From: Rob Kendrick
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Bought an "entropy-key" - very happy
Date: Thu, 25 Mar 2010 20:21:02 +0000
Message-ID: <20100325202102.496a1eb6@trite.i.flarn.net.i.flarn.net>
In-Reply-To: <4BABC4C8.2080603@wildgooses.com>
References: <20100325131033.0dc5429b@trite.i.flarn.net.i.flarn.net> <4BABB06F.5232.1636AE96@pageexec.freemail.hu> <4BABC4C8.2080603@wildgooses.com>

On Thu, 25 Mar 2010 20:17:12 +0000 Ed W wrote:
> > out of curiosity, what's that mean exactly?
> >
> I believe that the random numbers are encrypted out of the device? I
> say that because when you start up the userspace daemon you tell it a
> long random number supplied with the device. I assume this is
> designed to make sure that some local process can't sniff the entropy
> (over the USB bus, or whatever) before it's added to the kernel pool?

Pretty much. It is worth noting that the entropy is decrypted before being added to the pool; it's not just a whitening scheme. (Rootly processes can, of course, pretty much know whatever they want to. The encryption and handshaking is there to prevent physical access to the outside of the case being as much of an issue.)

B.
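As an added illustration of the design Rob describes above (this is example code, not the Entropy Key's actual protocol or its daemon), the Go program below models the device-to-daemon path: the long shared secret given to the daemon is mixed with handshake nonces into a session key, the device seals each packet of entropy, and the daemon decrypts and authenticates it before the bytes would go to the kernel pool. The function names, the choice of AES-GCM, and all sample values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// deriveSessionKey stands in for the handshake: the long shared secret typed
// into the daemon plus per-session nonces give a fresh AES-256 key.
func deriveSessionKey(shared, deviceNonce, hostNonce []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write(deviceNonce)
	mac.Write(hostNonce)
	return mac.Sum(nil) // 32 bytes, a valid AES-256 key
}

// aead gives AES-GCM under the session key; the nonce carries the packet
// sequence number, so a replayed packet does not open under the next number.
func aead(key []byte, seq uint64) (cipher.AEAD, []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: deriveSessionKey always yields 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	binary.BigEndian.PutUint64(nonce[gcm.NonceSize()-8:], seq)
	return gcm, nonce
}

// sealEntropy is the device side: only this encrypted, authenticated packet
// crosses the USB bus, so a sniffer on the bus sees ciphertext, not entropy.
func sealEntropy(key []byte, seq uint64, entropy []byte) []byte {
	gcm, nonce := aead(key, seq)
	return gcm.Seal(nil, nonce, entropy, nonce)
}

// openEntropy is the daemon side: decrypt and verify the tag; only the
// recovered plaintext would then be written to the kernel pool.
func openEntropy(key []byte, seq uint64, packet []byte) ([]byte, error) {
	gcm, nonce := aead(key, seq)
	return gcm.Open(nil, nonce, packet, nonce)
}

func main() {
	key := deriveSessionKey([]byte("constructed-shared-secret"), []byte("dev-nonce"), []byte("host-nonce"))
	pkt := sealEntropy(key, 1, []byte("constructed 32 bytes of entropy!")) // stand-in for device output
	got, err := openEntropy(key, 1, pkt)
	fmt.Printf("bus sees %x\ndaemon recovers %q (err=%v)\n", pkt, got, err)
}
```

A packet replayed under a later sequence number, sealed under a different secret, or altered in transit fails to open and never reaches the pool; the decrypted bytes exist only in the daemon's memory, which is the part a root process can still read.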