From: Andy Smith <andy@strugglers.net>
To: Steven Haigh <netwiz@crc.id.au>
Cc: xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: PV random device
Date: Tue, 6 Oct 2015 05:18:09 +0000
Message-ID: <20151006051809.GK4243@bitfolk.com>
In-Reply-To: <1e6b2ce6bdab30816895b8b251fa29c5@crc.id.au>
Hi Steven
On Tue, Oct 06, 2015 at 03:50:10PM +1100, Steven Haigh wrote:
> On 2015-10-06 15:29, Andy Smith wrote:
> >- Your typical EntropyKey or OneRNG can generate quite a bit of
> > entropy. Maybe 32 kilobytes per second for ~$50 each.
>
> If you can get one... :)
Yeah, EntropyKeys aren't really obtainable any more but I have some
OneRNGs for if my installed EntropyKeys ever die.
> >- You can access them over the network so no USB passthrough needed.
>
> Care to give details on this? I've got a HWRNG on a system that I'd
> like to 'share' the entropy source out - but haven't found anything
> to do this.
Okay so the people who made EntropyKey made two pieces of software
called ekeyd and ekeyd-egd. They're available with source here:
http://www.entropykey.co.uk/download/
They haven't been modified since 2009 or something, but they still
work.
ekeyd-egd is what you install on client hosts (e.g. VMs). You point
it at an IP address that will serve it entropy in EGD format and it
stuffs that entropy into the client host's /dev/random. Despite the
name it is not specific to the EntropyKey.
ekeyd is what you install on the host that has the EntropyKey.
Now, ekeyd is obviously specific to the EntropyKey, so if not using
an EntropyKey you'd probably need to replace that part with a daemon
that serves your /dev/random out in EGD mode.
I haven't yet tried to do this because my EntropyKeys still work and
making use of my OneRNGs is a future project. I think this should
work:
http://www.vanheusden.com/entropybroker/
That was going to be the first thing I looked at anyway.
But again, as I say, that article I posted earlier contains a bunch
of smart crypto people saying that all of this is unnecessary. So
should we be enabling it?
Cheers,
Andy
--
"SCSI is usually fixed by remembering that it needs three terminations: One at
each end of the chain. And the goat." — Andrew McDonald
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
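The ekeyd / ekeyd-egd exchange described in the message above, as an added example that is not part of the thread or of the EntropyKey software: a minimal EGD server and client over TCP using the two EGD commands ekeyd-egd needs (entropy-count query and blocking read), plus the rand_pool_info payload the client side would hand to the Linux RNDADDENTROPY ioctl. Assumptions: os.urandom stands in for the host's HWRNG-fed /dev/random, the 4096-bit estimate is a constructed value, and only the 0x00 and 0x02 EGD commands are implemented.

```python
import os
import socket
import struct
import threading

# EGD wire format subset as spoken by egd.pl / ekeyd-egd:
#   0x00      -> reply: 4-byte big-endian entropy estimate in bits
#   0x02 <n>  -> blocking read, reply: exactly n random bytes
EGD_GET_COUNT, EGD_READ_BLOCKING = 0x00, 0x02

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD peer closed connection")
        buf += chunk
    return buf

def serve_one(conn, source=os.urandom):
    """ekeyd role. os.urandom is a constructed stand-in for the HWRNG."""
    with conn:
        while cmd := conn.recv(1):
            if cmd[0] == EGD_GET_COUNT:
                conn.sendall(struct.pack(">I", 4096))  # constructed estimate
            elif cmd[0] == EGD_READ_BLOCKING:
                conn.sendall(source(recv_exact(conn, 1)[0]))
            else:
                return  # unknown command: drop the client

def start_server(host="127.0.0.1"):
    srv = socket.socket()
    srv.bind((host, 0))  # ephemeral port; returns (host, port) for the client
    srv.listen(5)
    def loop():
        while True:
            serve_one(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def fetch_entropy(addr, nbytes):
    """ekeyd-egd role: read the estimate, then block for nbytes (<= 255)."""
    with socket.create_connection(addr) as s:
        s.sendall(bytes([EGD_GET_COUNT]))
        avail_bits = struct.unpack(">I", recv_exact(s, 4))[0]
        s.sendall(bytes([EGD_READ_BLOCKING, nbytes]))
        return avail_bits, recv_exact(s, nbytes)

def rand_pool_info(data, entropy_bits):
    """struct rand_pool_info for the RNDADDENTROPY ioctl on /dev/random, which
    mixes data in AND credits entropy_bits; a plain write() credits none."""
    return struct.pack("ii", entropy_bits, len(data)) + data
```

Note that the wire protocol carries no authentication or encryption, so anything fed to the guest's pool this way should travel only over a link you already trust, and the entropy credit should reflect what the source actually provides.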