Hi Keith,
On Sun, Jul 07, 2019 at 02:58:28PM +0100, Keith Williams wrote:
> I was reading in the pages and pages of guidance notes that there can be a
> problem with entropy starvation, even to the extent of SSH not working
> properly. Debian recommend doing a lot of pings as soon as you can to build
> up the entropy. Of course, how you do that during an install is another
> matter...
There is no entropy problem at boot on BitFolk because all of
BitFolk's servers have CPUs that support RDRAND and the buster
kernel trusts the RDRAND instruction of the host CPU:
[ 1.170404] random: crng done (trusting CPU's manufacturer)
I tested disabling RDRAND ("nordrand" on kernel command line) and
that resulted in a delay of almost 49 seconds before sshd would
respond:
[ 1.231884] random: fast init done
[ 48.655256] random: crng init done
Installing ekeyd-egd-linux and configuring it to use BitFolk's
entropy service:
https://tools.bitfolk.com/wiki/Entropy
brought this time down to:
[ 10.879583] random: crng init done
Possibly the time could be reduced further by forcing
ekeyd-egd-linux to start sooner.
The entropy service wiki page needs a rewrite and then I will post
more about this.
My personal view is that given the amount of other ways that the CPU
could work against you, there is no reason not to trust RDRAND, so I
do, and I also use the entropy service.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
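As an added example (not part of the thread and not BitFolk's or Debian's own tooling), the following POSIX shell script extracts the "random:" timestamps from a dmesg-style log to measure how long the kernel took to fully initialise its CRNG, and classifies the boot the way the message does: seeded immediately from the CPU's RNG, fully initialised only after a long delay (the "nordrand" case), or initialised within an acceptable window. The `crng_status`, `crng_init_seconds`, `crng_fast_init_seconds` and `cpu_has_rdrand` functions and the 5-second default threshold are this example's own choices; the sample log files are constructed to mirror the timings quoted in the message.

```shell
#!/bin/sh
# Added example: measure CRNG initialisation time from kernel log lines and
# report whether the CPU advertises RDRAND. Not code from the thread.

# Print the seconds-since-boot timestamp of the first "crng init done" or
# "crng done" line in a dmesg-style log ($1); print nothing if absent.
crng_init_seconds() {
    sed -n 's/^\[ *\([0-9.]*\)\] random: crng \(init \)\{0,1\}done.*/\1/p' "$1" | head -n 1
}

# Same for "fast init done", the early state before the pool is fully seeded.
crng_fast_init_seconds() {
    sed -n 's/^\[ *\([0-9.]*\)\] random: fast init done.*/\1/p' "$1" | head -n 1
}

# Classify a boot from its log ($1) with an optional threshold in seconds ($2,
# default 5):
#   trusted-cpu  kernel seeded the CRNG from the CPU's RNG (RDRAND trusted)
#   delayed      full init came more than $2 seconds after fast init
#   ok           full init came within the threshold
#   never        no "crng ... done" line at all (the sshd-hangs scenario)
crng_status() {
    log=$1; threshold=${2:-5}
    full=$(crng_init_seconds "$log")
    [ -n "$full" ] || { echo never; return 0; }
    if grep -q "random: crng done (trusting CPU's manufacturer)" "$log"; then
        echo trusted-cpu; return 0
    fi
    fast=$(crng_fast_init_seconds "$log")
    [ -n "$fast" ] || fast=0
    # awk does the floating-point comparison portably; exit 0 means "delayed"
    if awk -v a="$full" -v b="$fast" -v t="$threshold" 'BEGIN { exit !((a - b) > t) }'; then
        echo delayed
    else
        echo ok
    fi
}

# Live-system check (independent of the log): does the CPU advertise RDRAND?
# Returns 0 if the flag is present, 1 otherwise or if /proc/cpuinfo is absent.
cpu_has_rdrand() {
    grep -qw rdrand /proc/cpuinfo 2>/dev/null
}

# Constructed sample logs mirroring the three boots described in the message.
TMP=$(mktemp -d)
printf '%s\n' "[    1.170404] random: crng done (trusting CPU's manufacturer)" \
    > "$TMP/trusted.log"
printf '%s\n' "[    1.231884] random: fast init done" \
               "[   48.655256] random: crng init done" > "$TMP/nordrand.log"
printf '%s\n' "[    1.231884] random: fast init done" \
               "[   10.879583] random: crng init done" > "$TMP/egd.log"
printf '%s\n' "[    1.231884] random: fast init done" > "$TMP/never.log"

# Demo: report each constructed boot, then the live CPU flag.
demo() {
    for f in trusted nordrand egd never; do
        printf '%-9s crng init at %-10s status=%s\n' "$f" \
            "${f:+$(crng_init_seconds "$TMP/$f.log")}" "$(crng_status "$TMP/$f.log")"
    done
    if cpu_has_rdrand; then echo "this CPU advertises rdrand"; else echo "no rdrand flag found"; fi
}
```

Run it against a real system with `dmesg | grep 'random:' > boot.log` and `crng_status boot.log`; a "delayed" or "never" result on a guest without RDRAND is the point at which an entropy daemon such as ekeyd-egd-linux (or an earlier start for it) makes a measurable difference, as the timings in the message show.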