[ubuntu-hardened] rngd: enable hardware-supported random generators.
Seth Arnold
seth.arnold at canonical.com
Thu Jan 7 03:40:11 UTC 2016
On Wed, Dec 23, 2015 at 11:21:46AM +0100, daniel curtis wrote:
> I have one more question. What do you think about Haveged[1]? It
> is an attempt to provide an easy to use, unpredictable rng based
> on the HAVEGE algorithm. There is an opinion saying that if a
> user has a specific reason not to trust the hardware random number
> generator on his system, he should try to use the 'rng-tools'
> (I mentioned 'rng' in my first message).
I'm not a big fan of HAVEGE: on e.g. hosting providers, the things it
measures may not be random at all if they are scheduled by a hypervisor.
I'm afraid that it would be giving a false impression of extra entropy
when it isn't actually feeding any novel information into the kernel's
pool.
> Coming back to the mentioned list of available entropy (via
> /proc/sys/kernel/random/entropy_avail): is it true that if the collected
> entropy is rather low (let's say less than 1000), the user should probably
> install haveged? Given what haveged is, etc., what is your
> opinion?
haveged wouldn't be my first choice for this.
- I don't think most people actually need to do anything about entropy.
- You can use RDRAND instructions on Intel CPUs via the rngd tool to help
seed your entropy. rngd will also use TPM devices if they exist, and can
be configured to use other hardware generators too.
I hope this helps.
Thanks
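As an added example (not from the thread, and not rng-tools' own code), a small POSIX shell script that checks the three inputs behind the advice above: the rdrand CPU flag, the hw_random drivers the kernel exposes to rngd through /dev/hwrng, and the pool level in entropy_avail. The file paths are parameters so it can be run against constructed samples; the 1000-bit figure is the questioner's rule of thumb, not a kernel threshold.

```shell
#!/bin/sh
# Added example: report which hardware entropy source, if any, rngd could use.
# Every function takes an optional file path so it can be tested offline.

# has_rdrand [CPUINFO]: succeeds if the flags line lists rdrand
# (the flag name is "rdrand" on both Intel and AMD CPUs).
has_rdrand() {
    grep -qw rdrand "${1:-/proc/cpuinfo}"
}

# hwrng_sources [RNG_AVAILABLE]: prints the drivers registered with the kernel
# hw_random core (e.g. "tpm-rng", "virtio_rng"); rngd reads these via /dev/hwrng.
hwrng_sources() {
    cat "${1:-/sys/class/misc/hw_random/rng_available}" 2>/dev/null
}

# entropy_state [AVAIL_FILE]: prints "low" or "ok" using the 1000-bit
# rule of thumb from the question; an unreadable file counts as low.
entropy_state() {
    avail=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null)
    if [ "${avail:-0}" -lt 1000 ]; then echo low; else echo ok; fi
}

# advise [CPUINFO] [RNG_AVAILABLE]: one-line summary of what rngd can feed from.
advise() {
    if has_rdrand "$1"; then
        echo "rdrand: rngd can feed the pool from the CPU instruction"
    elif [ -n "$(hwrng_sources "$2")" ]; then
        echo "hwrng: rngd can feed the pool from /dev/hwrng ($(hwrng_sources "$2"))"
    else
        echo "none: no hardware source found for rngd on this host"
    fi
}

# Live report when run on a Linux host; skipped elsewhere.
if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    echo "entropy_avail: $(cat /proc/sys/kernel/random/entropy_avail) ($(entropy_state))"
    advise
fi
```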