<div dir="ltr">Good idea, but if I followed the conversation here correctly, the desire was to minimize the number of windows required for the user to pass through during the installation. Having a window where the user has to do something, that in essence, seems really really random probably isn't the best thing to put in the installer. Would it be possible to delay key generation until the system uptime has reached a certain time or the user specifically requests the key to generated (in which case they can get to hammer on their keyboard). <div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div dir="ltr"> <div><div class="Wj3C7c"> <div class="gmail_quote">On Wed, Sep 24, 2008 at 9:37 PM, Michael Casadevall <<a href="mailto:sonicmctails@gmail.com" target="_blank">sonicmctails@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've did some work implementing /dev/random in GNU Hurd (yes, yes, I know :-P). Static bootups are fairly constant, i.e., poor source of entropy, so that is a major problem. However, it might be possible to have the user provide or generate entropy (maybe a friendly message such as "Ubuntu needs to generate entropy to encrypt your files, please bang on the keyboard like a monkey"), or the ability to provide a private key from another source like a USB key or something. Michael -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: <a href="http://getfiregpg.org" target="_blank">http://getfiregpg.org</a> iEYEARECAAYFAkjbB1wACgkQpblTBJ2i2psm4ACfcjq/0QyAV3PARKIgWmfNpdTy WKQAni0DPfLwUwW39PVklGZ32wCaS0do =TGV+ -----END PGP SIGNATURE----- <div><div></div><div> On Wed, Sep 24, 2008 at 11:28 PM, Kienan Stewart <<a href="mailto:kienan.stewart@gmail.com" target="_blank">kienan.stewart@gmail.com</a>> wrote: > Hi > > I was looking at the wikipedia article on /dev/random and /dev/urandom, > having previously not used them. The article linked to a paper that analyzed > the cryptographic procedures of the /dev/random and /dev/urandom in linux. > The main thing that I took out of paper and the wikipedia article was that > there was a small concern about the lack of entropy available in /dev/random > during installs and on livecds. If the key is generated right after a > reboot, they may not be sufficiently random. I'm not sure, but this could be > a thing to consider if keys are going to be generated early in the install > procedure. Would anyone else consider this a concern? > > P.S. Sorry if I sent this to someone twice, gmail only replies to the last > writer and not the list. My apologies. >> >> On Tue, Sep 23, 2008 at 3:48 PM, Onno Benschop <<a href="mailto:onno@itmaze.com.au" target="_blank">onno@itmaze.com.au</a>> wrote: >>> >>> On 24/09/08 01:43, Dustin Kirkland wrote: >>> > That said, let me throw out another perhaps more controversial >>> > option... What if we didn't ask, and we just provided ~/Private >>> > encrypted by default? If unspecified, the mount passphrase is >>> > randomly generated from 128 bits of /dev/urandom. We can do that >>> > completely entirely and reliably without adding a screen to the >>> > installer, and provide the system administrator user a secure, >>> > encrypted location to drop critical data by default on any Ubuntu >>> > Server >>> When I saw the previous posts come past I wondered if this wasn't a >>> better option. Leading by example. >>> >>> I'm not familiar with how it's created, but could it be "built-in" as >>> you suggest and be created when an account is made as part of the >>> adduser process? >>> >>> Could the (initial) pass-phrase be the user's login password? >>> >>> >>> -- >>> Onno Benschop >>> >>> Connected via Optus B3 at S31°54'06" - E115°50'39" (Yokine, WA) >>> -- >>> ()/)/)() ..ASCII for Onno.. >>> |>>? ..EBCDIC for Onno.. >>> --- -. -. --- ..Morse for Onno.. >>> >>> ITmaze - ABN: 56 178 057 063 - ph: 04 1219 8888 - >>> <a href="mailto:onno@itmaze.com.au" target="_blank">onno@itmaze.com.au</a> >>> >>> >>> >>> -- >>> ubuntu-server mailing list >>> <a href="mailto:ubuntu-server@lists.ubuntu.com" target="_blank">ubuntu-server@lists.ubuntu.com</a> >>> <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-server" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-server</a> >>> More info: <a href="https://wiki.ubuntu.com/ServerTeam" target="_blank">https://wiki.ubuntu.com/ServerTeam</a> >> > > > -- > ubuntu-server mailing list > <a href="mailto:ubuntu-server@lists.ubuntu.com" target="_blank">ubuntu-server@lists.ubuntu.com</a> > <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-server" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-server</a> > More info: <a href="https://wiki.ubuntu.com/ServerTeam" target="_blank">https://wiki.ubuntu.com/ServerTeam</a> > </div></div></blockquote></div> </div></div></div> </blockquote></div> </div>