In a very similar manner I use rng-tools to replenish entropy from
urandom if entropy falls too low, which, whilst having the security
hole of being more predictable (especially when consuming below my top-up
margin), has the benefit of real randomness mixed in there.
I believe rng-tools is supposed to be used with a hardware key
(possibly such as Andy's) but even when using urandom as a source it
works around the issue of blocking randomness.
~Mat
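As an added illustration of what rng-tools does when it tops the pool up (example code, not from this thread or the rng-tools project): rngd hands data to the kernel with the RNDADDENTROPY ioctl and tells it how many bits to credit. The struct layout and ioctl number below mirror <linux/random.h>; crediting bits is what unblocks /dev/random, so data that came out of /dev/urandom should be mixed in with a credit of zero rather than counted as fresh entropy.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Same layout as struct rand_pool_info in <linux/random.h>; redefined here
   so the example builds without the kernel headers installed. */
struct pool_req {
    int entropy_count;   /* bits of entropy to credit to the pool */
    int buf_size;        /* number of data bytes that follow */
    uint32_t buf[];
};
#ifndef RNDADDENTROPY
#define RNDADDENTROPY _IOW('R', 0x03, int[2])
#endif

/* Build the request rngd would hand to the kernel. The credit is capped at
   8 bits per byte. Data derived from the pool itself (e.g. read back from
   /dev/urandom) should be passed with credit_bits == 0: it is stirred in
   but not counted, since it carries no entropy the kernel did not have. */
struct pool_req *build_pool_req(const unsigned char *data, size_t len, int credit_bits)
{
    if (len == 0 || len > 4096 || credit_bits < 0 || credit_bits > (int)(len * 8))
        return NULL;
    struct pool_req *p = calloc(1, sizeof *p + ((len + 3) & ~(size_t)3));
    if (!p) return NULL;
    p->entropy_count = credit_bits;
    p->buf_size = (int)len;
    memcpy(p->buf, data, len);
    return p;
}

/* Bits of entropy the kernel currently believes it holds; -1 if unreadable. */
int read_entropy_avail(void)
{
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Mix data into the kernel pool, crediting credit_bits (needs CAP_SYS_ADMIN). */
int add_entropy(const unsigned char *data, size_t len, int credit_bits)
{
    struct pool_req *p = build_pool_req(data, len, credit_bits);
    if (!p) return -1;
    int fd = open("/dev/random", O_WRONLY);
    int rc = fd < 0 ? -1 : ioctl(fd, RNDADDENTROPY, p);
    if (fd >= 0) close(fd);
    free(p);
    return rc;
}
```

Before and after a call to add_entropy, read_entropy_avail shows whether the credit was accepted; with credit_bits of zero the count does not rise, which is the honest setting for a urandom-fed loop.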
On 26 April 2010 08:43, Matt Holgate <matt-bitfolk(a)holgate.org.uk> wrote:
Hi Andy,
Thanks for the detailed response.
> Unless you get entropy from somewhere else, the lack of real
> hardware devices means a lack of entropy which means things which
> require a lot of entropy like setting up SSL connections under GNU
> TLS may be slow. If you can't get enough entropy then yes, forcing
> things to use /dev/urandom when they really wanted /dev/random might
> be your only option.
The entropy keys sound very interesting, however it's probably sufficient
for my purposes to just link random->urandom (that's not an open invitation
for you all to attempt to compromise my box ;-)).
I found an article which gives the necessary udev runes here:
http://n0tablog.wordpress.com/2007/11/24/running-out-of-entropy-in-debian-e…
(otherwise a manual symlink will be lost on reboot).
> I don't think many people verify certificates for SMTP, not between
> themselves and third parties anyway.
Cool...
Thanks for your help
Matt.