[Cryptography] provisioning a seed for /dev/urandom
Stephan Mueller
smueller at chronox.de
Mon Oct 28 10:38:49 EDT 2013
On Saturday, 26 October 2013, 03:49:15, David Mercer wrote:
Hi David,
>On Fri, Oct 25, 2013 at 4:14 AM, John Denker <jsd at av8n.com> wrote:
>> On 10/17/2013 12:43 PM, David Mercer wrote:
...
>> > The obvious place to do that, when the VM is actually provisioned,
>> > ends up hurting deployment time due to sometimes blocking on
>> > /dev/random reads to re-seed /dev/urandom.
>>
>> I'm mystified by that. We're talking about Linux /dev/urandom
>> aren't we? That never blocks, not for reseeding or for anything
>> else. There have been proposals to change this, but that would
>> be a Bad Idea™ and I've never seen any blocking urandom device
>> actually get distributed ... although perhaps I have overlooked
>> something.
>
>I was talking about re-seeding /dev/urandom when the on-disk seed file
>that is read at boot is identical across virtual machine images. We're
>talking about the large VM hosting provider use case. Lots of VM
>instances can be spun up at once on a hypervisor, and re-seeding
>/dev/urandom from /dev/random can and will often block.
>
>Note that on many (most?) data center grade rackmount servers you don't
>HAVE an audio port at all to run something like turbid against.
But you have a CPU and a high-resolution timer. Thus, the CPU Jitter is
measurable and thus usable from within a virtual machine. It would be
great if Ted could pick it up for inclusion into /dev/random as another
seed source.
Ciao
Stephan
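
The following is an added example, not part of the original message and not the CPU Jitter code it refers to: it times a fixed workload repeatedly from user space and reports how often the most common low byte of the measured durations occurs, which shows whether timing variation is visible at all on a given host or guest. The function names, workload and sample counts are assumptions chosen for illustration, and the result is a sanity check on the raw timings, not an entropy assessment.

```c
/* Added example: observe execution-time jitter with a high-resolution timer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Nanosecond timestamp via C11 timespec_get (wall clock, ns resolution on Linux). */
static uint64_t now_ns(void) {
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Time n runs of a constant, data-independent workload; store each duration. */
size_t collect_deltas(uint64_t *out, size_t n) {
    volatile uint64_t sink = 1;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = now_ns();
        for (int k = 0; k < 256; k++)            /* same work every iteration */
            sink = sink * 6364136223846793005ull + 1442695040888963407ull;
        out[i] = now_ns() - t0;
    }
    return n;
}

/* Occurrences of the most common value among the low `bits` bits (bits <= 8). */
size_t mcv_count(const uint64_t *d, size_t n, unsigned bits) {
    size_t hist[256] = {0}, best = 0;
    uint64_t mask = (1u << bits) - 1;
    for (size_t i = 0; i < n; i++) {
        size_t c = ++hist[d[i] & mask];
        if (c > best) best = c;
    }
    return best;
}

int main(void) {
    enum { N = 4096 };
    static uint64_t d[N];
    size_t n = collect_deltas(d, N);
    size_t top = mcv_count(d, n, 8);
    /* A timer that is too coarse shows up as p_max close to 1. */
    printf("samples=%zu most common low byte seen %zu times (p_max=%.4f)\n",
           n, top, (double)top / (double)n);
    printf("a uniform low byte would give p_max near %.4f\n", 1.0 / 256);
    return 0;
}
```

Running it on the hypervisor and inside a guest gives a quick comparison of how much of the timing variation survives virtualization of the clock source.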