Date: Fri, 31 May 2013 12:01:02 +0200
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
To: freebsd-hackers@freebsd.org
Subject: seeding randomness in zee cloud
Message-ID: <0BF6FBDD-47E8-44F1-BA71-A355EDCDEDB6@webweaving.org>
Thanks to a badly-written mngt script - we've recently noticed a freshly generated ssh-key on a new AWS instance to be identical to one seen a few months prior.

Careful analysis of some other logs showed that we've had similar clashes on another script just after startup generating a very short x509 CSR. It happens quite rarely though. But still.

I am surmising that perhaps the (micro-T) images do not have that much entropy on startup.

So I am wondering how to best make our images 'more random' -- and want to avoid the linux/openstack suggestion[1] of doing this through the boot-params [2] (as in our case it is the operator of the machine we're protecting/guarding against accusations/temptations).

Now we happen to have very easy access to blocks of 1024 bits of randomness from a remote server in already nicely PKI signed packages (as it is needed later for something else).

Is it safe to simply *add* those with:

    set -e

    # fetch randomness & check signature
    .. snipped...

    # Seed Software random generator
    #
    cat rnd > /dev/random

    # Activate software random generator as an additional source
    sysctl kern.random.sys.harvest.swi=1

Or does this cause a loss/reset of all entropy gathered by the hardware so far? Or is there a cleaner way to add an additional seed as a one-off while disturbing as little as possible (in the few seconds just after the network is brought up)?

Thanks,

Dw.

FWIW: this is the output of sysctl kern.random.

    kern.random.yarrow.gengateinterval: 10
    kern.random.yarrow.bins: 10
    kern.random.yarrow.fastthresh: 192
    kern.random.yarrow.slowthresh: 256
    kern.random.yarrow.slowoverthresh: 2
    kern.random.sys.seeded: 1
    kern.random.sys.harvest.ethernet: 1
    kern.random.sys.harvest.point_to_point: 1
    kern.random.sys.harvest.interrupt: 1
    kern.random.sys.harvest.swi: 0

1: http://blog.dustinkirkland.com/2012/10/entropy-or-lack-thereof-in-openstac=
k.html
2: https://review.openstack.org/#/c/14550/
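The symptom described above (a fresh instance booting with the same ssh host key as an earlier one) is easy to catch fleet-wide by fingerprinting every instance's host public key and looking for fingerprints shared across instances. The script below is an added example, not code from the thread; it assumes the operator has already collected each instance's `ssh_host_*_key.pub` line (e.g. via ssh-keyscan), and the key bytes it embeds are constructed sample data, not real keys.

```python
"""Fleet audit: flag SSH host keys shared by more than one instance.

Constructed sample data below stands in for host keys collected from
/etc/ssh/ssh_host_*_key.pub on each instance; the key bytes are made up.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH ssh-ed25519 public key line from 32 raw key bytes."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint: hash of the key blob only, so the
    trailing comment (hostname) does not hide a duplicate."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory: dict) -> dict:
    """Map fingerprint -> sorted instance names, keeping only fingerprints
    seen on more than one instance (the cloned-entropy-state symptom)."""
    seen = defaultdict(list)
    for instance, line in inventory.items():
        seen[fingerprint(line)].append(instance)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed inventory: i-0003 came up with the same host key as i-0001.
SAMPLE_INVENTORY = {
    "i-0001": make_pubkey_line(bytes(range(32)), "root@i-0001"),
    "i-0002": make_pubkey_line(bytes(range(32, 64)), "root@i-0002"),
    "i-0003": make_pubkey_line(bytes(range(32)), "root@i-0003"),
}

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

Any fingerprint reported here is worth treating as an incident: the affected instances need new host keys, and the image's boot-time seeding needs a look.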