I wrote this article as a reminder. I’m using Ubuntu 16.04 server on both sides.

I have a server, let’s call it Box1, with full (root file system) LVM encryption. It’s great as it protects my data but the problem is that it needs someone to input the password at boot to decrypt the LVM volume.
If the server reboots and is unattended, it stays stuck at the decrypt password prompt and doesn’t boot. The same when having a headless server running remotely in a data center.

The solution? Mandos!

Box1 will run a small mandos client program in the initial RAM disk environment which will communicate over the local network with the mandos server, let’s call it MandosServer1. All network communications are encrypted using TLS.

Box1 will be identified by MandosServer1 using an OpenPGP key; each client (in this case Box1 but I could have many) has one unique key.

MandosServer1 sends Box1 an encrypted password. The encrypted password is decrypted by Box1 using the same OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally.

This basically works with MandosServer1 located in the same local network as Box1.
You still can find a WAN setup later in this article.

WARNING
At the time of writing this article the mandos packages provided with Ubuntu 16.04 are buggy (1.7.1-2build1 500). You need to either recompile a newer version or you can download the ones I compiled here:
mandos_1.7.12-1_all.deb
mandos-client_1.7.12-1_amd64.deb

UPDATE (June 5th 2017), my latest build:
mandos_1.7.15-1_all.deb
mandos-client_1.7.15-1_amd64.deb

Server Installation

We will start by installing mandos on MandosServer1:

It will throw errors related to dependencies. To solve that do:

Then we start mandos and make it startable at boot:

Client Installation

We will install the mandos client on Box1.
The following is mainly useful to increase the quantity of entropy in kernel to make /dev/random faster:

Installing the client (it may take a while…):

Now we will generate the client certificate. It will ask for a password. Be sure to enter here the very same password as the one  you use to unlock the client (Box1):

Copy the above command output to the end of the file /etc/mandos/client.conf server side and restart mandos:

Voila!

Now restart your client (Box1). It should boot, pause few seconds at the decrypt password prompt to receive the password from the server MandosServer1 and then continue to boot without interruption.

Using Mandos in a WAN environment

Mandos Server side

First, you need to modify the /etc/mandos/mandos.conf on mandos server. Set up the port to something convenient for you, set use_ipv6 = false (unless you are using IPv6), set zeroconf = False.

Here is my mandos.conf:

Adjust the timeout parameters on the client.conf file. Adjust so that it will not disable the client by mistake. This is my client.conf file (I removed the client config):

Client side

Then go on the client and modify /etc/mandos/plugin-runner.conf. It should look like this:

This will make the client to contact a distant server to get the key instead of trying to contact a local network one.

At the moment of the boot process when the mandos client will try to reach the mandos server for the key, the network is not up. You will need to bring it up to be able to reach the server. For this we need to add a network hook  by creating a file in /etc/mandos/network-hooks.d containing the necessary commands to bring the network up. This is a very simple example with a DHCP configuration:

We need to update initramfs:

Before rebooting to see if this is working, test that the client effectively is able to decrypt the password by receiving it from the server with this:

This should output the password.

Reboot and check that it works !

Debug

If it doesn’t work as expected, server side you can set debug = True in /etc/mandos/mandos.conf and watch the syslog.
On the client side you can try this command and watch the verbose output:

For a client and a server on the same network:

If you are in a WAN configuration:

If everything is fine, issuing this command without the –debug flag should output the password you use to unlock the encrypted file system.

You can also check the config details of a client:

If it shows your client is disabled, check that the mandos server can reach your client via ports 22 and ping. If a client is off or unreachable for some time, mandos disables it (configurable in the client.conf file server side as showed previously).

You can also type this to check if your client is enabled:

To Enable all clients:

To enable a specific client: