HANAZONO(1)
2025-03-12
NAME
hanazono - receive and print a key from hahari
SYNOPSIS
hanazono
DESCRIPTION
hanazono listens on port 6100 for an incoming connection from hahari. Once a key has been received successfully, it is printed to stdout and hanazono exits. If the first key was incorrect, it is not possible to submit a second one.
To use hanazono, add the hanazono feature to your mkinitfs config. Then modify the kernel parameters to include:
    cryptkey=EXEC=/usr/bin/hanazono
To prevent unauthorized key submissions, hahari also sends a username and password. These have to match one of the username/password combinations in /boot/hanazono/users. The file uses the scfg format: each directive represents one combination, with the directive name being the username and the first parameter being the password. This is an example of such a file:
hannes super-secret-password
conan "password with whitespace"
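A lint pass for a users file in the layout described above, as an added example that is not part of hanazono or its documentation. It uses Python's shlex to approximate scfg word splitting and quoting; the sample entries, the 12-character minimum and the function names are assumptions made for illustration.

```python
import shlex

# Constructed sample in the layout described above (not a real credentials file).
SAMPLE_USERS = '''\
hannes super-secret-password
conan "password with whitespace"
conan other-password
guest
'''

MIN_PASSWORD_LEN = 12  # assumption: local policy value, not something hanazono enforces

def parse_users(text):
    """Return (entries, problems): entries are (line, user, password) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no directive
        try:
            # shlex approximates scfg quoting; it is not a full scfg parser.
            words = shlex.split(line)
        except ValueError as exc:
            problems.append((lineno, f"unparseable line: {exc}"))
            continue
        if len(words) < 2:
            problems.append((lineno, f"user {words[0]!r} has no password parameter"))
            continue
        entries.append((lineno, words[0], words[1]))
    return entries, problems

def lint_users(text):
    """Return sorted (line, message) findings: parse errors, duplicates, short passwords."""
    entries, problems = parse_users(text)
    seen = {}
    for lineno, user, password in entries:
        if user in seen:
            problems.append((lineno, f"user {user!r} already defined on line {seen[user]}"))
        else:
            seen[user] = lineno
        if len(password) < MIN_PASSWORD_LEN:
            problems.append((lineno, f"password for {user!r} is shorter than {MIN_PASSWORD_LEN} characters"))
    return sorted(problems)

if __name__ == "__main__":
    for lineno, message in lint_users(SAMPLE_USERS):
        print(f"line {lineno}: {message}")
```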
TLS is used to encrypt the traffic. Save the TLS private key as /boot/hanazono/key and the certificate as /boot/hanazono/cert.
Finally, regenerate your initramfs and test whether it works.
SEE ALSO
hahari(1), mkinitfs-bootparam(7)
AUTHORS
Created and maintained by Hannes Braun <hannes@hannesbraun.net>. Up-to-date sources can be found at https://git.sr.ht/~hannes/hanazono. Bugs and patches can be submitted by email to ~hannes/public-inbox@lists.sr.ht.