More secure random entropy pool

[branneman]

Thanks for this How-To guide, I'm happy this project exists!

A lot of linux servers are headless (no keyboard/mouse/monitor), and therefore have less sources for good entropy as there is no human interaction beyond ssh. There have been cases of headless servers generating predictable ssh keys after boot. [1]

Thus it can be reasoned that security can be increased by setting up additional sources for entropy. A simple sudo apt-get install rng-tools on debian-based distro's already adds value, but there might be more tools available.

I suggest adding this as a section to the guide.

Sources:

• https://hackaday.com/2017/11/02/what-is-entropy-and-how-do-i-get-more-of-it/
• https://www.2uo.de/myths-about-urandom

[ThatLurker]

A section for hardware based entropy tools could be nice too for example https://www.crowdsupply.com/13-37/infinite-noise-trng

[imthenachoman]

@branneman Wow. That is great. I had never even considered that. Will work on adding it. Thanks!

[imthenachoman]

@pahakalle Now that is interesting. I'd be worried about trusting the hardware tech. I'll do some research. Thanks!

[imthenachoman]

Added something basic for now. I'll add more detail when I have time.

[imthenachoman]

Thanks again!

[Triveri]

Is this still relevant? Some of the sources linked about this topic were updated, and it seems that since version 5.6 of the kernel, /dev/random doesn't block anymore either, and behaves almost the same as /dev/urandom. As such, there doesn't seem to be anymore a need to generate entropy for the randomness pool on modern linux systems.

Also, the problem with headless server generating predictable keys at boot seems to be mitigated by getrandom(2), a syscall available from Linux 3.17 onward, which blocks until it has gathered enough initial entropy, and then never blocks after that point.

Sources:

• https://www.2uo.de/myths-about-urandom/
• https://man7.org/linux/man-pages/man2/getrandom.2.html
• https://wiki.archlinux.org/title/Rng-tools
• https://man7.org/linux/man-pages/man4/random.4.html

[imthenachoman]

I'm not sure. I've been a bit occupied with things and haven't had time to dig into this. But I will accept PRs if folks want to make changes.