MANDOS-KEYGEN(8)                  Mandos Manual                 MANDOS-KEYGEN(8)

NAME
       mandos-keygen - Generate key and password for Mandos client and server.

SYNOPSIS
       mandos-keygen [--dir DIRECTORY | -d DIRECTORY]
                     [--type KEYTYPE | -t KEYTYPE]
                     [--length BITS | -l BITS]
                     [--subtype KEYTYPE | -s KEYTYPE]
                     [--sublength BITS | -L BITS]
                     [--name NAME | -n NAME]
                     [--email ADDRESS | -e ADDRESS]
                     [--comment TEXT | -c TEXT]
                     [--expire TIME | -x TIME]
                     [--tls-keytype KEYTYPE | -T KEYTYPE]
                     [--force | -f]

       mandos-keygen {--password | -p | --passfile FILE | -F FILE}
                     [--dir DIRECTORY | -d DIRECTORY]
                     [--name NAME | -n NAME] [--no-ssh | -S]

       mandos-keygen {--help | -h}

       mandos-keygen {--version | -v}

DESCRIPTION
       mandos-keygen is a program to generate the TLS and OpenPGP keys used by
       mandos-client(8mandos). The keys are normally written to /etc/keys/mandos
       for later installation into the initrd image, but this, and most other
       things, can be changed with command line options.

       This program can also be used with the --password or --passfile options
       to generate a ready-made section for clients.conf (see mandos-

       The purpose of this is to enable remote and unattended rebooting of
       client host computers with an encrypted root file system. See the
       section called “OVERVIEW” for details.

OPTIONS
       --help, -h
           Show a help message and exit.

       --dir DIRECTORY, -d DIRECTORY
           Target directory for key files. Default is /etc/keys/mandos.

       --type KEYTYPE, -t KEYTYPE
           OpenPGP key type. Default is “RSA”.

       --length BITS, -l BITS
           OpenPGP key length in bits. Default is 4096.

       --subtype KEYTYPE, -s KEYTYPE
           OpenPGP subkey type. Default is “RSA”.

       --sublength BITS, -L BITS
           OpenPGP subkey length in bits. Default is 4096.

       --email ADDRESS, -e ADDRESS
           Email address of key. Default is empty.

       --comment TEXT, -c TEXT
           Comment field for key. Default is empty.

       --expire TIME, -x TIME
           Key expiry time. Default is no expiration. See gpg(1) for syntax.

       --tls-keytype KEYTYPE, -T KEYTYPE
           TLS key type. Default is “ed25519”.

       --force, -f
           Force overwriting old key.

       --password, -p
           Prompt for a password and encrypt it with the key already present in
           either /etc/keys/mandos or the directory specified with the --dir
           option. Outputs, on standard output, a section suitable for inclusion
           in mandos-clients.conf(8). The host name, or the name specified with
           the --name option, is used for the section header. All other options
           are ignored, and no key is created. Note: white space is stripped
           from the beginning and from the end of the password; see the section
           called “BUGS”.

       --passfile FILE, -F FILE
           The same as --password, but read from FILE, not the terminal, and
           white space is not stripped from the password in any way.

       --no-ssh, -S
           When --password or --passfile is given, this option will prevent
           mandos-keygen from calling ssh-keyscan to get an SSH fingerprint for
           this host and, if successful, output suitable config options to use
           this fingerprint as a checker option in the output. This is otherwise
           the default behavior.

OVERVIEW
       This is part of the Mandos system for allowing computers to have
       encrypted root file systems and at the same time be capable of remote
       and/or unattended reboots. The computers run a small client program in
       the initial RAM disk environment which will communicate with a server
       over a network. All network communication is encrypted using TLS. The
       clients are identified by the server using a TLS key; each client has one
       unique to it. The server sends the clients an encrypted password. The
       encrypted password is decrypted by the clients using a separate OpenPGP
       key, and the password is then used to unlock the root file system,
       whereupon the computers can continue booting normally.

       This program is a small utility to generate new TLS and OpenPGP keys for
       new Mandos clients, and to generate sections for inclusion in
       clients.conf on the server.

EXIT STATUS
       The exit status will be 0 if a new key (or password, if the --password
       option was used) was successfully created, and non-zero otherwise.

ENVIRONMENT
           If set, temporary files will be created here. See mktemp(1).

FILES
       Use the --dir option to change where mandos-keygen will write the key
       files. The default file names are shown here.

           OpenPGP secret key file which will be created or overwritten.

           OpenPGP public key file which will be created or overwritten.

           Private key file which will be created or overwritten.

           Public key file which will be created or overwritten.

           Temporary files will be written here if TMPDIR is not set.

BUGS
       The --password/-p option strips white space from the start and from the
       end of the password before using it. If this is a problem, use the
       --passfile option instead, which does not do this.
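       The --passfile behaviour described above and under the --passfile option
       has its own pitfall: because nothing is stripped, a trailing newline left
       by “echo pw > file” becomes part of the secret. The following POSIX sh
       helper is an added example, not part of Mandos; it inspects a password
       file byte-by-byte and only then calls mandos-keygen --passfile. The
       function names and the script name are this example's own.

```sh
#!/bin/sh
# Added example, not part of Mandos: pre-check a password file before it is
# given to "mandos-keygen --passfile", which keeps every byte of the file.
# A trailing newline from "echo pw > file" would become part of the secret.

# True if the decimal byte value in $1 is white space (tab, LF, CR, space).
is_ws_byte() {
    case $1 in 9|10|13|32) return 0 ;; esac
    return 1
}

# Print one word describing FILE: empty, trailing-newline, edge-whitespace
# or clean. Byte values come from od, so the check is encoding-agnostic.
passfile_whitespace_report() {
    file=$1
    [ -s "$file" ] || { echo empty; return 0; }
    first=$(od -An -tu1 -N 1 "$file" | tr -d ' \n')
    last=$(tail -c 1 "$file" | od -An -tu1 | tr -d ' \n')
    if [ "$last" = 10 ]; then
        echo trailing-newline
    elif is_ws_byte "$first" || is_ws_byte "$last"; then
        echo edge-whitespace
    else
        echo clean
    fi
}

# Emit the clients.conf section for FILE via mandos-keygen, but only when the
# file is clean; otherwise refuse, since --passfile would not strip anything.
# DIR (optional) is passed through as --dir; mandos-keygen's own default is
# /etc/keys/mandos.
mandos_section_from_passfile() {
    report=$(passfile_whitespace_report "$1")
    if [ "$report" != clean ]; then
        echo "refusing: password file '$1' is $report" >&2
        return 1
    fi
    mandos-keygen --passfile "$1" ${2:+--dir "$2"}
}

# Usage: sh passfile-check.sh FILE [DIR]
if [ "$#" -gt 0 ]; then
    mandos_section_from_passfile "$@"
fi
```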

       Please report bugs to the Mandos development mailing list:
       <> (subscription required). Note that this list is
       public. The developers can be reached privately at <>
       (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34
       C2C4 for encrypted mail).

EXAMPLE
       Normal invocation needs no options:

       mandos-keygen
       Create a key in another directory and of another type, forcing the old
       key files to be overwritten:

       mandos-keygen --dir ~/keydir --type RSA --force

       Prompt for a password, encrypt it with the keys in /etc/keys/mandos and
       output a section suitable for clients.conf.

       mandos-keygen --password

       Prompt for a password, encrypt it with the keys in the client-key
       directory and output a section suitable for clients.conf.

       mandos-keygen --password --dir client-key

SECURITY
       The --type, --length, --subtype, and --sublength options can be used to
       create keys of low security. If in doubt, leave them to the default

       The key expire time is not guaranteed to be honored by mandos(8).

SEE ALSO
       intro(8mandos), gpg(1), mandos-clients.conf(5), mandos(8),
       mandos-client(8mandos), ssh-keyscan(1)

COPYRIGHT
       Copyright © 2008-2019 Teddy Hogeborn, Björn Påhlsson

       This manual page is part of Mandos.

       Mandos is free software: you can redistribute it and/or modify it under
       the terms of the GNU General Public License as published by the Free
       Software Foundation, either version 3 of the License, or (at your option)
       any later version.

       Mandos is distributed in the hope that it will be useful, but WITHOUT ANY
       WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
       FOR A PARTICULAR PURPOSE. See the GNU General Public License for more

       You should have received a copy of the GNU General Public License along
       with Mandos. If not, see

Mandos 1.8.14                      2019-07-18                   MANDOS-KEYGEN(8)