1.7.1023 Jun 2016 21:10 minor bugfix: Client security fix: restrict permissions of /etc/mandos/plugin-helpers directory (by default empty). Server bug fix: Make the --interface flag work with Python 2.7 when "cc" is not installed
1.7.922 Jun 2016 09:07 minor bugfix: Client bug fix: Do not include intro(8mandos) man page which conflicts with the same one from the server package.
1.7.821 Jun 2016 20:47 minor bugfix: Client bug fix: Work with GnuPG 2 when booting (Debian bug #819982) by copying /usr/bin/gpg-agent into initramfs. Server bug fix: Make the --interface option work when using Python 2.7 by trying harder to find SO_BINDTODEVICE.
1.7.719 Mar 2016 22:26 minor bugfix: Bug fix: Fix bug in Plymouth password prompting plugin, bug present since 1.2, but only recently broken since the introduction of the -fsanitize=address compilation flag in version 1.7.2.
1.7.613 Mar 2016 22:45 minor bugfix: Bug fix: Fix bug where stopping server would time out. Also make server program compatible with Python 3.
1.7.508 Mar 2016 00:55 minor bugfix: Bug fix: Fix security restrictions in systemd service file. Work around bug where stopping server would time out.
1.7.405 Mar 2016 22:42 minor bugfix: Bug fix: Fix compilation on mips, mipsel and s390x. On boot, tolerate errors from the external "configure_networking" shell function. Add extra security restrictions in systemd service file.
1.7.329 Feb 2016 22:50 minor bugfix: Bug fix: Remove new type of keyring directory used by GnuPG 2.1. Bug fix: Remove "nonnull" attribute from a function argument, which would otherwise generate a spurious runtime warning.
1.7.228 Feb 2016 16:17 minor bugfix: Bug fix: Don't try to send D-Bus signal ClientRemoved if not using D-Bus. Also stop using Python-GnuTLS library and instead call the GnuTLS library directly.
1.7.124 Oct 2015 18:33 minor bugfix: Bug fix: Can now really find Mandos server even if the server has an IPv6 address on a network other than the one which the Mandos server is on.
1.7.010 Aug 2015 21:22 minor feature: Server bugs fixed: Handle local Zeroconf service name collisions better, the "ERROR: Child process vanished" bug, start server correctly in systemd, be compatible with old 2048-bit DSA keys. Server features: The D-Bus API now provides the standard D-Bus ObjectManager interface (deprecating older functionality). Client bug fixed: mandos-keygen now generates correct output for the "Checker" variable even if the SSH server on the Mandos client has multiple SSH key types. Client features: Can now find Mandos server even if the server has an IPv6 address on a network without IPv6 Router Advertisment, now uses a better value than 1024 for the default number of DH bits, can now use pre-generated Diffie-Hellman parameters from a file.
1.6.926 Oct 2014 15:23 minor feature: Server: Changed to emit standard D-Bus signal when D-Bus properties change. (The old signal is still emitted too, but marked as deprecated.)