[Cryptography] request for consideration: VM guest entropy: specific constructive suggestions

Yaron Sheffer yaronf.ietf at gmail.com
Mon Feb 3 22:22:35 EST 2014

To inject a bit of pessimism into the discussion:

Amazon Web Services is currently the largest public cloud. At the moment 
they don't provide a way for instances (guests) to read randomness from 
the host. Despite the fact that AWS is based on Xen, and Xen does have 
such support.

I also checked one of my instances on Amazon (cat /proc/cpuinfo), and it 
does not support RdRand. Of course they could be virtualizing the CPUID 
command, too.

Our production instances use a proprietary way to seed /dev/random on 
startup. Basically they "call home" to get some bits. A more generic 
alternative could use DHCP: 


More information about the cryptography mailing list