Date: Tue, 20 Apr 2010 21:14:45 +0200
From: Arno Wagner
Message-ID: <20100420191445.GA17384@tansi.org>
Subject: Re: [dm-crypt] passfrase or dev_random for keyfile of a dmcrypt_swap
To: dm-crypt@saout.de

Nice find! Yes, that is the issue and a solution.

Arno

On Tue, Apr 20, 2010 at 07:06:12PM +0100, Si St wrote:
>
> > QUESTION: But in case I would have to use a seed, how is this done?
> > Especially with an UPDATED seed? This I do not know.
>
> Advanced practical crypto implementation. What you do is, you store
> some entropy on system shutdown to use at the next start together
> with the best you can get at the start. On first start you are
> screwed, but for swap it is less critical. For example done by
> GnuPG, in the form of $HOME/gnupg/random_seed.
>
> Arno
>
> SiSt:
>
> I assume that I am close to the understanding of your point here, with this
> excerpt from the urandom manual(?):
>
> When a Linux system starts up without much operator interaction, the entropy
> pool may be in a fairly predictable state. This reduces the actual
> amount of noise in the entropy pool below the estimate. In order to
> counteract this effect, it helps to carry entropy pool information across
> shut-downs and start-ups. To do this, add the following lines to an
> appropriate script which is run during the Linux system start-up sequence:
>
>     echo "Initializing random number generator..."
>     random_seed=/var/run/random-seed
>     # Carry a random seed from start-up to start-up
>     # Load and then save the whole entropy pool
>     if [ -f $random_seed ]; then
>         cat $random_seed >/dev/urandom
>     else
>         touch $random_seed
>     fi
>     chmod 600 $random_seed
>     poolfile=/proc/sys/kernel/random/poolsize
>     [ -r $poolfile ] && bytes=`cat $poolfile` || bytes=512
>     dd if=/dev/urandom of=$random_seed count=1 bs=$bytes
>
> Also, add the following lines in an appropriate script which is run
> during the Linux system shutdown:
>
>     # Carry a random seed from shut-down to start-up
>     # Save the whole entropy pool
>     echo "Saving random seed..."
>     random_seed=/var/run/random-seed
>     touch $random_seed
>     chmod 600 $random_seed
>     poolfile=/proc/sys/kernel/random/poolsize
>     [ -r $poolfile ] && bytes=`cat $poolfile` || bytes=512
>     dd if=/dev/urandom of=$random_seed count=1 bs=$bytes
>

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
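
Added example, not part of the original message or of the quoted manual text: the seed carry-over described in the quoted excerpt, written so that the seed file is created owner-only, replaced atomically, and refreshed immediately after it is loaded. The variable and function names (`SEED_FILE`, `SEED_BYTES`, `RNG_DEV`, `save_seed`, `load_seed`) and the default seed path are assumptions made for this sketch; the path must sit on storage that survives a reboot.

```shell
#!/bin/sh
# Added example: seed carry-over with an atomic, owner-only seed file.
# Assumptions (not from the thread): the names SEED_FILE, SEED_BYTES, RNG_DEV,
# save_seed, load_seed, and the default seed path.
SEED_FILE=${SEED_FILE:-/var/lib/misc/random-seed}  # assumed persistent path
SEED_BYTES=${SEED_BYTES:-512}                      # fallback size from the quoted text
RNG_DEV=${RNG_DEV:-/dev/urandom}

# Write a fresh seed. The temp file is created mode 0600 by mktemp, filled
# completely, and only then renamed over the old seed, so a crash never
# leaves a truncated or world-readable seed behind.
save_seed() {
    tmp=$(mktemp "$(dirname "$SEED_FILE")/.random-seed.XXXXXX") || return 1
    if dd if="$RNG_DEV" of="$tmp" bs="$SEED_BYTES" count=1 2>/dev/null &&
       [ "$(wc -c < "$tmp")" -eq "$SEED_BYTES" ]; then
        mv -f "$tmp" "$SEED_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Mix the stored seed into the pool, then replace it at once so the same
# seed is never fed in on two boots (for instance after an unclean shutdown).
# Writing to the device mixes the data in but does not raise the kernel's
# entropy estimate. On first boot there is no seed and only save_seed runs.
load_seed() {
    if [ -f "$SEED_FILE" ] && [ ! -L "$SEED_FILE" ] && [ -s "$SEED_FILE" ]; then
        cat "$SEED_FILE" > "$RNG_DEV" || return 1
    fi
    save_seed
}

# Usage: script start (boot) | script stop (shutdown)
case "${1:-}" in
    start) load_seed ;;
    stop)  save_seed ;;
esac
```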