strlcat / tfcrypt

tfcrypt -- high security Threefish encryption tool.

[Question] Is /dev/hwrng safe for generating keyfiles with sksum? #5

Closed phantomcraft closed 3 years ago

phantomcraft commented 3 years ago

I have been using this command for generating keyfiles to use with tfcrypt:

sudo cat /dev/hwrng | sksum -D 1024 -n 1000000 -W -l 1024 > ./keyfile

My questions are: Is /dev/hwrng safe for getting random bytes to transform into a key with sksum?

Is this /dev/hwrng the hardware RNG which uses the processor RNG directly?

/dev/hwrng appeared when I installed the rng-tools package from the Debian repository; it seems my processor (AMD Ryzen 5 1400) has a built-in TRNG.

strlcat commented 3 years ago

You can pull more (possibly less secure) sources like /dev/urandom into the main stream to be fed to sksum. I would do it like this (assuming I have these sources) with some simple xor program which blends them all into a unified stream:

xor /dev/urandom /dev/hwrng | xor - /dev/__some_other_random_source__ | sksum ...

The security of /dev/hwrng depends on the hardware; who can know whether it is secure? I would not trust hardware crypto too much, but in these security circus days you can only try to amend what you can.
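
A minimal XOR blender of the kind the comment above describes, as an added example: it is not strlcat's program or part of tfcrypt, and the file name xor.c and its two-argument interface ("-" for stdin) are assumptions modelled on the command line shown. It stops at the shorter input, so no output byte ever comes from a single source alone.

```c
/* xor.c - added example (hypothetical tool, not from the tfcrypt project).
 * Usage: xor SRC_A SRC_B   ("-" means stdin); writes A XOR B to stdout. */
#include <stdio.h>
#include <string.h>

#define BLK 4096

/* XOR streams a and b into out, block by block.
 * Stops as soon as either source runs short, so a failed or exhausted
 * source can never let the other one pass through unblended.
 * Returns the number of bytes written, or (size_t)-1 on a write error. */
size_t xor_streams(FILE *a, FILE *b, FILE *out)
{
    unsigned char x[BLK], y[BLK];
    size_t total = 0;

    for (;;) {
        size_t na = fread(x, 1, BLK, a);
        size_t nb = fread(y, 1, BLK, b);
        size_t n = na < nb ? na : nb;      /* only the overlapping part */

        for (size_t i = 0; i < n; i++)
            x[i] ^= y[i];
        if (n && fwrite(x, 1, n, out) != n)
            return (size_t)-1;
        total += n;
        if (n < BLK)                       /* EOF or error on a source */
            break;
    }
    return total;
}

static FILE *open_src(const char *path)
{
    return strcmp(path, "-") == 0 ? stdin : fopen(path, "rb");
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SRC_A SRC_B\n", argv[0]);
        return 2;
    }
    FILE *a = open_src(argv[1]), *b = open_src(argv[2]);
    if (!a || !b) { perror("open"); return 1; }
    size_t n = xor_streams(a, b, stdout);
    return (n == (size_t)-1 || fflush(stdout) != 0) ? 1 : 0;
}
```

The blended stream is at least as unpredictable as the strongest input only when the inputs are independent of each other.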

phantomcraft commented 3 years ago

I discovered another method of generating keyfiles with sksum; it relies on a TRNG called "maxwell": https://github.com/sandy-harris/maxwell

It's very slow but enough for feeding sksum.

maxwell -s -f 0 -p 6 | sksum -D 1024 -n 1000000 -W -l 1024 > ./keyfile

At least it doesn't depend on hardware.