Closed phantomcraft closed 3 years ago
You can pull more (possibly less secure) sources like /dev/urandom
into the main stream to be fed to sksum. I would do it like that (assuming I have these sources) with some simple xor
program which blends them all into unified stream:
xor /dev/urandom /dev/hwrng | xor - /dev/__some_other_random_source__ | sksum ...
The security of /dev/hwrng
depends on hardware, who can know is it secure? I would not trust hardware crypto too much, but in these security circus days you can only try to amend what you can.
I discovered other method of generating keyfiles with sksum, it relies on a TRNG called "maxwell":https://github.com/sandy-harris/maxwell
It's very slow but enough for feeding sksum.
maxwell -s -f 0 -p 6 | sksum -D 1024 -n 1000000 -W -l 1024 > ./keyfile
At least, doesn't depend on hardware.
I have been using this command for generating keyfiles to use with tfcrypt:
sudo cat /dev/hwrng | sksum -D 1024 -n 1000000 -W -l 1024 > ./keyfile
My questions are: Is /dev/hwrng safe for getting random bytes to transform in a key with sksum?
Is this /dev/hwrng the hardware RNG which uses the processor RNG directly?
/dev/hwrng appeared when I installed rng-tools package from the Debian repository, it seems my processor (AMD Ryzen 5 1400) has a built in TRNG.