Mandos has very similar goals to FDEunlock, but the two address different use cases. The key difference is the server/client model. With Mandos you run one or more Mandos servers that hand out keys to hosts. The hosts initiate the request for a key; they find a Mandos server either by configured IP address or via Avahi.
FDEunlock works the other way around. It is started by the user and initiates a connection to the host. FDEunlock then checks the host and enters the keys it asks for, which the user has previously provided for that host.
Also, on the implementation side there are a few differences:
| | Mandos | FDEunlock |
|---|---|---|
| Transport security | TLS (GnuTLS); optionally OpenVPN, … | SSH (Dropbear or OpenSSH on the host) |
| Transport credentials | OpenPGP keys via GnuTLS | OpenSSH host keys |
| Mode of operation | Hosts connect to any Mandos server | FDEunlock connects to hosts |
| Approx. complexity | High: ~3500 LOC Python, ~4000 LOC C | Medium: ~1000 LOC Python |
| Implemented in | Server: Python 2; client: C, Bash | Python 3 |
| Key encrypted | Yes, decryptable only by the target host | No (see TODO list) |
| Anti Evil Maid | Not state of the art: dead man's switch using ICMP | Not state of the art: multiple checks |
Which to use really depends on your use case.
If you focus on endpoint/workstation security and do not put much trust in servers, which might not always be under your supervision, then FDEunlock is probably the better fit, because that is what it was built for: use on the workstations of admins.
If you operate a big data center and want servers to be encrypted by default, then Mandos should be your number one option.
Note that as both projects use Python to implement similar parts of their design, one could import, combine or improve parts of the other; this is currently not done.
If simplicity is key then not much will beat the default way of remote unlocking as documented by Debian's cryptsetup package. Either write the passphrase directly to /lib/cryptsetup/passfifo on the host (while it is still in the initramfs), or run:

```shell
ssh fde-server.example.org-initramfs "echo -ne 'fnord' > /lib/cryptsetup/passfifo"
```

The `-initramfs` suffix assumes a Host alias in your ssh_config, which you want anyway because the Dropbear host key in the initramfs usually differs from the host key of the booted system. Note the `-n`: the documented command writes the passphrase without a trailing newline, so keep it that way if you feed the fifo some other way. Also be aware that this form puts the passphrase on the command line, where it ends up in your shell history and is visible in the process list on both ends.
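The same unlock with the passphrase kept off the command line, as an added example written for this page (it is neither Debian's nor FDEunlock's code): the passphrase is written to ssh's stdin and copied into the passfifo by `cat` in the initramfs shell, so it appears neither in the local shell history nor in `ps` output. The host name, the `run` hook (present so the function can be exercised without a real host) and the passphrase file are placeholders.

```python
import os
import stat
import subprocess
from typing import Callable, List

# Path used by Debian's cryptsetup initramfs hook (from the documented command above).
PASSFIFO = "/lib/cryptsetup/passfifo"


def unlock_command(host: str) -> List[str]:
    """Build the ssh command that copies its stdin into the passfifo.

    The passphrase is intentionally absent from the argument vector: it
    travels over ssh's stdin, so neither shell history nor the process
    list on either end ever contains it.
    """
    return ["ssh", host, "cat > " + PASSFIFO]


def remote_unlock(host: str, passphrase: bytes,
                  run: Callable = subprocess.run):
    """Send the passphrase bytes to the initramfs host.

    `run` defaults to subprocess.run; a test can inject a stub.  The
    documented command uses `echo -ne`, i.e. no trailing newline, so a
    passphrase that ends in one is rejected rather than silently sent
    with different bytes than the user expects.
    """
    if not passphrase:
        raise ValueError("empty passphrase")
    if passphrase.endswith(b"\n"):
        raise ValueError("send the passphrase without a trailing newline, "
                         "as the documented `echo -ne` does")
    return run(unlock_command(host), input=passphrase, check=True)


def read_passphrase_file(path: str) -> bytes:
    """Read a passphrase from a file that only its owner may access.

    Refuses group/world-readable files and drops the single trailing
    newline an editor typically adds when the file was written by hand.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group or others; chmod 0600 it")
    with open(path, "rb") as f:
        data = f.read()
    return data[:-1] if data.endswith(b"\n") else data


if __name__ == "__main__":
    # Hypothetical host alias and passphrase file; both are placeholders.
    remote_unlock("fde-server.example.org-initramfs",
                  read_passphrase_file(os.path.expanduser("~/.fde/fde-server.pass")))
```

The `cat > …` redirection runs in the initramfs shell, so the passphrase only ever exists on the remote side inside `cat` and the fifo, never in a shell argument string.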
antievilmaid is a proper state-of-the-art tamper detection tool for workstations; it relies on a TPM and trusted boot.
chkboot is a non-state-of-the-art Anti Evil Maid detection tool intended for workstations. It uses cryptographically strong checksums to measure the content of /boot, BUT only after the decryption key has already been entered/passed to
Its functionality is similar to the ChecksumChecker of FDEunlock.
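The kind of measurement chkboot and FDEunlock's ChecksumChecker perform, as an added example written for this page (it is taken from neither project): a manifest of SHA-256 digests and symlink targets for everything below /boot is recorded once from a known-good state, and a later run reports entries that were added, removed or changed. The manifest is deliberately stored outside the measured tree; on a real deployment it belongs on the admin workstation that runs the check, not on the host whose /boot an evil maid can edit. Directory names and the sample tree used to exercise it are constructed. As noted above for chkboot, this runs after the key has been entered, so it can only alert after the fact; it cannot stop a tampered boot chain from running.

```python
import hashlib
import json
import os
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 16


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def measure_tree(root) -> Dict[str, str]:
    """Measure every entry below root (normally /boot).

    Regular files are recorded as "sha256:<hex>", symlinks as
    "symlink:<target>": the link is what the boot loader follows, so a
    redirected link is as interesting as a modified file.  Symlinks are
    never followed, so nothing outside root is measured.
    """
    root = Path(root)
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        dirnames.sort()  # in place: deterministic walk order
        for name in dirnames + sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                manifest[rel] = "sha256:" + _sha256_file(p)
            # plain directories carry no content of their own to measure
    return manifest


def compare(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a stored manifest against a fresh measurement."""
    common = expected.keys() & actual.keys()
    return {
        "added": sorted(actual.keys() - expected.keys()),
        "removed": sorted(expected.keys() - actual.keys()),
        "changed": sorted(k for k in common if expected[k] != actual[k]),
    }


def write_manifest(manifest: Dict[str, str], path) -> None:
    """Store the known-good manifest.  Keep it off the measured host:
    whoever can edit /boot could otherwise edit the manifest too."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def read_manifest(path) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def check_boot(root, manifest_path) -> Dict[str, List[str]]:
    """Return the differences; three empty lists mean /boot is unchanged."""
    return compare(read_manifest(manifest_path), measure_tree(root))


if __name__ == "__main__":
    import sys
    # Usage: boot_check.py record|check /boot manifest.json  (hypothetical CLI)
    action, root, manifest = sys.argv[1:4]
    if action == "record":
        write_manifest(measure_tree(root), manifest)
    else:
        diff = check_boot(root, manifest)
        print(json.dumps(diff, indent=2))
        sys.exit(1 if any(diff.values()) else 0)
```

Digests cover file content only; if you also want to catch permission or ownership changes on /boot, extend the recorded value with the relevant `os.lstat` fields.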
ypid is not aware of other similar projects. If you are, please get in touch.