Comment on [deleted]
thelittleblackbird@lemmy.world 5 days ago
Check here, I think it is a more sensible way of doing things: www.recompile.se/mandos
dont@lemmy.world 5 days ago
Interesting, do you happen to know how this “approval” works here, concretely?
thelittleblackbird@lemmy.world 4 days ago
I am afraid I don’t get the question.
What do you exactly mean?
dont@lemmy.world 4 days ago
It wasn’t clear to me at first glance how the mandos server gets the approval to supply the client with its desired key, but I figured it out in the meantime: that’s done through the mandos-monitor TUI. However, that doesn’t quite fit my UX expectations. Thanks for mentioning it, though. It’s an interesting project I will keep in mind.
thelittleblackbird@lemmy.world 4 days ago
Ehmmmm I still don’t grasp what you mean.
In any case, mandos has a possibility to do it automatically via RSA encryption, so you have the possibility of a totally unattended restart.
Because the server is (ideally) in a different location, if one of your systems is stolen / compromised then you only delete / revoke the certificate's ID and then that machine would not be able to decrypt its own LUKS system.
I never deployed this system on my own, but I know a few guys who did it.
Regards