Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More secure random entropy pool #33

Closed
branneman opened this issue Mar 25, 2019 · 7 comments
Closed

More secure random entropy pool #33

branneman opened this issue Mar 25, 2019 · 7 comments
Assignees
@imthenachoman
Labels
enhancement New feature or request

Comments

@branneman
Copy link

Thanks for this How-To guide, I'm happy this project exists!

A lot of linux servers are headless (no keyboard/mouse/monitor), and therefore have less sources for good entropy as there is no human interaction beyond ssh. There have been cases of headless servers generating predictable ssh keys after boot. [1]

Thus it can be reasoned that security can be increased by setting up additional sources for entropy. A simple sudo apt-get install rng-tools on debian-based distro's already adds value, but there might be more tools available.

I suggest adding this as a section to the guide.

Sources:
@ThatLurker
Copy link

A section for hardware based entropy tools could be nice too for example https://www.crowdsupply.com/13-37/infinite-noise-trng

@imthenachoman
Copy link
Owner

@branneman Wow. That is great. I had never even considered that. Will work on adding it. Thanks!

@imthenachoman
Copy link
Owner

@pahakalle Now that is interesting. I'd be worried about trusting the hardware tech. I'll do some research. Thanks!

@imthenachoman imthenachoman self-assigned this Mar 25, 2019
@imthenachoman imthenachoman added the enhancement New feature or request label Mar 25, 2019
@imthenachoman
Copy link
Owner

Added something basic for now. I'll add more detail when I have time.

@imthenachoman
Copy link
Owner

Thanks again!

@Triveri
Copy link

Triveri commented Jul 29, 2024

Is this still relevant?
Some of the sources linked about this topic were updated, and it seems that since version 5.6 of the kernel, /dev/random doesn't block anymore either, and behaves almost the same as /dev/urandom. As such, there doesn't seem to be anymore a need to generate entropy for the randomness pool on modern linux systems.

Also, the problem with headless server generating predictable keys at boot seems to be mitigated by getrandom(2), a syscall available from Linux 3.17 onward, which blocks until it has gathered enough initial entropy, and then never blocks after that point.

Sources:

@imthenachoman
Copy link
Owner

I'm not sure. I've been a bit occupied with things and haven't had time to dig into this. But I will accept PRs if folks want to make changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@imthenachoman imthenachoman

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@imthenachoman @branneman @ThatLurker @Triveri