Closed branneman closed 5 years ago
A section for hardware based entropy tools could be nice too for example https://www.crowdsupply.com/13-37/infinite-noise-trng
@branneman Wow. That is great. I had never even considered that. Will work on adding it. Thanks!
@pahakalle Now that is interesting. I'd be worried about trusting the hardware tech. I'll do some research. Thanks!
Added something basic for now. I'll add more detail when I have time.
Thanks again!
Is this still relevant?
Some of the sources linked about this topic were updated, and it seems that since version 5.6 of the kernel, /dev/random doesn't block anymore either, and behaves almost the same as /dev/urandom. As such, there doesn't seem to be a need anymore to generate entropy for the randomness pool on modern Linux systems.
Also, the problem with headless servers generating predictable keys at boot seems to be mitigated by getrandom(2), a syscall available from Linux 3.17 onward, which blocks until it has gathered enough initial entropy, and then never blocks after that point.
Sources:
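As an added example (not code from this thread or from the guide it discusses), the following C program calls getrandom(2) directly instead of opening /dev/random or /dev/urandom, and shows the two behaviours the comment above describes: with no flags the call blocks only until the kernel's pool has been initialised and never afterwards, and with GRND_NONBLOCK an early-boot call fails immediately with EAGAIN so a daemon can log and retry instead of hanging. It assumes Linux 3.17 or later and glibc 2.25 or later for the `<sys/random.h>` wrapper; the function names and the 32-byte "key" buffer are illustrative choices made here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(2) wrapper, glibc >= 2.25, Linux >= 3.17 */

/*
 * fill_random: fill buf[0..len) from the kernel CSPRNG via getrandom(2).
 * Returns 0 on success; returns -1 on failure with errno set.
 *
 * nonblock == 0 : the call blocks only until the kernel's pool has gathered
 *                 its initial entropy, then never blocks again.
 * nonblock != 0 : GRND_NONBLOCK is passed, so an early-boot call fails at
 *                 once with EAGAIN instead of waiting for the pool.
 */
int fill_random(unsigned char *buf, size_t len, int nonblock)
{
    unsigned int flags = nonblock ? GRND_NONBLOCK : 0;
    size_t got = 0;

    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, flags);
        if (n < 0) {
            if (errno == EINTR)   /* a signal arrived while blocking: retry */
                continue;
            return -1;            /* EAGAIN: pool not yet initialised (GRND_NONBLOCK);
                                     ENOSYS: kernel older than 3.17 */
        }
        /* Requests above 256 bytes may return short; keep looping until full. */
        got += (size_t)n;
    }
    return 0;
}

/*
 * Self-check used by the demo: draw two 32-byte buffers (one blocking, one
 * non-blocking) plus a 1024-byte buffer that exercises the short-read loop.
 * Returns 1 if every call succeeds and the two small buffers differ, else 0.
 * On a booted system the pool is already initialised, so the non-blocking
 * call is expected to succeed as well.
 */
int getrandom_self_check(void)
{
    unsigned char a[32] = {0}, b[32] = {0}, big[1024];

    if (fill_random(a, sizeof a, 0) != 0)
        return 0;
    if (fill_random(b, sizeof b, 1) != 0)
        return 0;
    if (fill_random(big, sizeof big, 0) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    unsigned char key[32];   /* illustrative: e.g. seed material for a host key */

    /* Probe without blocking first; early in boot this reports EAGAIN. */
    if (fill_random(key, sizeof key, 1) < 0 && errno == EAGAIN)
        fprintf(stderr, "CRNG not initialised yet; using the blocking call\n");

    /* The blocking form waits for initial entropy, then returns immediately. */
    if (fill_random(key, sizeof key, 0) < 0) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return getrandom_self_check() ? 0 : 1;
}
```

The loop around the syscall matters in practice: getrandom(2) can return fewer bytes than requested for requests larger than 256 bytes and can be interrupted by a signal while blocking, so a single unchecked call is not enough for key material.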
I'm not sure. I've been a bit occupied with things and haven't had time to dig into this. But I will accept PRs if folks want to make changes.
Thanks for this How-To guide, I'm happy this project exists!
A lot of Linux servers are headless (no keyboard/mouse/monitor), and therefore have fewer sources of good entropy, as there is no human interaction beyond ssh. There have been cases of headless servers generating predictable ssh keys after boot. [1]
Thus it can be reasoned that security can be increased by setting up additional sources of entropy. A simple
sudo apt-get install rng-tools
on Debian-based distros already adds value, but there might be more tools available. I suggest adding this as a section to the guide.
Sources: