From: Rob Kendrick
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Bought an "entropy-key" - very happy
Date: Fri, 26 Mar 2010 15:19:05 +0000
Message-ID: <20100326151905.55ba1743@trite.i.flarn.net.i.flarn.net>
In-Reply-To: <20100326141518.GN10118@gmail.com>
X-Mailer: Claws Mail 3.7.2 (GTK+ 2.18.3; x86_64-pc-linux-gnu)

On Fri, 26 Mar 2010 09:15:19 -0500 Brian Kroth wrote:

> This probably won't actually happen until some distant point in the
> future, but I'm especially interested in getting it to virtual
> machines. Unfortunately, from what I can find there's no nice
> interface between the host's rng and the vm for vmware esx like there
> is for kvm (eg: virtio_rng). Anyone know of one?

The tool you previously mentioned, Entropy Broker, is amongst the better
choices.

> With the entropy broker the thing I'm not totally clear on is how
> entropy bits transferred over the network (presumably without
> encryption as that might require entropy) would be worthwhile
> entropy?

I believe Entropy Broker encrypts, so it should be safe in that respect.
Not that it's much of a problem on a VM where the network cable in
question is a completely virtual one.

> What makes it different from the situation where you're
> using the network device interrupts as a source of entropy?
> Couldn't both be observable?

Such interrupts aren't great choices for entropy because they're so
easily manipulable, anyway.

> Another question - I keep seeing people suggesting to hook rngd (from
> rng-tools) up to /dev/urandom. Doesn't that just feed your system
> entropy with a PRNG most of the time? I feel like this just gives
> the illusion of a decent-sized entropy pool. Might as well hook your
> app up to /dev/urandom instead, correct?

Yep.

B.
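The last exchange above (feeding rngd from /dev/urandom) is worth seeing in code. The following is an added example, not part of the thread and not code from rng-tools or the kernel: a constructed toy model of an entropy pool with a separate "credited bits" counter, where SHA-256 stands in for the kernel's mixing function and os.urandom stands in for a real hardware RNG. It shows why the credited counter climbs in both configurations, while only the hardware-fed pool actually becomes unpredictable to someone who knows the starting state.

```python
import hashlib
import os


class ToyEntropyPool:
    """Toy model of a kernel entropy pool (constructed for this example).

    The kernel keeps two separate things: the pool *state* that output is
    derived from, and an *entropy estimate* that is increased whenever a
    source credits bits to it. They are modelled here as `state` and
    `credited_bits`. SHA-256 stands in for the real mixing function.
    """

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"seed" + seed).digest()
        self.credited_bits = 0

    def mix_in(self, data: bytes, credit_bits: int) -> None:
        """Mix input into the pool and add the caller's entropy credit."""
        self.state = hashlib.sha256(b"mix" + self.state + data).digest()
        self.credited_bits += credit_bits

    def read_urandom(self, n: int) -> bytes:
        """Non-blocking output derived from the state, like /dev/urandom."""
        out = hashlib.sha256(b"out" + self.state).digest()[:n]
        self.state = hashlib.sha256(b"step" + self.state).digest()
        return out


def rngd_from_urandom(pool: ToyEntropyPool, rounds: int, credit: int = 64) -> int:
    """Model 'rngd -r /dev/urandom': read the pool's own output and feed it
    back in with full entropy credit. Returns the credited bit count."""
    for _ in range(rounds):
        pool.mix_in(pool.read_urandom(8), credit)
    return pool.credited_bits


def rngd_from_hardware(pool: ToyEntropyPool, rounds: int, credit: int = 64) -> int:
    """Model rngd fed from an external hardware RNG. os.urandom is a
    constructed stand-in for the device; it is not an rng-tools API."""
    for _ in range(rounds):
        pool.mix_in(os.urandom(8), credit)
    return pool.credited_bits


def urandom_feedback_is_predictable(seed: bytes = b"same-boot-state",
                                    rounds: int = 100) -> bool:
    """Two pools that start in the same state and are 'topped up' from their
    own /dev/urandom stay identical: the counter says rounds*64 bits were
    added, but nothing unpredictable ever entered the pool."""
    a, b = ToyEntropyPool(seed), ToyEntropyPool(seed)
    rngd_from_urandom(a, rounds)
    rngd_from_urandom(b, rounds)
    return (a.credited_bits == rounds * 64
            and a.read_urandom(32) == b.read_urandom(32))


def hardware_feed_diverges(seed: bytes = b"same-boot-state",
                           rounds: int = 100) -> bool:
    """With a genuine external source the same starting state no longer
    determines the output, even though the credited count is identical."""
    a, b = ToyEntropyPool(seed), ToyEntropyPool(seed)
    rngd_from_hardware(a, rounds)
    rngd_from_hardware(b, rounds)
    return (a.credited_bits == rounds * 64
            and a.read_urandom(32) != b.read_urandom(32))


if __name__ == "__main__":
    print("urandom -> rngd -> pool is predictable:", urandom_feedback_is_predictable())
    print("hardware -> rngd -> pool diverges:", hardware_feed_diverges())
```

The credited counter is only an accounting figure; what matters is whether the bytes a source mixes in are unpredictable to anyone who could reconstruct the pool's current state. Feeding the pool from its own output raises the figure without changing that, which is the point the reply agrees with.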