[Cryptography] provisioning a seed for /dev/urandom

Theodore Ts'o tytso at mit.edu
Sat Oct 26 12:58:28 EDT 2013


On Sat, Oct 26, 2013 at 03:49:15AM +0800, David Mercer wrote:
> 
> Unfortunately access to the host hypervisor's /dev/urandom isn't normally
> available.

virtio-rng has been around for over 5 years, and it specifically
provides access to the host's /dev/random and makes it available via
/dev/hw_random; you then run rng-tools on the guest.  Qemu/kvm uses
virtio-rng.  I'm not sure about Xen, but if it doesn't, boo, hiss to
the Xen folks, especially since the paravirtualized interface has been
around for so long.

> You aren't going to have lots of high quality randomness available via
> /dev/random on the hypervisor in currently deployed VM hosting environments.

There are typically plenty of interrupts from your network and storage
devices which should provide plenty of entropy for the hypervisor.

							- Ted


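The guest side of the virtio-rng path Ted describes (host RNG -> virtio-rng -> guest /dev/hw_random -> rng-tools -> kernel pool), as an added example that is not part of the original thread or of rng-tools: a POSIX shell check that reports which hwrng driver is backing /dev/hw_random, whether it is virtio-rng, and whether the kernel pool is starved. The sysfs and procfs paths are the real Linux ones; the SYSFS and PROC variables, the 256-bit threshold and the function names are this example's own choices. On the host side, QEMU attaches the device with `-object rng-random,id=rng0,filename=/dev/random -device virtio-rng-pci,rng=rng0` (from QEMU's options, not from the mail).

```shell
#!/bin/sh
# Guest-side check of the virtio-rng entropy path:
#   host /dev/random -> virtio-rng -> guest /dev/hw_random -> rngd -> kernel pool
# Added example, not code from the original mail or from rng-tools.
# SYSFS/PROC default to the real trees; they are overridable only so the
# same functions can be pointed at a constructed fake tree.

SYSFS="${SYSFS:-/sys}"
PROC="${PROC:-/proc}"

# Name of the hwrng driver currently backing /dev/hw_random, or "none"
# when the kernel has no hwrng device registered at all.
hwrng_current() {
    f="$SYSFS/devices/virtual/misc/hw_random/rng_current"
    if [ -r "$f" ]; then cat "$f"; else echo none; fi
}

# Exit 0 if that driver is virtio-rng (the host-provided source), 1 otherwise.
# On a KVM guest the value is normally "virtio_rng.0".
hwrng_is_virtio() {
    case "$(hwrng_current)" in
        virtio_rng*|virtio-rng*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# The kernel's current entropy estimate for the input pool, in bits.
pool_entropy_bits() {
    f="$PROC/sys/kernel/random/entropy_avail"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Exit 0 if an rngd process is running (only meaningful on a live guest;
# rngd is what moves bytes from /dev/hw_random into the kernel pool).
rngd_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x rngd >/dev/null 2>&1
}

# Overall verdict: exit 0 when the guest has virtio-rng and the pool holds
# at least $1 bits (assumed default 256); prints a one-line explanation.
guest_entropy_ok() {
    min_bits="${1:-256}"
    src="$(hwrng_current)"
    bits="$(pool_entropy_bits)"
    if ! hwrng_is_virtio; then
        echo "no virtio-rng: rng_current=$src (attach a virtio-rng device on the host)"
        return 1
    fi
    if [ "$bits" -lt "$min_bits" ]; then
        echo "virtio-rng present but pool has only $bits bits (is rngd running?)"
        return 1
    fi
    echo "ok: rng_current=$src entropy_avail=$bits"
    return 0
}

# Stand-alone usage: sh check-rng.sh ; the verdict is left in RNG_STATUS.
guest_entropy_ok
RNG_STATUS=$?
```

Run it as a normal user inside the guest; a result of "no virtio-rng" means the device was never attached on the host side, while "virtio-rng present but pool ... starved" usually means rngd is not running, which `rngd_running` will confirm.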