Hello,
On Mon, Jun 07, 2010 at 01:36:31PM +0000, Andy Smith wrote:
> I now have a solution for serving high-quality entropy to BitFolk
> virtual machines, so if you feel you don't have as much entropy as
> you need then it would be great if you would try out using my (free)
> entropy service.
As I thought might happen sooner or later, I have received some
criticism that "using random over urandom (and adding reliance on an
external proprietary black box you bought on the internet for $30 on
a site designed to appeal to paranoid people) is a poor engineering
tradeoff." [1]
so I would just like to clarify some things in case anyone believes
that I have been suggesting that you all need the whizz bang Entropy
Key to carry on your Internet existences:
- I personally haven't encountered any problems with my entropy
being exhausted, I have only received complaints of this from
other customers. I would expect few people to have a problem, and
those who do will probably find it revolves around gnutls (which
is becoming popular as an OpenSSL replacement in things like Exim
and gnupg since OpenSSL has license linking issues).
- If it were just me experiencing this problem, I would likely run
rngtest on my /dev/urandom to satisfy myself that it could supply
me with a sufficient amount of entropy that it considers to be
high enough quality. Once it did (and I would expect it to), I'd
symlink urandom to random.
- It's my *opinion* that Linux urandom would be good enough for
*me*, but not being an expert, and given that the authors of these
software packages disagree with that opinion, I will only ever
advise people to make their own judgement.
http://lwn.net/Articles/261091/ and
http://savannah.gnu.org/support/?106112 may be of interest.
- I did not intend to advise that Linux's /dev/urandom is inferior;
you must make your own judgement (if you even feel the need to
care). For those who *do* feel more comfortable going with the
judgement of the authors of gnutls and other packages that like to
use /dev/random a lot, you have an operational problem and this is
an interesting area of study for me. I have seized the opportunity
to offer a solution to your problem that my competitors have not.
Some will call you paranoid. It's your call.
Thank you and sorry to anyone who felt that I was pushing snake oil
or worse on them. Just interesting myself and trying to do
something different, whilst still being an honest bidnizzman. :)
I will clarify these things on the blog post tomorrow, and when I
eventually get around to documenting the entropy service it will
carry similar disclaimers. That won't be for a while because I need
to add resilience (another Entropy Key being plugged in tomorrow),
measure the limits, add monitoring, and run quality tests on the
entropy.
Cheers,
Andy
[1] This is not from a customer. They aren't on this list. Please
don't heckle them. :)
--
http://bitfolk.com/ -- No-nonsense VPS hosting
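
The rngtest check mentioned in the message applies the FIPS 140-2 statistical tests to 20000-bit blocks. The following is an added example, not part of the original message and not rngtest's own code: a Python reimplementation of three of those tests (monobit, poker, long run; the runs test is omitted), run over constructed sample blocks. All function and constant names are assumptions made for illustration.

```python
import os
from itertools import groupby

BLOCK_BYTES = 2500  # 20000 bits, the block size the FIPS 140-2 tests use

def monobit(block):
    """Pass if the number of 1 bits lies strictly between 9725 and 10275."""
    ones = sum(bin(b).count("1") for b in block)
    return 9725 < ones < 10275

def poker(block):
    """Chi-square style test over the 5000 4-bit nibbles in the block."""
    counts = [0] * 16
    for b in block:
        counts[b >> 4] += 1
        counts[b & 0x0F] += 1
    x = 16.0 / 5000 * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17

def long_run(block):
    """Fail if any run of identical bits is 26 or longer."""
    bits = "".join(f"{b:08b}" for b in block)
    return max(len(list(g)) for _, g in groupby(bits)) < 26

def fips_check(block):
    """Run the three tests on one 2500-byte block (hypothetical helper)."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("need exactly 2500 bytes (20000 bits)")
    return {"monobit": monobit(block), "poker": poker(block),
            "long_run": long_run(block)}

# Constructed sample blocks (not real RNG output):
ZEROS = bytes(BLOCK_BYTES)                            # stuck-at-zero source
ALTERNATING = b"\x55" * BLOCK_BYTES                   # 0101... pattern
COUNTER = bytes(i % 256 for i in range(BLOCK_BYTES))  # fully predictable

if __name__ == "__main__":
    samples = [("zeros", ZEROS), ("alternating", ALTERNATING),
               ("counter", COUNTER), ("os.urandom", os.urandom(BLOCK_BYTES))]
    for name, blk in samples:
        print(name, fips_check(blk))
```

The predictable counter block passes all three tests, while the stuck and alternating blocks fail: these checks catch gross statistical defects in a source and say nothing about whether its output can be predicted.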