From: Ed W
Date: Sat, 27 Mar 2010 13:11:35 +0000
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Bought an "entropy-key" - very happy
Message-ID: <4BAE0407.5040205@wildgooses.com>
References: <4BA92703.4020200@wildgooses.com> <4BAB657C.8060309@wildgooses.com> <20100325201104.77d1c310@trite.i.flarn.net.i.flarn.net> <4BABC8E5.7040305@wildgooses.com> <20100326141518.GN10118@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100227 Lightning/1.0b1 Thunderbird/3.0.3
In-Reply-To: <20100326141518.GN10118@gmail.com>

On 26/03/2010 14:15, Brian Kroth wrote:
> Here's another graphing tool I started using since whoever started this
> thread got me hooked on the subject :)
> http://collectd.org/wiki/index.php/Plugin:Entropy
>

Nice.

For those using snmpd (e.g. cacti), all I did was add this line to my /etc/snmp/snmpd.conf file:

exec .1.3.6.1.4.1.2021.60 entropy /bin/cat /proc/sys/kernel/random/entropy_avail

Then I used a template from the cacti mailing list to easily pull that into a graph in cacti and plot it.

> Things are much worse, even for physical machines, than I originally
> suspected, so I'm now thinking about trying to set up something like this
> in conjunction with both the entropy key and the timer_entropyd so that
> I can provide an entropy service to various clients.
> http://www.vanheusden.com/entropybroker/
>

I don't have audio, video or builtin hw rand on my servers, so I could only use timer_entropyd. This chewed about 2-5% CPU on one very lightly loaded quad core intel board and kept the entropy at about 80-100%. On my other AMD dual core live server, it chewed more like 5-15% CPU (not sure why) and mostly it keeps entropy at 70-100%, but with regular dips to zero (server is pretty lightly loaded, load average around 0.2). Unless you are a complete tinfoil hatter then this is probably plenty.

The ekeyd keeps the machine at 100% entropy (actually it keeps it at slightly *over* 15,000 bytes which is the pool size - I'm not quite sure how/why it's keeping the pool at 101% filled, but there you go). CPU load is zero.

For distributing entropy around, the entropykey comes with a basic egd compatible socket and you simply set up an egd client (also supplied) to read from that socket. I don't believe this is encrypted, so entropybroker looks better over a real network, but it's also not yet in portage (anyone got some time to contribute an ebuild?)

So from a "it's done" point of view, the entropy key really is a very simple and low CPU solution.

Ed W
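The EGD socket exchange Ed describes (ekeyd exposing an egd-compatible socket, an egd client reading from it), as an added example that is not part of the original post and not ekeyd's or the Entropy Key's own code. It shows a small client speaking the EGD wire protocol, a constructed in-memory server standing in for ekeyd's socket so the exchange can run offline, and a Linux-only helper that credits the received bytes to the local kernel pool with the RNDADDENTROPY ioctl. Assumptions: the wire format is the egd.pl/prngd convention (that ekeyd's socket follows it exactly is assumed, not taken from the post); the pool contents, entropy figures and PID string are constructed; `/dev/random` and the ioctl number are the Linux values.

```python
"""EGD protocol client plus a constructed in-memory server (added example).

Wire format (egd.pl / prngd convention, assumed for EGD-compatible sockets):
  0x00                    -> reply: 4-byte big-endian entropy count (bits)
  0x01 n                  -> non-blocking read: reply 1-byte count, count bytes
  0x02 n                  -> blocking read: reply exactly n bytes
  0x03 bits(2 BE) n data  -> feed n bytes claimed worth `bits`; no reply
  0x04                    -> reply: 1-byte length, then the PID as ASCII
"""
import socket
import struct
import threading

EGD_GET_COUNT, EGD_READ_NONBLOCK, EGD_READ_BLOCK, EGD_WRITE, EGD_GET_PID = range(5)


def _recv_exact(sock, n):
    """Read exactly n bytes; a short read would desynchronise the framing."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD peer closed the socket mid-message")
        buf += chunk
    return bytes(buf)


class EgdClient:
    """Client side; works the same over a real AF_UNIX socket connected to ekeyd."""

    def __init__(self, sock):
        self.sock = sock

    def entropy_bits(self):
        self.sock.sendall(bytes([EGD_GET_COUNT]))
        return struct.unpack(">I", _recv_exact(self.sock, 4))[0]

    def read_nonblocking(self, n):
        if not 0 < n <= 255:
            raise ValueError("EGD reads carry a one-byte length: 1..255")
        self.sock.sendall(bytes([EGD_READ_NONBLOCK, n]))
        count = _recv_exact(self.sock, 1)[0]      # server may return fewer than n
        return _recv_exact(self.sock, count)

    def read_blocking(self, n):
        if not 0 < n <= 255:
            raise ValueError("EGD reads carry a one-byte length: 1..255")
        self.sock.sendall(bytes([EGD_READ_BLOCK, n]))
        return _recv_exact(self.sock, n)

    def add_entropy(self, data, bits):
        if not 0 < len(data) <= 255 or not 0 <= bits <= 0xFFFF:
            raise ValueError("bad EGD write")
        self.sock.sendall(bytes([EGD_WRITE]) + struct.pack(">HB", bits, len(data)) + data)


def serve_egd(sock, pool, bits):
    """Constructed server: answers until the peer closes. Returns remaining bits.
    A blocking read larger than the pool aborts (real EGD would block instead)."""
    while True:
        try:
            cmd = _recv_exact(sock, 1)[0]
        except ConnectionError:
            return bits
        if cmd == EGD_GET_COUNT:
            sock.sendall(struct.pack(">I", bits))
        elif cmd in (EGD_READ_NONBLOCK, EGD_READ_BLOCK):
            n = _recv_exact(sock, 1)[0]
            if cmd == EGD_READ_BLOCK and n > len(pool):
                raise RuntimeError("constructed server cannot block for more entropy")
            give = min(n, len(pool))
            out, pool[:give] = bytes(pool[:give]), b""
            bits = max(0, bits - 8 * give)            # one bit credited per bit handed out
            sock.sendall((bytes([give]) if cmd == EGD_READ_NONBLOCK else b"") + out)
        elif cmd == EGD_WRITE:
            added, n = struct.unpack(">HB", _recv_exact(sock, 3))
            pool += _recv_exact(sock, n)
            bits += added
        elif cmd == EGD_GET_PID:
            pid = b"4242"                              # constructed
            sock.sendall(bytes([len(pid)]) + pid)
        else:
            return bits


def feed_linux_pool(data, bits, dev="/dev/random"):
    """Credit `bits` of entropy for `data` to the local kernel pool (Linux, root).
    RNDADDENTROPY = _IOW('R', 0x03, int[2]); payload is struct rand_pool_info."""
    import fcntl, os
    RNDADDENTROPY = 0x40085203
    fd = os.open(dev, os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, struct.pack("ii", bits, len(data)) + data)
    finally:
        os.close(fd)


def demo():
    """Run the exchange over a socketpair against a constructed 64-byte pool."""
    client_end, server_end = socket.socketpair()
    pool, result = bytearray(range(64)), {}          # constructed "entropy", 512 bits claimed

    def run():
        with server_end:
            result["bits"] = serve_egd(server_end, pool, 512)

    t = threading.Thread(target=run)
    t.start()
    with client_end:
        c = EgdClient(client_end)
        before = c.entropy_bits()
        blob = c.read_blocking(16)
        after_read = c.entropy_bits()
        c.add_entropy(b"\xaa" * 4, 32)
        after_write = c.entropy_bits()
        partial = c.read_nonblocking(200)             # asks for more than is left
    t.join()
    return before, blob, after_read, after_write, partial, result["bits"]
```

To use this against the real thing, connect an `AF_UNIX` socket to ekeyd's EGD socket path and pass it to `EgdClient`, then hand each `read_blocking` result to `feed_linux_pool` (root only). The protocol has no authentication and, as Ed notes, no encryption: anyone who can reach the socket can drain it or, via command 0x03, inject bytes that the receiver will credit as entropy, so keep it on a local Unix socket with restrictive file permissions or wrap it in an authenticated tunnel before crossing a network.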