
Re: [Xen-devel] PV random device


  • To: Steven Haigh <netwiz@xxxxxxxxx>
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Tue, 6 Oct 2015 05:18:09 +0000
  • Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 06 Oct 2015 05:18:29 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc

Hi Steven

On Tue, Oct 06, 2015 at 03:50:10PM +1100, Steven Haigh wrote:
> On 2015-10-06 15:29, Andy Smith wrote:
> >- Your typical EntropyKey or OneRNG can generate quite a bit of
> >  entropy. Maybe 32 kilobytes per second for ~$50 each.
> 
> If you can get one... :)

Yeah, EntropyKeys aren't really obtainable any more but I have some
OneRNGs for if my installed EntropyKeys ever die.

> >- You can access them over the network so no USB passthrough needed.
> 
> Care to give details on this? I've got a HWRNG on a system that I'd
> like to 'share' the entropy source out - but haven't found anything
> to do this.

Okay so the people who made EntropyKey made two pieces of software
called ekeyd and ekeyd-egd. They're available with source here:

    http://www.entropykey.co.uk/download/

They haven't been modified since 2009 or something, but they still
work.

ekeyd-egd is what you install on client hosts (e.g. VMs). You point
it at an IP address that will serve it entropy in EGD format and it
stuffs that entropy into the client host's /dev/random. Despite the
name it is not specific to the EntropyKey.

ekeyd is what you install on the host that has the EntropyKey.

Now, ekeyd is obviously specific to the EntropyKey, so if not using
an EntropyKey you'd probably need to replace that part with a daemon
that serves your /dev/random out in EGD mode.

I haven't yet tried to do this because my EntropyKeys still work and
making use of my OneRNGs is a future project. I think this should
work:

    http://www.vanheusden.com/entropybroker/

That was going to be the first thing I looked at anyway.

But again as I say, that article I posted earlier contains a bunch
of smart crypto people saying that all of this is unnecessary. So
should we be enabling it?

Cheers,
Andy

-- 
"SCSI is usually fixed by remembering that it needs three terminations: One at
 each end of the chain. And the goat." — Andrew McDonald

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
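To make the ekeyd-egd arrangement Andy describes concrete, here is an added example (not code from the thread, nor from ekeyd or ekeyd-egd) of the client side: it sends the EGD blocking-read request to a server and packs the reply for the RNDADDENTROPY ioctl that mixes it into /dev/random. The loopback stand-in server, the sample byte pool and the function names are constructed for this demonstration.

```python
import fcntl
import os
import socket
import struct
import threading

# EGD wire format, the protocol ekeyd-egd consumes (also spoken by egd.pl and
# OpenSSL's RAND_egd): request byte 0x02 followed by a 1-byte n; the reply is
# exactly n bytes of entropy, and the server blocks until it has them.
EGD_READ_BLOCKING = 0x02
RNDADDENTROPY = 0x40085203  # Linux ioctl _IOW('R', 0x03, int[2]) on /dev/random

def egd_read_blocking(sock, n):
    if not 1 <= n <= 255:  # the length field is a single byte
        raise ValueError("EGD read length must be 1..255")
    sock.sendall(bytes([EGD_READ_BLOCKING, n]))
    data = sock.recv(n, socket.MSG_WAITALL)
    if len(data) != n:  # peer closed early: never treat a short read as entropy
        raise ConnectionError("EGD peer closed the connection")
    return data

def rand_pool_info(data, entropy_bits):
    # struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }
    # entropy_bits is the credit the kernel pool receives: credit only what a
    # source you trust delivered, since plain EGD over TCP is unauthenticated.
    padded = data + b"\0" * (-len(data) % 4)  # buf is an array of __u32
    return struct.pack("ii", entropy_bits, len(padded)) + padded

def feed_dev_random(data, entropy_bits, path="/dev/random"):
    # the ekeyd-egd step: mix data into the kernel pool and credit it (root only)
    fd = os.open(path, os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, rand_pool_info(data, entropy_bits))
    finally:
        os.close(fd)

def _serve_egd_once(listener, pool):
    # constructed stand-in for the ekeyd side: answers one client from a fixed buffer
    conn, _ = listener.accept()
    with conn:
        if conn.recv(1) == bytes([EGD_READ_BLOCKING]):
            conn.sendall(pool[:conn.recv(1)[0]])

def loopback_fetch(pool, n):
    # run the exchange end to end on 127.0.0.1 and return what the client received
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        threading.Thread(target=_serve_egd_once, args=(listener, pool), daemon=True).start()
        with socket.create_connection(listener.getsockname()) as sock:
            return egd_read_blocking(sock, n)
```

A real deployment would call feed_dev_random() on each fetch from the entropy host instead of the loopback stand-in, and decide the credited bit count from how much the source is trusted rather than from the byte count alone.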
