
Formal Metadata

Title
Mandos
Subtitle
Disk encryption without passwords
Number of Parts
490
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Disk encryption is essential for physical computer security, but seldom used due to the trouble of remembering and typing a password at every restart. We describe Mandos, a program which solves this problem, its security model, and the underlying concepts of its design, and some of its evolution over the 10 years since its initial release. Any security system must have a clear view of its intended threat model – i.e. what threats it is actually intended to protect against; the specific choices and tradeoffs made for Mandos will be explained. Another danger of security system design is the risk of its non-use; i.e. that the system will not be used for some real or perceived drawbacks, such as complexity. The deliberate design choices of Mandos, involving low-interaction, “invisible” and automatic features, will be covered. If possible, the many necessary changes made since the last FOSDEM talk in 2015 will also be described.
Transcript: English (auto-generated)
For the next speaker we have Teddy, who's going to talk about Mandos. So please welcome the speaker. Thank you.
I can't see my slides from here, so I'll have to read from the same display as you. Mandos is something that enables you to use full disk encryption on your servers. Which you should do. Probably, let's see. Yeah, if you use physical or bare-metal hardware
and you have more than one physical machine, then you can. And you want to use full disk encryption, which you should do. Then you should use Mandos because it enables you to do that. If you don't already use full disk encryption, you probably should. But if the only reason you weren't doing that was because you couldn't, then Mandos will probably help you do that.
So the problem with running full disk encryption is normally that you can't type in the password if the server reboots. But Mandos solved that problem. With Mandos, one running machine can send the password to the other machine which is booting up, which needs the password.
So if one machine reboots, the other machine can send the password and then the first machine can run the reboot and get the password from the second machine. So two machines can reboot and still be secure, both of them with full disk encryption. And if both machines are turned off,
let's see. Dang it. Yeah, and the crucial thing is there's no interactivity here. You don't have to approve, although you can configure it to do so. You don't have to and normally it doesn't require approval.
Yes. It's basically invisible once you install and configure it. It just reboots normally. You don't have to say anything. Password prompts appear and then disappear. You don't have to type in anything. And it supports all the normal initramfs tools and dracut, both with and without systemd.
Both are used now in Debian. The server side is all configured and controllable by D-Bus and various command line utilities for control and inspections are provided.
I thought I had a slide there, but never mind. Let me check here. I think I'm skipping a slide. No, I guess not. There are various objections to this protocol because everyone thinks that, wait, isn't that insecure?
But no, it's actually not insecure. We use TLS encrypted communication with perfect forward secrecy, and the data that is transmitted is not a cleartext password even though it's TLS encrypted. It's double encrypted, because the data that's transmitted is OpenPGP encrypted.
So it's quite easy to install. It's been in Debian and Ubuntu for about 10 years. No, maybe five. I can't remember. Many years in any case. So if you want to just install it, you can just install it from a normal Debian or Ubuntu repository or you can use our private package
index from instructions on that website. Let's, dang it, I think I skipped some slides. Yeah. These keys. Okay, let's see. Slides, yes. Ah, here we go.
Mandos has a threat model that's probably what your threat model is also, because what you really want to protect from is what you could reasonably assume to happen, like there is someone coming in, taking all your servers and
running off with them, turned off. And if that happens, if you don't have full disk encryption, then of course they can read all your disks. But if you have Mandos, then since both servers are then turned off, the disks are fully encrypted and someone has to type a password to either one of the servers to get both up.
So in that case, that's secure. So in that normal expected case, it's just as secure as normal full disk encryption. Of course, so, as I said, in that case, it fails safe. It's like it deadlocks both the servers if both are turned off.
Yeah, and if you currently do not run full disk encryption, then you probably use full disk encryption with Mandos anyway, because at least that's better than nothing.
In theory, there is one weakness because you could, in theory, take one server offline, inspect the initramfs and extract the secret key within this very short timeout, and then use that to unlock the other server. But you'd have to assume very sophisticated attackers to do that. And if your attackers were very sophisticated,
they could just as well do a cold boot attack and read the keys directly from RAM. So that's not really what we aim to protect against. What we aim to protect against is the usual expected attack of somebody turning off both servers and making off with them.
And of course, if you want to, you can configure Mandos to require approval for each reboot. So you can, okay, some server wants to boot up, and you have to log in and say yes, allow this server. You don't have to type in the password, you just have to allow it to boot. And then it's just as secure again. But of course, then you can't reboot while you sleep.
That's the installation instruction, basically. It's very easy. I think that's it. I'm just mostly here because I want to promote awareness that this system exists, because I see many, many people running
servers and not using full disk encryption because they think they have to type in the password every time they reboot, which, you know, with remote servers or servers not in their room, you can't do that. But with Mandos, you can. So I'm just putting it out there. This exists, and it has existed for like 10 years, but
not very well known still. I think that's about it. I think we have time for some questions. Of course, much faster than I thought. I can't hear anything from my microphone. I think it's working.
Let me come from the others. Just to make sure that I understood correctly, so if I have two machines and both of them are down,
then to start it again, there will be a password that has to be entered, right? If both are down... Not for every reboot, but if it happens that all the machines are down at the same time... Then you have to type in the password for at least one of them. Then that one can automatically
respond with passwords to the other ones. And that's... I read that it said it was GPG encryption. Is that the way... Is that the key? Is this GPG encryption? We use both TLS encryption for the actual network communication, but the thing that is communicated over that encrypted channel is OpenPGP encrypted data.
Thank you. Thank you for your talk. I have two questions. The first one is how do you provision the TLS certificates and
the PGP keys for the communication? They are automatically generated when you install, and then you manually configure the system with the fingerprints of all the keys. But don't you have to copy them or send them to some key server? No, no key server. You just manually copy the fingerprints of the keys to the configuration files of the servers. Okay, and the second question is
let's say I have two machines which are in different physical locations and one attacker smashed and grabbed the first one and I didn't notice that
one of my machines disappeared. Can he reboot it over the network and get access to it by trying to send some packets to the other machine which can send back the password? Well, if he's really really fast he can do that, but not normally. There's a timeout, but
he's shaking his head no here. Mr. Co-author here. Local network. Okay, it's only on the private network. Normally the Mandos server and the Mandos client are assumed to be on the same local network. You can manually configure it to ask a specific server remotely,
but that's not the normal case. In this case, can we have something like a virtual private network using a VPN like WireGuard or something like that? Yeah, you could do that. You'll have to create some scripts to
because the Mandos client runs before the root file system is decrypted, you run without any specific good utilities. You have to write the script that runs in that environment to bring up your VPN and stuff, but we provide hooks for all that. We have scripts. Okay. All right. Thank you.
Do we have any other question? For the TLS connection, do you have client authentication? Client authentication, we check the exact fingerprint of the key.
So you check it for the server, which I guess is the server that's already booted? Actually, no. We're kind of funny that way. We don't run the TLS connection backwards. The Mandos client, which runs in that small Linux environment,
which wants the password, is connecting, but is then doing the TLS handshake as a TLS server. So it has a key which is automatically proven in the TLS handshake to be, I have that key. So then the server acting as a TLS client checks that fingerprint against its database.
So, I mean, it's automatically verified by the TLS itself. I see we have time for more questions. Is there anyone who wants to ask something? I have a machine which doesn't have full disk encryption, which is really bad. How can I easily migrate it to a
full disk encryption? Like, is there some tooling you provide or is there something which can... We don't provide the actual full disk encryption. We use the normal Linux full disk encryption system. We just provide the hooks, which provides the password at boot time when it needs it.
Okay. So if you just convert to normal full disk encryption, you can then install that and use it. All right. Do we have any questions? We have some time. So, oh yeah, I don't see any hands. So thank you Teddy for the talk.
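The server-side decisions the talk describes (answering only configured key fingerprints, optional per-boot operator approval, a timeout after which a client that has gone missing is no longer answered, and a secret that the server holds only in OpenPGP-encrypted form), as an added Python model that is not Mandos's own code. The SHA-256 fingerprint, the liveness-check bookkeeping and the clearing of an approval after each answered request are assumptions of this example; the TLS layer, in which the booting client takes the TLS server role, is not modelled.

```python
# Constructed policy model of a Mandos-style password server (added example,
# not Mandos's own code). It models the server-side decisions from the talk:
# answer only known key fingerprints, optionally require operator approval,
# refuse clients unseen for longer than their timeout, and hand out only an
# opaque, already-encrypted secret the server itself cannot read.
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def key_fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the raw public-key bytes. Stands in for the TLS key
    fingerprint the real server compares; the hash choice is an assumption."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class ClientRecord:
    fingerprint: str
    secret_blob: bytes      # OpenPGP-encrypted password; opaque to the server
    timeout: float          # seconds a client may go unseen before being disabled
    last_seen: float        # time of the last successful liveness check
    approval_required: bool = False
    approved: bool = False
    enabled: bool = True


class PasswordServer:
    """Configured clients keyed by fingerprint, plus the request decision."""

    def __init__(self) -> None:
        self.clients: dict[str, ClientRecord] = {}

    def add_client(self, record: ClientRecord) -> None:
        self.clients[record.fingerprint] = record

    def _lookup(self, presented_key: bytes) -> ClientRecord | None:
        fp = key_fingerprint(presented_key)
        # Constant-time comparison against every configured fingerprint.
        for known_fp, record in self.clients.items():
            if hmac.compare_digest(known_fp, fp):
                return record
        return None

    def record_check(self, fingerprint: str, reachable: bool, now: float) -> None:
        """Result of the periodic liveness check of a running client (assumed
        bookkeeping): a client unseen past its timeout is disabled."""
        record = self.clients[fingerprint]
        if reachable:
            record.last_seen = now
        elif now - record.last_seen > record.timeout:
            record.enabled = False  # stays disabled until an operator re-enables it

    def approve(self, fingerprint: str) -> None:
        """Operator says yes to the next boot of this client."""
        self.clients[fingerprint].approved = True

    def handle_request(self, presented_key: bytes, now: float) -> tuple[str, bytes | str]:
        record = self._lookup(presented_key)
        if record is None:
            return "reject", "unknown key fingerprint"
        if not record.enabled or now - record.last_seen > record.timeout:
            record.enabled = False
            return "reject", "client unseen for longer than its timeout"
        if record.approval_required and not record.approved:
            return "pending", "operator approval required"
        record.approved = False  # assumption: an approval covers one boot only
        return "ok", record.secret_blob


def demo() -> list[tuple[str, object]]:
    """Walk through the cases from the talk with constructed keys and blobs."""
    server = PasswordServer()
    key_a = b"constructed-public-key-of-server-A"
    key_b = b"constructed-public-key-of-server-B"
    fp_a, fp_b = key_fingerprint(key_a), key_fingerprint(key_b)
    server.add_client(ClientRecord(fp_a, b"<opaque OpenPGP blob for A>",
                                   timeout=300, last_seen=0.0))
    server.add_client(ClientRecord(fp_b, b"<opaque OpenPGP blob for B>",
                                   timeout=300, last_seen=0.0, approval_required=True))
    results: list[tuple[str, object]] = []
    results.append(server.handle_request(key_a, now=60))           # normal reboot: answered
    results.append(server.handle_request(b"unknown-key", now=60))  # stranger: refused
    results.append(server.handle_request(key_b, now=60))           # approval mode: pending
    server.approve(fp_b)
    results.append(server.handle_request(key_b, now=61))           # approved: answered
    server.record_check(fp_a, reachable=False, now=1000)           # unseen past timeout
    results.append(server.handle_request(key_a, now=1001))         # disabled: refused
    return results


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The model keeps the fail-safe property the talk relies on: nothing in the server's state decrypts the blob, so stealing the server alone yields ciphertext, and a client that stops answering its checks is refused once its timeout has passed.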